Synapse

Legal

Privacy Policy

Last updated: May 21, 2026

1. Overview

This policy describes what data Synapse collects, how we use it, and who we share it with. We try to keep it short and concrete. If something here is unclear, write to us at the contact address below.

2. Data we collect

When you use Synapse, we collect and store:

  • Account data: your name, email address, and a one-way bcrypt hash of your password. We do not store your plaintext password. If you sign up with Google, we receive your email address, name, and (if you have one) profile picture URL from Google as part of the OAuth flow — we store these in the same Account record. We do not receive or store your Google password. You can later add a password to your Google-linked account via the password-reset flow.
  • Content you create or upload: the prompts you submit to generate schools; the schools, courses, lessons, quizzes, homework, and projects that result; your homework and project submissions, including any attached text files; your conversations with the per-course Teacher AI; resources you upload to a course or module.
  • Progress data: which lessons you have completed, your quiz scores, your spaced-repetition cards, your XP and streak counters, your daily-challenge answers.
  • Technical data: approximate IP address (for rate limiting), timestamps of major actions, and standard server logs from our hosting provider.
  • Email-verification and password-reset tokens: short-lived, single-use, deleted on consumption.
  • Content-quality feedback: the up/down vote you leave on a slide, homework, or project, and any optional free-text “reason” you attach to a downvote. School owners see the verbatim reason in their owner dashboard (without your name or email) so they can improve the affected content. We do not display the identity of the voter to other users.

3. How we use your data

We use the data above to:

  • Provide the Service: generate content, grade submissions, schedule spaced-repetition reviews, track your progress.
  • Send transactional emails: verification, password reset, study reminders, weekly digests, and similar service notifications. You can disable optional study reminders in your account settings.
  • Protect the Service: rate-limit signups and other sensitive endpoints, detect abuse.
  • Improve the Service: aggregate, anonymized analysis of how features are used. We do not use your specific content to train external AI models.

4. Third-party services

Operating Synapse requires sharing some data with vetted third parties. We choose providers with strong privacy practices and minimize what we send them.

  • Anthropic (AI model provider): we send the prompts, course content, and submission content needed to generate or grade material. Anthropic processes this data under their own terms and does not, to our knowledge, use it to train their models. We do not send your name or email to Anthropic.
  • Supabase (database hosting): stores your account data and content at rest. Located in the United States.
  • Vercel (web hosting): serves the application to your browser; receives your IP and standard request metadata.
  • Resend (email delivery): receives your email address and the contents of any email we send you.
  • Stripe (payment processing, if and when we charge): receives the information needed to bill you. We do not store your full card details on our servers.
  • Google (sign-in, optional): if you choose to sign in with Google, Google authenticates you and returns your email address, name, and profile picture URL to Synapse. We do not request additional Google account scopes. Your Google password is never sent to us.

5. Cookies and sessions

We use a small number of strictly necessary cookies for authentication (a session token and a CSRF token). We do not use advertising cookies, tracking pixels, or third-party analytics that follow you across the web.

6. Data retention

We retain your data for as long as your account is active. When you delete your account from Settings → Danger zone → Delete my account, deletion proceeds in two phases:

  • Immediately: your name and email are replaced with placeholder values, your password is destroyed, future sign-in attempts are blocked, your active Stripe customer record is closed, and the schools you owned are either transferred to the “Synapse Team” system account (if other students are actively enrolled and you chose the “transfer” option) or archived.
  • After a 30-day cooldown: your account row and all per-user data cascade-delete — submissions, quiz attempts, lesson completions, spaced-repetition cards, daily challenges, XP, streak, chat history, notifications, content feedback, referrals, redeemed promo codes, and credit-transaction ledger entries. The cooldown exists so we can recover the account if you change your mind and so we can investigate any disputes (chargebacks, refund claims) tied to the account before the records vanish.

Synapse credit purchases are all-sales-final per Section 7 of the Terms; no refunds are issued at deletion. Idempotency logs (rate-limit buckets, reminder dedupe records) and short-lived security tokens may be retained briefly for fraud prevention before being purged on their normal schedules. Aggregated, fully anonymous analytics may be retained indefinitely.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data. You can do this yourself at any time via Settings → Delete my account; see Section 6 above for the timeline.
  • Receive a copy of your data in a portable format.
  • Object to or restrict certain processing.

To exercise any rights not available in-product, email us at the contact address below. We will respond within a reasonable timeframe (typically within 30 days).

8. Children

Synapse is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.

9. International users

Synapse is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. The data-protection laws of the US may be different from those of your jurisdiction.

10. Changes

We may update this policy from time to time. If we make a material change we will notify you by email or by an in-product notice before the change takes effect.

11. Contact

Privacy questions, requests, and complaints should be directed to synapse@bondpb.com.