Privacy Policy

Last updated: May 12, 2026

Synquil ("we", "us", or "our") operates the Synquil service (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you sign up, we collect your name, email address, and profile picture via Clerk (our authentication provider). This information comes from your Google account or other sign-in method you choose.

1.2 Google User Data

When you connect a Google account, we request access to the following Google API scopes:

• Google Sheets (read-only): We read the content of spreadsheets you explicitly select. We do not access any spreadsheet you have not specifically authorized.
• Google account profile (email, name): Used to identify your account.

We store OAuth tokens for these scopes in our database, encrypted at rest using AES-256-GCM. These tokens are used solely to fetch data from the Google APIs on your behalf, at the sync frequency you have configured.

1.3 Third-Party Integration Data

If you connect Notion or HubSpot, we similarly request the minimum OAuth scopes needed to read the data sources you select (databases, CRM objects, etc.). The same encryption and access controls apply.

1.4 Synced Data

The actual content of the spreadsheets, databases, or CRM records you select is fetched and stored in your private, isolated database schema on our infrastructure. This data is used exclusively to power the Synquil Service for your account.

1.5 Usage and Technical Data

We automatically collect:

• Log data: IP address, browser type, pages visited, timestamps
• Error reports: stack traces and context (via Sentry, with personal data minimized)
• Product analytics: feature usage events (via PostHog, anonymized where possible)
• Billing data: subscription status, plan tier (via Stripe; we do not store raw card numbers)

1.6 Cookies

We use session cookies for authentication (managed by Clerk) and analytics cookies (PostHog). You can disable non-essential cookies in your browser settings, though this may affect service functionality.

2. How We Use Your Information

2.1 To Provide the Service

• Authenticate your identity and maintain your session
• Sync data from your connected sources on the schedule you configure
• Store your data in an isolated schema for querying
• Power MCP (Model Context Protocol) tools so AI assistants can query your data
• Generate and apply database schemas using AI inference

2.2 To Communicate With You

• Send transactional emails (sync failures, account alerts) via Resend
• Respond to support requests
• Notify you of material changes to these policies

2.3 To Improve the Service

• Analyze aggregated, anonymized usage patterns
• Debug errors and improve reliability

We do not use your Google user data, or any data from your connected sources, to train AI models — ours or anyone else's.

3. Google API Services — Limited Use Disclosure

Synquil's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve the features described to the user in this Privacy Policy and within the Synquil interface.
• We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., storing it in our database on your behalf), or as required by law.
• We do not use Google user data for serving advertisements.
• We do not allow humans to read your Google user data unless you have given explicit permission, it is necessary for security purposes, it is required by law, or the data has been aggregated and anonymized so it is no longer personally identifiable.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:

4.1 Service Providers

We use the following sub-processors who may handle your data solely to deliver the Service:

• Supabase — database hosting (your isolated schema)
• Clerk — authentication
• Stripe — billing and subscription management
• Railway — application infrastructure hosting
• Redis / Upstash — job queue
• Anthropic — AI inference for schema generation and NL-to-SQL (query text only, not your stored data rows)
• Sentry — error monitoring
• PostHog — product analytics
• Resend — transactional email

Each sub-processor is bound by data processing agreements and handles data only as instructed.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in good-faith belief that such action is necessary to comply with legal obligations, protect our rights, or prevent fraud.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

5. Data Retention

We retain your account information and synced data for as long as your account is active. If you delete your account, all associated data — including OAuth tokens, synced data, schema definitions, and API keys — is permanently deleted within 30 days. Billing records may be retained for up to 7 years as required by applicable law.

You can revoke Google access at any time via Google Account Permissions. Upon revocation, we will no longer be able to sync your Google Sheets data.

6. Data Security

We implement the following security measures:

• OAuth tokens encrypted at rest using AES-256-GCM with a server-side secret key
• All API keys stored as bcrypt hashes; plaintext is never logged
• Customer data isolated in per-account database schemas with no cross-account access
• All data transmitted over TLS 1.2 or higher
• MCP queries are read-only and SQL-validated before execution
• Access to production systems is limited to authorized personnel

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and all associated data.
• Portability: Request your data in a machine-readable format.
• Objection: Object to certain uses of your data (e.g., analytics).
• Withdrawal of Consent: Revoke OAuth access to connected sources at any time.

To exercise any of these rights, email us at hello@synquil.com. We will respond within 30 days. You may also delete your account directly from the Settings page, which initiates immediate data deletion.

8. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

9. International Data Transfers

Our infrastructure is primarily based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms for international transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by emailing the address associated with your account at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Service after a change takes effect constitutes acceptance of the revised policy.

11. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Synquil
Email: hello@synquil.com