SymlaVault

Privacy Policy

Last updated: April 21, 2026

1. Introduction

SymlaVault ("we," "us," "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the SymlaVault platform ("Service").

SymlaVault is a Backend-as-a-Service provider. We process data on behalf of our customers (platform tenants). This policy covers data we collect directly from you as a SymlaVault account holder. Our customers are responsible for their own privacy policies governing the data their end users provide.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (first and last)
  • Password (hashed — we never store plaintext passwords)
  • Phone number (optional, for MFA)

2.2 Billing Information

If you subscribe to a paid plan, our payment processor (Stripe) collects your payment information. We do not store credit card numbers or bank account details on our servers. We receive only a billing identifier from Stripe.

2.3 Usage Data

We automatically collect:

  • IP addresses (for security and rate limiting)
  • Browser user agent (for session management)
  • API request metadata (method, path, status code, duration)
  • Authentication events (login, logout, MFA verification)

2.4 Customer Data

As a BaaS provider, we host data that you and your application tenants store through the Service (documents, user records, etc.). We process this data solely to provide the Service and do not access, analyze, or use it for any other purpose.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Process payments and manage your subscription
  • Send transactional emails (account verification, password reset, security alerts)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not:

  • Sell your data to third parties
  • Use your data for advertising
  • Train AI models on your data
  • Share your data with third parties except as described in this policy

3a. Connected Google / Microsoft Accounts (Email, Calendar, Tasks)

If you connect a Google or Microsoft account to the Service, we request the minimum OAuth scopes required to:

  • Send email on your behalf (Gmail: gmail.send; Outlook: Mail.Send).
  • Read email metadata — sender, recipient, subject, timestamp, message ID — for the email activity log and automation triggers (Gmail: gmail.metadata; Outlook: Mail.ReadBasic). We do not read, store, or process the bodies of your emails, message snippets, attachments, or the contents of any message. These scopes are technical restrictions that physically prevent the Service from accessing message content.
  • Create and read calendar events when you configure an automation that adds an event, or use the calendar API directly (Google: calendar.events; Outlook: Calendars.ReadWrite).
  • Create and read tasks when you configure an automation that adds a task, or use the tasks API directly (Google Tasks: tasks; Microsoft To Do: Tasks.ReadWrite).

All scopes above are only requested when you explicitly click "Connect" for the relevant provider. Data read under these scopes is used solely to drive your own automations and API calls; it is not used to train machine-learning models, sold to third parties, or shared outside the boundaries described in Section 6.

Metadata records (email events, automation run history) are retained in short-term storage according to your tenant's configured retention period (default 365 days; minimum 30 days; maximum 7 years) and are automatically deleted when that window expires. Disconnecting your connected account triggers immediate deletion of the associated metadata from our primary database. An immutable audit record persists for 7 years in our compliance storage for legal and regulatory purposes (described in Section 4).

This use of Google user data is governed by the Google API Services User Data Policy, including the Limited Use requirements. We confirm that SymlaVault's use and transfer of information received from Google APIs adheres to those requirements.

4. Data Storage and Security

Your data is stored on Google Cloud Platform infrastructure in the United States (us-central1 region). We implement the following security measures:

  • Encryption at rest (AES-256, Google-managed keys)
  • Encryption in transit (TLS 1.2+ with modern cipher suites)
  • Database accessible only via private VPC (no public IP)
  • Mandatory MFA for all accounts
  • Immutable audit logs retained for 7 years
  • Automated secret rotation every 90 days

For full details, see our Security Policy.

5. Data Retention

SymlaVault serves regulated industries (financial services, healthcare, insurance, legal) where business records are subject to statutory retention requirements, typically 3–7 years. Retention periods vary by data type:

  • Account identifiers (name, email, phone, profile data): Retained while your account is active. On a verified deletion request or 30 days after account closure, these identifier fields are scrubbed — replaced with null values — while the underlying account row remains in place to preserve referential integrity with records we are required to retain (signed documents, audit trails, billing records).
  • Documents and uploaded files: Retained for the period required by our customer's regulatory obligations — typically 3–7 years for financial, legal, and insurance records. Storage class transitions automatically over time to reduce cost (Standard → Nearline at 90 days → Coldline at 365 days → Archive at 3 years) without reducing availability. Documents remain fully accessible for court-ordered production and regulatory audit at every tier. Documents are not deleted on account closure.
  • Signed electronic records (contracts, consent forms, e-signatures): Retained for the period required by the Uniform Electronic Transactions Act (UETA), the federal E-Sign Act, and applicable industry regulations — minimum 7 years. The associated signing audit trail (signer identity, IP address, timestamps, consent text, document hash) is immutable once recorded and cannot be deleted during the retention period.
  • Audit logs: Retained for 7 years in an immutable, append-only storage bucket for regulatory compliance (RESPA/TILA, GLBA, HIPAA where applicable). Individual audit events cannot be edited or removed during the retention period by any party, including SymlaVault personnel.
  • Customer data held on behalf of tenants: Where we process data on behalf of our customer (a platform tenant), the retention period is set by our customer's regulatory obligations and contractual terms with their end users. We do not unilaterally delete customer data outside the customer's retention schedule.
  • Email and integration metadata (sender/recipient/subject, OAuth tokens): Retained for your tenant's configured retention window (default 365 days; minimum 30 days; maximum 7 years). Disconnecting an integration triggers immediate deletion of the associated metadata from our primary database; an immutable audit record persists in the 7-year compliance bucket.
  • Billing records: Retained as required by tax and accounting regulations (typically 7 years).

Where the retention periods above conflict with a deletion request, we honor the statutory retention period. See Section 7 for the rights available to you and how they interact with retention.

6. Third-Party Services

We use the following third-party services to operate the platform:

  • Google Cloud Platform: Infrastructure hosting, database, storage, authentication (Firebase)
  • Stripe: Payment processing
  • Google Workspace: Business email (symlavault.com domain)

Each of these providers maintains its own security certifications and privacy commitments. Google Cloud Platform holds SOC 2 Type II, ISO 27001, and FedRAMP certifications.

7. Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion of account identifiers: Request that your name, email, phone, and other identifier fields be scrubbed from your account. We will complete this within 30 days of a verified request. Because SymlaVault serves regulated industries, the underlying account row, signed records, documents, and audit trails subject to statutory retention (Section 5) are preserved until the mandated retention period expires. Identifier scrubbing is sufficient to meet most privacy-law deletion requirements (e.g., CCPA, CPA) without violating the retention rules that governed record creation.
  • Export: Export your data in a standard format.
  • Restrict processing: Request that we limit how we use your data for non-essential purposes. Essential processing required to operate the Service and meet retention obligations cannot be restricted.

To exercise these rights, contact privacy@symlavault.com. We will respond within 30 days. Where a request conflicts with a statutory retention obligation, we will honor the retention requirement and explain the scope of what can and cannot be deleted at that time.

If you are an end user of one of our customers' applications (rather than a direct SymlaVault account holder), please contact that customer directly to exercise your rights; we process your data on their behalf and will cooperate with their response.

8. Cookies

The Service uses session cookies for authentication. These cookies are:

  • HttpOnly (not accessible via JavaScript)
  • Secure (transmitted only over HTTPS)
  • SameSite: Lax (CSRF protection)
  • Signed with HMAC (tamper-proof)

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

11. Contact

For privacy-related inquiries, contact us at privacy@symlavault.com.

© 2026 SymlaVault. All rights reserved.