Privacy Policy
1. Who we are
Syncop ("Syncop," "we," "us," or "our") operates the Syncop platform at syncop.app and console.syncop.app. We provide an AI-powered service that automatically generates weekly product updates from your code repositories, issue tracker, and CI pipeline data.
For the purposes of the GDPR, Syncop is the data controller of personal data it collects directly from users. When you connect Syncop to your GitHub, GitLab, or Jira workspace, Syncop acts as a data processor on your behalf — processing data you control according to your instructions and our Data Processing Addendum (DPA), available on request.
Contact: For all privacy matters, email privacy@syncop.app.
2. Data we collect
Account and identity data
- Name and work email address (from sign-up or Google OAuth)
- Company name and team size (optional, provided during onboarding)
- Profile information from Google OAuth (name, email, profile photo URL)
Integration credentials
- GitHub / GitLab — OAuth access and refresh tokens, authorized repo list, webhook signing secrets
- Jira — API token or OAuth credentials, workspace domain, project keys
- CircleCI — API key (provided directly by you, stored encrypted)
All tokens and API keys are stored encrypted at rest. We request only the minimum OAuth scopes needed to read commits and issue data. We never request write access to your repositories.
Third-party content you authorize us to access
When you connect an integration, we access and temporarily process:
- Git commit messages, commit SHAs, author names, branch names, and repository names
- Jira ticket titles, descriptions, statuses, assignees, labels, and fix versions
- CircleCI pipeline statuses and deployment information
This content may include personal data about your employees (e.g., commit author names). You, as the customer, are the data controller for this content; we process it solely to generate your product updates.
AI inputs and outputs
- Prompts we construct from your integration data (derived from commits and tickets) and send to our AI provider
- AI-generated product update text returned by our AI provider
- Your filter rules and product context descriptions
Usage and technical data
- IP address, browser type, operating system, time zone
- Pages visited, features used, actions taken, and timestamps
- Session identifiers and authentication cookies
- Error logs and performance data
Communications
- Emails and messages you send to our support team
- Feedback or survey responses you voluntarily submit
3. How we use your data
We use your data to:
- Provide the service — authenticate your account, connect your integrations, run the AI agent, generate and store weekly product updates
- Improve reliability — monitor errors, diagnose bugs, and maintain service uptime
- Communicate with you — send transactional emails (update notifications, billing receipts), respond to support requests
- Enforce our terms — detect and prevent abuse, fraud, or violations of our Acceptable Use Policy
- Comply with legal obligations — respond to lawful requests from courts or regulators
We do not use your data for advertising, sell it to third parties, or use it to build profiles for marketing purposes.
4. Legal basis for processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract — necessary to perform the service you've signed up for |
| Accessing integration data (commits, tickets, CI) | Contract — the core service cannot be provided without this |
| Generating AI product updates | Contract — this is the primary purpose of the service |
| Security monitoring and fraud prevention | Legitimate interests — protecting the platform and our users |
| Product analytics and service improvement | Legitimate interests — improving performance and reliability |
| Marketing emails (if opted in) | Consent — you can withdraw at any time |
| Retaining billing records | Legal obligation — tax and accounting requirements |
5. AI and your data
How AI processing works
To generate your product updates, we construct a structured prompt containing anonymized commit data, relevant Jira ticket summaries, and your product context. This prompt is sent to Anthropic PBC (makers of Claude) via their commercial API. Anthropic returns the generated text, which we store and display to you.
Anthropic as a subprocessor
Anthropic processes your data as a subprocessor under our instructions. Under Anthropic's commercial API terms, they do not use customer API data to train their models. You can review Anthropic's privacy commitments at anthropic.com/legal/privacy.
What we send to Anthropic
Prompts sent to Anthropic contain derived summaries of your commit and ticket data — not raw OAuth tokens, credentials, or full repository contents. We minimise the data included in each prompt to what is necessary for generating an accurate update.
Automated decision-making
Syncop uses AI to decide whether a given week's activity warrants a product update (based on your filter rule). This is not a decision with significant legal or similarly significant effects on any individual, and no human profiles are created. You can always override any AI decision by re-running or editing an update manually.
6. Who we share your data with
We share data only with the following categories of third parties, for the stated purposes:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting (Cloud Run), database (Cloud SQL), cloud storage | United States |
| Anthropic PBC | AI text generation (Claude API) | United States |
| GitHub, Inc. | Source code integration (OAuth) | United States |
| GitLab B.V. | Source code integration (OAuth) | Netherlands / United States |
| Atlassian Pty Ltd | Jira integration (OAuth/API) | United States / Australia |
| CircleCI (HashiCorp) | CI/CD pipeline integration | United States |
| Stripe, Inc. | Payment processing and billing | United States |
We may also share data in the following circumstances:
- Legal requirements — if required by a court order, subpoena, or applicable law, we may disclose your data to authorities. Where permitted, we will notify you before doing so.
- Business transfers — if Syncop is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you and you will have the option to delete your account.
We do not sell your personal data to third parties. We do not share data for cross-context behavioral advertising.
7. International data transfers
Syncop is based in the United States. If you are in the EEA, United Kingdom, or Switzerland, your data is transferred to the US to provide the service.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA to the US — including transfers to Google Cloud and Anthropic. A copy of the applicable SCCs is available on request at privacy@syncop.app.
For UK users, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs as applicable.
8. How long we keep your data
| Data category | Retention period |
|---|---|
| Account and identity data | Until account deletion, then purged within 90 days |
| OAuth tokens and API keys | Deleted immediately upon integration disconnect or account deletion |
| Commit and Jira data (used to generate updates) | Retained as part of run logs for 12 months, then purged |
| Generated product updates | Retained until you delete them or delete your account |
| Usage and technical logs | 90 days |
| Billing and payment records | 7 years (legal/tax obligation) |
| Support communications | 3 years from last interaction |
When retention periods expire, data is permanently deleted or anonymised. You may request earlier deletion — see Your rights below.
9. Your rights
Depending on your location, you have the following rights over your personal data:
For everyone
- Access — request a copy of the personal data we hold about you
- Correction — ask us to fix inaccurate or incomplete data
- Deletion — ask us to delete your data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Withdraw consent — where processing is based on consent (e.g., marketing emails), you can withdraw at any time
Additional rights for EEA / UK residents (GDPR / UK GDPR)
- Object to processing based on legitimate interests
- Restriction — ask us to pause processing while a dispute is resolved
- Complain — lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national supervisory authority in the EEA)
Additional rights for California residents (CCPA / CPRA)
- Know — the categories of personal information we collect and why
- Delete — request deletion of your personal information
- Correct — request correction of inaccurate personal information
- Opt out of sale or sharing — we do not sell or share your data for targeted advertising, but you may submit a request to confirm this
- Non-discrimination — we will not discriminate against you for exercising any of these rights
To exercise any right, email privacy@syncop.app with "Privacy Request" in the subject line. We will respond within 30 days (or 45 days for California requests). We may ask you to verify your identity before fulfilling a request.
10. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption at rest (AES-256) for all stored credentials and sensitive data
- Encryption in transit (TLS 1.2+) for all data moving between your browser, our servers, and third-party APIs
- OAuth tokens stored as encrypted values — never logged or exposed in plaintext
- Role-based access controls limiting which employees can access customer data
- Regular dependency updates and security patching
No system is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR.
To report a security vulnerability, email security@syncop.app.
11. Cookies
We use a minimal set of cookies to operate the service:
- Session cookie (__session) — maintains your logged-in state. Strictly necessary; cannot be opted out of while using the service.
- CSRF token — prevents cross-site request forgery attacks. Strictly necessary.
We do not use third-party advertising cookies. If we add analytics cookies in the future, we will update this policy and ask for your consent where required.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We will give you at least 30 days' notice before material changes take effect.
Continued use of Syncop after a change takes effect constitutes acceptance of the updated policy.
Also see: Terms of Service · Questions: privacy@syncop.app