Privacy Policy

1. Introduction

Welcome to SalesSynq ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our sales SaaS platform and related services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

• Account information (name, email, company details)
• Payment and billing information
• Communication preferences
• Support requests and feedback

2.2 Information We Collect Automatically

• Usage data and analytics
• Device information and IP addresses
• Cookies and similar tracking technologies
• Performance and error logs

2.3 Third-Party Integration Data

Our Service integrates with various messaging platforms and communication channels, including but not limited to:

• WhatsApp Business API
• Gmail/Google Workspace
• Microsoft Outlook/Office 365
• Slack
• Telegram
• SMS/Text messaging services
• Social media messaging platforms
• Customer relationship management (CRM) systems

When you connect these services to our platform, we may collect and process:

• Message content, metadata, and attachments
• Contact information from conversations
• Conversation history and thread data
• User identifiers and profile information
• Timestamps and interaction patterns
• Business account information and settings

2.4 Cookies and Google Analytics

We use Google Tag Manager (GTM) and Google Analytics (GA) to understand how visitors use our website (e.g. pages visited, device type, approximate location). Analytics run only if you accept analytics cookies via our cookie banner. If you decline, we do not load GTM or GA and no analytics data is collected from your visit.

When you accept cookies, Google may collect data such as IP address, browser and device information, and usage data. This is subject to Google's Privacy Policy. You can change your choice at any time by clearing site data or using a different browser; we will show the cookie banner again on your next visit if no consent is stored.

3. How We Use Your Information

We use the collected information to:

• Provide, maintain, and improve our Service
• Process transactions and manage billing
• Send service-related communications
• Provide customer support and respond to inquiries
• Analyze usage patterns and optimize performance
• Ensure security and prevent fraud
• Comply with legal obligations
• Facilitate communication between users and customers
• Generate business insights and analytics
• Personalize user experience and recommendations

4. Data Encryption and Security

4.1 Data Encryption Standards

We implement the following concrete encryption controls:

4.2 Security Measures

• Authentication: OAuth 2.0 / OpenID Connect SSO with Google and Microsoft (which carry the Customer's own MFA), and native TOTP-based MFA with self-service enrolment, recovery codes, and configurable hard-enforcement for password sign-in.
• Fine-grained authorization via OpenFGA, with tenant-scoped repository access enforced by an aspect that rejects any cross-tenant query.
• Append-only audit log with periodic chain sealing; retained for 365 days by default.
• Static application security testing (CodeQL) on every pull request; OWASP Dependency-Check (CVSS ≥ 7 fails the build); secret scanning (Gitleaks) on every commit.
• Documented incident response procedure; we will notify the affected data controller without undue delay and, in any event, within 72 hours of becoming aware of a personal-data breach (GDPR Article 33).
• Annual third-party penetration testing planned; vendor selection in progress, engagement target before the first paying Customer. The executive summary will be made available on request under NDA once delivered.

4.3 AI / LLM Processing of Customer Data

• No training on Customer Data. We do not use Customer Data to train, fine-tune, or otherwise improve any third-party or proprietary AI / machine-learning model. Operationally, we apply each LLM provider's "do not use my data for training" toggle at the production-org level, and we have applied for OpenAI Zero-Data-Retention.
• Data minimization. Common categories of personal data (email addresses, phone numbers, financial identifiers) are redacted from prompts before they are sent to an LLM provider, where feasible.
• Provider segregation. Each LLM call sets the OpenAI user field to an opaque, per-tenant identifier so the provider's abuse-monitoring stays per-tenant. The provider protocol enforces this: in production, calls without tenant context fail closed.
• Determinism boundary. Customer-facing scoring, risk likelihood, progress trend, similar-deal comparison, and workflow-integrity outputs are produced by deterministic rule-based logic. LLM output is suggested text and is validated, parsed, and falls back to deterministic logic on parse failure.
• EU AI Act alignment. Our public AI Disclosure (under Article 50, limited-risk transparency) describes the model, what is logged, and which actions require explicit user approval.

4.4 Data Residency

Production data for the Service is stored in data centers operated by our infrastructure provider. Where applicable, we offer (or are working to offer) deployment in EU regions for Customers with EU data-residency requirements. Where data is necessarily transferred outside the European Economic Area — for example, when an LLM sub-processor's regional endpoint is required — we rely on the safeguards set out in Section 8.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share your information with trusted third-party service providers who:

• Host our infrastructure and services
• Process payments and billing
• Provide analytics and monitoring tools
• Deliver customer support services
• Integrate with messaging platforms

All third-party providers are contractually bound to maintain the same level of data protection and security.

5.2 Legal Requirements

We may disclose your information when required by law, including:

• Court orders or legal proceedings
• Government investigations
• Compliance with applicable regulations
• Protection of our rights and safety

6. Data Retention

We retain personal data only as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Default retention periods are:

You may request deletion of your personal data at any time, subject to legal and contractual constraints, by contacting us at the address in Section 12 or by exercising the data-subject request flow inside the Service.

7. Your Rights and Choices

7.1 Access and Control

You have the right to:

• Access your personal information
• Correct inaccurate or incomplete data
• Request deletion of your data
• Export your data in a portable format
• Opt-out of certain communications
• Restrict or object to processing

7.2 Communication Preferences

You can manage your communication preferences through your account settings or by contacting our support team.

7.3 Third-Party Integrations

You control which third-party services connect to our platform. You can:

• Revoke access to connected services
• Modify integration permissions
• Delete integration data
• Control data sharing preferences

7.4 Cookie Consent and Analytics

You can accept or decline analytics cookies (including Google Analytics) using the cookie banner shown on your first visit. If you previously accepted and wish to opt out, clear this site's data in your browser or decline when the banner is shown again. Declining analytics cookies means we do not load Google Tag Manager or Google Analytics for your visits.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:

• Standard contractual clauses
• Adequacy decisions
• Binding corporate rules
• Other approved transfer mechanisms

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

• Posting the new Privacy Policy on our website
• Sending email notifications to registered users
• Displaying prominent notices in our Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

11. Compliance Posture

We design and operate the Service to meet the requirements of:

• EU General Data Protection Regulation (Regulation (EU) 2016/679)
• California Consumer Privacy Act (CCPA / CPRA)
• EU Artificial Intelligence Act — Article 50 (transparency obligations for limited-risk AI systems); see our AI Disclosure

We are not currently certified to SOC 2, ISO/IEC 27001, or HIPAA. We are pursuing SOC 2 readiness; an attestation report and timeline can be shared on request under NDA.

12. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

13. Complaints and Dispute Resolution

If you have concerns about our data practices, you may:

• Contact our support team directly
• File a complaint with relevant data protection authorities
• Seek resolution through alternative dispute resolution mechanisms

We are committed to addressing all privacy concerns promptly and fairly.