Privacy Policy

This Privacy Policy describes how Synapic AI (the “Service”) handles personal information when you use our web application and related features. The organization that operates this deployment for your team is responsible for how the Service is used in your environment; contact your administrator for organization-specific questions.

What the Service is

The Service is a central workspace for media planning, campaign and client configuration, collaboration, and AI-assisted workflows. Depending on your access, it may include tools for media strategy, reporting, shared campaign views, configuration of media channels and integrations, and activity logging. Features available to you depend on your account and permissions.

Roles: controller vs processor

Workspace/customer data: When your organization uses the Service to store and process client, campaign, and planning information, Synapic AI generally acts as a data processor on behalf of the organization that operates the workspace (the controller). Your organization determines what data is uploaded, how it is used, and who has access.

Service operations data: Oakil OÜ (operating Synapic AI) may act as a controller for certain limited data required to operate the Service (for example account creation, authentication, security logs, and product analytics), as described below.

Information we process

We process information in order to run and secure the Service, including:

• Account and profile data: such as your email address, name or display name, role, and authentication identifiers provided through our identity provider (Supabase Auth).
• Content you or your organization provide: campaign and media-plan data, client records, configuration (for example media channels, placements, integrations), documents, prompts, and other materials you upload or enter into the workspace.
• Technical and usage data: server and application logs (which may include IP addresses, device or browser type, timestamps, and requested URLs), security-related events, and product analytics to understand how the Service is used and to improve reliability and performance.
• Shared links: where your organization uses token-based links to share specific campaigns or assets with recipients, access is limited to the content those links expose; do not share links outside your intended audience.

Connected accounts and integrations (Google, Meta, and others)

If your organization enables integrations, the Service can connect to third-party platforms (for example Google Ads, Google Analytics (GA4), Display & Video 360, and Meta Marketing API) after an authorized user completes an OAuth consent flow.

• What we store for integrations: OAuth tokens/credentials (stored server-side), token expiry timestamps, and connection metadata such as integration status and selected scope identifiers (for example selected customer/account IDs).
• What we access from integrated platforms: information needed to show reporting and insights, such as accessible ad accounts/customers for scope selection and advertising performance data (for example impressions, clicks, cost, and conversions) for the accounts you select.
• How we use integrated data: to provide the user-requested features (for example dashboards, summaries, and AI-assisted analysis grounded in retrieved metrics) within your organization's workspace.
• What we do not do with integrated data: we do not sell Google or Meta data; we do not use it for targeted advertising, data brokerage, or unrelated profiling; and we do not access unrelated Google services (such as Gmail or Drive) unless you enable a separate integration that requires it.

Google API data: limited use

Synapic AI's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google API data is used only to provide or improve user-facing features in the Service and is not used for purposes such as selling data, serving ads, or training generalized AI models.

AI features

When you use AI-powered features, your inputs and relevant context may be sent to underlying model providers (for example through Vercel AI SDK or configured API providers) to generate responses. Do not submit personal data or confidential information unless your organization has approved that use. Outputs may be inaccurate or incomplete and should be reviewed by qualified people before business or legal reliance.

Cookies and similar technologies

We use cookies and similar technologies that are necessary for authentication and session management (for example Supabase session cookies). We may use analytics tools (such as Vercel Analytics) that collect aggregated usage information. You can control cookies through your browser settings; disabling essential cookies may prevent sign-in from working.

Why we process information

We process information to:

• Provide, operate, and improve the Service;
• Authenticate users and enforce access controls and roles;
• Maintain security, prevent abuse, and troubleshoot issues;
• Comply with legal obligations and respond to lawful requests where applicable.

Legal bases (EEA/UK and similar jurisdictions)

Where required by law, we rely on one or more of the following legal bases to process personal information:

• Contract / performance of a contract: to provide the Service you or your organization requested (for example sign-in, workspace access, and core features).
• Legitimate interests: to secure, maintain, and improve the Service (for example preventing fraud/abuse, troubleshooting, and aggregated analytics), where those interests are not overridden by your rights.
• Consent: where we (or your organization) present choices for optional processing (for example certain analytics or cookies, depending on jurisdiction).
• Legal obligation: to comply with applicable laws and lawful requests.

Service providers

We rely on subprocessors that host or support the Service, including Supabase (authentication and database), Vercel (hosting and analytics), and Google Gemini (AI features). These providers process data only as needed to deliver their services, under appropriate agreements.

We may share information with (a) your organization's administrators and authorized users according to workspace permissions, (b) our service providers acting on our instructions, and (c) authorities or other parties where required by law.

No sale of personal information

We do not sell personal information. We also do not share personal information with third parties for cross-context behavioral advertising.

Retention

We retain information for as long as needed to provide the Service and as required by law or your organization's settings. Backup, caching, and deletion timelines may vary by system component.

Integration data retention: integration credentials and related settings are retained until you disconnect the integration, or for up to 60 days without activity, unless your organization removes the related client/workspace data earlier. If you revoke consent at the third-party provider, the integration may stop working until reconnected.

Operational logs and analytics: security and operational logs are retained for up to 3 months, product analytics data is retained for up to 12 months, and backups are retained for up to 6 months.

Disconnecting integrations, revoking access, and deletion

You can disconnect integrations from within the Service (where enabled for your role), which removes the stored connection for the relevant client/workspace and stops future API calls for that integration. You can also revoke access directly with the provider (for example in your Google Account or Facebook/Meta app settings). For Meta-specific deletion requests, see Meta (Facebook) data deletion instructions.

Security

We implement technical and organizational measures appropriate to the Service, including encryption in transit where supported, access controls, and secure credential handling. No method of transmission or storage is completely secure; use strong passwords and protect your account.

Your rights

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal information, or to object to certain processing. To exercise these rights, contact your workspace administrator or the data protection contact for your organization. We may need to verify your identity before fulfilling a request.

Where applicable, you may also have the right to data portability, to withdraw consent (where we rely on consent), and to opt out of certain processing. If you are in the EEA/UK, you may also lodge a complaint with your local supervisory authority.

International transfers

Data may be processed in countries where our service providers operate. When personal data is transferred across borders, we rely on appropriate safeguards as required by applicable law.

These safeguards include standard contractual clauses and additional measures where appropriate. For EU clients, we store data in the EU. For US clients, data may be stored in the US or other regions as needed to operate the Service.

Automated decision-making

The Service may provide recommendations, summaries, or AI-assisted outputs, but we do not use automated decision-making that produces legal or similarly significant effects about you without meaningful human review.

Children

The Service is not directed at children under 16, and we do not knowingly collect personal information from children.

Business customers only

The Service is intended for business use by organizations and their authorized users. It is not offered as a consumer service.

Changes

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Continued use of the Service after changes constitutes acceptance of the updated policy where permitted by law.

Contact

For privacy questions related to your organization's use of the Service, contact your administrator. For product-level inquiries about this deployment, email privacy@synapic.ai.

Data controller contact details: Oakil OÜ, Karusambla tee 1/3 - 1, Järveküla, Estonia, 75304.