Privacy Policy

Syncroly Inc.

Effective March 11, 2026

This Privacy Policy describes how Syncroly Inc. (“Syncroly,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use our referral coordination platform, website, and related services (collectively, the “Services”). This Policy applies to healthcare providers (“Customers”), their team members (“Authorized Users”), patients who access referrals via secure links (“Patient Users”), and visitors to our website (“Visitors”).

This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

For information specifically about how we handle Protected Health Information (“PHI”) under HIPAA, see Section 4.

1. Information We Collect

1.1 Information You Provide

Account and Profile Information. When you create an Account, we collect your name, email address, practice name, practice address, phone number, specialty, and professional role. We also collect information about team members you invite as Authorized Users.

Referral Data. When you create a referral, we collect patient information (name, date of birth, email, phone number), clinical context (specialty, reasons, notes), and category-specific data such as dental tooth selections, veterinary animal details, or mental health risk context flags. This data may constitute PHI and is governed by the applicable Business Associate Agreement.

Messages and Attachments. The Services support secure messaging and file sharing between referring and receiving providers in the context of a referral. Message content and attached files are stored as part of the referral record.

Payment Information. If you subscribe to a paid plan, payment information is collected and processed by our third-party payment processor (currently Stripe). We do not store credit card numbers or bank account details on our servers. We receive only transaction confirmations, plan details, and billing contact information from the processor.

Communications. If you contact us at privacy@syncroly.co or through other channels, we collect the content of your communications.

1.2 Information Collected Automatically

From Customers and Authorized Users (authenticated app):

  • Session data via authentication cookies (see Section 6)
  • Feature usage patterns and navigation (via Vercel Analytics, cookie-free)
  • Performance metrics (via Vercel Speed Insights, cookie-free)
  • Rate-limiting identifiers (IP addresses are hashed using SHA-256 and truncated; raw IP addresses are never stored)
  • Error and diagnostic data (via Sentry), including stack traces, browser and operating system metadata, and sanitized page URLs. Sentry is configured to minimize the collection of identifiers; we do not intentionally send PHI to Sentry.

From Patient Users (token-based access):

  • Consent acceptance timestamp and method
  • Referral view timestamp
  • Booking confirmation selection
  • Rate-limiting identifiers (hashed IP, as described above)
  • Performance and error data (Vercel Speed Insights, Sentry — same scope as above)

Patient Users are not tracked by Google Analytics. Patient token pages do not load marketing analytics scripts.

From Visitors (marketing website only):

  • Google Analytics 4 (GA4) collects: anonymized IP address, device type, browser, operating system, screen resolution, pages visited, referrer URL, session duration, and a pseudonymous client identifier stored in the _ga cookie. GA4 does not receive patient data, provider identities, or any information from the authenticated application. GA4 scripts are loaded only on public marketing pages and are subject to cookie consent (see Section 6).
  • Vercel Analytics and Speed Insights (cookie-free beacons)

1.3 Information from Third Parties

Address Autocomplete. When you use address fields in the Services, address queries are sent to Google Places API to provide autocomplete suggestions. Google receives the partial address text you type but does not receive patient names or other identifying information alongside it.

Bot Protection. We use Cloudflare Turnstile on certain public-facing forms to distinguish legitimate users from automated bots. Cloudflare processes visitor IP addresses and interaction signals at its global edge network. No cookies are set by Turnstile.

2. How We Use Your Information

We use personal information for the following purposes:

  • Providing the Services: Processing referrals, generating secure access links, enabling messaging, managing accounts and team roles, and tracking referral lifecycle events.
  • Authentication and Security: Verifying identity, managing sessions, enforcing rate limits, detecting and preventing fraud or unauthorized access, and maintaining audit logs.
  • Communications: Sending transactional and operational notifications (referral alerts, security notices, billing reminders, account updates). These cannot be opted out of while your Account is active.
  • Product Improvement: Analyzing aggregated, de-identified Usage Data (as defined in the Terms of Service) to improve features, performance, and reliability.
  • Error Monitoring: Diagnosing and resolving technical issues using error reports that contain technical metadata but not PHI.
  • Compliance: Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service and BAA.
  • Marketing (Visitors only): Analyzing marketing website traffic via GA4 to understand how visitors find and interact with our public pages. GA4 is not used inside the authenticated application or on patient-facing pages.

We do not sell personal information. We do not use PHI for marketing purposes.

3. How We Share Your Information

We share personal information only in the following circumstances:

3.1 Service Providers (Sub-Processors)

We use third-party service providers to operate the Services. Each provider receives only the data necessary for its function. Providers that may access PHI are bound by Business Associate Agreements.

| Provider | Function | Data Received |
| --- | --- | --- |
| Vercel | Application hosting | Application data in transit and at rest |
| Neon (AWS) | Database hosting | All stored application data including ePHI |
| AWS S3 | File storage | Referral attachments |
| Upstash | Rate limiting | Hashed IP addresses only |
| Postmark | Transactional email | Recipient email addresses, message content (no PHI in bodies per policy) |
| Twilio | SMS notifications | Phone numbers, message content (no PHI in bodies per policy) |
| Cloudflare | Bot protection | Visitor IP addresses, interaction signals |
| Google (Places API) | Address autocomplete | Partial address queries |
| Google (Analytics 4) | Marketing analytics | Anonymized IP, device/browser info, page views (marketing site only) |
| Sentry | Error monitoring | Error data, browser/OS metadata (no PHI, no patient identifiers) |
| UptimeRobot | Uptime monitoring | Server-side health check pings only; no user data |
| Stripe | Payment processing | Billing and payment information |

3.2 Within a Referral

When a referral is created, the referring provider’s information, patient information, and clinical context are shared with the receiving provider(s) selected for that referral — but only after the Patient User accepts the HIPAA consent disclosure. This sharing is the core function of the Services and is authorized by the applicable BAA.

3.3 Legal Requirements

We may disclose personal information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Syncroly, our users, or others.

3.4 Business Transfers

In connection with a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity, subject to the commitments in this Privacy Policy and any applicable BAA.

3.5 With Your Consent

We may share information with your explicit consent for purposes not described in this Policy.

4. HIPAA and Protected Health Information

4.1 Our Role

When Customers use the Services to create referrals containing PHI, Syncroly acts as a Business Associate under HIPAA. Our obligations regarding PHI are governed by the BAA executed between Syncroly and the Customer (the Covered Entity). In the event of a conflict between this Privacy Policy and the BAA regarding PHI, the BAA controls.

4.2 PHI Safeguards

We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, including:

  • AES-256 encryption for data at rest (provided by infrastructure); TLS 1.2 or higher for data in transit
  • Application-layer field-level encryption (AES-256-GCM) for designated high-risk data elements, including free-text clinical notes and public form submission snapshots
  • Structured PHI additionally protected by database-level encryption at rest, tenant isolation, consent gating, and role-based access controls
  • Token-based access with expiration enforcement for referral views
  • Audit logging for sensitive operations (access, consent, modifications)

4.3 De-Identification

When we collect Usage Data (as defined in the Terms of Service, Section 5.5), we de-identify it in accordance with 45 CFR § 164.514. Usage Data does not constitute PHI.

4.4 What We Do Not Do with PHI

  • We do not use PHI for marketing.
  • We do not sell PHI.
  • We do not include PHI in log files, error reports, analytics, or email/SMS message bodies.
  • We do not display PHI to any party until HIPAA consent has been accepted by the Patient User.

5. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Account and profile data | Duration of Account, plus 60 days post-termination for export |
| Referral data (including PHI) | As governed by the applicable BAA; otherwise 60 days post-termination |
| Audit logs (ActivityLog) | 6 years minimum (HIPAA requirement) |
| Authentication session data | 30 days (JWT expiry) |
| Rate-limiting data (hashed IPs) | Transient; automatically expires per rate-limit window |
| Error monitoring data (Sentry) | Per Sentry's standard retention (30 days default) |
| GA4 analytics data (marketing) | Per Google's standard retention settings (14 months default) |
| Payment records | As required by tax and financial reporting obligations |

Upon Account termination, data handling follows the process described in Section 5.4 of the Terms of Service and any applicable BAA.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

| Cookie / Technology | Type | Purpose | Duration | Required? |
| --- | --- | --- | --- | --- |
| NextAuth session cookie | HTTP cookie (JWT) | Authentication — maintains your logged-in session | 30 days | Essential |
| NextAuth CSRF cookie | HTTP cookie | Security — prevents cross-site request forgery | Session | Essential |
| next-themes | localStorage | Functional — remembers your light/dark mode preference | Persistent | Functional |
| Vercel Analytics | Cookie-free beacon | Product analytics — page views and usage patterns | N/A | No cookies |
| Vercel Speed Insights | Cookie-free beacon | Performance monitoring | N/A | No cookies |
| _ga, _ga_* (GA4) | HTTP cookies | Marketing analytics — marketing website traffic only | Up to 2 years | Consent required |

6.2 Cookie Consent

Essential cookies (authentication, CSRF) are set automatically because the Services cannot function without them. No consent is required for essential cookies.

Marketing cookies (GA4) are loaded only on our public marketing website and only after you provide consent via our cookie consent banner. If you decline or do not interact with the banner, GA4 scripts are not loaded and no GA4 cookies are set. You can withdraw consent at any time through the cookie settings link in our website footer.

Patient Users are never served marketing cookies. Patient token pages do not load GA4 or any marketing analytics scripts.

6.3 Browser Controls

Most browsers allow you to control cookies through their settings. Blocking essential cookies may prevent you from using the Services. For more information, visit your browser’s help documentation.

7. Your Rights and Choices

7.1 Account Holders (Customers and Authorized Users)

  • Access and Export. You may access and export your Customer Data through the functionality available in the Services at any time during the term.
  • Correction. You may update your account and profile information through the Services.
  • Deletion. You may request deletion of your Account by contacting privacy@syncroly.co. Upon termination, data retention is governed by Section 5.4 of the Terms of Service and any applicable BAA.
  • Marketing Communications. If we offer marketing communications in the future, they will require separate consent and you will be able to unsubscribe at any time via an unsubscribe link in each message or by contacting privacy@syncroly.co.
  • Cookie Preferences. You may manage non-essential cookie preferences via our cookie consent banner on the marketing website.

7.2 Patient Users

Patient Users access the Services through secure token links and do not create accounts. Patient Users may:

  • Decline consent. If you decline the HIPAA consent disclosure, no referral details will be shown and no PHI will be disclosed to receiving providers.
  • Contact us. Patient Users may contact us at privacy@syncroly.co with questions about their data. Requests related to PHI may be directed to the referring healthcare provider (the Covered Entity), who controls decisions about the use and disclosure of your health information under HIPAA.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to Know. You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete. You may request deletion of personal information we have collected, subject to legal exceptions.
  • Right to Opt Out of Sale/Sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@syncroly.co. We will verify your identity before processing a request.

8. International Users

The Services are primarily designed for healthcare providers in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where our servers and service providers are located.

8.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland and visit our marketing website, we process your personal data on the following legal bases:

  • Consent for non-essential cookies and marketing analytics (GA4). You may withdraw consent at any time.
  • Legitimate interests for essential website functionality and security.

You have the right to access, rectify, erase, restrict processing, and port your personal data, as well as the right to object to processing and to lodge a complaint with your local supervisory authority. To exercise these rights, contact us at privacy@syncroly.co.

We do not currently offer the Services to healthcare providers in the EEA, UK, or Switzerland for the purpose of processing patient health data. If this changes, we will update this Policy and implement appropriate data transfer safeguards.

9. Security

We implement administrative, physical, and technical safeguards designed to protect personal information, including encryption at rest and in transit, role-based access controls, tenant-scoped data isolation, token-based access with expiration enforcement, and audit logging. For details on our HIPAA security measures, see Section 4.2.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Children’s Privacy

The Services are not directed to individuals under the age of 18, and minors may not create Accounts. We do not knowingly collect personal information directly from children. If we learn that a child under 18 has directly provided us with personal information outside the context of a referral, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@syncroly.co.

The Services may process PHI of minor patients as part of referrals created by Covered Entities (e.g., a pediatric dental referral). In such cases, the Covered Entity is responsible for obtaining any required parental or guardian consent under HIPAA and applicable state law. Syncroly processes this data as a Business Associate under the direction of the Covered Entity.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least thirty (30) days’ notice of material changes via email or a prominent notice within the Services. Your continued use of the Services after the effective date of any changes constitutes acceptance. The “Effective Date” at the top of this Policy indicates when it was last revised.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Syncroly Inc.

Attn: Privacy Officer

privacy@syncroly.co

If you are a Patient User with questions about your health information, you may also contact the healthcare provider who referred you, as they are the Covered Entity responsible for decisions about your PHI under HIPAA.

For information about our terms of use, see our Terms of Service. For our HIPAA obligations, see our Business Associate Agreement.