Privacy Policy

1. Who We Are

Synatsis Systems Inc., doing business as Synatsis (the "Company", "we", "our", or "us") is a Domestic Stock Corporation registered in the Republic of the Philippines. We operate a relationship intelligence platform for financial professionals, including wealth managers, private bankers, and private equity professionals.

As a Personal Information Controller (PIC) under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, we are responsible for the personal data you and your firm entrust to us. For the purposes of the EU/UK GDPR, Synatsis Systems Inc. is the data controller for personal data collected through the Site and platform.

Our registered Data Protection Officer (DPO) can be reached at . Users in the EEA or UK may contact the same address for GDPR-related requests; we will engage appropriate local counsel as required.

2. Scope of This Policy

This Privacy Policy applies to all personal data processed through:

• Our website at synatsis.com, including early access waitlist and demo request forms
• The Synatsis web platform and any associated mobile applications
• Our API and CRM integration endpoints (Team and Enterprise plans)
• Communications between you and our team (support, sales, onboarding)

It applies to website visitors, prospective customers who submit waitlist or demo requests, individual subscribers, and firms and their authorised users.

3. Data We Collect

3.1 Website and Waitlist Data

When you submit our early access or demo request forms, we collect:

• First name and last name
• Business email address
• Job title or professional role
• Company name

We do not collect sensitive personal data (as defined under GDPR Article 9), payment card information, or social media credentials through the Site. We also automatically collect certain technical data when you visit the Site, including IP address, browser type, operating system, referring URL, and pages visited, for security and operational purposes only.

3.2 Account and Subscription Data

• Name, email address, job title, and firm name
• Billing and payment information (tokenised; raw card data is processed by Stripe and never stored on Synatsis systems)
• Subscription tier, seat allocation, and usage entitlements

3.3 Client Profile Data (Sensitive)

When you use the platform, you may enter information about your clients, including:

• Names, contact details, and professional information
• Relationship notes, meeting records, and communication history
• Psychographic and behavioural data (interests, communication preferences, life events)
• Financial indicators entered by you (e.g. general wealth tier, investment focus: not account numbers or transaction records)

Synatsis does not collect, process, or store actual banking account data, securities transaction records, or regulated financial instrument data. This data category never enters our systems.

3.4 Usage and Technical Data

• Feature interaction logs, session duration, and in-app actions
• IP address, browser type, operating system, and device identifiers
• Error logs and performance telemetry

3.5 Third-Party Integration Data

Where you connect a CRM (e.g. Salesforce, HubSpot, Microsoft Dynamics) under a Team or Enterprise plan, data flows from that platform into Synatsis pursuant to your authorisation. You remain responsible for ensuring that your use of such integrations complies with your firm's data governance policies and applicable law.

4. How We Process Your Data: AI Architecture

Synatsis uses a layered AI architecture. Understanding how data flows through these layers is central to understanding your privacy protections.

4.1 The Sana Orchestrator (Proprietary)

All AI processing requests are routed through the Sana Orchestrator, Synatsis's proprietary decision engine. The Orchestrator determines which model is appropriate for a given task, formats inputs and outputs, and enforces data handling rules before and after model invocation. It does not expose raw client data to any external model without first applying the anonymisation procedures described in Section 4.2.

4.2 Sensitive PII Handling: Private On-Premises SLM

Any task involving sensitive personally identifiable information, including client names, net worth indicators, relationship notes, and psychographic data, is processed exclusively by a fine-tuned Small Language Model (Llama 3-8B) hosted on Synatsis's private, dedicated server infrastructure.

• This model operates entirely within our Virtual Private Cloud (VPC)
• No sensitive PII ever leaves our VPC boundary
• Client identifiers are anonymised or pseudonymised before any data is passed to external model providers
• The fine-tuning dataset does not include subscriber or client data

4.3 Heavy Synthesis: Google Gemini (External)

For tasks involving large-scale public information synthesis, such as reading and summarising market news, earnings reports, or industry signals to identify relevance to a client, we use Google Gemini Pro, accessed via Google Cloud Vertex AI (region: asia-southeast1, Singapore).

• Only anonymised, de-identified, or publicly available data is sent to Gemini
• Client names and identifying details are replaced with pseudonyms by the Sana Orchestrator prior to external transmission
• Google processes this data as a data processor under Google Cloud's Data Processing Addendum, subject to Google's enterprise security and compliance commitments
• Data processed through Vertex AI does not leave the asia-southeast1 (Singapore) region

4.4 Summary of Data Flows

• Sensitive PII (names, net worth, notes) → Private on-premises SLM only. Stays within VPC.
• Anonymised synthesis tasks (news, signals) → Gemini via Google Vertex AI (Singapore). PII stripped before transmission.
• Routing logic → Sana Orchestrator (proprietary). Never exposes raw data to third-party models.

We do not use your data to train, fine-tune, or improve any external AI model. Our on-premises SLM fine-tuning uses curated, synthetic, and anonymised datasets only.

5. Legal Basis for Processing

We operate under two legal frameworks depending on where you are located. Philippine law applies to all users as our primary governing jurisdiction. EU/UK GDPR applies additionally where you are located in the European Economic Area or United Kingdom.

Under the Philippine Data Privacy Act (RA 10173)

The DPA permits processing of personal data where it is:

• Necessary for a contract (Section 12(b)): processing required to deliver the Services you have subscribed to, or to take steps at your request prior to entering into a subscription
• Necessary for compliance with a legal obligation (Section 12(c)): compliance with applicable Philippine law, NPC regulations, tax requirements, and lawful authority requests
• Necessary for the legitimate interests of Synatsis (Section 12(f)): security monitoring, fraud prevention, platform stability, product improvement, and contacting waitlist applicants about our product. We have assessed that these interests are not overridden by your rights and freedoms.
• Consent (Section 12(a)): where you have given your consent for a specific purpose, such as optional marketing communications. You may withdraw consent at any time by contacting .

Under the EU/UK GDPR (for EEA and UK residents)

Where EU or UK GDPR applies, we rely on the following Article 6 lawful bases:

• Article 6(1)(b), Contractual necessity, processing required to perform our contract with you or to take pre-contractual steps at your request
• Article 6(1)(c), Legal obligation, compliance with EU/UK law and regulatory requirements
• Article 6(1)(f), Legitimate interests, security monitoring, fraud prevention, product improvement, and contacting waitlist or demo applicants. You may request our legitimate interests balancing assessment at .
• Article 6(1)(a), Consent, where explicitly obtained for optional communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

6. Data Residency and Cross-Border Transfers

Synatsis Systems Inc. (DBA Synatsis) is incorporated in the Philippines. Your data is stored and processed in Singapore on Google Cloud infrastructure (asia-southeast1 region), which satisfies our data residency requirements.

Cross-border data transfers are governed as follows:

• Philippines to Singapore: We maintain a Data Sharing Agreement and adhere to NPC guidelines on cross-border transfers under Section 21 of RA 10173
• Singapore (Vertex AI): Governed by Google Cloud's Data Processing Addendum, aligned with Singapore's Personal Data Protection Act (PDPA 2012)
• EEA/UK users: Where personal data of EEA or UK residents is processed, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), as applicable. You may request a copy of the transfer safeguards we rely on by contacting .

We do not transfer data to jurisdictions without adequate protection unless contractual safeguards equivalent to those above are in place.

7. Data Retention

• Waitlist and demo request data: retained for 24 months from the date of submission, or until you request deletion, whichever is earlier
• Active subscriptions: data retained for the duration of the subscription
• Post-cancellation grace period: 30 days; data remains exportable
• Deletion: secure deletion from production systems within 90 days of grace period expiry
• Technical log data: IP addresses and access logs retained for up to 90 days for security and operational purposes
• Backups: purged on their standard rotation cycle (maximum 180 days)
• Legal hold: certain records may be retained longer if required by Philippine law, court order, or regulatory investigation

At the end of the applicable retention period, your data will be securely deleted or anonymised.

8. Security Measures

We implement the following technical and organisational measures:

• Encryption in transit: TLS 1.2 minimum across all endpoints
• Encryption at rest: AES-256 for all stored data
• VPC isolation: sensitive PII processing is fully isolated within our private cloud boundary
• Access controls: role-based access control (RBAC) with least-privilege principles; MFA required for all staff accessing production systems
• Infrastructure: the Site is hosted on infrastructure with enterprise-grade DDoS protection and automatic security patching
• Vulnerability management: regular penetration testing and dependency scanning
• Incident response: documented breach response procedure; NPC and affected users notified within 72 hours of a qualifying breach as required by NPC Circular 16-03

No method of transmission over the internet or electronic storage is 100% secure. If you believe your interaction with us is no longer secure, contact us immediately at . Enterprise customers may request our SOC 2 Type II attestation and GDPR Data Processing Addendum under NDA.

9. Your Rights

Under the Philippine Data Privacy Act and, where applicable, the EU/UK GDPR, you have the right to:

• Be informed: know what data we collect and how it is used
• Access (GDPR Article 15): obtain a copy of your personal data
• Rectification (GDPR Article 16): correct inaccurate or incomplete data
• Erasure (GDPR Article 17): request deletion of your personal data, subject to certain legal exceptions
• Restriction of processing (GDPR Article 18): restrict how we process your data in certain circumstances
• Data portability (GDPR Article 20): receive your data in a structured, machine-readable format
• Object (GDPR Article 21): object to processing based on legitimate interests
• Withdraw consent: where processing is based on consent, withdraw at any time without affecting prior lawful processing
• Lodge a complaint: with the National Privacy Commission (Philippines) at privacy.gov.ph. If you are in the UK, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk. In the EEA, contact the supervisory authority in your country of residence.

To exercise any right, contact . We will respond within 15 business days (Philippine DPA requirement). GDPR users retain the 30-day response window under Article 12. We may ask you to verify your identity before fulfilling your request.

10. US Privacy Rights (Voluntary Commitment)

Synatsis is incorporated in the Philippines and our primary legal obligation is to the Philippine Data Privacy Act (RA 10173). However, because many of our customers and their clients are based in the United States, we voluntarily honour the following rights as a matter of practice.

California residents (CCPA / CPRA)

If you are a California resident, you may request to know, access, correct, or delete personal information we hold about you, and to opt out of any sale or sharing of your personal information. We do not sell personal information to any third party. We do not use personal information for targeted advertising or profiling with significant effects.

Categories of personal information collected in the past 12 months: identifiers (name, email, IP address); professional information (job title, company name); internet or network activity (pages visited, session data). We do not use sensitive personal information beyond purposes permitted under CPRA Section 1798.121.

Other US state residents

Residents of other US states with applicable privacy laws (including Virginia, Colorado, Texas, Connecticut, and Oregon) may contact us to exercise equivalent rights to access, correct, delete, or obtain a portable copy of their personal information. We will honour these requests on the same basis as California residents.

How to submit a request

Email with the subject line "US Privacy Request" and your state of residence. We will respond within 45 days. You may designate an authorised agent to submit a request on your behalf.

11. Financial Services Compliance (Voluntary Commitment)

Synatsis is not subject to US law by virtue of our Philippine incorporation. However, many of our customers are financial institutions subject to US financial privacy regulation, and we design our security and data handling practices to support their compliance obligations.

GLBA service provider alignment

Where our customers are US financial institutions subject to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and the FTC Safeguards Rule (16 CFR Part 314), Synatsis acts as a service provider and commits to the following as a matter of contract and practice:

• We maintain a written information security programme with administrative, technical, and physical safeguards appropriate to the sensitivity of nonpublic personal information (NPI) we handle on behalf of customers
• Our security controls, including access controls, AES-256 encryption, MFA, vulnerability management, and incident response, are designed to meet FTC Safeguards Rule standards
• We do not disclose NPI received from financial institution customers except as directed by that customer or as required by law
• We will cooperate with customers to support their own GLBA vendor management obligations, including providing security documentation under NDA on request

Financial institution customers requiring a GLBA-specific Data Processing Addendum or Vendor Due Diligence Questionnaire should contact .

FTC and CAN-SPAM alignment

As a matter of practice, we do not make material misrepresentations about our privacy or security practices, and we maintain reasonable security measures commensurate with the sensitivity of data we handle: consistent with FTC Act Section 5 expectations. Commercial email from Synatsis includes a clear opt-out mechanism in line with CAN-SPAM Act requirements.

12. Cookies and Similar Technologies

The Site uses session storage (a browser-based technology that stores temporary data and is cleared when you close your browser tab) to remember whether you have previously visited in the current session. This is used solely to manage the page experience and does not track you across sessions or sites.

We use strictly necessary cookies for authentication and session management within the platform, and analytics cookies to understand usage patterns. We do not currently use advertising cookies, third-party tracking pixels, or cross-site profiling scripts on the Site. If this changes, we will update this policy and, where required by law, obtain your prior consent.

You may manage non-essential cookies through your browser settings. Disabling strictly necessary cookies will impair platform functionality.

13. Sub-Processors

We engage the following sub-processors, each bound by a data processing agreement or equivalent contractual safeguard.

13.1 Core Infrastructure

• Google Cloud Platform: Vertex AI (asia-southeast1, Singapore). Large-context synthesis tasks. Anonymised / pseudonymised data only. No raw client PII transmitted.
• Supabase: Managed PostgreSQL database hosting. Primary application data store including client profiles. Hosted within our designated data residency region.
• Vercel: Frontend hosting and serverless edge functions. Hosts the Site and platform. Request metadata and session tokens only; sensitive payload data is not processed at the edge layer. Vercel's data processing terms are available at vercel.com/legal/dpa.
• Resend: Transactional email delivery. Receipts, password resets, and system notifications. Recipient email address and message content only. No client PII included.
• Stripe: Payment processing and subscription billing. Billing contact details and payment method tokens. Raw card data is handled exclusively by Stripe and never transmitted to or stored on Synatsis systems. Stripe is PCI DSS Level 1 certified.
• Clerk: Identity and authentication provider. Manages user authentication, session tokens, JWT issuance, and organisation-level seat management for Team and Enterprise plans. Processes name, email address, and authentication credentials. Clerk-issued JWTs are verified by Supabase Row Level Security policies to enforce per-user and per-firm data isolation.
• Porkbun: Domain registrar. DNS and domain management. Registrant contact information only. No client PII.

13.2 AI Providers

• Google Gemini (via Vertex AI): Large language model for heavy synthesis tasks. See Section 4.3. Anonymised data only.
• Anthropic Claude: Used exclusively for internal prototyping, tooling, and development workflows. Client PII is never submitted to Claude. Not used in production data pipelines.
• Google Antigravity: Used exclusively for internal prototyping and research. Client PII is never submitted. Not used in production data pipelines.

Our on-premises fine-tuned SLM (Llama 3-8B) is self-hosted within our VPC and is not a third-party sub-processor. It processes sensitive client PII exclusively within our infrastructure boundary.

13.3 Compliance and Security

• Vanta: Automated compliance monitoring and SOC 2 Type II audit preparation. Infrastructure metadata, access logs, and configuration data only. No client PII is shared with Vanta.

13.4 Client-Initiated Third-Party Integrations

The following integrations are optional and activated solely at the discretion of the subscribing firm. Synatsis acts as a conduit; the firm retains full responsibility for ensuring their use of these integrations complies with their own data governance obligations and applicable law.

• Salesforce: CRM data sync (Team and Enterprise plans). Activated by client.
• HubSpot: CRM data sync (Team and Enterprise plans). Activated by client.
• Other CRM and productivity integrations as enabled by the client from time to time.

A complete, up-to-date sub-processor list is maintained at synatsis.com/legal/subprocessors and available on request at . We will provide at least 14 days' written notice before adding or replacing a sub-processor that handles personal data.

14. Children's Privacy

The Site and platform are directed at business professionals and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us at and we will delete it promptly.

15. Changes to This Policy

We will notify you of material changes by email and in-product notice at least 14 days before the change takes effect. We will update the "Last Updated" date at the top of this page. Continued use of the Site or Services after the effective date constitutes acceptance. Non-material changes (corrections, clarifications) take effect immediately upon posting.

16. Contact and Data Protection Officer

If you have questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us at:

Regulatory authority: National Privacy Commission (NPC): privacy.gov.ph. We aim to respond to all legitimate enquiries within 15 business days. For complex or multiple requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.

This policy is governed by the laws of the Republic of the Philippines. Synatsis Systems Inc. is incorporated as a Domestic Stock Corporation under Philippine law, operating under the trade name Synatsis. Where clients are located in other jurisdictions, we apply equivalent or higher standards of protection as described herein.