Privacy Policy
Last updated: February 14, 2026
This Privacy Policy describes how Synode, a sole proprietorship based in Sweden ("Synode," "we," "us," or "our"), collects, uses, shares, and protects your personal data when you use the Synode application, website, and related services (collectively, the "Service") available at synode.io.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable Swedish and European data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
1. Data Controller
The data controller responsible for your personal data is:
Synode
Sweden
Email: legal@synode.io
2. What Data We Collect
We collect different categories of data depending on how you use the Service.
2.1 Account Data
When you create an account, we collect:
- Email address — provided via Google Sign-in or email registration
- Display name and profile photo — if you sign in with Google, as provided by Google
- Account creation date
- Language preference (English or Swedish)
- Knowledge level preference (e.g., beginner, intermediate, expert)
2.2 Workspace Content
When you use the Service, you create and store workspace data, including:
- Questions, answers, notes, and other text nodes
- Connections between nodes
- Imported resources (PDF text, YouTube transcripts, arXiv paper content)
- Generated quizzes and quiz results
- AI-generated content (summaries, visualizations, follow-up questions)
For registered users, workspace data is synced to and stored in Google Firebase Firestore (cloud). For guest users (not signed in), workspace data is stored only locally on your device (IndexedDB) and is not transmitted to our servers.
2.3 Payment and Subscription Data
If you subscribe to a paid plan or purchase credits, we store:
- Your Stripe customer ID (a reference to your Stripe account)
- Subscription tier, status, and billing period
- Credit balance and transaction history
We do not store your credit card number, bank account details, or other sensitive payment information. All payment processing is handled by Stripe, which is PCI DSS compliant.
2.4 Usage Data
We track your usage of AI features to enforce plan limits:
- Number of AI actions used per month
- Token usage statistics (aggregated monthly)
- Last action timestamp
2.5 Analytics Data (Only with Your Consent)
If you grant analytics consent, we collect anonymous usage analytics via Firebase Analytics (Google Analytics), including:
- Pages viewed and features used
- Session duration and engagement metrics
- Device type, browser type, and operating system
- Approximate geographic location (based on IP, not precise)
- Interaction events (e.g., creating a workspace, generating AI content)
Analytics collection is disabled by default and only activated if you explicitly grant consent via the consent banner. You can revoke consent at any time. We do not use advertising cookies or trackers. Ad-related storage is always denied.
2.6 Feedback Data (Voluntary)
If you voluntarily submit feedback through the Service, we may collect:
- Feedback text and conversation transcript
- Sentiment and topic analysis
- NPS (Net Promoter) score
- Browser user agent and language
- Whether you were signed in or anonymous
2.7 Local Storage
The Service stores certain preferences and state information locally on your device using browser localStorage. This data is not transmitted to our servers and includes:
- Analytics consent status and timestamp
- Session identifiers
- UI preferences (knowledge level, navigation mode, visual settings)
- Feedback submission status
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service (account management, workspace sync, AI features) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Enforcing usage limits and preventing abuse | Legitimate interest (Art. 6(1)(f)) |
| Sending service-related communications (e.g., subscription notices, security alerts) | Legitimate interest (Art. 6(1)(f)) |
| Collecting analytics to improve the Service | Consent (Art. 6(1)(a)) |
| Processing feedback you voluntarily submit | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Shared with Third Parties
To provide the Service, we share certain data with third-party service providers. We do not sell your personal data to anyone.
| Third Party | Data Shared | Purpose |
|---|---|---|
| Anthropic (USA) | Workspace content, questions, and contextual text sent via API | AI text generation (answers, summaries, quizzes, follow-ups, chat) |
| Google (Gemini) (USA) | Workspace content, audio streams | AI voice chat and visualization generation |
| Google Firebase (USA/EU) | Account data, workspace data, usage data, analytics events (if consented) | Authentication, cloud storage, hosting, analytics |
| Stripe (USA) | Email, payment details (processed directly by Stripe) | Payment processing and subscription management |
| DuckDuckGo | Search queries generated by the AI | Web search during AI content generation |
Important: When you use AI-powered features, your workspace content (including questions, node text, and imported source material) is transmitted to Anthropic and/or Google for processing. These providers process data according to their own privacy policies. We recommend reviewing:
5. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), in particular the United States, where our third-party service providers (Anthropic, Google, Stripe) operate.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
If you would like more information about the specific safeguards applied to data transfers, please contact us at legal@synode.io.
6. Cookies and Tracking Technologies
Synode uses minimal tracking technologies:
6.1 No Third-Party Cookies
We do not use third-party advertising or tracking cookies. We do not serve ads. Ad-related storage consent is always set to "denied."
6.2 Firebase Analytics (Consent-Based)
Firebase Analytics uses first-party cookies and local storage to collect anonymous usage data. This is only activated after you grant explicit consent via the consent banner shown on first use. You may revoke consent at any time, and all stored analytics data on your device will be cleared.
6.3 Essential Local Storage
We use browser localStorage to store your consent decision, session state, and user preferences. These are strictly necessary for the Service to function and do not track you across websites.
7. Data Retention
- Account and workspace data: Retained as long as your account exists. If you delete your account, your data will be deleted from our systems within a reasonable period (typically 30 days), except where we are required by law to retain it longer.
- Payment and subscription data: Retained for the duration of your subscription and for as long as required for accounting and tax purposes under Swedish law (typically 7 years for financial records).
- Usage data: Retained on a rolling monthly basis. Historical usage records are retained for 12 months after the end of the relevant billing period.
- Analytics data: Retained in Firebase Analytics according to Google's standard retention periods (default 14 months). You can revoke consent to stop further collection.
- Feedback data: Retained indefinitely in anonymized/aggregated form for product improvement. Personally identifiable feedback may be deleted upon request.
- Guest (local) data: Stored on your device only. You control its deletion by clearing your browser data.
8. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS for all communications)
- Firebase Security Rules ensuring users can only access their own data
- Server-side validation and write protection for subscription, usage, and payment data (only Cloud Functions with admin privileges can modify these)
- IP address hashing (SHA-256) for anonymous user identification — raw IP addresses are not stored
- Stripe PCI DSS compliance for payment data
While we take reasonable precautions, no method of data transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Restriction of Processing (Art. 18): You may request that we limit how we process your data in certain circumstances.
- Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): You may object to data processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., analytics), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at legal@synode.io. We will respond to your request within 30 days as required by GDPR.
If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se
10. Children's Privacy
The Service requires users to be at least 16 years old to create an account, in accordance with Sweden's implementation of GDPR (Article 8). We do not knowingly collect personal information from children under 16.
Guest users (who do not create an account) may be younger than 16, as guest use does not involve the collection, storage, or processing of any personal data on our servers. All guest data is stored locally on the user's own device.
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at legal@synode.io.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the Service, or applicable law. If we make material changes, we will notify you by email (if you have a registered account) or by posting a prominent notice within the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top indicates when the policy was most recently revised.
12. Contact Us
If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:
Synode
Sweden
Email: legal@synode.io
Website: synode.io