LEGAL
Privacy Policy
Effective: February 27, 2026 · Last updated: February 27, 2026
This Privacy Policy describes how SyncTek LLC (“SyncTek,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use ForgeOS, our AI-powered software governance platform, and any related websites, applications, or services (collectively, the “Service”).
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
Table of Contents
- Who This Policy Applies To
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- How We Share Your Information
- Third-Party Data Processors
- AI Providers and Code Analysis
- Federation Privacy
- Cookies and Similar Technologies
- Data Retention
- Data Security
- International Data Transfers
- Your Privacy Rights — All Users
- California Privacy Rights (CCPA/CPRA)
- European Privacy Rights (GDPR)
- Children’s Privacy
- Data Breach Notification
- Changes to This Policy
- Contact Us
1. Who This Policy Applies To
This Privacy Policy applies to:
- Individual users who create accounts and use the ForgeOS platform directly
- Organization members who access ForgeOS through an organization account
- Visitors to synctek.io and forgeos.synctek.io who do not hold an account
If you are using ForgeOS on behalf of an organization, your organization may have a separate Data Processing Agreement (“DPA”) with SyncTek that governs processing of data submitted through the Service. In that case, the organization’s terms control for that data, and this Privacy Policy applies to the extent not superseded by the DPA.
2. Information We Collect
We collect information in three ways: information you provide directly, information generated automatically through your use of the Service, and information from third parties.
2.1 Information You Provide
Account Information
When you create a ForgeOS account, we collect:
- Full name
- Email address
- Organization name (if applicable)
- Password (stored as a cryptographic hash — we never store plaintext passwords)
- Profile information you choose to add
Communications
If you contact us for support or other purposes, we collect:
- The content of your messages
- Your contact details
- Any attachments or files you send us
Payment Information
We use Stripe to process payments. When you subscribe to a paid plan:
- SyncTek does not store your full credit card number, CVV, or banking credentials
- Stripe processes and stores payment data under their own privacy policy
- We retain only: your subscription plan, billing status, Stripe customer ID, and billing address for invoicing and tax purposes
2.2 Information Generated Automatically
Usage Data
We automatically collect data about how you interact with the Service, including:
- Features and pages accessed
- API calls made (endpoint, timestamp, response status — not request payload content)
- Dashboard interactions and navigation patterns
- Session duration and frequency of use
- Error events and performance diagnostics
Code Analysis Metadata
When you use ForgeOS’s code intelligence features, we collect metadata about your analysis activity, including:
- File counts and directory structure statistics
- Programming language composition
- Trust scores and governance metrics generated by the platform
- Gate statuses, workflow states, and initiative metadata
What we do NOT collect from your code: We do not read, store, or retain the actual content of your source code files as part of our standard data collection. Code content is transmitted to AI providers for analysis (see Section 7) and is not retained by SyncTek beyond the duration of the analysis request. If you explicitly paste or share code snippets in support requests, chat interfaces, or comments, that content is stored as part of your communication record.
Device and Network Information
- IP address (used for security, fraud prevention, and approximate geolocation for compliance)
- Browser type and version
- Operating system
- Referring URLs
- Timestamps of access
2.3 Information from Third Parties
We may receive information about you from:
- Identity providers if you choose to authenticate via OAuth (e.g., GitHub, Google) — limited to the scopes you authorize
- Payment processors confirming transaction status
- Publicly available sources if relevant to fraud prevention or account verification
3. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Provisioning and operating your ForgeOS account
- Processing and responding to your requests
- Enabling core platform features: code analysis, trust scoring, governance automation, and reporting
Security and Integrity
- Authenticating your identity and managing session security
- Detecting, investigating, and preventing fraudulent, abusive, or illegal activity
- Enforcing our Terms of Service
- Protecting the security and reliability of our infrastructure
Product Improvement
- Analyzing aggregated usage patterns to improve features and user experience
- Diagnosing and resolving technical issues
- Conducting internal research and development (using aggregated, de-identified data)
Communications
- Sending transactional messages (account confirmations, password resets, billing receipts)
- Sending service announcements and important policy updates
- Sending product and feature updates (you may opt out of marketing communications at any time)
Legal and Compliance
- Complying with applicable laws and regulations
- Responding to lawful requests from governmental or regulatory authorities
- Establishing, exercising, or defending legal claims
We do not:
- Sell your personal information to third parties
- Use your personal information to serve you targeted advertising on other platforms
- Use your source code or trust score data to train AI models without your explicit consent
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR):
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and management | Contract — processing is necessary to perform our agreement with you |
| Service delivery (core features) | Contract — necessary to provide the Service you have requested |
| Payment processing | Contract — necessary to fulfill your subscription |
| Security monitoring and fraud prevention | Legitimate Interests — we have a legitimate interest in keeping the Service secure |
| Usage analytics and product improvement | Legitimate Interests — we have a legitimate interest in improving our product (you may object) |
| Marketing communications | Consent — we only send marketing emails where you have opted in (you may withdraw consent at any time) |
| Legal compliance | Legal Obligation — where required by applicable law |
| Responding to legal claims | Legitimate Interests — defending or pursuing legal rights |
Where we rely on legitimate interests, we have conducted a balancing test and concluded our interests are not overridden by your privacy rights. You have the right to object to processing based on legitimate interests — see Section 15.
5. How We Share Your Information
We share personal information only in the following circumstances:
With Your Organization
If you use ForgeOS through an organization account, your organization’s administrators may have access to your account activity, usage data, and content within that organization’s workspace.
With Service Providers
We share information with third-party vendors and service providers who perform functions on our behalf (see Section 6). These providers are contractually bound to process data only for the purposes we specify and to maintain appropriate security measures.
In Business Transfers
If SyncTek is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service prior to such a transfer becoming effective.
For Legal Reasons
We may disclose your information where required by law or in the good-faith belief that such action is necessary to:
- Comply with a legal obligation or valid legal process (e.g., subpoena, court order)
- Protect the rights, property, or safety of SyncTek, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
With Your Consent
We may share your information for any other purpose with your explicit prior consent.
What We Never Do
- We do not sell your personal information to data brokers or third parties for their own commercial purposes
- We do not share your source code with other customers
- We do not share individual trust scores or governance data outside your organization without your authorization
6. Third-Party Data Processors
We use the following categories of third-party processors to operate the Service. Each processor is subject to a Data Processing Agreement or equivalent contractual safeguard.
| Processor | Category | Purpose | Location |
|---|---|---|---|
| Stripe | Payment Processing | Subscription billing, invoicing, payment security | United States |
| Railway | Cloud Infrastructure | API hosting, compute, and data storage | United States |
| Cloudflare | CDN / Security | Content delivery, DDoS protection, DNS, Pages hosting | United States (global CDN) |
| Anthropic | AI Provider | Code analysis and intelligence features (Claude) | United States |
| OpenAI | AI Provider | Code analysis and intelligence features (GPT) | United States |
| Google | AI Provider | Code analysis and intelligence features (Gemini) | United States |
We review our processors periodically. If we add or replace a processor in a way that materially affects how your data is handled, we will update this section and notify users as described in Section 18.
7. AI Providers and Code Analysis
ForgeOS uses large language models (LLMs) from Anthropic (Claude), OpenAI (GPT), and Google (Gemini) to power its code intelligence, trust scoring, and governance automation features.
How AI Processing Works
When you use an AI-powered feature in ForgeOS:
- Your input (which may include code snippets, metadata, or natural language prompts) is transmitted to one or more AI providers via API
- The AI provider processes your input and returns a response
- ForgeOS uses the response to generate the output you see (e.g., a trust score, governance suggestion, or analysis result)
- Your input is not retained by SyncTek beyond the duration of the request
AI Provider Data Practices
Each AI provider processes your inputs under their own terms of service and privacy policies. Key points:
- SyncTek opts out of AI provider model training wherever provider terms and contractual arrangements permit us to do so. We have enabled available opt-out mechanisms with each provider.
- AI providers may log API requests for safety monitoring, abuse prevention, and service operation, subject to their own data retention policies. We recommend reviewing the relevant policies: Anthropic Privacy Policy, OpenAI Privacy Policy, Google Privacy Policy.
Important User Guidance
Do not submit sensitive, confidential, or proprietary code that you do not consent to being processed by third-party AI providers. By using AI-powered features in ForgeOS, you acknowledge that your inputs will be processed by the AI providers listed above.
If your organization has strict data handling requirements:
- Use ForgeOS features that do not invoke AI analysis where possible
- Contact us at privacy@synctek.io to discuss enterprise data handling arrangements
- Review your organization’s policies before submitting proprietary intellectual property
8. Federation Privacy
ForgeOS supports federation — the ability to connect multiple ForgeOS instances to share governance intelligence across teams and organizations.
Federation Is Opt-In
Federation is entirely opt-in. Your ForgeOS instance does not participate in any federation network unless you explicitly enable and configure it in your settings.
What Federation Shares
When federation is enabled, the following data may be shared between federated instances:
- Trust scores — aggregate governance health metrics
- Governance metadata — gate statuses, initiative health, process patterns
- Anonymized pattern data — de-identified observations that contribute to shared intelligence
What federation does NOT share:
- Source code content
- Individual developer identities (unless explicitly configured)
- Proprietary business logic or architecture details
Privacy Scrubbing
Before any data is transmitted through a federation connection, ForgeOS applies a three-pass privacy scrubbing algorithm that:
- Removes or redacts personally identifiable information
- Strips file paths, variable names, and other code-specific identifiers
- Validates that output contains only permissible governance metadata
Your Control
You control federation participation entirely through your ForgeOS settings, including:
- Enabling or disabling federation at any time
- Configuring what categories of data are eligible for sharing
- Reviewing the list of federated instances you are connected to
- Revoking federation connections
9. Cookies and Similar Technologies
ForgeOS uses cookies and similar technologies to operate the Service and, with your consent, to understand how it is used.
Types of Cookies We Use
Essential Cookies (Always Active)
These cookies are strictly necessary to provide the Service. They cannot be disabled without breaking core functionality.
| Cookie Purpose | Description |
|---|---|
| Authentication | Maintains your logged-in session across pages |
| Session Management | Stores session state (e.g., CSRF tokens) to protect against security attacks |
| Load Balancing | Routes requests to the correct server |
Analytics Cookies (Consent-Based)
With your consent, we use analytics cookies to understand how users interact with the Service. This helps us improve features and fix issues. You may opt out at any time.
| Cookie Purpose | Description |
|---|---|
| Usage Analytics | Tracks page views, feature usage, and navigation patterns in aggregate |
| Error Tracking | Logs client-side errors to help us diagnose and fix issues |
What We Do Not Use
- Advertising cookies — We do not run advertising campaigns and do not use cookies for ad targeting
- Third-party tracking cookies — We do not allow third-party advertising networks to place tracking cookies on our properties
- Cross-site tracking — We do not track your activity on other websites
Managing Cookies
You can control cookies through:
- Your browser settings (most browsers allow you to block or delete cookies)
- The cookie consent banner displayed on your first visit to our website
Note: Disabling essential cookies will prevent you from using core features of the Service.
10. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Category | Retention Period |
|---|---|
| Account information (name, email, organization) | Duration of active account + 30 days following account deletion |
| Usage analytics and interaction logs | 90 days |
| Trust ledger and governance data | Duration of active account (this data is a core part of the product value) |
| Payment records (billing history, invoices) | 7 years (required for tax and financial compliance) |
| System backups | 30-day rolling retention cycle |
| Support communications | 3 years from last interaction |
| Security and fraud prevention logs | 1 year |
Post-Termination
When you delete your account:
- Your account is deactivated immediately
- A 30-day data export window opens — you may request a full export of your data during this period
- After 30 days, your account data is permanently deleted from production systems
- Data may persist in encrypted backups for up to an additional 30 days before those backups are cycled out
To request early deletion or a data export, contact privacy@synctek.io.
11. Data Security
SyncTek implements technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction.
Technical Measures
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256
- Access to production systems is restricted to authorized personnel and requires multi-factor authentication
- API keys and credentials are stored using secrets management infrastructure — never in source code
Organizational Measures
- Access to personal data is limited to personnel who require it to perform their job functions
- We conduct periodic security reviews and vulnerability assessments
- We maintain an incident response plan
Limitations
No security system is impenetrable. While we take commercially reasonable steps to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials. If you believe your account has been compromised, contact us immediately at privacy@synctek.io.
12. International Data Transfers
SyncTek is headquartered in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States, which may have data protection laws different from those in your jurisdiction.
For EEA, UK, and Swiss Users
When we transfer personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the relevant supervisory authority, we rely on:
- Standard Contractual Clauses (SCCs) — We have implemented the European Commission’s Standard Contractual Clauses with relevant processors and, upon request, can make these available via a signed Data Processing Agreement (DPA)
- UK International Data Transfer Agreement (IDTA) — For transfers from the United Kingdom
To request a Data Processing Agreement or inquire about our transfer safeguards, contact privacy@synctek.io.
13. Your Privacy Rights — All Users
Regardless of where you are located, you have the following rights with respect to your personal information:
- Access — You may request a copy of the personal information we hold about you
- Correction — You may request that we correct inaccurate or incomplete information
- Deletion — You may request that we delete your personal information, subject to legal retention requirements
- Data Portability — You may request your data in a machine-readable format
- Opt-Out of Marketing — You may unsubscribe from marketing communications at any time using the link in any marketing email, or by contacting us
To exercise any of these rights, email privacy@synctek.io. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
We will never discriminate against you for exercising your privacy rights.
14. California Privacy Rights (CCPA/CPRA)
This section applies to California residents and supplements the general rights described above.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, IP address, account ID | Yes |
| Personal information (Cal. Civ. Code §1798.80) | Name, email address | Yes |
| Commercial information | Subscription plan, purchase history | Yes |
| Internet/network activity | Feature usage, API calls, browsing history within the Service | Yes |
| Geolocation data | Approximate location derived from IP address | Yes (approximate only) |
| Professional/employment information | Organization name, job-related usage context | Yes |
| Sensitive personal information | Payment card data (processed by Stripe — not stored by SyncTek) | No (not stored) |
Categories of Sources
We collect personal information from: you directly, your use of the Service, and (where applicable) OAuth identity providers you authorize.
Business or Commercial Purposes for Collection
As described in Section 3 — service delivery, security, product improvement, communications, and legal compliance.
Categories of Third Parties With Whom We Share
Service providers as listed in Section 6 (infrastructure, payment, AI providers). We do not share personal information with data brokers.
We Do Not Sell or Share Your Personal Information
SyncTek does not sell your personal information. We do not sell, rent, lease, or otherwise provide your personal information to third parties in exchange for monetary or other valuable consideration as defined by the CCPA/CPRA.
We do not share your personal information with third parties for cross-context behavioral advertising purposes.
Your CCPA/CPRA Rights
As a California resident, you have the right to:
- Know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it
- Delete — Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, security purposes, legal compliance)
- Correct — Request correction of inaccurate personal information we maintain about you
- Opt Out of Sale or Sharing — As stated above, we do not sell or share your personal information for cross-context behavioral advertising, so no opt-out action is required
- Limit Use of Sensitive Personal Information — We do not use sensitive personal information for purposes beyond those permitted by the CPRA without your consent
- Non-Discrimination — We will not deny you goods or services, charge you different prices, provide a different level of service, or retaliate against you for exercising your CCPA/CPRA rights
How to Submit a CCPA Request
Email privacy@synctek.io with the subject line “California Privacy Request.” We will respond within 45 days. We may extend by an additional 45 days where reasonably necessary with prior notice. We will verify your identity before processing your request.
You may designate an authorized agent to submit a request on your behalf by providing written authorization.
15. European Privacy Rights (GDPR)
This section applies to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.
Your Rights Under GDPR
You have the following rights with respect to your personal data:
- Right of Access (Art. 15) — Request a copy of the personal data we process about you and information about how it is used
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete personal data
- Right to Erasure / Right to Be Forgotten (Art. 17) — Request deletion of your personal data where it is no longer necessary, where you withdraw consent, where you object and we have no overriding legitimate interests, or where processing is unlawful
- Right to Restriction of Processing (Art. 18) — Request that we restrict processing of your data while accuracy is contested, while you have objected to legitimate interest processing, or where processing is unlawful but you prefer restriction to erasure
- Right to Data Portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where processing is based on consent or contract and carried out by automated means
- Right to Object (Art. 21) — Object to processing based on legitimate interests or direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for legal claims
- Rights Related to Automated Decision-Making (Art. 22) — We do not make solely automated decisions that produce legal or similarly significant effects on you without human review
Data Protection Officer
We have designated a data protection contact for GDPR purposes:
Data Protection Contact: info@synctek.io
Postal Address: SyncTek LLC, 5540 Centerview Dr Ste 204 #462485, Raleigh, NC 27606
Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
We encourage you to contact us first so we can attempt to resolve your concern directly.
How to Submit a GDPR Request
Email privacy@synctek.io with the subject line “GDPR Data Request.” We will respond within 30 days (one calendar month). Where requests are complex or numerous, we may extend by up to two additional months with prior notice.
15b. GDPR Ledger Erasure Policy
ForgeOS audit ledgers are hash-chained JSONL files where each entry includes a cryptographic reference to the prior entry. This design provides tamper-evidence: any modification to a past entry invalidates all subsequent signatures. Naive deletion of a ledger entry would therefore break the chain and compromise the integrity of all downstream entries.
To satisfy GDPR erasure rights while preserving audit chain integrity, SyncTek implements a tombstone approach:
- Upon a validated erasure request, any ledger entry that contains personal data — specifically, the `actor` field that maps a key ID to an individual — is marked as redacted.
- The `actor` field value is replaced with `[DELETED:{key_id}]` — removing the mapping between the key identifier and the account holder’s identity.
- A tombstone entry is appended to the ledger chain immediately following the redacted entry. The tombstone entry is signed and hash-chained normally, preserving the cryptographic continuity of the chain from that point forward.
- The governance records themselves (initiative IDs, gate decisions, event timestamps, event types) are retained, as these are not personal data — they are organizational compliance records.
This approach satisfies the GDPR right to erasure with respect to personal data while maintaining the integrity of the audit trail that organizations depend on for compliance purposes. We will provide written confirmation of completed erasure within 30 days of a validated request.
To submit a ledger erasure request, contact privacy@synctek.io with the subject line “GDPR Erasure Request” and the email address associated with your account. We may ask for identity verification before processing the request.
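The tombstone scheme described in this section, sketched as an added example; it is not SyncTek's or ForgeOS's code. Only the `actor` field name and the `[DELETED:{key_id}]` marker come from the policy text. Every other field name, the layout of the `actor` object, and the rule that a tombstone records both the original hash and a hash of the redacted body are assumptions, and signing is omitted so the chain uses hashes only.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64
MARK = "[DELETED:"  # redaction marker format taken from the policy text


def entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append(ledger: list, **fields) -> dict:
    """Append an entry that commits to the previous entry's stored hash."""
    entry = dict(fields, seq=len(ledger),
                 prev_hash=ledger[-1]["hash"] if ledger else GENESIS)
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def erase_actor(ledger: list, key_id: str) -> int:
    """Redact the actor of every entry for key_id and append one tombstone each."""
    targets = [e for e in ledger
               if isinstance(e.get("actor"), dict) and e["actor"].get("key_id") == key_id]
    for e in targets:
        e["actor"] = f"{MARK}{key_id}]"
        # The stored 'hash' stays untouched so the next entry's prev_hash still
        # links. The tombstone vouches for the change (assumed design): it pins
        # the original hash and the hash of what remains after redaction.
        append(ledger, type="tombstone", redacted_seq=e["seq"],
               original_hash=e["hash"], redacted_hash=entry_hash(e))
    return len(targets)


def verify(ledger: list) -> list:
    """Return a list of problems; an empty list means the chain verifies."""
    tombs = {e.get("redacted_seq"): e for e in ledger if e.get("type") == "tombstone"}
    problems, prev = [], GENESIS
    for i, e in enumerate(ledger):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            problems.append(f"entry {i}: broken link")
        actor = e.get("actor")
        if isinstance(actor, str) and actor.startswith(MARK):
            t = tombs.get(i)
            if t is None or t.get("original_hash") != e.get("hash"):
                problems.append(f"entry {i}: redacted without a matching tombstone")
            elif t.get("redacted_hash") != entry_hash(e):
                problems.append(f"entry {i}: altered after redaction")
        elif entry_hash(e) != e.get("hash"):
            problems.append(f"entry {i}: content does not match hash")
        prev = e.get("hash")
    return problems


def demo() -> dict:
    """Constructed sample ledger: compare naive deletion with tombstone erasure."""
    ledger = []
    append(ledger, type="gate_decision", initiative="INIT-1", decision="pass",
           actor={"key_id": "key-01", "email": "dev@example.test"})
    append(ledger, type="gate_decision", initiative="INIT-2", decision="fail",
           actor={"key_id": "key-02", "email": "lead@example.test"})
    naive = copy.deepcopy(ledger)
    del naive[0]                                   # naive deletion breaks the chain
    erased = erase_actor(ledger, "key-01")
    tampered = copy.deepcopy(ledger)
    tampered[0]["decision"] = "fail"               # edit hidden behind the redaction
    return {"ledger": ledger, "erased": erased, "naive": verify(naive),
            "after_erasure": verify(ledger), "tampered": verify(tampered)}


if __name__ == "__main__":
    result = demo()
    for line in result["ledger"]:
        print(json.dumps(line, sort_keys=True))    # JSONL, one entry per line
    print({k: v for k, v in result.items() if k != "ledger"})
```

Because a redacted entry can no longer be checked against its original hash, the verifier here accepts it only when a chained tombstone pins both that hash and the redacted body; without the second value, the retained governance fields of a redacted entry would stop being tamper-evident.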
16. Children’s Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.
If we learn that we have inadvertently collected personal information from a child under 16 without appropriate parental consent, we will delete that information as promptly as possible. If you believe we may have collected information from a child under 16, please contact us at privacy@synctek.io.
17. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where feasible, as required by GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
- Notify affected users in the United States as required by applicable state data breach notification laws
Breach notifications will be sent to the email address associated with your account. We recommend keeping your account email up to date.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or for other operational, legal, or regulatory reasons.
When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Post a notice on the Service or send an email notification at least 30 days before the changes take effect
- For significant changes affecting your rights, seek your renewed consent where required
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with a material change, you may discontinue your use of the Service and request deletion of your data.
Previous versions of this Privacy Policy are available upon request by emailing privacy@synctek.io.
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us:
Privacy Inquiries (CCPA, GDPR, data requests): privacy@synctek.io
General Inquiries: info@synctek.io
Web: synctek.io
Product: forgeos.synctek.io
We are committed to working with you to resolve any privacy concerns. If you are not satisfied with our response, you may contact your local data protection authority (see Section 15 for GDPR complaint procedures).
SyncTek LLC — Building software governance infrastructure you can trust.
© 2026 SyncTek LLC. All rights reserved.
Also see our Terms of Service.