Privacy Policy

1. Definitions

For purposes of this Privacy Policy:

• "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").
• "Sensitive Personal Information" means Personal Information that includes: government-issued identifiers (Social Security numbers, driver's license numbers), financial account information (account numbers with access codes), precise geolocation, racial or ethnic origin, religious beliefs, contents of communications (where Arc Labs is not the intended recipient), genetic or biometric data, health information, or sexual orientation data. With the exception of authentication credentials which are encrypted at rest, Arc Labs does not intentionally collect Sensitive Personal Information through the Services.
• "Knowledge Graph Data" means thoughts, insights, decisions, patterns, notes, connections, and other cognitive content that you create, store, or process through the ARX knowledge graph system.
• "Device Data" means information stored locally on your mobile device when using Synap Mobile, including local SQLite databases, cached content, and application preferences.
• "Tenant Data" means all data associated with a specific organizational account in Synap Business or Synap Enterprise, including user accounts, Knowledge Graph Data, signals, briefings, conversation history, and configuration settings.
• "Processing" means any operation performed on Personal Information, whether by automated or manual means.

2. Information We Collect

The information we collect varies depending on which Service tier you use. We have designed our architecture to minimize data collection at every tier.

2.1 Synap Mobile (Personal Tier)

Synap Mobile is designed with an offline-first, on-device architecture. The following data handling applies:

• On-Device Data (local mode): Your Knowledge Graph Data, SSH session data, terminal history, AI conversation history, application preferences, custom themes, and code snippets are stored locally on your device using SQLite. In local-only mode, this data is never transmitted to any server. SSH terminal sessions may contain sensitive data including passwords or credentials — this data remains entirely on your device and is never accessible to Arc Labs.
• Cloud Sync (hybrid/remote mode — optional): If you enable cloud sync, your Knowledge Graph Data is encrypted in transit (TLS 1.2+) and stored on US-based Arc Labs infrastructure. You choose your storage mode: local-only (nothing leaves your device), hybrid (local graph with cloud backup), or remote (full cloud graph). AI conversation history and SSH terminal data are never synced to the cloud regardless of storage mode.
• Account Information (collected): If you create an account or purchase Synap Mobile Pro, we collect your email address, display name, and payment information (processed by Apple via In-App Purchase — we do not receive or store your credit card number, bank account number, or other financial account credentials).
• AI Provider Credentials (NOT stored by Arc Labs): API keys for third-party AI providers (Claude, OpenAI, or local models) are stored in your device's secure keychain (Apple iOS Keychain) and are transmitted directly from your device to the respective AI provider. Arc Labs does not proxy, intercept, or store these communications.
• Self-Hosted Option: You may run your own ARX server and sync your Knowledge Graph directly to it. Arc Labs does not receive, route, or have access to self-hosted data.
• Crash Reports and Analytics: We may collect anonymized crash reports and basic usage analytics (e.g., feature usage frequency, app launch counts) to improve the application. Anonymization is performed on-device before transmission, removing all user-identifiable content. This data does not include Knowledge Graph content, conversation content, or terminal content. You may opt out of analytics in the application settings.
• System Integrations (all opt-in, all on-device): The following device data sources are accessed on-device only to provide contextual AI features. This data is processed locally and never transmitted to Arc Labs servers:
  • Apple HealthKit (read-only): Steps, sleep duration, heart rate variability, and workout history. Read-only access — Synap never writes to HealthKit. Health data is used on-device by the AI for inference, pattern analysis, and wellness-aware responses (e.g., the Cognitive Guardian feature). Health data is never transmitted to Arc Labs servers.
  • Location (CoreLocation): Current device location used for weather data (Apple WeatherKit) and location-aware AI responses. Location is used transiently and is not stored on or transmitted to Arc Labs servers.
  • Contacts (read-only): Contact names and details accessed on-demand by the AI contact lookup tool. Never cached, indexed, or uploaded.
  • Calendar & Reminders (EventKit): Read and create events/reminders via the AI assistant. Data stays within Apple frameworks.
  • Motion & Activity (CoreMotion): Activity state (walking, driving, stationary) for physical context awareness. Processed locally.
  • Microphone (Speech framework): Voice capture for speech-to-text thought entry. Audio is processed by Apple Speech Recognition on-device and is not recorded or transmitted.
  • Camera (VisionKit): Document scanning via OCR. Images are processed on-device; only extracted text is saved as a knowledge graph thought.
  • NFC (Core NFC): Read/write NFC tags for physical context switching (e.g., tap a tag to switch project focus). Tag data is processed locally.
  • Apple Intelligence (Foundation Models): On-device AI processing for auto-tagging, summarization, and pattern synthesis. All inference runs locally on your device hardware.
  • Spotlight: If enabled, knowledge graph thoughts are indexed in Spotlight for on-device search. Managed by Apple APIs.
• Biometric Data: The 3D brain visualization feature renders your Knowledge Graph as a force-directed graph. This visualization does not collect, process, or store biometric data as defined under any applicable law, including the Illinois Biometric Information Privacy Act (BIPA). The visualization is a graphical representation of your knowledge graph structure, not a biometric measurement.
• Apple Watch (watchOS companion): The Synap Watch app captures voice thoughts via on-device speech recognition (Apple Speech framework). Transcribed text syncs to your paired iPhone via Apple WatchConnectivity. No Watch data is transmitted directly to Arc Labs servers.

2.2 Synap Business (Hosted Tier)

Synap Business is a hosted multi-tenant platform. The following data is processed:

• Account and User Information: Name, email address, organizational affiliation, role, and authentication credentials (passwords are hashed using bcrypt; plaintext passwords are never stored).
• Tenant Data: Knowledge Graph Data, signals, relationship mappings, briefings, conversation history, and team collaboration content are stored on Arc Labs-managed infrastructure in the United States, with logical tenant isolation ensuring data separation between customers.
• Usage Data: Login timestamps, feature usage, API call volumes, and performance metrics.
• Communications: Data transmitted through our platform's AI chat features is processed by third-party AI model providers (as configured) and may be subject to those providers' data handling policies. We disclose which providers are in use and their applicable policies in our Service documentation.

Data Location: Synap Business Tenant Data is stored on infrastructure located in the United States. We do not currently offer data residency options in other regions. If data localization is a regulatory requirement for your organization, please contact us to discuss Enterprise Tier deployment on your own infrastructure.

2.3 Synap Enterprise (Custom Deployment)

Synap Enterprise is deployed on your infrastructure under your control:

• On Your Infrastructure (NOT accessible by Arc Labs): All Tenant Data — including Knowledge Graph Data, user accounts, signals, briefings, conversation history, RBAC configurations, and SSO integrations — resides entirely on infrastructure owned and operated by you or your designated hosting provider. Arc Labs does not have access to this data in the ordinary course of operations.
• License and Support Data (collected by Arc Labs): License key validation requests, support ticket content (submitted voluntarily by your administrators), and aggregate usage metrics for billing purposes (e.g., seat counts).
• Onboarding Data: During white-glove onboarding, your administrators may share configuration details, sample data, or system specifications with Arc Labs personnel. Such data is used solely for onboarding purposes and is deleted within 30 days of onboarding completion unless you request otherwise in writing.

2.4 Website (synap.ing)

• Waitlist and Contact Forms: Email address, name, company name, and any message content you voluntarily submit.
• Server Logs: IP address (anonymized by Cloudflare before reaching our servers), browser user agent, pages visited, and timestamps. These logs are retained for a maximum of 90 days.
• Cookies: We use only essential cookies required for website functionality. We do not use advertising cookies, tracking pixels, or third-party analytics services. Cloudflare, our CDN provider, may set the following security-related cookies: __cf_bm (bot management, expires after 30 minutes), cf_clearance (challenge passage, expires based on challenge configuration). These cookies are set by Cloudflare directly and are not accessible to Arc Labs.

3. CCPA/CPRA Required Disclosures

The following table summarizes our data practices as required by the CCPA/CPRA. This table covers the preceding 12-month period.

Categories NOT collected: Protected characteristics, biometric data, geolocation data, sensory data (audio/video), education information, or any Sensitive Personal Information as defined in Section 1.

Sale or Sharing: Arc Labs does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Arc Labs is not a data broker as defined under the California Delete Act (SB-362) and is not required to register with the California Privacy Protection Agency's data broker registry.

4. How We Use Your Information

We use the Personal Information we collect for the following purposes:

• Service Provision: To create and manage your account, provide the Services, process transactions, and deliver customer support.
• Communication: To respond to your inquiries, send service-related notifications (e.g., security alerts, billing confirmations), and provide waitlist updates. We will never send unsolicited marketing emails without your explicit opt-in consent.
• Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
• Improvement: To analyze anonymized, aggregated usage patterns to improve our Services, fix bugs, and develop new features. We do not use your Knowledge Graph Data, conversation content, or Tenant Data for product improvement, model training, or any purpose other than providing the Services to you.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

What we will NEVER do:

• We will never sell your Personal Information to third parties.
• We will never use your Knowledge Graph Data, conversation content, or Tenant Data to train AI models, whether our own or third-party models.
• We will never share your data with advertisers or data brokers.
• We will never access Enterprise deployment data without explicit written authorization from your designated administrator, and only for the specific purpose of providing requested support.

5. Data Sharing and Disclosure

We share Personal Information only in the following limited circumstances:

• Service Providers (Subprocessors): We engage a limited number of third-party service providers who process data on our behalf and are contractually bound to use it only for the purposes we specify. Our current subprocessors are:
  • Resend, Inc. — Email delivery (transactional emails only, sent from notify.synap.ing)
  • Cloudflare, Inc. — CDN, DDoS protection, SSL termination for synap.ing
  • Apple Inc. — App Store distribution and In-App Purchase processing for Synap Mobile
  • AI Model Providers — As configured by you (e.g., Anthropic PBC for Claude, OpenAI LLC for GPT models); applicable only to Synap Business where Arc Labs manages the AI integration
  We will notify Synap Business customers via email at least 30 days before adding a new subprocessor. You may object to a new subprocessor within that 30-day period by contacting us at legal@synap.ing. If we cannot reasonably accommodate your objection, you may terminate your subscription without penalty.
• Legal Requirements: We may disclose Personal Information if required by law, regulation, subpoena, court order, or other legal process. Where legally permitted, we will provide you with advance notice of at least 5 business days before disclosing your information in response to legal process, unless: (a) providing notice is prohibited by law, (b) we believe there is an imminent risk of death or serious physical injury, or (c) the disclosure relates to an ongoing investigation of Arc Labs itself.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website at least 30 days before any such transfer. You will have the opportunity to delete your account and data before the transfer is completed.
• With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.

6. Data Security

We implement commercially reasonable administrative, technical, and physical security measures to protect your Personal Information, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Role-based access controls for Arc Labs personnel with least-privilege principles
• Regular security assessments and infrastructure monitoring
• Isolated tenant environments for Synap Business deployments with logical data separation
• Secure credential storage using platform-native keychains (iOS Keychain for Synap Mobile)
• Authentication credential hashing using bcrypt with appropriate cost factors

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee absolute security.

6.1 Data Breach Notification

If we become aware of a security breach affecting your Personal Information, we will:

• Notify affected individuals in the most expedient time possible and without unreasonable delay, as required by California Civil Code §1798.82 (SB-1386), and in no event later than 60 calendar days from discovery of the breach
• For Business and Enterprise customers subject to GDPR, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Provide written notice that includes: (a) the nature of the breach, (b) categories of data affected, (c) approximate number of individuals affected, (d) measures taken to address the breach, and (e) recommendations for affected individuals to protect themselves

7. Data Retention

• Synap Mobile: On-device data is retained until you delete it or uninstall the application. Account data is retained for the duration of your account and deleted within 30 days of account closure.
• Synap Business: Tenant Data is retained for the duration of your subscription. Upon termination, you may export your data in standard machine-readable formats (JSON, CSV) for 30 days, after which it is permanently deleted from our systems within 60 days. Upon written request, we will provide a written certification of data deletion.
• Synap Enterprise: All Tenant Data resides on your infrastructure. Arc Labs retains only license and billing data, which is kept for 7 years for tax and legal compliance purposes.
• Website Data: Waitlist and contact form submissions are retained until they are no longer needed for their stated purpose or until you request deletion. Server logs are retained for a maximum of 90 days.
• Backups: For Synap Business, automated encrypted backups are performed daily and retained for 30 days. Deleted data may persist in backups for up to 30 days beyond the deletion date, after which it is permanently removed.

8. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
• Right to Correct: You have the right to request that we correct inaccurate Personal Information we maintain about you.
• Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by CCPA/CPRA) your Personal Information. Therefore, there is no need to opt out. Should our practices ever change, we will provide a conspicuous "Do Not Sell or Share My Personal Information" link.
• Right to Limit Use of Sensitive Personal Information: We do not collect or use Sensitive Personal Information for purposes other than those permitted under CCPA/CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights. You will not receive different pricing, quality, or levels of service for exercising your privacy rights.

To exercise any of these rights, contact us at legal@synap.ing or keep@synap.ing. We will verify your identity using information associated with your account before processing your request. You may also designate an authorized agent to submit requests on your behalf; we will require proof of authorization. We will respond within 45 days as required by law, with the possibility of a 45-day extension for complex requests (with notice).

If you are not satisfied with our response, you have the right to file a complaint with the California Privacy Protection Agency at cppa.ca.gov.

9. International Users and GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

• Legal Basis for Processing: We process your Personal Information based on: (a) your consent, (b) the necessity to perform a contract with you, (c) our legitimate business interests (provided they do not override your fundamental rights), or (d) compliance with legal obligations.
• Data Transfers: Your Personal Information may be transferred to and processed in the United States, where Arc Labs is headquartered. We rely on Standard Contractual Clauses approved by the European Commission (Decision 2021/914) to safeguard such transfers.
• Additional Rights: In addition to the rights listed above, you have the right to: (a) restrict processing, (b) data portability in a structured, commonly used, machine-readable format, (c) object to processing based on legitimate interests, (d) withdraw consent at any time, and (e) lodge a complaint with your local data protection authority.
• Data Processing Agreement: Synap Business customers located in the EEA, UK, or Switzerland are entitled to a Data Processing Agreement (DPA) in compliance with GDPR Article 28. Our standard DPA is available upon request at legal@synap.ing and will be executed before Processing begins.
• Data Protection Officer: Given our current scale of operations, Arc Labs has not appointed a formal Data Protection Officer. Privacy inquiries may be directed to legal@synap.ing.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect Personal Information from children under 16. In compliance with the Children's Online Privacy Protection Act (COPPA), we specifically do not collect Personal Information from children under the age of 13 under any circumstances.

If we learn that we have collected Personal Information from a child under 16, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact us at legal@synap.ing.

In compliance with the California Age-Appropriate Design Code Act (CAADCA), we do not profile users under 18, do not use dark patterns to encourage users under 18 to provide Personal Information beyond what is necessary, and default to the highest privacy settings for users who may be under 18.

11. Third-Party AI Providers

Certain features of the Services involve sending data to third-party AI model providers for processing (e.g., AI chat). Important disclosures:

• Synap Mobile: You configure your own AI provider API keys. Data is sent directly from your device to the provider you choose. Arc Labs does not intermediate these requests. You are subject to the privacy policy of the AI provider you configure.
• Synap Business: AI processing is routed through Arc Labs infrastructure. We select AI providers based on their data handling commitments, including contractual commitments not to use API inputs for model training. We disclose the current AI providers in our Service documentation and will notify you via email at least 14 days before changing AI providers.
• Synap Enterprise: You configure your own AI provider integrations on your infrastructure. Arc Labs has no visibility into these communications.

We contractually require that AI providers used in Synap Business do not retain, log, or use your inputs or outputs for training purposes. However, we cannot guarantee the internal practices of third-party providers beyond our contractual agreements, and we disclaim liability for any AI provider's breach of their obligations to Arc Labs.

12. ARX Protocol and Open Source

The ARX Protocol is an open specification for personal knowledge graphs. The following applies:

• The protocol specification itself does not collect or process Personal Information.
• Self-hosted ARX server implementations operate entirely under your control. Arc Labs does not collect telemetry, usage data, or any other information from self-hosted ARX deployments unless you explicitly configure them to communicate with Arc Labs services.
• MAAP (Multi-Agent ARX Protocol) bundles are self-contained knowledge packets. When transmitted between agents you control, Arc Labs has no access to their contents.

13. Do Not Track

Our website does not respond to Do Not Track ("DNT") browser signals because we do not engage in cross-site tracking. We do not track users across third-party websites and therefore do not need to respond to DNT signals. We honor the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA.

14. Accessibility

Arc Labs is committed to ensuring our Privacy Policy and related privacy mechanisms are accessible to individuals with disabilities. If you have difficulty accessing or understanding this Privacy Policy, or if you need to exercise your privacy rights through an alternative means, please contact us at legal@synap.ing and we will provide reasonable accommodations.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy on our website with a revised "Last Updated" date, (b) sending an email notification to registered users at least 30 days before material changes take effect, and (c) for Synap Business and Enterprise customers, providing notice through the Service dashboard. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

For CCPA/CPRA requests, you may also contact us at the above email addresses. We will respond to verifiable consumer requests within 45 days as required by law.

For complaints regarding our handling of your Personal Information, California residents may contact the California Privacy Protection Agency. EEA, UK, and Swiss residents may lodge a complaint with their local data protection authority.