Privacy Policy
Effective date: June 22, 2026
SYNAX ("we", "us", or "our") operates an AI-powered clinic management platform accessible at www.synax.cloud. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using SYNAX, you agree to the practices described here.
1. Information We Collect
We collect information in the following categories:
Business account data — When a clinic subscribes to SYNAX, we collect the business name, address, operating hours, services list, WhatsApp phone number ID (Meta Business Account), and the names and email addresses of staff members who are invited to the dashboard.
Patient interaction data — When a patient contacts the clinic via WhatsApp, our AI agent records the patient's phone number, the name they provide, the content of their messages, appointment requests, and any clinical notes added by clinic staff through the patient vault.
Appointment records — Booking time, reason for visit, and appointment status (scheduled, confirmed, cancelled, completed).
Conversation logs — Inbound and outbound WhatsApp messages associated with a patient phone number and clinic.
Usage and analytics data — Anonymised page views and web vitals collected by Vercel Analytics. No personally identifiable information is attached to these analytics events.
Error logs — Technical error records that include the clinic identifier, the workflow node that failed, and the patient phone number associated with the failed interaction. Used solely for diagnosing and resolving service issues.
2. How We Use Information
We use the information we collect to:
- Operate the AI WhatsApp agent and route messages to the correct clinic workflow - Display appointment schedules, patient records, and conversation history in the clinic dashboard - Send in-app notifications to clinic staff about new bookings, handoffs, and system alerts - Diagnose technical failures and improve service reliability - Measure aggregate platform usage (anonymised analytics only) - Send transactional emails such as staff invitation links
We do not use patient data for advertising, cross-clinic profiling, or any purpose other than providing the service to the subscribing clinic.
3. Data Sharing and Third-Party Services
We share data only as necessary to operate the platform:
Supabase — Our database, authentication, and file storage provider. Patient data, messages, appointments, and business configuration are stored in Supabase-managed PostgreSQL databases. Data is stored in the EU (Frankfurt) region.
Vercel — Our hosting and deployment infrastructure. Vercel Analytics collects anonymised usage data. No personally identifiable information is transmitted to Vercel.
Meta / WhatsApp Cloud API — WhatsApp messages pass through Meta's infrastructure. Use of the WhatsApp channel is subject to Meta's own Terms of Service and Privacy Policy. SYNAX does not control how Meta processes message metadata.
n8n — Our AI workflow engine processes incoming WhatsApp messages and reads clinic configuration from the database in order to generate AI responses. n8n acts as a data processor on our behalf.
Resend — Used to deliver transactional emails (staff invitations). Only the email address of the invited user is transmitted.
We do not sell, rent, or trade personal data to third parties for commercial purposes.
4. Data Retention
We retain data for as long as a business account is active. When a business account is deleted, we permanently remove all associated business records, patient records, messages, appointments, and staff profiles from the database within 30 days. Audit log entries related to the account are anonymised (the business identifier is nulled) but retained for platform security purposes.
Patients may contact the clinic directly to request deletion of their personal data. The clinic (as the data controller) is responsible for fulfilling such requests through the dashboard or by contacting us.
5. Data Security
We implement the following security measures:
- All data is encrypted in transit using TLS 1.2 or higher - Database data is encrypted at rest by Supabase - Row-Level Security (RLS) policies ensure that clinic staff can only access records belonging to their own clinic - Super-admin access to patient data requires explicit consent from the clinic owner (break-glass access with a logged audit trail) - Staff access is controlled by a three-level role system (Staff, Admin, Super-Admin)
No system is perfectly secure. If you discover a security vulnerability, please report it to security@synax.cloud.
6. Your Rights
Depending on your location, you may have the right to:
–Access the personal data we hold about you
–Correct inaccurate information
–Request deletion of your personal data
–Object to certain processing activities
–Data portability — receive a copy of your data in a machine-readable format
To exercise any of these rights, contact us at privacy@synax.cloud. Clinic patients should contact their clinic directly; clinics can fulfil requests through the dashboard or escalate to us.
7. Children's Privacy
SYNAX is not directed at children under the age of 13. We do not knowingly collect personal data from children. If a minor contacts a clinic via WhatsApp, the data is handled by the clinic as the data controller. If you believe we have inadvertently collected data about a child, contact us at privacy@synax.cloud and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. We encourage you to review this page periodically. Continued use of SYNAX after an update constitutes acceptance of the revised policy.
9. Contact Us
If you have any questions about this Privacy Policy, please contact us:
SYNAX Email: privacy@synax.cloud Website: www.synax.cloud