Privacy Policy

Syncroly Inc.

Effective March 11, 2026

This Privacy Policy describes how Syncroly Inc. (“Syncroly,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use our referral coordination platform, website, and related services (collectively, the “Services”). This Policy applies to service providers who use the platform (“Customers”), their team members (“Authorized Users”), individuals who access referrals via secure links (“Referred Individuals”), and visitors to our website (“Visitors”).

This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

For Customers in regulated industries: information about how we handle Protected Health Information (“PHI”) under HIPAA is in Section 4.

1. Information We Collect

1.1 Information You Provide

Account and Profile Information. When you create an Account, we collect your name, email address, practice name, practice address, phone number, specialty, and professional role. We also collect information about team members you invite as Authorized Users.

Referral Data. When you create a referral, we collect information about the person being referred (name, date of birth, email, phone number), referral context (specialty, reasons, notes), and category-specific data such as dental tooth selections, veterinary animal details, or mental health risk context flags. In healthcare contexts, this data may constitute PHI and is governed by the applicable Business Associate Agreement (see Section 4).

Messages and Attachments. The Services support secure messaging and file sharing between referring and receiving providers in the context of a referral. Message content and attached files are stored as part of the referral record.

Payment Information. If you subscribe to a paid plan, payment information is collected and processed by our third-party payment processor (currently Stripe). We do not store credit card numbers or bank account details on our servers. We receive only transaction confirmations, plan details, and billing contact information from the processor.

Communications. If you contact us at privacy@syncroly.co or through other channels, we collect the content of your communications.

1.2 Information Collected Automatically

From Customers and Authorized Users (authenticated app):

  • Session data via authentication cookies (see Section 6)
  • Feature usage patterns and navigation (via Vercel Analytics, cookie-free)
  • Performance metrics (via Vercel Speed Insights, cookie-free)
  • Rate-limiting identifiers (IP addresses are hashed using SHA-256 and truncated; raw IP addresses are never stored)
  • Error and diagnostic data (via Sentry), including stack traces, browser and operating system metadata, and sanitized page URLs. Sentry is configured to minimize the collection of identifiers; we do not intentionally send PHI to Sentry.

From Referred Individuals (token-based access):

  • Consent acceptance timestamp and method
  • Referral view timestamp
  • Booking confirmation selection
  • Rate-limiting identifiers (hashed IP, as described above)
  • Performance and error data (Vercel Speed Insights, Sentry — same scope as above)

Referred Individuals are not tracked by Google Analytics. Referral token pages do not load marketing analytics scripts.

From Visitors (marketing website only):

  • Google Analytics 4 (GA4) collects: anonymized IP address, device type, browser, operating system, screen resolution, pages visited, referrer URL, session duration, and a pseudonymous client identifier stored in the _ga cookie. GA4 does not receive referral data, provider identities, or any information from the authenticated application. GA4 scripts are loaded only on public marketing pages and are subject to cookie consent (see Section 6).
  • Vercel Analytics and Speed Insights (cookie-free beacons)

1.3 Information from Third Parties

Address Autocomplete. When you use address fields in the Services, address queries are sent to Google Places API to provide autocomplete suggestions. Google receives the partial address text you type but does not receive personal names or other identifying information alongside it.

Bot Protection. We use Cloudflare Turnstile on certain public-facing forms to distinguish legitimate users from automated bots. Cloudflare processes visitor IP addresses and interaction signals at its global edge network. No cookies are set by Turnstile.

2. How We Use Your Information

We use personal information for the following purposes:

  • Providing the Services: Processing referrals, generating secure access links, enabling messaging, managing accounts and team roles, and tracking referral lifecycle events.
  • Authentication and Security: Verifying identity, managing sessions, enforcing rate limits, detecting and preventing fraud or unauthorized access, and maintaining audit logs.
  • Service notifications: Sending referral-related notifications (referral alerts, status updates, reminders). You can manage your preferences for these notifications in your account settings.
  • Account notices: Sending operational and administrative communications (security alerts, billing reminders, account updates, terms or policy changes). You cannot opt out of these notices while your Account is active.
  • Product Improvement: Analyzing aggregated, de-identified Usage Data (as defined in the Terms of Service) to improve features, performance, and reliability.
  • Error Monitoring: Diagnosing and resolving technical issues using error reports that contain technical metadata but not PHI.
  • Compliance: Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service and BAA.
  • Marketing (Website visitors only): Analyzing marketing website traffic via GA4 to understand how visitors find and interact with our public pages. GA4 is not used inside the authenticated application or on referral-facing pages.

We do not sell, share, or disclose personal contact information — including email addresses, phone numbers, and mailing addresses — to third parties or affiliates for advertising, marketing, or promotional purposes.

3. How We Share Your Information

We share personal information only in the following circumstances:

3.1 Service Providers (Sub-Processors)

We use third-party service providers to operate the Services. Each provider receives only the data necessary for its function. Providers that may access PHI are bound by Business Associate Agreements.

Provider | Function | Data Received
Vercel | Application hosting | Application data in transit and at rest
Neon (AWS) | Database hosting | All stored application data including ePHI
AWS S3 | File storage | Referral attachments
Upstash | Rate limiting | Hashed IP addresses only
Postmark | Transactional email | Recipient email addresses, message content (no PHI in bodies per policy)
Twilio | SMS notifications | Phone numbers, message content (no PHI in bodies per policy)
Cloudflare | Bot protection | Visitor IP addresses, interaction signals
Google (Places API) | Address autocomplete | Partial address queries
Google (Analytics 4) | Marketing analytics | Anonymized IP, device/browser info, page views (marketing site only)
Sentry | Error monitoring | Error data, browser/OS metadata (no PHI, no personal identifiers)
UptimeRobot | Uptime monitoring | Server-side health check pings only; no user data
Stripe | Payment processing | Billing and payment information

3.2 Within a Referral

When a referral is created, the referring provider’s information, referral details, and context are shared with the receiving provider(s) selected for that referral. This sharing occurs only after consent is established through one of two mechanisms: (a) the Referred Individual accepts the consent disclosure via their secure access link, or (b) the referring provider attests that they have obtained the Referred Individual’s consent prior to submission.

This sharing is the core function of the Services and is authorized by your acceptance of the Terms of Service and the Referred Individual’s consent. For healthcare Customers whose data constitutes Protected Health Information, this sharing is additionally governed by the applicable Business Associate Agreement.

3.3 Legal Requirements

We may disclose personal information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Syncroly, our users, or others.

3.4 Business Transfers

In connection with a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity, subject to the commitments in this Privacy Policy and any applicable BAA.

3.5 With Your Consent

We may share information with your explicit consent for purposes not described in this Policy.

4. HIPAA and Protected Health Information

4.1 Our Role

When Customers use the Services to create referrals containing PHI, Syncroly acts as a Business Associate under HIPAA. Our obligations regarding PHI are governed by the BAA executed between Syncroly and the Customer (the Covered Entity). In the event of a conflict between this Privacy Policy and the BAA regarding PHI, the BAA controls.

4.2 PHI Safeguards

For healthcare Customers whose data constitutes PHI, the platform-wide security measures described in Section 9 additionally satisfy the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C).

4.3 De-Identification

When we collect Usage Data (as defined in the Terms of Service, Section 5.5), we de-identify it in accordance with 45 CFR § 164.514. Usage Data does not constitute PHI.

4.4 What We Do Not Do with PHI

  • We do not use PHI for marketing.
  • We do not sell PHI.
  • We do not include PHI in log files, error reports, analytics, or email/SMS message bodies.
  • We do not display PHI to any party until consent has been accepted by the Referred Individual.

5. Data Retention

Data Type | Retention Period
Account and profile data | Duration of Account, plus 60 days post-termination for export
Referral data (including PHI) | As governed by the applicable BAA; otherwise 60 days post-termination
Audit logs (ActivityLog) | 6 years minimum (industry best practice; required for healthcare Customers under HIPAA)
Authentication session data | 30 days (JWT expiry)
Rate-limiting data (hashed IPs) | Transient; automatically expires per rate-limit window
Error monitoring data (Sentry) | Per Sentry's standard retention (30 days default)
GA4 analytics data (marketing) | Per Google's standard retention settings (14 months default)
Payment records | As required by tax and financial reporting obligations

Upon Account termination, data handling follows the process described in Section 5.4 of the Terms of Service and any applicable BAA.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

Cookie / Technology | Type | Purpose | Duration | Required?
NextAuth session cookie | HTTP cookie (JWT) | Authentication — maintains your logged-in session | 30 days | Essential
NextAuth CSRF cookie | HTTP cookie | Security — prevents cross-site request forgery | Session | Essential
next-themes | localStorage | Functional — remembers your light/dark mode preference | Persistent | Functional
Vercel Analytics | Cookie-free beacon | Product analytics — page views and usage patterns | N/A | No cookies
Vercel Speed Insights | Cookie-free beacon | Performance monitoring | N/A | No cookies
_ga, _ga_* (GA4) | HTTP cookies | Marketing analytics — marketing website traffic only | Up to 2 years | Consent required

6.2 Cookie Consent

Essential cookies (authentication, CSRF) are set automatically because the Services cannot function without them. No consent is required for essential cookies.

Marketing cookies (GA4) are loaded only on our public marketing website and only after you provide consent via our cookie consent banner. If you decline or do not interact with the banner, GA4 scripts are not loaded and no GA4 cookies are set. You can withdraw consent at any time through the cookie settings link in our website footer.

Referred Individuals are never served marketing cookies. Referral token pages do not load GA4 or any marketing analytics scripts.

6.3 Browser Controls

Most browsers allow you to control cookies through their settings. Blocking essential cookies may prevent you from using the Services. For more information, visit your browser’s help documentation.

7. Your Rights and Choices

7.1 Account Holders (Customers and Authorized Users)

  • Access and Export. You may access and export your Customer Data through the functionality available in the Services at any time during the term.
  • Correction. You may update your account and profile information through the Services.
  • Deletion. You may request deletion of your Account by contacting privacy@syncroly.co. Upon termination, data retention is governed by Section 5.4 of the Terms of Service and any applicable BAA.
  • Marketing Communications. If we offer marketing communications in the future, they will require separate consent and you will be able to unsubscribe at any time via an unsubscribe link in each message or by contacting privacy@syncroly.co.
  • Cookie Preferences. You may manage non-essential cookie preferences via our cookie consent banner on the marketing website.

7.2 Referred Individuals

Referred Individuals access the Services through secure token links and do not create accounts. Referred Individuals may:

  • Decline consent. If you decline the consent disclosure, no referral details will be shown and no information will be disclosed to receiving providers.
  • Contact us. Referred Individuals may contact us at privacy@syncroly.co with questions about their data. For healthcare referrals, requests related to PHI may be directed to the referring provider (the Covered Entity), who controls decisions about the use and disclosure of health information under HIPAA.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to Know. You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete. You may request deletion of personal information we have collected, subject to legal exceptions.
  • Right to Opt Out of Sale/Sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@syncroly.co. We will verify your identity before processing a request.

8. International Users

The Services are primarily designed for service providers in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where our servers and service providers are located.

8.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland and visit our marketing website, we process your personal data on the following legal bases:

  • Consent for non-essential cookies and marketing analytics (GA4). You may withdraw consent at any time.
  • Legitimate interests for essential website functionality and security.

You have the right to access, rectify, erase, restrict processing, and port your personal data, as well as the right to object to processing and to lodge a complaint with your local supervisory authority. To exercise these rights, contact us at privacy@syncroly.co.

We do not currently offer the Services to service providers in the EEA, UK, or Switzerland for the purpose of processing regulated personal data. If this changes, we will update this Policy and implement appropriate data transfer safeguards.

9. Security

Syncroly applies strong security and privacy protections to all data processed through the Services, regardless of industry. We implement administrative, physical, and technical safeguards including:

  • AES-256 encryption for data at rest (provided by infrastructure); TLS 1.2 or higher for data in transit
  • Application-layer field-level encryption (AES-256-GCM) for designated high-risk data elements, including free-text notes and public form submission snapshots
  • Database-level encryption at rest, tenant isolation, consent gating, and role-based access controls
  • Token-based access with expiration enforcement for referral views
  • Audit logging for sensitive operations (access, consent, modifications)

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Children’s Privacy

The Services are not directed to individuals under the age of 18, and minors may not create Accounts. We do not knowingly collect personal information directly from children. If we learn that a child under 18 has directly provided us with personal information outside the context of a referral, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@syncroly.co.

The Services may process data of minors as part of referrals created by Customers. Customers are responsible for obtaining any required parental or guardian consents under applicable law before submitting referral data for a minor.

For healthcare Customers, the Covered Entity is additionally responsible for obtaining any consents required under HIPAA. Syncroly processes such data as a Business Associate under the direction of the Covered Entity.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least thirty (30) days’ notice of material changes via email or a prominent notice within the Services. Your continued use of the Services after the effective date of any changes constitutes acceptance. The “Effective Date” at the top of this Policy indicates when it was last revised.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Syncroly Inc.

Attn: Privacy Officer

privacy@syncroly.co

If you are a Referred Individual with questions about your information, you may also contact the provider who referred you. For healthcare referrals, the referring provider is the Covered Entity responsible for decisions about your PHI under HIPAA.

For information about our terms of use, see our Terms of Service. For our HIPAA obligations, see our Business Associate Agreement.