Synapse
PrivacyTerms

Legal

Privacy Policy

Last updated 29 May 2026

Synapse provides AI-assisted legal services to startup clients. This page explains what personal data we collect, why, where it lives, how long we keep it, and the rights you have over it. The full Synapse Services Agreement (PDF) is the legally-binding version - this is a plain-English mirror of the same commitments.

Want the full document?

The Synapse Services Agreement is the legally-binding version. The summary below mirrors the same terms in plain English.

Download PDF

1. Who we are

Synapse Legal Limited is a private company registered in England and Wales, operating as a regulated legal services provider. We are the data controller for the personal data described in this policy.

Contact us at hello@synapse.legal for any privacy question, data subject request, or general enquiry.

2. What personal data we collect

We collect only what we need to provide legal services to you:

  • Account data - your full name, work email, and the name of the company you represent. Collected at sign-up.
  • Identity verification data (Google sign-in) - when you sign in with Google, we receive your name, email address, and profile picture from Google. We do not request access to your Gmail, Drive, Calendar, or any other Google service.
  • Contract content - any documents you upload to your Synapse workspace, plus contextual notes you provide alongside them. These are work product covered by legal professional privilege.
  • Payment data - billing identifiers from Stripe. We do not store your card number; Stripe handles all card data in PCI-DSS-compliant infrastructure.
  • Usage data - server-side audit logs of significant actions (sign-in, contract submission, quote acceptance, payment events) and minimal performance telemetry from Sentry.

3. How we use your data

Personal data is used strictly for:

  • Providing the legal services you have engaged us to deliver.
  • Communicating with you about your contracts, quotes, invoices, and account.
  • Producing AI-assisted draft documents and contract analyses, which our qualified lawyers review and edit before sending you the final output.
  • Billing, accounting, and regulatory record-keeping.
  • Improving our service - looking at aggregate, de-identified usage patterns to decide what to build next.

We never sell your data. We never use your contract content to train third-party AI models. AI processing (Anthropic Claude) runs on a zero-retention contractual basis - your data is not stored or used for model training by the provider.

4. Where your data is stored

  • Primary database - Supabase, hosted in Frankfurt, Germany (EU region eu-central-1). UK and EU GDPR applies.
  • Document storage - Cloudflare R2, EU region.
  • Email transmission - Resend (for transactional emails). EU processing.
  • Payment processing - Stripe (for billing). US/EU; Stripe is GDPR-compliant.
  • AI processing - Anthropic (Claude API). Processed under our enterprise contract with a zero-retention guarantee.
  • Application hosting - Vercel. EU/global edge network for delivery; data at rest stays in the EU regions above.

5. How long we keep your data

  • Active accounts - for as long as you remain a Synapse client plus 7 years thereafter (the standard professional records-retention period for UK legal services).
  • Cancelled / deleted accounts - when you ask us to delete your account, we retain only the minimum records we are legally required to keep (anti-money-laundering, accounting) for the statutory period, then we delete them too.
  • Audit logs - kept for the same retention period as account data; cannot be deleted on individual request because we rely on them for security and regulatory accountability.

6. Your rights

Under UK / EU GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate personal data.
  • Request deletion of your personal data (subject to the legal retention obligations described above).
  • Receive a portable copy of your data (data portability).
  • Object to processing or request a restriction on processing.
  • Withdraw any consent you have given (this won't affect lawfulness of processing already done).
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local EU supervisory authority.

To exercise any of these rights, email hello@synapse.legal. We respond within 30 days.

7. Security

  • All data in transit uses TLS 1.2 or higher.
  • All data at rest is encrypted.
  • Database access is restricted via row-level security - each user can only read and write their own company's data.
  • Multi-factor authentication available on every Synapse account, required for all staff accounts.
  • Regular vulnerability monitoring (Dependabot, Sentry) and pre-launch third-party security review.

8. Cookies and tracking

Synapse uses only essential cookies - those required to keep you signed in and protect against cross-site request forgery. We do not use advertising cookies, third-party analytics that profile you, or fingerprinting techniques.

9. Children

Synapse is a business-to-business service. We do not knowingly collect data from anyone under 18 and we do not offer services to consumers.

10. Changes to this policy

We update this policy when our data-handling practice changes. Material changes will be communicated to active account holders by email at least 14 days before they take effect.

11. Contact

Privacy questions, data subject requests, complaints: hello@synapse.legal