1. Who We Are and What This Covers
Cynap is an AI-powered operations platform operated by Roee Alfasi ("Cynap", "we"). Contact for privacy matters: roee@cynap.ai.
Two different roles apply, and this distinction shapes everything below:
- Your account and our website — names, emails, login records, billing contact, support messages. For this data, Cynap is the controller, and this policy is the primary document.
- Your organization's business data — the records, communications, and integration data your business brings into Cynap (which may include your own customers', clients', or patients' personal data). For this data, your organization is the controller and Cynap is a processor acting on your instructions under our Data Processing Agreement . If you are a customer, client, or patient of a business that uses Cynap, that business's privacy notice governs — and requests about your data should go to them; we assist them in responding.
2. Information We Collect
- Account data: name, email, password (hashed), organization membership, and — if you sign in with Google — your Google profile identifier.
- Business context and integration data: the workflows you configure and the data flowing from tools you connect (for example CRM, accounting, calendar, or messaging systems). Processed as processor under the DPA.
- Usage and log data: operational logs, diagnostic events, and security telemetry needed to run and protect the service.
- Billing data: handled by Paddle, our Merchant of Record. Cynap never stores full card numbers.
- Communications: support requests and emails you exchange with us.
3. How We Use Information and Our Lawful Bases
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Providing the service: accounts, organizations, automations, portal, support | Performance of a contract (Art. 6(1)(b)) |
| Security, abuse prevention, service operations, and improving the service | Legitimate interests (Art. 6(1)(f)) — running a secure, reliable platform |
| Billing, tax, and legal compliance | Legal obligation (Art. 6(1)(c)) and contract |
| Processing your organization's business data in automations | As processor on your organization's instructions — your organization holds the lawful basis |
We do not sell personal data, and we do not use personal data for third-party advertising.
4. AI Processing
- Cynap's automations and analytics send relevant business context to large language model providers — routed via OpenRouter or directly to OpenAI, Anthropic, or Google — to generate results. A current list of these providers is available on request.
- We do not train our own AI models on personal data. The AI providers we use process inputs solely to generate responses for the request, and under their API terms do not use business data submitted through their APIs to train their models.
- AI outputs may be inaccurate; the Terms of Service (including the Acceptable Use section) describe responsibility for reviewing them.
5. Sharing
- Service providers (subprocessors) that host and power the service, in these categories: cloud infrastructure and database hosting; sandbox compute; AI/LLM model providers (OpenAI, Anthropic, and Google, reached via OpenRouter); transactional email; and authentication. A current, named list of subprocessors is available on request and forms part of the DPA .
- Integrations you connect — data flows to and from your own tools based on your configuration and authorization.
- Paddle as Merchant of Record for payments.
- Legal — where required by law or to protect rights, safety, and the integrity of the service.
6. International Transfers
Our core infrastructure is hosted in the United States. Where personal data is transferred from the UK or EEA, we use appropriate safeguards: the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, EU SCCs for EEA transfers, and — where a provider is certified — the UK Extension to the EU-US Data Privacy Framework. See the DPA for details.
7. Security and Retention
- Each customer organization's business data lives in a dedicated, isolated database — never pooled across customers.
- Data is encrypted in transit; credentials and secrets live in managed secure systems.
- Access is role-based and logged.
| Data Type | Retention |
|---|---|
| Account and business context data | While the account is active |
| Operational and security logs | Limited periods set by security and support needs |
| After cancellation | Deleted within 90 days (sooner on request, within 30 days), unless retention is legally required; backups purge on their scheduled cycle |
| Billing records | As required by tax and accounting law |
8. Your Rights
Subject to applicable law, you may request access, correction, deletion, restriction, portability, or object to processing of your personal data — email roee@cynap.ai and we will respond within one month (we may need to verify your identity). You can also withdraw consent where processing is based on consent.
If you are in the UK, you have the right to complain to the Information Commissioner's Office (ico.org.uk); if you are in the EEA, to your local supervisory authority. We would appreciate the chance to address your concern first.
If your data is held in a Cynap customer's organization (for example, you are a client of a business that uses Cynap), please direct requests to that business — they are the controller, and we will assist them.
9. Cookies
We use only strictly necessary cookies: an authentication session cookie (httpOnly) that keeps you signed in. We run no third-party analytics, advertising, or tracking cookies on this site, which is why you do not see a cookie banner. If this ever changes, this policy and the site will be updated first.
10. Children
Cynap is a business tool and is not directed at children; you must be 18 or older to create an account. A customer organization's business data may include children's personal data (for example, a clinic's patient records) — that data is processed on the organization's behalf under the DPA , with the organization as controller.
11. Changes
We may update this policy as the service evolves. Material changes are posted here with an updated date, and account owners are notified by email before they take effect.
12. Contact
Privacy questions and requests: roee@cynap.ai.