Legal

Privacy Policy

Version 2.0 · effective 17 May 2026

1. Who we are and what this policy covers

Syntharra Limited (“Syntharra”, “we”, “us”) is an Irish-incorporated company providing AI-assisted first-party invoice follow-up services. This Privacy Policy explains what personal data we process when our clients (businesses) use the service, the legal bases on which we rely, and the rights of every data subject whose personal data passes through the platform.

A separate notice, the Recipient Privacy Notice, is addressed directly to invoice recipients (debtors). If you received a call or SMS from Syntharra about an outstanding invoice, please read that notice for the information specific to your situation.

For our role under data-protection law: with respect to our clients’ account data, we act as a data controller. With respect to invoice-recipient contact data and call recordings that we process on a client’s instructions, we act as either a joint controller with the client (for matters such as the decision to make a call) or as a processor on the client’s behalf (for the technical execution of the call). The detailed allocation of responsibilities is set out in our Data Processing Agreement.

2. What personal data we process

  • Account data (about you, our client). Company name, billing email, phone number, IP address and user agent at signup, ToS acceptance metadata, billing history.
  • Accounting data (synced via OAuth). From QuickBooks, Xero, FreshBooks, Square, Zoho Books, Jobber: customer names, phone numbers, email addresses, invoice numbers, amounts, due dates, payment status. We sync only what is needed to identify overdue invoices and to contact recipients about them.
  • Call data (about invoice recipients). Recordings and transcripts of calls we place on your behalf, retained for the period described in Section 6.
  • SMS data (about invoice recipients). Messages we send, delivery metadata, and any replies (including DNC and STOP keywords).
  • Payment data. Processed by Stripe Inc. and its affiliates. We do not store card numbers, CVV codes, or bank-account credentials on Syntharra servers; we retain only Stripe-provided customer and payment identifiers.
  • Dashboard analytics. Page views and aggregate usage of the dashboard, used solely to operate and improve the product.

3. How we use it (purposes and legal bases under GDPR Article 6)

We use personal data only for the purposes set out below, on the legal bases identified for each. Each Article 6(1)(f) basis is supported by a documented Legitimate Interests Assessment, available on request to legal@syntharra.com.

  • To provide the service to you, our client. Identifying overdue invoices, placing calls, collecting payments via Stripe Connect, billing you for the success fee. Legal basis: Article 6(1)(b) (contract performance).
  • To contact invoice recipients on your behalf. Placing AI-assisted voice calls and SMS messages to recipients regarding their outstanding invoice with you. Legal basis: Article 6(1)(f) (legitimate interests of the original creditor in recovering amounts owed under an existing commercial relationship), as further set out in our Legitimate Interests Assessment for transactional invoice follow-up.
  • To improve the service. De-identified, aggregated transcripts and metrics are used to improve call scripts, model performance, and operational quality. Legal basis: Article 6(1)(f) (legitimate interests of Syntharra in improving the service), supported by a separate Legitimate Interests Assessment.
  • To detect and prevent fraud and abuse. Including detecting misuse of the platform and protecting the security of our systems and our clients. Legal basis: Article 6(1)(f).
  • To comply with legal obligations. Retaining billing records, responding to lawful information requests, defending statutory claims under 47 U.S.C. § 227 and analogous laws. Legal basis: Article 6(1)(c) and Article 6(1)(f).

We do not. We do not sell personal data. We do not use it for advertising or cross-context behavioural advertising. We do not share raw call recordings with any third party for the purpose of training that party’s general-purpose AI models.

4. Sub-processors and recipients

We share the minimum personal data necessary with the sub-processors listed below. Each sub-processor is engaged under a written data processing agreement. The current, authoritative list (including type of data shared, location, and transfer mechanism) is maintained at /legal/subprocessors and is updated before any new sub-processor is added. Clients receive 14 days’ advance email notice of new sub-processors and may object by emailing legal@syntharra.com; an unresolved objection is grounds for termination of the affected services without penalty.

  • Stripe (Stripe Inc. and Stripe Payments Europe Ltd). Payment processing, connected-account onboarding, payouts. Privacy.
  • Retell AI. AI voice agent platform. Audio streams and transcripts are transmitted to Retell for real-time processing under our DPA. Privacy.
  • Telnyx. Telephony carrier for outbound voice and SMS. Call metadata and message content pass through Telnyx infrastructure under our DPA. Privacy.
  • Supabase Inc. Managed PostgreSQL database. Hosts our account, invoice, recording-metadata, and learning data. Servers in the United States; transfer mechanism described in Section 9. Privacy.
  • Anthropic PBC. Used for periodic, de-identified service-improvement analysis via the Claude Code CLI (not the Anthropic API). Only aggregated, de-identified weekly call metrics are transferred. You may opt your account out of this use in the dashboard. Privacy.
  • Brevo. Transactional email delivery (welcome messages, outcome reports). Privacy.
  • Sentry. Error monitoring. Configured to scrub personal data before ingestion. Privacy.

5. Call recording and AI-identification disclosure

Every outbound call starts with an audible disclosure that the call may be recorded and that the caller is an AI assistant calling on behalf of the named client. In jurisdictions requiring all-party recording consent (currently California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington), the disclosure is expanded and the recipient is given a meaningful opportunity to refuse recording before the substance of the call begins. If the recipient asks to stop receiving calls (by saying “stop”, “do not call me”, “remove me”, “DNC”, or words to that effect), the call ends immediately and the recipient is added to our global DNC list, effective across all clients of the platform.

6. Retention and deletion

We retain personal data only for as long as is necessary for the purpose for which it was collected, and longer only where we are required or permitted to by law.

  • Account data. For the duration of the contract, plus 30 days after account closure.
  • Invoice-recipient contact data. Deleted within 30 days of the client’s account closure or within 30 days of the invoice being marked paid or archived in the connected accounting system, whichever is sooner. Recipients on our DNC list are retained as DNC-only records (phone number plus DNC flag) indefinitely to honour the opt-out, and may be removed only on documented written request to legal@syntharra.com.
  • Call recordings and transcripts (US-only numbers). Up to 4 years from the call date. The retention period is set by reference to the federal catch-all statute of limitations under 28 U.S.C. § 1658(a), which applies to claims under 47 U.S.C. § 227 (TCPA) per Mims v. Arrow Fin. Servs., LLC, 565 U.S. 368 (2012). Where applicable state-level limitation periods are longer for specific claim types, retention may extend to the longer period.
  • Call recordings and transcripts (EEA, UK, or other non-US numbers). Up to 24 months from the call date, reflecting the typical dispute-resolution window for transactional contacts. Where a specific dispute is open, retention extends until the dispute is closed.
  • Billing records. 6 years (Irish tax) or 7 years (US tax for relevant transactions), as required by law.
  • Learning data. De-identified, aggregated metrics derived from recordings may be retained indefinitely; raw recordings used to derive them are deleted under the recording retention schedule above.

7. Your rights as a data subject

You have the following rights, exercisable by email to legal@syntharra.com. We respond within one month and may extend by two further months for complex requests, giving you reasons.

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal retention requirements set out in Section 6.
  • Restriction — ask us to limit processing while a request is resolved.
  • Portability — receive your account data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests, including the right to object at any time to processing for service-improvement purposes (in which case we cease such processing for your account).
  • Withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal must be as easy as giving consent: clients can withdraw and terminate by emailing support@syntharra.com or, where available, through the dashboard; invoice recipients can opt out using STOP keywords during a call or SMS, by emailing legal@syntharra.com, or via the self-serve form at /unsubscribe (where deployed).
  • Lodge a complaint — you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Data Protection Commission of Ireland (dataprotection.ie); UK users may also complain to the ICO (ico.org.uk).

8. Security and breach notification

Personal data is encrypted in transit (TLS 1.2 or higher) and at rest. OAuth tokens are encrypted at the application layer with keys not visible to the database. Database access is restricted by Row Level Security policies in Supabase. Only authorised personnel with a documented business need have access to production data. We log administrative access. A separated immutable audit log of consent and acceptance events is being deployed; in the interim, administrative access is logged and periodically reviewed.

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and within 48 hours of becoming aware, providing the information required for you to meet your own notification obligations under GDPR Articles 33 and 34 or analogous laws. Our internal breach-notification procedure is summarised at /dpa#breach-notification.

9. International data transfers

Several of our sub-processors (Stripe, Retell AI, Telnyx, Supabase, Anthropic, Brevo, Sentry) process data in the United States. Personal data leaving the European Economic Area is transferred under one of the following lawful mechanisms, as listed in the sub-processor table:

  • EU-US Data Privacy Framework (DPF). Where the receiving organisation is actively self-certified under the EU-US DPF (or UK extension where applicable).
  • Standard Contractual Clauses. Where the receiving organisation is not DPF-certified, transfers are made under the European Commission’s 2021 Standard Contractual Clauses (Decision 2021/914), Module 2 (controller to processor) or Module 3 (processor to processor) as applicable.

Our Transfer Impact Assessment process aligns with EDPB Recommendations 01/2020 and the post-Schrems II framework, and is applied to each US sub-processor. The current TIA summary for each sub-processor is available on request to legal@syntharra.com.

10. UK-specific notice and UK representative

For data subjects in the United Kingdom, this Privacy Policy is supplemented by the UK GDPR. Where required by UK GDPR Article 27 for the scale of our UK debtor processing, Syntharra will appoint a UK representative to receive inquiries from UK residents and the ICO. The appointment status and (when complete) the representative’s name and address are published at /legal/subprocessors. You may contact the representative or contact Syntharra directly at legal@syntharra.com.

11. US state privacy rights

If you are a US resident in a state with a comprehensive consumer-privacy law (California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Tennessee, New Hampshire, New Jersey, and other states as their laws come into force), you have additional rights under that state’s law. We honour these rights regardless of whether they apply to a particular consumer category, to simplify operation.

  • Right to know / access — request the categories and specific pieces of personal information we have collected about you in the past 12 months (or longer where the relevant state law extends the period).
  • Right to correct — ask us to correct inaccurate information.
  • Right to delete — subject to the exceptions in Section 6.
  • Right to opt out of sale or sharing — Syntharra does not sell or share personal information for cross-context behavioural advertising. The “Do Not Sell or Share My Personal Information” link is provided regardless, stating our non-sale practice.
  • Right to limit use and disclosure of sensitive personal information— we treat voice recordings as sensitive personal information for purposes of California’s CPRA and do not use them for any purpose beyond providing the service and the de-identified service-improvement use described in Section 3.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

California consumers may submit requests by emailing legal@syntharra.com with subject line “CCPA Request”. Authorised agents may submit requests on a consumer’s behalf with verified written authorisation. We are implementing recognition of the Global Privacy Control (GPC) browser signal as a valid opt-out signal in connection with our marketing site.

12. Cookies and tracking

We use a small number of strictly necessary cookies to operate the dashboard (authentication, CSRF protection, language preference). We do not use third-party marketing or advertising cookies on the dashboard. The public marketing site uses privacy-preserving analytics with IP-truncation and no cross-site identifiers. A full cookie list is available on request.

13. Changes to this policy

Material changes to this policy are notified by email to clients and posted in the dashboard at least 30 days before they take effect, and require renewed acceptance. Non-material changes (typos, clarifications, sub-processor updates handled under Section 4) take effect on publication. Past versions are archived at syntharra.com/privacy/v[version-number] for at least seven years.

14. Contact

Data-protection inquiries: legal@syntharra.com.
Data Protection Officer: contactable at the same address, marked “Attn: DPO”.
General support: support@syntharra.com.