Privacy Policy
Last updated: January 8, 2026.
Syft ("we", "us", or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and share your data when you use our mobile application and services (the "Services").
1. Information We Collect
We collect the following types of information when you use Syft:
1.1 Information You Provide
- Account information: such as your name, email address, and login credentials when you create an account.
- Messages and content: messages you send, receive, or generate within Syft's messaging platform.
- Calendar data: if you connect your calendar, we access event titles, descriptions, times, and attendees to provide scheduling insights.
- User preferences: your communication style preferences, priorities, and profile settings provided during onboarding.
- User feedback or support inquiries: information you share with us when contacting support or providing feedback.
1.2 Information Automatically Collected
- Usage data: including log files, timestamps, feature usage, and interactions with the Services.
- Device and technical information: such as IP address, browser type, operating system, and device identifiers.
- Cookies and tracking technologies: as described in our [Cookie Policy](/cookie-policy).
2. How We Use Your Information
We use your data to:
- Provide, operate, and maintain the Syft platform
- Enable messaging and AI-powered assistant functionality
- Improve and personalize the user experience
- Communicate with you about updates, new features, and service information
- Detect, prevent, and respond to security issues or abuse
- Comply with legal obligations
3. Legal Basis for Processing
We process your data based on the following lawful grounds:
- Contract Performance: To provide the Syft service you've signed up for
- Consent: For optional features like connecting Gmail/Calendar (you can withdraw anytime)
- Legitimate Interests: For security, fraud prevention, and service improvement
4. Data Encryption & Security
We take the security of your data seriously. Syft implements multiple layers of protection:
4.1 Encryption at Rest
All sensitive data stored in our systems is encrypted using AES-256-GCM, a military-grade encryption standard. This includes:
- Message content and previews
- Calendar event details (titles, descriptions, locations, attendees)
- Your personal profile information and preferences
- OAuth tokens for connected services
4.2 Per-User Encryption Keys
Each user's data is encrypted with a unique Data Encryption Key (DEK). This means:
- Your data is cryptographically isolated from other users
- Even in the unlikely event of unauthorized database access, your data remains encrypted
- Only authenticated requests through our secure backend can decrypt your data
4.3 Encryption in Transit
All data transmitted between your device and our servers is protected using TLS encryption, ensuring your information cannot be intercepted during transmission.
4.4 Key Rotation
We automatically rotate encryption keys every 90 days as a security best practice, limiting the exposure window if a key were ever compromised.
4.5 Access Controls
- Rate limiting protects against brute-force attacks and abuse
- Audit logging tracks security-relevant events for compliance and incident investigation
- Role-based access ensures only authorized systems can access encrypted data
5. AI & Third-Party Data Processing
5.1 How AI Features Work
Syft uses AI to provide intelligent features like message summarization, smart replies, and priority detection. Here's how we protect your data:
- Data Minimization: We only send the minimum necessary data to AI providers—never your full inbox
- No Training on Your Data: OpenAI does not use API data to train their models. Your messages are never used to improve AI.
- Limited Retention: OpenAI may retain API data for up to 30 days for abuse monitoring, after which it is automatically deleted
- Encrypted at Rest: All AI-generated content (summaries, suggestions) is encrypted before storage in Syft
5.2 Third-Party Services
We use trusted third-party services to operate Syft:
- Supabase: Secure database hosting with row-level security
- OpenAI: AI processing (data not used for training, retained max 30 days)
- Google APIs: Calendar and Gmail integration (with your explicit consent)
All third-party providers are bound by confidentiality and security obligations. We maintain Data Processing Agreements (DPAs) with our AI providers.
6. Automated Processing
Syft uses AI to automatically prioritize messages and generate suggestions. These features:
- Do not make legally significant decisions about you
- Are designed to assist, not replace, your judgment
7. Data Retention & Deletion
We retain your personal information only for as long as necessary to provide Syft's services, comply with legal obligations, resolve disputes, and maintain security.
Retention Periods
- Account Information: Retained while your account is active. Deleted within 30 days of account deletion request.
- Messages and Content: Stored until you delete them or delete your account. Deleted messages may remain in encrypted backups for 30–90 days before automatic removal.
- Calendar Data: Synced events are retained while your calendar is connected. Disconnecting removes stored calendar data.
- Usage & Analytics Data: Kept for up to 12 months, then deleted or anonymized.
- Audit Logs: Security logs retained for 12 months for compliance purposes.
- Support Communications: Customer support logs retained for up to 24 months from resolution date.
Your Deletion Rights
You can request complete deletion of your data at any time:
- In-App: Settings → Privacy → Delete My Data
- Via Email: Contact privacy@syft.tech
- Via API: Authenticated request to our data deletion endpoint
We will process deletion requests within 30 days and provide confirmation upon completion.
8. Your Rights (GDPR & Global Privacy)
Depending on your location, you may have the right to:
- Access: Receive a copy of your personal data in a portable format
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data ("right to be forgotten")
- Portability: Export your data in a machine-readable format
- Object: Object to or restrict certain processing
- Withdraw Consent: Withdraw consent where applicable
- Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, or your EU member state's DPA)
Exercising Your Rights
- Data Export: Available in-app at Settings → Privacy → Export My Data
- Data Deletion: Available in-app at Settings → Privacy → Delete My Data
- Email: Contact privacy@syft.tech
- EU/UK Representative: Via our representative Prighter at https://app.prighter.com/portal/syft
We respond to all privacy requests within 30 days.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: You can request deletion of your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
To exercise your CCPA rights, contact us at privacy@syft.tech or use the in-app privacy settings.
10. Sharing of Information
We do not sell your personal data. We may share limited information only as necessary with:
- Service providers that help us operate and maintain Syft (hosting, analytics, support)
- AI providers for processing requests (not used for training)
- Legal authorities if required by law, subpoena, or other lawful process
- Business transfers such as mergers or acquisitions, where privacy protections will continue to apply
All third parties are bound by confidentiality and security obligations.
11. Connected Services
When you connect external services to Syft (Gmail, Google Calendar, Slack), we:
- Request only necessary permissions to provide the features you've enabled
- Encrypt stored tokens using the same AES-256-GCM encryption as your messages
- Allow disconnection at any time through the app or by contacting support
- Delete associated data when you disconnect a service
You can review and revoke Syft's access to your connected accounts at any time through those platforms' security settings.
12. Minimum Age and Children's Privacy
You must be at least 16 years old to use Syft. If you are located in the United States, you must be 13 years or older. We do not knowingly collect personal information from anyone under these ages. If you believe we have collected data from a minor, please contact us immediately.
13. International Data Transfers
As Syft operates globally, your information may be transferred to and processed in countries where privacy laws may differ. We ensure appropriate safeguards are in place to protect your data, including:
- Encryption of all data in transit and at rest
- Contractual obligations with all service providers
14. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any updates will be posted on this page with an updated "Last updated" date. We will notify you of material changes via email or in-app notification.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@syft.tech
16. Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
- United Kingdom (UK)
- European Union (EU)
Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit: https://app.prighter.com/portal/syft
