Privacy Policy

1. Introduction

SynSave (“we,” “us,” or “the Company”) operates the SynSave web application and mobile application (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, and disclose information when you access or use the Service. By using SynSave, you acknowledge and agree to the practices described herein.

We are committed to safeguarding the confidentiality of your personal and financial information. This policy is designed to comply with applicable data protection regulations, including but not limited to the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other relevant privacy frameworks.

2. Information We Collect

2.1 Information You Provide Directly

• Account Credentials — email address and encrypted password, or third-party authentication tokens (Google Sign-In).
• Financial Data — income sources, bank account balances, credit card details (balances, APR, minimum payments), loan information, recurring expenses, and savings goals as entered by you into the Service.
• Receipt Images — photographs of receipts uploaded via the mobile application for automated data extraction.
• Profile Information — display name, notification preferences, and canvas configurations.

2.2 Information Collected Automatically

• Device & Usage Data — device type, operating system, browser type, session duration, feature usage patterns, and crash reports.
• Log Data — IP address, access timestamps, referring URLs, and API request metadata.
• Cookies & Local Storage — authentication session tokens and user interface preferences stored locally on your device.

2.3 Information from Third Parties

If you authenticate via Google Sign-In, we receive your name, email address, and profile photograph from Google. We do not receive or store your Google account password.

3. How We Use Your Information

We use the information collected for the following purposes:

• Service Operation — to provide, maintain, and improve the Service, including financial projections, debt payoff calculations, cashflow analysis, and scenario modeling.
• AI-Powered Processing — receipt images are transmitted to third-party AI models (OpenAI) for optical character recognition and data extraction. The AI copilot feature processes your financial data to generate personalized insights. See Section 6 for details.
• Notifications — to send bill reminders, receipt processing status updates, and other Service-related notifications you have opted into.
• Security — to detect, prevent, and address fraud, unauthorized access, and other illegal activities.
• Analytics — to understand usage patterns and improve Service quality. All analytics data is aggregated and anonymized.

4. Data Storage & Security

Your data is stored on infrastructure provided by Supabase, Inc., which utilizes Amazon Web Services (AWS) data centers. All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption.

• Authentication tokens are managed via Supabase Auth with industry-standard JWT protocols.
• Receipt images are stored in private, access-controlled storage buckets with Row-Level Security (RLS) policies ensuring only the uploading user may access their own files.
• Biometric authentication data (Face ID, fingerprint) is processed entirely on-device via the operating system's secure enclave. We never receive, transmit, or store biometric templates.
• Sensitive user preferences are stored in the device's secure keychain (iOS) or encrypted shared preferences (Android) via Expo SecureStore.

Notwithstanding the foregoing, no method of electronic storage or transmission over the Internet is completely secure. While we employ commercially reasonable measures to protect your data, we cannot guarantee absolute security and shall not be liable for any unauthorized access that occurs despite such measures.

5. Third-Party Service Providers

We engage the following categories of third-party service providers to operate the Service. Each provider receives only the minimum data necessary to perform its designated function:

We do not sell, rent, or trade your personal information to any third party for marketing purposes. Data shared with the above providers is governed by their respective privacy policies and data processing agreements.

6. Artificial Intelligence & Automated Processing

The Service utilizes artificial intelligence models provided by OpenAI for the following automated processing activities:

• Receipt Scanning — uploaded receipt images are processed by a vision-capable AI model to extract merchant name, total amount, date, and line-item details. Images are transmitted to OpenAI's API, processed, and the extracted data is returned to the Service. OpenAI does not retain images submitted via API for model training purposes per their data usage policy.
• AI Financial Copilot — the copilot analyzes your financial data (income, expenses, debts, projections) to provide personalized insights, recommendations, and scenario modeling. Conversations with the copilot are stored in your account and are not used to train AI models.

You may opt out of AI-powered features at any time by not utilizing receipt scanning or the copilot feature. All AI-generated outputs are advisory in nature and do not constitute financial advice. See our Terms of Service for important disclaimers.

7. Data Retention

We retain your personal and financial data for as long as your account remains active and as necessary to provide the Service. Upon account deletion:

• All user-generated content (canvases, nodes, projections, scenarios, receipt drafts) is permanently deleted within 30 days.
• Receipt images are deleted from storage immediately upon account deletion request.
• Copilot conversation history is permanently deleted within 30 days.
• Aggregated, anonymized analytics data may be retained indefinitely as it cannot be traced back to any individual.
• Transaction records with Stripe may be retained by Stripe in accordance with their data retention policy and applicable tax/accounting regulations.

8. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

• Right of Access — request a copy of all personal data we hold about you.
• Right to Rectification — correct any inaccurate or incomplete personal data.
• Right to Erasure — request deletion of your personal data, subject to legal retention obligations.
• Right to Data Portability — receive your data in a structured, commonly used, machine-readable format.
• Right to Restrict Processing — request that we limit how we process your data in certain circumstances.
• Right to Object — object to processing of your data for certain purposes.

To exercise any of these rights, please contact us at privacy@synsave.com. We will respond to verified requests within 30 days.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information promptly.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from the laws of your jurisdiction. By using the Service, you consent to the transfer of your information to such countries. We ensure that appropriate safeguards are in place, including standard contractual clauses where applicable.

11. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated via in-app notification or email to the address associated with your account. Your continued use of the Service following the posting of changes constitutes your acceptance of such changes. We encourage you to review this policy periodically.

12. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact: