SyngulrSyngulr

Privacy Policy

Effective date: 22 May 2026

Last updated: 02 June 2026

1. Introduction

This Privacy Policy explains how Syngulr AI (“Syngulr”, “we”, “us”, “our”) collects, uses, shares, and protects personal information when you visit syngulr.ai, use our applications, APIs, beta programs, or any related services (together, the “Service”).

This Policy applies to personal information of website visitors, account holders, the authorized users in their organizations, and people who interact with us (for example, by emailing support).

If you use the Service on behalf of an organization, that organization is the controller of personal information about its end users that it processes through the Service, and Syngulr acts as a processor under a Data Processing Addendum (DPA). For personal information we determine the purposes and means of processing – for example, account, billing, security, and product analytics – Syngulr is the controller, and this Policy describes that processing.

Syngulr is based in Australia and handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy should be read together with our Terms of Service, our Cookie Policy, and our Refund Policy.

2. Information we collect

2.1 Information you provide

  • Account information: name, email address, password, organization name, job title.
  • Billing information: billing contact, address, tax ID, and (where applicable) the last four digits of your payment card. Full card numbers are collected and stored by our payment processor, not by us.
  • Communications: messages you send us, support requests, survey responses, feedback, and beta program notes.
  • Customer Content: prompts, instructions, files, workflows, approvals, and other content you submit to or generate using the Service.

2.2 Information we collect automatically

  • Device and connection data: IP address, browser type and version, device identifiers, operating system, language settings, time zone, approximate location derived from IP.
  • Usage data: pages and features used, actions taken, agent and workflow performance metrics, error and crash logs, referral source, campaign parameters.
  • Cookies and similar technologies: see Section 6 and our Cookie Policy.

2.3 Information from third parties

  • Authentication providers (for example, Google sign-in) - basic profile information you authorize them to share.
  • Payment processors– billing status and transaction metadata.
  • Connected apps and integrations you choose to link to the Service.
  • Service providers that help us deliver, secure, and analyze the Service.
  • Publicly available business information used for sales and account enrichment.

We do not knowingly collect sensitive personal information as defined under the CPRA or special category data under GDPR, and you must not submit such information through the Service except where the Service is expressly configured to handle it under a separate written agreement.

3. How we use information and our legal bases

We use personal information for the purposes below. The “legal basis” column applies to individuals in the EU, UK, and other jurisdictions whose data protection law requires one. For Australian individuals, we rely on the APPs and the lawful-handling requirements in the Privacy Act 1988 (Cth).

PurposeLegal basis (GDPR / UK GDPR)
Create and operate your account; provide the Service and its featuresPerformance of a contract
Process payments, invoices, and tax recordsPerformance of a contract; legal obligation
Provide support and respond to your requestsPerformance of a contract; legitimate interests
Maintain security, prevent fraud and abuse, enforce our TermsLegitimate interests; legal obligation
Improve, debug, and develop the Service (using aggregated and de-identified data; not by training AI models on Customer Content)Legitimate interests
Send service messages (e.g. security alerts, billing, material changes)Performance of a contract; legal obligation
Send marketing and product communications to business contactsLegitimate interests, or consent where required (e.g. EU/UK e-marketing to individuals)
Run beta programs and waitlistsPerformance of a contract; legitimate interests
Comply with law and respond to lawful requestsLegal obligation
Defend or pursue legal claimsLegitimate interests; establishment, exercise, or defense of legal claims

Where we rely on legitimate interests, we have weighed those interests against your rights and concluded that our processing is proportionate. You can object at any time (see Section 10).

4. AI processing and our no training commitment

When you use the Service, your prompts, instructions, uploads, and the resulting Output are processed by our systems and by trusted third-party AI model providers under written agreements that prohibit them from using your data to train their models.

We do not use Customer Content to train or fine-tune our own AI models, and we contractually require our AI model providers not to use Customer Content to train their models. If we ever introduce a program that allows you to opt in to sharing Customer Content for model training, it will be opt-in, clearly disclosed, and revocable.

We may use aggregated, de-identified, or anonymized information about how the Service is used (for example, error rates, latency, feature adoption) to operate, secure, and improve the Service. We do not attempt to re-identify this data.

Some agents and workflows take actions on connected systems on your behalf. Where the configuration requires human approval before an action, you are responsible for reviewing and approving that action.

5. How we share information

We share personal information only as described below.

  • Service providers and subprocessors that host, secure, analyze, support, or operate the Service. A current list of subprocessors is available on request by emailing [email protected], and we will give notice of material changes.
  • AI model and inference providers under contracts that prohibit training on Customer Content.
  • Payment processors that handle billing.
  • Professional advisers (lawyers, auditors, accountants) under duties of confidentiality.
  • Authorities and other parties where we believe in good faith that disclosure is required by law, necessary to protect rights or safety, or necessary to enforce our Terms.
  • In a corporate transaction – for example, a merger, financing, acquisition, reorganization, or sale of assets – subject to the receiving party honoring this Policy or giving you notice.
  • With your direction– for example, when you connect a third-party integration or share content with collaborators.

We do not sell personal information for money. Some advertising and analytics cookies may constitute “sharing” or “sale” under the CPRA and similar US state laws; see Section 12 for how to opt out, including our recognition of Global Privacy Control (GPC) signals.

6. Cookies and similar technologies

We use cookies, pixels, local storage, and similar technologies to:

  • Keep you signed in and remember your preferences;
  • Secure the Service and detect abuse;
  • Measure usage and performance; and
  • Support marketing on our own properties and limited partner properties.

You can control cookies through your browser, through the consent banner we present in regulated regions, and through our Cookie Policy. Some parts of the Service may not function correctly if essential cookies are disabled.

We honor browser-level Global Privacy Control (GPC) signals as a valid opt-out of “sharing” and “sale” of personal information under California law and equivalent US state laws.

7. Data retention

We retain personal information only as long as needed for the purposes for which it was collected, including legal, accounting, security, and dispute-resolution needs.

CategoryDefault retention
Account dataWhile your account is active, plus 12 months after closure
Customer Content in active systemsWhile your account is active; deletable on request or via account controls
Customer Content in backupsUp to 90 days after deletion from active systems
Billing and tax records7 years, or as required by applicable tax law
Security and audit logsUp to 24 months
Support communicationsUp to 36 months after the case is closed
Marketing contact dataUntil you unsubscribe, plus a short suppression record

We may keep information longer where required by law, to defend or bring legal claims, or in a form that no longer identifies you.

8. Data security

We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, and loss. These include encryption in transit and at rest, access controls and least-privilege provisioning, secure software development practices, vulnerability management, logging and monitoring, employee training, and vendor security reviews.

No system is perfectly secure. We will notify you of a personal data breach affecting your information without undue delay as required by applicable law, including (for Australian individuals) under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth)

9. International data transfers

We operate globally and may transfer, store, and process personal information in countries other than your own, including the United States.

Where we transfer personal information out of the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards, including the European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented as necessary. For personal information of Australian individuals, we take reasonable steps under APP 8 to ensure overseas recipients handle the information consistently with the APPs. You may obtain a copy of the safeguards used for a specific transfer by emailing [email protected].

10. Your rights

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete information;
  • Delete personal information;
  • Obtain a portable copy of certain information;
  • Restrict or object to certain processing, including direct marketing;
  • Withdraw consent where processing is based on consent (without affecting the lawfulness of prior processing); and
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 14).

To exercise these rights, email [email protected]. We may need to verify your identity before responding, and we will respond within the time required by applicable law. There is no fee for most requests; we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.

If we process your personal information on behalf of a business customer (as a processor), please direct your request to that customer; we will support them in responding.

You have the right to lodge a complaint with a supervisory or data protection authority (see Sections 11-13 for the authority that applies in your jurisdiction).

11. Australian privacy rights

This section applies to individuals in Australia. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

You may:

  • Request access to personal information we hold about you (APP 12);
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information (APP 13);
  • Withdraw consent for any processing based on consent;
  • Opt out of direct marketing (APP 7); and
  • Make a privacy complaint by emailing [email protected].

We will acknowledge your request within a reasonable period and respond within 30 days where practicable. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au or on 1300 363 992.

If we become aware of an “eligible data breach” within the meaning of Part IIIC of the Privacy Act 1988 (Cth), we will notify the OAIC and affected individuals as required by the Notifiable Data Breaches (NDB) scheme.

12. California privacy rights

This section applies if you are a California resident. It uses CCPA/CPRA terminology.

Categories of personal information we collect, “sell”, or “share”

In the last 12 months we have collected the categories of personal information described in Section 2 (identifiers, commercial information, internet activity, geolocation derived from IP, professional information, and inferences drawn from these). We have not sold personal information for money. To the extent our use of advertising or analytics cookies constitutes “sharing” or a “sale” under the CPRA, you may opt out as described below.

Your rights

  • Right to know what personal information we collect, use, disclose, and “share”.
  • Right to correct inaccurate personal information.
  • Right to delete personal information we collected from you, subject to legal exceptions.
  • Right to opt out of “sale” or “sharing” of personal information.
  • Right to limit use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right).
  • Right to non-discrimination for exercising your rights.

How to exercise rights

Email [email protected] or use the controls in your account. We honor Global Privacy Control (GPC) signals as a valid opt-out of “sale” and “sharing”. Authorized agents may submit requests on your behalf with proof of authorization.

“Shine the Light”

California Civil Code Section 1798.83 lets California residents request information about disclosures of personal information to third parties for those third parties’ direct marketing purposes. We do not make such disclosures, so no such information exists to report.

Retention

We retain personal information as described in Section 7.

13. EU, UK, and Swiss privacy rights

This section applies to individuals in the EEA, UK, and Switzerland and supplements the rights in Section 10.

  • Controller: Syngulr AI, with the contact details in Section 19.
  • EU representative: We will appoint and disclose an Article 27 representative if and when we offer the Service to individuals in the EU in a way that requires one. Until then, EU individuals may contact us using the details in Section 19.
  • UK representative: We will appoint and disclose a UK Article 27 representative if and when we offer the Service to individuals in the UK in a way that requires one. Until then, UK individuals may contact us using the details in Section 19.
  • Legal bases: see Section 3.
  • International transfers: see Section 9.
  • Right to complain:In the EU, you may complain to the supervisory authority in the member state of your residence, place of work, or place of the alleged infringement. In the UK, the relevant authority is the Information Commissioner’s Office (ico.org.uk).

14. Automated decision making and profiling

Some Service features use AI to suggest, draft, or stage actions. Where these features are configured to require human approval, no decision is made solely by automated processing. Where you configure agents to act without human approval, you are responsible for ensuring this is lawful in your jurisdiction and for providing any required notices and human-review mechanisms to affected individuals.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

15. Children

The Service is intended for users 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.

16. Third party links and integrations

The Service may link to or integrate with third-party websites, apps, models, and services. Those third parties have their own privacy practices, and we are not responsible for them. Review their policies before using them.

17. Meta (Facebook & Instagram) advertising data

If you connect a Meta advertising account, you authorize Syngulr to access your Meta (Facebook and Instagram) advertising data through the Meta Marketing API so that our agents can help you manage and report on your ad campaigns at your direction. This section describes that processing and applies in addition to the rest of this Policy.

Permissions we request

We request only the permissions needed to provide the features you use:

  • ads_read– to read your ad accounts, campaigns, and performance insights so we can report on them;
  • ads_management– to create, update, and pause campaigns when you ask us to;
  • pages_show_list– to list the Facebook Pages you manage so a Page can be selected;
  • business_management– to list your Meta Business Managers and the ad accounts they own or are granted access to;
  • catalog_management– to read your product catalogs and the products in them.

What we store and how we use it

  • We store a Meta access token (encrypted at rest), your Facebook user ID, and the permissions you granted, used solely to make authorized API calls on your behalf and to maintain the connection.
  • Ad account, campaign, and insights data we retrieve is processed to fulfil your requests and appears in your chat history. We do not maintain a separate copy or warehouse of your Meta advertising data.
  • We do not sell your Meta data, and we do not use it to train AI models. We use it only to provide the Service as you direct, and we may use aggregated, de-identified, or anonymized information for analytics to improve the Service, without attempting to re-identify it.

Retention, revocation, and deletion

The access token is retained until you disconnect Meta Ads or it expires (Meta long-lived tokens last roughly 60 days), after which you must reconnect to continue. You can revoke access and delete the stored credentials at any time by disconnecting Meta Ads in Integrations → Meta Ads, by removing Syngulr from your Facebook Business integrations, or by following our Data Deletion Instructions.

Our handling of data obtained through the Meta platform complies with the Meta Platform Terms and Developer Policies. Your use of Meta’s own products is governed by Meta’s terms and privacy policy.

18. Changes to this Policy

We may update this Policy from time to time. If a change is material, we will give at least 30 days’ notice by email or in-product before it takes effect and, where required by law, will seek your consent. The “Last updated” date at the top of this Policy shows when it was most recently revised.

19. Contact us

Syngulr

Website: https://syngulr.ai

Email: [email protected]

Country: Australia

For questions about this Policy or to exercise any right described above, email [email protected]. Australian residents may also contact the Office of the Australian Information Commissioner (OAIC) as described in Section 11.