Privacy Policy

Last updated: 20 May 2026

Protecting your personal data is not only a legal obligation for us – it is part of what we offer. This Privacy Policy informs you, in line with Articles 13 and 14 of the General Data Protection Regulation (GDPR), about the data we process when you visit this website and within our AI-assisted phone service, for which purposes and on which legal basis. This is an English-language version of our German Datenschutzerklärung; in case of doubt, the German version prevails.

Key points at a glance

  • Data in the EU. Your data is processed primarily within the European Union.
  • No call recordings. We do not record phone calls — speech is only briefly converted to text.
  • Transparency from the first second. At the start of every call we state that a digital assistant is supporting the conversation.
  • You stay in control. For access, rectification or deletion, a short message to info@synora-ai.de is enough.
  • No sale for advertising. We never sell your data or pass it on for third-party advertising.

This summary is for quick orientation only and does not replace the full details in the sections below.

1. Controller and contact

The controller within the meaning of the GDPR is:

Synora AI – owner Ömer Akgeyik

Sole proprietor – IT and AI automation services

Gustav-Schwab-Straße 66, 72762 Reutlingen, Germany

Phone: +49 1522 9227783

Email: info@synora-ai.de

Full provider details (§ 5 DDG) are available in our legal notice (Impressum).

2. Who is responsible for your data

Please note an important distinction. When operating this website, we are the controller.

For our customers – tradespeople and other businesses – we provide the AI phone assistant as a processor under Article 28 GDPR. In that relationship, the business using Synora is the controller towards callers; we process data solely on their documented instructions under a data processing agreement. If you are a caller and want to know who is responsible for processing your call, it is the business you contacted. Section 5 nonetheless describes that processing transparently.

3. Your rights as a data subject

In relation to the respective controller, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

Where processing is based on your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.

To exercise your rights, an informal message to info@synora-ai.de is sufficient. Specific deletion instructions are available on our Data Deletion page. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR); the authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (baden-wuerttemberg.datenschutz.de).

4. Processing when visiting this website

Hosting and server log files

This website is hosted on servers in Germany (EU). When the website is accessed, technically necessary data is recorded automatically in server log files (e.g. shortened/anonymised IP address, date and time, page requested, browser type and operating system). This serves the secure and stable provision of the website. The legal basis is our legitimate interest in a functional, secure web presence (Art. 6(1)(f) GDPR).

Contact form and email

If you contact us via the contact form or by email, we process the data you provide (e.g. name, company, email address, phone number, message) in order to respond to your request. Form messages are sent via an email service provider with servers in Germany (EU). The legal basis is Art. 6(1)(b) GDPR where the request relates to the initiation or performance of a contract, otherwise our legitimate interest in responding (Art. 6(1)(f) GDPR).

Online appointment booking

To arrange consultation appointments, we embed the booking widget of a provider based in the USA. Loading the widget transmits data to that provider; when you book, it processes the appointment and contact data you enter on our behalf. The legal basis is our legitimate interest in simple scheduling (Art. 6(1)(f) GDPR) or the initiation of a contract (Art. 6(1)(b) GDPR). For transfers to the USA, see Section 7.

Cookies and consent (§ 25 TDDDG)

We only use technically necessary cookies and comparable technologies that are required to operate this website; no consent is required for these under § 25(2) TDDDG. For storage of, or access to, information on your device that is not strictly necessary – for example through embedded third-party services – we obtain your consent under § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR where required. You may withdraw consent at any time with effect for the future.

Fonts

The fonts used on this website are served locally from our own server. No connection to third-party servers is established and your IP address is not transmitted to third parties.

5. Processing in our AI phone assistant

The following notes concern the AI-assisted phone and messaging service we operate for our customers. In that relationship, the respective customer business is the controller and we act as a processor (see Section 2). We provide this information for transparency.

AI transparency notice (EU AI Act, Art. 50)

At the start of incoming calls, callers are informed that the conversation is supported by a digital assistant. This fulfils the transparency obligation under Article 50 of Regulation (EU) 2024/1689 (AI Act). An alternative, human means of contact is offered on request.

We do not record calls

Your conversations stay private. We do not record phone calls: the audio of a call is processed exclusively in volatile memory in order to convert it into text. No audio recording is ever written to a storage medium – neither as a file nor in logs or backups. Only the text transcript and the structured information derived from it (e.g. name, request) are processed and stored. This is how we have set things up technically and reflects the requirements of § 201 of the German Criminal Code.

Consent during the call

Active consent to the processing of the information is obtained at the start of the call. If callers do not consent, a callback or an alternative means of contact is offered. The legal basis is Art. 6(1)(a) GDPR; where processing serves the performance or initiation of a contract, also Art. 6(1)(b) GDPR.

Communication via WhatsApp, SMS and email

At the customer business's request, communication may also take place via WhatsApp (provider: Meta Platforms Ireland Ltd.), SMS or email, e.g. to confirm appointments or for callbacks. We process the phone number or email address and the message content. Promotional messages are marked as automated; automated callbacks only take place within the legally permitted scope (in particular § 7 UWG). Instructions for deleting WhatsApp-related data are available on our Data Deletion page.

Use of Google services and calendar integration (Limited Use)

For voice processing, we use large language models, with processing taking place in the EU (Frankfurt region). If a customer business offers online booking via its calendar, a calendar integration may be set up based on explicit authorisation (OAuth) – e.g. with Google Calendar, Microsoft 365, Apple or via CalDAV – to check availability and create appointments.

Synora's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use this data solely to provide the calendar feature requested by the user, do not share it for other purposes and do not use it for advertising.

Automated processing (Art. 22 GDPR)

AI models are used during the dialogue to recognise requests and structure conversations. No solely automated decision producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR takes place; handling of the request remains with the respective business.

6. Recipients and sub-processors

To provide our services, we use carefully selected providers that we engage as processors under Art. 28 GDPR. Depending on the booked service and the customer business's configuration, we disclose personal data to the following categories of recipients:

  • Hosting and infrastructure providers: servers in Germany (EU)
  • Speech-to-text and text-to-speech providers: processing in the EU
  • Large-language-model (LLM) providers for dialogue processing: primarily EU (Frankfurt region); a failover fallback may be located outside the EU (DPF/SCC)
  • Telephony and SMS carriers: processing in the EU (some with US parent company, safeguarded via SCC)
  • Messaging providers (incl. WhatsApp – Meta Platforms Ireland Ltd.): Ireland (EU)
  • Email sending and delivery providers: EU or USA (safeguarded via DPF/SCC)
  • Online appointment-booking provider (website): USA (safeguarded via DPF/SCC)

We provide an up-to-date, complete list of the named processors we use on request at info@synora-ai.de; for our customers it forms part of the data processing agreement.

7. Where your data is processed

Your data stays mostly within the European Union. Where a provider outside the EU – for example in the USA – is involved, we safeguard the transfer through recognised guarantees:

  • an adequacy decision of the European Commission – in particular the EU-US Data Privacy Framework (Art. 45 GDPR), where the recipient is certified under it; and/or
  • the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) together with supplementary measures.

You can request a copy of the relevant safeguards via the contact address in Section 1.

8. Retention

We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations. In the phone assistant, the following guideline periods apply, subject to differing instructions from the respective controller:

  • Audio: not stored (volatile in-memory processing only).
  • Transcripts: 7 days by default.
  • Tickets / request data: 365 days by default.

9. Data security

This website uses TLS encryption (indicated by the padlock symbol in your browser's address bar) to protect the transmission of confidential content. We also take technical and organisational measures under Art. 32 GDPR to protect your data against loss, misuse and unauthorised access. Identifying information is removed automatically from logs (PII redaction).

10. Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy so that it always complies with current legal requirements or to reflect changes to our services. The version published here applies. For privacy questions, contact us at info@synora-ai.de.