Privacy Policy
Last updated: June 2026
Synalogic Pty Ltd (ABN 45 691 043 320) ("Synalogic", "we", "us", or "our") is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy describes how we collect, hold, use, and disclose your personal information.
We operate the Synalogic Platform — an AI trust platform for professional workflows. Customers use the Platform to apply AI to high-stakes professional work, including compliance, audit, legal review, contract analysis, asset and evidence review, and other workflows where the outputs need to be defensible. Our handling of personal information depends on the relationship you have with us, and this policy explains both.
1. The Two Ways We Handle Personal Information
We deal with personal information in two distinct roles, and the rest of this policy makes the distinction where it matters.
1.1 As a controller — for visitors, prospects, and platform users
When you contact us through our website, ask for a demo, or use the Synalogic Platform under a subscription, we determine how and why your information is handled. The information we collect in this role is described in section 2.
1.2 As a processor — for content provided by our customers
Our customers use the Synalogic Platform to apply AI to their own professional work. The content they upload, generate, or store in the Platform — for example, contracts, evidence documents, audit findings, asset records, and risk assessments — may contain personal information about their employees, suppliers, contractors, or other individuals. We process that information only on our customer's documented instructions, as set out in the data processing agreement we have with them.
If your personal information appears in customer content held in the Platform and you want to exercise rights over it, your first point of contact is that customer (the Synalogic customer whose Platform deployment contains your information). We will assist you in identifying the right contact if needed — see section 11.
2. Information We Collect as a Controller
2.1 Information You Give Us
- Name and contact details (email address, phone number)
- Organisation name and your role
- Information you provide when you contact us or submit an enquiry
- Records of our communications with you
- Authentication details when you create or use a Platform account (email, role assignments)
2.2 Information We Collect Automatically
When you visit our website or use the Synalogic Platform, we collect:
- Your IP address and browser type
- Pages visited and time spent
- Referring website addresses
- Platform usage events (logins, feature interactions, error events) where you are an authenticated user
- Other technical information collected through cookies and similar technologies
2.3 Sensitive Information
We do not ask for or knowingly collect sensitive information (as defined in the Privacy Act, including information about health, racial or ethnic origin, sexual orientation, religious beliefs, or criminal history) through our controller-path channels. Where sensitive information appears in customer content held in the Platform, we process it only under the customer's documented instructions and our data processing agreement with them.
3. How We Use the Information
We use personal information collected as a controller to:
- Respond to your enquiries and provide information about our products and services
- Arrange and conduct product demonstrations
- Operate, secure, and improve the Synalogic Platform for authenticated users
- Communicate with you about your account, updates to the Platform, and material changes to our terms or policies
- Comply with our legal obligations
- Detect and respond to security events affecting the Platform
- For any other purpose to which you have consented
3.1 AI Processing of Customer Content
Where personal information appears in customer content held in the Platform, that content may be processed by artificial intelligence services within the cloud region selected for the customer's Platform deployment. Synalogic supports deployment in multiple Google Cloud regions; the region for each customer is recorded in our data processing agreement with them. We operate under contractual data protection terms with our AI service provider that prohibit retention or use of customer content for model training. A PII sanitisation step screens content before it is sent to AI services to minimise personal information exposure.
Our Platform is not configured to produce binding decisions through automated processing alone in our controller relationships. AI-generated outputs are presented to human reviewers, who make the resulting decisions. This is an architectural property of the Platform, not just a policy commitment.
4. Where Personal Information Is Held and Processed
Personal information held in connection with Synalogic falls into three categories. Each is handled differently and rests on different contractual and architectural arrangements.
4.1 Customer content in the Synalogic Platform
The Platform is deployed in cloud regions selected by each customer. Customer content (the documents, data, and AI-generated outputs held in a customer's workspace) is processed and stored in that customer's selected region and does not leave that region unless the customer reconfigures their deployment. The region for each customer is recorded in our data processing agreement with them.
4.2 Personal information we collect as a controller
Personal information we collect from website visitors, prospects, and Platform account holders is processed using a combination of cloud infrastructure and third-party service providers that assist us with hosting, email delivery, support tooling, and analytics. Some of these service providers operate outside Australia, including in the United States and the European Union. Where this is the case:
- we engage them only under written contracts that include data protection terms aligned with Australian and (where applicable) European privacy law;
- we take reasonable steps to ensure that recipients comply with the Australian Privacy Principles or are subject to substantially similar privacy protections;
- for transfers from the EEA we rely on the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms;
- we do not transfer personal information overseas for any purpose not covered by these arrangements.
4.3 Business communications with partners and advisers
In the course of running our business we correspond with professional advisers (lawyers, accountants, auditors including our SOC 2 external auditor), partners, integrators, and other third parties, some of whom are located outside Australia. Where such correspondence contains personal information, the recipient is responsible for handling that personal information in compliance with the privacy law of their jurisdiction. We require these recipients to handle personal information consistently with our obligations to you, either through written agreements with us, through their own legally-binding professional confidentiality obligations, or both.
4.4 Legal and corporate disclosures
We may disclose personal information to government authorities if required by law, court order, or regulatory direction. We may also disclose personal information to a successor entity in the event of a corporate reorganisation, merger, or sale of the relevant business; in such cases, the successor will be bound by terms no less protective than this Privacy Policy.
We have not sold, rented, or traded personal information for marketing purposes, and we do not intend to.
5. Data Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include:
- Encryption of data in transit and at rest. Cryptographic keys for production data are managed by Synalogic in Google Cloud Key Management Service, with documented rotation schedules and access restricted to authorised personnel
- Role-based access controls and multi-factor authentication
- Continuous logging and monitoring of Platform activity
- Regular vulnerability scanning, penetration testing, and security reviews
- Staff training in privacy and information security
- A documented incident response plan with notification commitments
Synalogic operates an information security programme aligned with SOC 2, ISO/IEC 27001:2022, and ISO/IEC 42001:2023 (the AI management system standard). We will notify affected individuals and the Office of the Australian Information Commissioner of eligible data breaches in accordance with the Notifiable Data Breaches scheme.
6. Cookies and Tracking
Our website uses cookies and similar technologies to improve your browsing experience and analyse website traffic. You can manage cookie preferences through your browser settings; disabling cookies may affect some website functionality. We do not use cookies to track individuals across third-party sites.
7. Your Rights
Under the Privacy Act 1988 (Cth) you have the right to:
- Access the personal information we hold about you
- Correct any inaccurate, incomplete, or out-of-date information
- Request deletion or de-identification of your personal information (subject to our legal and contractual obligations)
- Opt out of receiving direct marketing communications at any time
- Complain if you believe we have breached the APPs
Where you are an individual whose personal information appears in customer content held in the Platform, your first point of contact for these rights is that customer. We will assist in identifying the right contact and will support our customer's response.
7.1 Australian residents
To exercise any of these rights, contact us using the details in section 11. Consistent with APP 12, we will acknowledge your request within a reasonable timeframe and provide a substantive response within the period required by the Privacy Act.
7.2 EEA and UK residents
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR or UK GDPR, including the right to restrict processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority. We will honour those rights where they apply, and will respond to requests within the timeframes set out in those regulations.
8. How Long We Keep Your Information
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or contract. When personal information is no longer required, we securely delete or de-identify it.
8.1 Customer content held in the Platform
Customer content held in the Synalogic Platform (uploads, extracted text, vector chunks, embeddings, and AI-generated outputs derived from customer data) is retained under a class configured at the workspace level by our customer (the data controller). The default behaviour is deletion of source content and all derivatives within a short defined timeframe of a customer-initiated deletion request. Where a customer elects extended retention to support specific operational, regulatory, or record-keeping requirements, that election is documented in our data processing agreement with that customer. The specific retention periods, customer election mechanics, and customer rights are set out in our standard data processing agreement (available to customers under NDA).
8.2 Records of our operations
We retain security event records (which contain metadata about Platform activity such as timestamps, identifiers, and content hashes, but not the underlying customer content) for the periods necessary to satisfy our SOC 2 and ISO 27001 audit obligations and Australian regulatory record-keeping requirements. These records do not retain the content of customer documents or the personal information contained within them.
8.3 Information collected as a controller
Information we collect in our controller role (account records, enquiries, marketing list information, website analytics) is retained for the periods set out in our internal data retention schedule, which balances operational need, legal obligations, and privacy minimisation. We will provide more specific information on request.
9. Children
Our website and the Synalogic Platform are intended for use by professionals in the course of their work. They are not directed to individuals under 18 years of age, and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us at privacy@synalogic.com.au and we will take steps to delete it.
10. Third-Party Links
Our website and the Synalogic Platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies.
11. Contact Us
If you have any questions about this Privacy Policy, wish to access or correct your personal information, or have a complaint about how we have handled your information, please contact us:
Synalogic Pty Ltd
Email: privacy@synalogic.com.au
We will acknowledge your enquiry within a reasonable timeframe and respond substantively in line with our obligations under the Privacy Act.
12. Complaints
If you are not satisfied with our response to your privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
European and UK individuals may also contact their local supervisory authority. Lists are maintained at edpb.europa.eu (for the EEA) and ico.org.uk (for the UK).
13. Changes to This Policy
We may update this Privacy Policy from time to time. Any material changes will be posted on this page with an updated revision date, and where the change is significant we will notify Platform users by email. We encourage you to review this policy periodically.
14. Governing Law
This Privacy Policy is governed by the laws of New South Wales, Australia. Any disputes arising from this policy will be subject to the exclusive jurisdiction of the courts of New South Wales.