SyncAll
Privacy Policy
Effective date: May 16, 2026. This policy explains how SyncAll collects, uses, stores, and protects information from licensed dental and legal practices using our AI reception, social media automation, and appointment scheduling services.
1. Overview
SyncAll ("we," "us," or "our") operates a HIPAA-adjacent SaaS platform for licensed dental and legal practices in the United States. This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding that information.
SyncAll is designed so that Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is never required to operate the core scheduling features. Where PHI-adjacent data is processed (such as in AI reception conversation logs), it is handled under strict technical and administrative safeguards described below.
2. Information We Collect
We collect the following categories of information:
(a) Account and Practice Information: Practice name, industry type (dental or legal), contact person name, business address, business phone number, and contact email. This information is used to configure your workspace and personalize AI-generated content.
(b) Authentication Data: Email address and hashed password (if using email/password login), or Google account identifiers (if using Google OAuth). We do not store plaintext passwords.
(c) Phone Numbers: We collect two distinct phone numbers — (i) the management WhatsApp number used by authorized staff to submit media content, and (ii) the public AI reception number through which patients and clients reach your practice. These numbers serve different workflows and are never interchanged.
(d) Calendar Availability Data: If you connect a Google Calendar or iCal subscription URL, we store only busy/free time blocks. See Section 4 for full details on how calendar data is handled.
(e) AI Reception Conversation Data: Summaries of inbound voice and SMS interactions handled by our AI system. Conversation data is encrypted at rest and access is restricted to authorized service operations.
(f) Social Media Content and Media: Scripts, captions, images, and video files submitted for AI-assisted editing and social media distribution. This content is stored encrypted and associated with your clinic account.
(g) Subscription and Billing Data: Plan type, billing contact, and payment status. Payment card details are handled directly by our payment processor and are not stored on SyncAll servers.
(h) Audit and Access Logs: Records of all read and write operations involving sensitive data, maintained for HIPAA audit-controls compliance (45 C.F.R. § 164.312(b)). These logs are immutable and cannot be modified or deleted by application users.
3. How We Use Information
We use the information we collect to:
• Create and manage your practice workspace and subscription
• Authenticate users and enforce multi-tenant data isolation (every record is scoped to your clinic_id)
• Generate AI-powered social media content tailored to your practice's industry and brand
• Operate AI voice and SMS reception on behalf of your practice
• Query appointment availability and respond to scheduling inquiries
• Send operational communications, including onboarding guidance, account alerts, and service notifications
• Maintain security audit trails as required by applicable law
• Detect and prevent unauthorized access or misuse of the platform
We do not use your data to train AI models without your explicit consent, and we do not sell your data to third parties.
4. Calendar Data and PHI Filter
SyncAll's scheduling features operate on busy/free time signals only. We apply a strict PHI Filter at the point of data ingestion:
(a) iCal Subscriptions: When you provide a calendar subscription URL, our system fetches the ICS feed and extracts only three fields per event:
• DTSTART — event start time
• DTEND — event end time
• UID — a deduplication key for idempotent updates
All other iCal fields — including SUMMARY, DESCRIPTION, LOCATION, ATTENDEE, and ORGANIZER — are discarded at parse time and are never stored, logged, or transmitted.
(b) Google Calendar OAuth: When you connect via Google Calendar OAuth, our system reads only start and end times from your calendar events. Event titles, descriptions, and attendee information are processed in memory solely to extract timing data and are not written to our database.
(c) Soft PHI Detection: On first connection, our system counts (but does not store or log) how many events contain non-empty values in fields we discard. If a significant proportion of events appear to include detailed information, we display an advisory notice recommending that you switch to a busy-only calendar export. This is an advisory only; our PHI Filter continues to protect against storage of PHI regardless.
(d) Busy Slot Storage: The result of calendar ingestion is stored in a busy_slots table containing only: clinic_id, start_at, end_at, a source identifier, and a source_uid for deduplication. This table is designed so that it is technically impossible to determine patient identity or appointment content from its contents.
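An added illustration of the parse-time filter described in (a), (c) and (d); this is example code written for this page, not SyncAll's implementation. The function names, the 0.5 advisory threshold, and the sample feed are assumptions, and timestamps are kept as the raw UTC strings from the feed.

```python
import re

KEEP = {"DTSTART", "DTEND", "UID"}
DISCARDED = {"SUMMARY", "DESCRIPTION", "LOCATION", "ATTENDEE", "ORGANIZER"}
ADVISORY_RATIO = 0.5  # assumption: the policy only says "significant proportion"

def unfold(ics_text):
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def ingest(ics_text, clinic_id, source="ical"):
    """Return (busy_slot rows, events with discarded detail, total events)."""
    rows, detailed, total = [], 0, 0
    event, has_detail = None, False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            event, has_detail = {}, False
        elif event is None:
            continue
        elif line == "END:VEVENT":
            total += 1
            detailed += has_detail
            if KEEP <= event.keys():  # skip events missing any kept field
                rows.append({"clinic_id": clinic_id, "start_at": event["DTSTART"],
                             "end_at": event["DTEND"], "source": source,
                             "source_uid": event["UID"]})
            event = None
        else:
            head, _, value = line.partition(":")
            name = head.split(";", 1)[0].upper()  # drop parameters such as TZID
            if name in KEEP:
                event[name] = value
            elif name in DISCARDED and value.strip():
                has_detail = True  # counted only; the value goes out of scope here
    return rows, detailed, total

def needs_advisory(detailed, total):
    return total > 0 and detailed / total >= ADVISORY_RATIO

# Constructed sample feed (not real data); the second UID is folded across two lines.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "UID:evt-001@example.invalid",
    "DTSTART:20260601T140000Z", "DTEND:20260601T150000Z",
    "SUMMARY:Root canal - J. Doe", "DESCRIPTION:Pain in lower", " left molar",
    "END:VEVENT", "BEGIN:VEVENT", "UID:evt-002-long-identifier",
    " -folded@example.invalid", "DTSTART:20260602T090000Z",
    "DTEND:20260602T093000Z", "END:VEVENT", "END:VCALENDAR"])

if __name__ == "__main__":
    rows, detailed, total = ingest(SAMPLE, clinic_id="clinic-demo")
    print(rows, needs_advisory(detailed, total))
```

Unfolding before filtering matters: without it a folded UID is truncated and deduplication silently breaks.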
5. Data Security
We implement the following technical safeguards:
(a) Encryption at Rest: PHI-adjacent fields (patient contact details, conversation notes, phone numbers, OAuth tokens, iCal subscription URLs) are encrypted at the application layer using AES-256-GCM before being written to the database. Encryption keys are stored in Google Cloud Secret Manager and rotated quarterly.
(b) Encryption in Transit: All data in transit between clients, our backend, and third-party services is encrypted using TLS 1.2 or higher.
(c) Infrastructure Isolation: All PHI-adjacent data is processed and stored within Google Cloud Platform and Supabase infrastructure, both of which operate under appropriate data processing agreements. No PHI is routed through Vercel or other shared-infrastructure environments without a BAA.
(d) Access Controls: Database access is enforced via row-level security policies. Every query is scoped to a clinic_id extracted from the authenticated user's JWT token. Client-supplied identifiers in request bodies are never trusted for data access.
(e) Audit Logging: Every read and write of sensitive data generates an immutable audit log entry. These logs support HIPAA breach detection and investigation requirements.
(f) Media Storage: Images and videos submitted via WhatsApp are downloaded from Twilio's media endpoints, encrypted, and stored in a private Supabase Storage bucket. Only encrypted object keys are stored in the database — never publicly accessible URLs.
6. SMS and WhatsApp Communications
SyncAll uses Twilio to deliver SMS messages and WhatsApp communications on behalf of your practice.
(a) Practice Management WhatsApp: By providing a WhatsApp management number during onboarding, you authorize SyncAll to send activation messages and receive media submissions from that number. Message and data rates may apply. Reply STOP to opt out of non-essential messages.
(b) Patient/Client SMS: SyncAll sends appointment-related SMS messages to patients and clients only as directed by your practice workflows. You are responsible for obtaining appropriate consent from your patients and clients before enabling AI reception SMS features.
(c) No Marketing Sharing: Mobile information — including phone numbers, message content, and opt-in data — will not be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent records are excluded from any data sharing arrangements and will not be disclosed to third parties.
(d) Message Logs: Inbound and outbound message previews (limited to 40 characters) are retained in our SMS log for operational and audit purposes. Full message bodies are not stored.
7. Third-Party Service Providers
We share data with third-party providers solely to operate the Service. Current providers include:
• Google (Cloud Platform, OAuth, Calendar API) — infrastructure, authentication, and calendar data access
• Supabase — database, authentication services, and encrypted media storage
• Twilio — SMS, voice, and WhatsApp communications
• Vapi — AI voice reception
• Postiz (self-hosted) — social media content distribution to Google Business Profile, Facebook/Instagram, and TikTok. Only marketing content (video files, captions, scheduled times) is transmitted. No PHI passes through Postiz.
• Upstash Redis — asynchronous job queue for background processing
Each provider is selected based on their data security practices and, where required, their availability to sign appropriate data processing agreements. We do not authorize providers to use your data for their own marketing purposes.
8. Data Retention
We retain your practice account data for the duration of your subscription and for a period of up to seven (7) years following termination, as required by applicable law and HIPAA record-retention standards. Audit logs are retained for a minimum of six (6) years. You may request deletion of your account data by contacting us at privacy@getsyncall.com; we will fulfill deletion requests subject to applicable legal retention obligations.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
• Access a copy of the personal information we hold about your practice
• Correct inaccurate practice or contact information
• Request deletion of your account data (subject to legal retention requirements)
• Opt out of non-essential SMS and WhatsApp communications by replying STOP
• Request information about how your data is shared with third parties
To exercise these rights, contact us at privacy@getsyncall.com. We will respond within thirty (30) days.
10. Business Associate Agreement
SyncAll has executed a Business Associate Agreement ("BAA") with Supabase to cover database infrastructure. If your organization requires a BAA with SyncAll directly (for example, if your use of AI reception involves PHI-containing conversations), please contact privacy@getsyncall.com to discuss your requirements before enabling those features in a production environment.
11. Children's Privacy
The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors. If you believe a minor has submitted information to us, contact us at privacy@getsyncall.com and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least thirty (30) days before taking effect. The effective date at the top of this page reflects when the current version was last updated.
13. Contact Us
For privacy inquiries, data access requests, or to report a potential data incident:
SyncAll Privacy Team
Email: privacy@getsyncall.com
SMS Consent Summary
By providing a phone number, you consent to receive text messages from SyncAll related to your account and service operations. Message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for assistance. No mobile information will be shared with third parties for marketing or promotional purposes.