Privacy Policy
Last updated: July 1, 2026 · Version 1.2
1. Who we are
Syncademia AI Inc. is an Ontario corporation operating Syncademia AI, a student productivity platform with AI-powered study tools.
Contact: syncademiaai@gmail.com
Mailing address: [TODO: Add physical address]
2. What data we collect
Account data
- Full name, email address, password (hashed — never stored in plain text)
- University, program, year of study (optional)
- Profile picture (optional)
- Timezone preference
Usage data
- Pages visited, features used, time spent
- Clicks, search queries, navigation patterns
- Device type, browser, operating system
- IP address (security and fraud prevention)
Academic data (provided by you)
- Course names and codes, syllabus files, documents, assignments, due dates, grades
- Notes, study materials, and flashcard content
AI interaction data
- Messages to Syncy, AI responses, documents sent for AI processing
- Quest questions and answers, flashcard generation requests
Payment data
- Subscription tier and status, billing email via Stripe
- Last four digits of card (held by Stripe, not by us)
- We never store full card numbers
Wellness data (optional)
- Mood check-ins, stress self-assessments, wellness quiz responses
3. How we use your data
- Provide and improve the Syncademia platform
- Personalize Syncy with your academic context
- Generate flashcards, study plans, and Quest content from your materials
- Send account emails (password reset, billing receipts)
- Enforce our Terms of Service and prevent abuse
- Analyze aggregate usage to improve features
- Comply with legal obligations
4. AI provider disclosure
Important: Syncademia uses artificial intelligence extensively. AI outputs may be inaccurate. Do not rely on Syncy for medical, legal, financial, or professional advice.
AI providers we use
- OpenAI — Syncy chat, flashcards, Quest questions, study plans, document chat. Privacy: openai.com/policies/privacy-policy
- Google Gemini (when configured) — fallback for some AI and wellness features. Privacy: policies.google.com/privacy
Sent to AI providers
- Messages to Syncy, uploaded document content for AI processing
- Course and task context used to personalize responses
- Flashcard and Quest generation requests
Not sent to AI providers
- Your password, payment information, or other users' data
We use OpenAI's API under terms that restrict use of API data for training their public models. See OpenAI's current enterprise/API data processing terms for details.
5. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, auth, storage | Account and app data |
| Stripe | Payments | Email, subscription status |
| OpenAI / Gemini | AI features | Messages, documents, context |
| Vercel | Hosting | IP addresses, request logs |
| Sentry | Error monitoring | Error data, stack traces |
We do not use PostHog or advertising analytics SDKs.
6. Data retention
- Account data: while your account is active
- Usage logs: up to 90 days
- AI conversation history: until you delete it or delete your account
- Wellness check-ins: until you delete them or delete your account
- Payment records: 7 years (legal requirement)
- Deleted accounts: anonymized within 30 days of deletion request
7. Your rights
All users
- Access, correct, delete your data, and withdraw optional consents
- Export: contact syncademiaai@gmail.com or use Settings → Delete/Export where available
Canadian users (PIPEDA / Quebec Law 25)
- Right to access, correction, and withdrawal of consent
- Quebec residents may have additional rights including de-indexing
EU/UK users (GDPR)
- Access, rectification, erasure, portability, objection, and restrictions on automated decision-making
California users (CCPA/CPRA)
- Right to know, delete, and non-discrimination. We do not sell personal information.
8. Children's privacy
Syncademia is intended for university students (typically 18+). We do not knowingly collect data from children under 13. Contact syncademiaai@gmail.com if you believe a child created an account and we will delete it.
9. Security
- Passwords hashed with industry-standard algorithms
- Data encrypted in transit (TLS 1.2+)
- Database access restricted by row-level security
- API keys stored as environment variables, not in source code
- We will notify affected users within 72 hours of discovering a material security breach
10. Contact
Privacy questions, access requests, or deletion: syncademiaai@gmail.com
We aim to respond within 30 days.