1. Introduction and Identity of the Controller
This Privacy Policy describes how Synvaxis LLC, a limited liability company organized under the laws of the State of Wyoming, United States of America, with registered address at 30 N Gould St Ste N, Sheridan, WY 82801, USA ("Synvaxis", "we", "us", "our"), collects, uses, stores, shares and protects personal data when you use SynvaxisApp (the "Platform", the "Service").
Processing roles. Synvaxis acts as a controller with respect to data necessary to provide the Service to the customer who holds the account (registration, billing, support). With respect to end-user data (contacts, conversations, orders) that the customer manages through the Platform, Synvaxis acts as a processor on behalf of the customer.
By using the Platform you consent to the data-processing practices described in this policy. We encourage you to read it carefully.
2. Data We Collect
2.1 Registration Data
When you create an account, we collect:
- Full name
- Email address
- Password (stored in hashed form)
2.2 Platform Usage Data
While using the Platform we process:
- Conversations: Messages between you/your AI and end customers over WhatsApp.
- Contacts: Names, phone numbers and metadata of managed contacts.
- Orders: Product information, prices, order status and shipping data.
- Products: Product catalog including descriptions, prices and images/multimedia.
- Audio: Voice notes sent and received, as well as AI-generated transcripts.
- Campaigns: Marketing-campaign data, performance metrics and sales attribution.
2.3 Integration Data
When you connect third-party services we process:
- WhatsApp Business API tokens: Access credentials to Meta's API for sending and receiving messages.
- AI API keys: Tokens of OpenAI, Google Gemini, Deepseek or other AI providers configured by the user.
- ElevenLabs and Vapi credentials: Keys for voice generation and AI calling services.
2.4 Technical Data
- IP address
- Browser and device type
- Session data and activity logs
- Functional and session cookies
3. How We Use the Data
We use your data to:
- Deliver the service: Process conversations, manage contacts, fulfill orders and operate the autonomous AI.
- Improve the service: Analyze usage patterns to optimize Platform performance and the quality of AI responses.
- Security: Detect and prevent fraud, abuse or violations of the terms of service.
- Communications: Send system notifications, AI performance alerts and service updates.
- AI processing: Conversations are sent to AI providers (using the user's API keys) to generate responses and analytics. This includes the RAG (Retrieval Augmented Generation) system to contextualize replies.
4. Storage and Security
4.1 Infrastructure
Data is stored on Supabase servers (PostgreSQL-based) with encryption at rest and in transit. Multimedia files (images, audio) are stored in Supabase Storage with secure access policies (RLS — Row Level Security).
4.2 Credential Encryption
Third-party API keys (OpenAI, WhatsApp, ElevenLabs, etc.) are stored encrypted using AES-256-GCM in the database. They are decrypted only at runtime on the server to make the corresponding API calls.
4.3 Multi-Tenant Isolation
The Platform implements per-user (multi-tenant) isolation through Row Level Security (RLS) in PostgreSQL. Each user can access only their own data, contacts, conversations and orders.
5. Sharing Data with Third Parties
We do not sell or "share" (as defined under CCPA/CPRA) personal data for advertising purposes. Data is shared only with the following service providers (sub-processors) strictly in connection with operating the Platform and under contractual data-protection agreements:
- Meta Platforms, Inc. (WhatsApp Business API): Messages and conversation metadata for message delivery. Use is governed by the WhatsApp Business Solution Terms and Meta's data policy.
- AI providers (OpenAI, Google, Deepseek, and others configured by the customer): Conversation content for AI response generation, transmitted using the customer's API keys. These providers operate under their own privacy policies; when the customer brings their own keys, Synvaxis does not control their retention practices.
- ElevenLabs, Inc. / Vapi, Inc.: Text for audio generation and content of AI-driven calls.
- Supabase, Inc.: Infrastructure provider for database, authentication and storage (hosted in the U.S.).
- Vercel, Inc.: Hosting provider for the frontend and serverless functions.
- Stripe, Inc. / payment processors: Subscription payment processing (where applicable). Synvaxis does not store full credit-card information.
We may also disclose data when required by law, valid court order, legitimate government request, or when necessary to protect the rights, property or safety of Synvaxis, our users or the public.
6. Legal Basis for Processing
We process personal data on the following legal bases, as applicable to your jurisdiction:
- Performance of contract: To provide you with the Service in accordance with the Terms.
- Consent: Where you expressly authorize us (e.g. optional communications).
- Legitimate interest: For security, fraud prevention, service improvement and aggregated analytics.
- Legal obligation: To comply with tax, accounting and regulatory obligations.
7. User Rights
Depending on your jurisdiction, you may exercise the following rights regarding your personal data. Synvaxis honors the rights established under the General Data Protection Regulation (GDPR, EU 2016/679), the UK GDPR, the California Consumer Privacy Act/CPRA, the Lei Geral de Proteção de Dados (LGPD, Brazil), the Federal Law on the Protection of Personal Data Held by Private Parties (Mexico), the Organic Law on Personal Data Protection (Ecuador), and other applicable regulations:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure / "right to be forgotten": Request the deletion of your personal data, subject to legal retention obligations. See our Data Deletion Policy.
- Portability: Receive your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Restriction: Request the restriction of processing of your data.
- Withdraw consent: Where processing is based on consent, withdraw that consent without affecting the lawfulness of prior processing.
- Non-discrimination (CCPA/CPRA): You will not receive differential treatment for exercising your rights.
- Complaint to authority: File complaints with the data-protection authority competent in your jurisdiction.
To exercise any of these rights, contact us at gerencia@synvaxis.com. We will respond within the timeframes required by applicable law (generally thirty (30) days; up to forty-five (45) days under CCPA, extendable).
8. Data Retention
We retain your data while your account is active or while necessary to fulfill the purposes described in this policy. After cancellation or deletion of the account:
- Account data is retained for 30 days to allow recovery or export.
- After that period, data is permanently deleted from our active systems.
- Backups are purged within an additional 90 days.
- Certain data may be retained to satisfy legal obligations (tax records, fraud prevention, regulatory compliance) for the period required by applicable law.
9. Cookies and Tracking Technologies
The Platform uses strictly functional and session cookies to:
- Maintain the user's authentication session.
- Store preferences (such as dark/light mode, language).
- Ensure session security and prevent CSRF.
We do not use third-party cookies for advertising tracking, cross-site behavioral analytics or targeted advertising.
10. Children's Data
The Platform is not directed at minors under 18 years of age, and we do not intentionally collect data from minors. In accordance with the Children's Online Privacy Protection Act (COPPA) and equivalent regulations, if we become aware that we have collected data from a minor under 13 years of age (or the minimum age applicable in your jurisdiction) without verifiable parental or guardian consent, we will proceed to delete it immediately.
11. International Data Transfers
Synvaxis LLC operates from the United States and its principal infrastructure providers are located in the United States (Supabase, Vercel, OpenAI, Google Cloud, Anthropic, among others). If you are located outside of the United States, by using the Platform you consent to the transfer of your data to the United States, where data-protection laws may differ from those of your jurisdiction.
For transfers from the European Economic Area (EEA), the United Kingdom and Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission, as well as supplementary technical and organizational measures. You may request a copy of these clauses by writing to gerencia@synvaxis.com.
12. Security and Incident Notification
We implement reasonable technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, encryption of sensitive credentials (AES-256-GCM), role-based access control, multi-tenant isolation through RLS, audit logs and periodic security reviews.
No transmission over the Internet or storage method is fully secure. In the event of a data breach affecting your personal data, Synvaxis will notify users and competent authorities within the timeframes required by applicable law (e.g. 72 hours under GDPR).
13. "Do Not Track" Policy and Privacy Signals
The Platform currently does not respond to browser "Do Not Track" signals. We honor Global Privacy Control (GPC) signals where technically detectable, treating them as a valid opt-out request under CCPA/CPRA.
14. Changes to this Policy
We may update this Privacy Policy from time to time. Notice of material changes will be given at least fifteen (15) days in advance through the Platform or by email to registered users. The "Last updated" date at the top indicates when it was last modified.
15. Contact and Data Protection Officer
For inquiries, requests to exercise your rights or complaints regarding the privacy of your data, contact us at:
- Legal name: Synvaxis LLC
- Address: 30 N Gould St Ste N, Sheridan, WY 82801, USA
- Email: gerencia@synvaxis.com
- Suggested subject line: "Privacy Request / Data Subject Request"
If you reside in the European Union, the United Kingdom or the EEA and consider that the processing of your data infringes applicable law, you have the right to lodge a complaint with the supervisory authority competent in your country of residence.