Synter Media Privacy Policy

Last updated: November 7, 2025

This Privacy Policy explains how Synter Media ("Synter Media," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our software-as-a-service platform located at syntermedia.ai and related services (the "Service"). The Service helps users manage cross‑platform advertising campaigns, including integrations with Google Ads, Reddit Ads, X Ads, LinkedIn Ads, Meta Ads, and Microsoft Ads.

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

If you have questions or would like to exercise privacy rights, contact us at privacy@syntermedia.ai.

Summary (at a glance)

• We collect account info, OAuth tokens (encrypted), campaign data, and performance metrics to provide and improve the Service.
• We use third parties to operate the Service (hosting, payments via Stripe, analytics via PostHog, AI features via OpenAI).
• OAuth tokens and API keys are encrypted at rest using AES‑256‑CBC; we never store your ad account passwords.
• You can access, correct, export, or delete your data, and disconnect ad accounts at any time.
• We do not sell personal information.

Who we are and roles

• Controller: For your account, billing, and product analytics, Synter Media is the "controller" (GDPR).
• Processor: For advertising campaign data we ingest from ad platforms at your direction, Synter Media acts as a "processor" on your behalf.

Information we collect

1. Account and contact information

• Name, company name, email address, password (hashed)
• Billing contact details, subscription tier, credit balance/usage
• Support communications and feedback

2. Authentication and connections

• OAuth tokens and refresh tokens for ad platforms you connect
• OAuth token metadata (scopes, expiry)
• We do NOT store ad platform passwords

3. Campaign and performance data

• Account, campaign, ad group, ads, keywords, audiences, budgets
• Performance metrics (impressions, clicks, cost, conversions, ROAS)
• Labeling, notes, and structures you create

4. Payment and transactional data

• Subscription status, invoices, credits purchased
• Payment details handled by Stripe (we do not store full card numbers)

5. Usage and device data

• Log data (IP address, device/browser, timestamps, pages viewed)
• Product analytics events via PostHog
• Cookie identifiers

6. AI features content

• Prompts and inputs you submit to AI features
• Generated outputs and campaign suggestions

How we use information

We use information to:

• Provide and operate the Service (account creation, ad platform connections, campaign sync, reporting)
• Secure the Service (authentication, abuse prevention)
• Process payments and manage subscriptions (via Stripe)
• Analyze and improve product performance (via PostHog)
• Provide support and communicate updates
• Comply with legal obligations

Security and encryption

• Credential encryption: All OAuth tokens, API keys, and service account credentials are encrypted at rest using AES‑256‑CBC encryption
• Key management: Encryption keys stored separately in secure secret management system (Doppler) with restricted access
• Transport security: All data transmitted over TLS 1.3+ (HTTPS only)
• Database security: Database connections encrypted, credentials rotated regularly, and access logged
• OAuth scopes: We request minimum OAuth scopes needed for functionality
• Token lifecycle: Tokens refreshed automatically and revoked when you disconnect
• Passwords: We never store ad platform passwords; only hashed user passwords for Synter login
• Access controls: Role-based access control (RBAC) ensures users only access their own data
• Audit logging: All credential access and modifications are logged for security monitoring

Third‑party services

We share information with service providers:

• Hosting: Vercel (frontend), Railway/cloud services (backend), PostgreSQL database
• Payments: Stripe (payment processing)
• Analytics: PostHog (product analytics)
• AI features: OpenAI (AI-powered campaign suggestions)

We do not sell personal information.

Your use of connected ad platforms is governed by their respective privacy policies.

Cookies and similar technologies

We use cookies for:

• Essential: Login, security, session management
• Functional: Remember preferences
• Analytics: Understand usage and improve the Service

You can control cookies through your browser settings or our cookie banner (where required).

Data retention

• Account data: While account is active; deleted upon request
• OAuth tokens: While connection is active; removed upon disconnect
• Campaign data: Deleted or anonymized 30–60 days after account closure
• Analytics: Retained up to 12 months
• Logs: Retained 30–90 days
• Billing records: Retained up to 7 years (tax/accounting)

International data transfers

We process data primarily in the United States. When transferring personal data from the EEA/UK, we use appropriate safeguards such as Standard Contractual Clauses.

Your rights

EEA/UK individuals (GDPR):

• Access: Obtain a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion ("right to be forgotten")
• Restrict/Object: Restrict or object to processing
• Portability: Receive data in machine-readable format
• Withdraw consent: Withdraw consent for cookie/analytics

California residents (CCPA/CPRA):

• Know/Access: Request details about personal information collected
• Correct: Request correction of inaccurate information
• Delete: Request deletion (subject to exceptions)
• Opt‑out: Opt out of sale (we do not sell personal information)
• Non‑discrimination: We will not discriminate for exercising rights

How to exercise rights:

• Email: privacy@syntermedia.ai
• In‑app: Use data export or account deletion features
• Response time: We aim to respond within 30 days

Managing ad platform connections

• Connect or disconnect ad platforms anytime in Settings
• Review OAuth scopes before connecting
• After disconnect, we stop syncing and delete stored tokens

Security

We use safeguards to protect information:

• Encryption: AES‑256‑GCM at rest, HTTPS/TLS in transit
• Access controls: Role-based access, least privilege
• Secret management: Keys stored separately with rotation
• Monitoring: Security monitoring and vulnerability management

No method is 100% secure. If we learn of a breach, we will notify you as required by law.

AI features

• AI features use OpenAI to generate campaign suggestions
• Only inputs you provide are sent to OpenAI
• We do NOT send OAuth tokens or passwords to AI providers
• OpenAI does not use our API data to train models (by default)

Children's privacy

The Service is not intended for individuals under 16. We do not knowingly collect personal information from children. If you believe a child provided information, contact privacy@syntermedia.ai.

Changes to this policy

We may update this Privacy Policy from time to time. We will post updates on this page and update the "Last updated" date. Material changes will be communicated via email or in-app notice where required.

Contact us

Synter Media
Email: privacy@syntermedia.ai
Support: support@syntermedia.ai

If you are in the EEA/UK, you may also contact your local data protection authority with questions or complaints.