Synthesis Privacy Policy

Introduction

Synthesis ("we," "our," or "us") is committed to protecting your privacy and handling your personal health information with the highest level of security and care. This Privacy Policy explains how we collect, use, share, and protect your information when you use our precision wellness platform.

Your privacy is fundamental to our mission. We believe you should have control over your health data while benefiting from personalized, biomarker-driven wellness insights.

Definitions

• "Biomarker Data": Laboratory results, blood panels, hormone levels, vitamin/mineral status, and other clinical markers
• "User Content": Questions, conversations, and other content you create while using our Service
• "Health Coordinator": Our AI-powered feature that provides personalized wellness recommendations
• "Service": Our website, mobile applications, and all related services

Our Regulatory Status

Important: Synthesis is a consumer wellness platform, not a covered entity under HIPAA (Health Insurance Portability and Accountability Act). While we implement security measures that often exceed industry standards, we are not bound by HIPAA regulations. We voluntarily adopt many healthcare-grade security practices to protect your sensitive health information.

AI Health Coordinator and Third-Party AI Technology

Synthesis Health Coordinator

Synthesis Health Coordinator is a generative AI feature designed to help you understand your biomarker data, make progress toward your wellness goals, and receive personalized health optimization recommendations. The Health Coordinator creates a personalized coaching experience by combining your unique, anonymized biomarker data with evidence-based wellness science.

If you choose to use the Health Coordinator, please note that it leverages third-party AI technology provided by our Large Language Model (LLM) partner. This technology generates intelligent and personalized responses based on your biomarker data and wellness questions. For example, if you ask about fatigue, the Health Coordinator will provide personalized insights based on your anonymized iron levels, sleep data, and other relevant biomarkers.

Important Safeguards:

• We require our LLM partner to use your anonymized biomarker data only for generating responses to you
• Our LLM partner operates under a "Zero-Retention/Zero-Training Policy," meaning they do not store your data or use it to train their algorithms
• We only share anonymized biomarker data with our LLM partner - never personally identifiable information
• We ask that you avoid providing identifying information in conversations with the Health Coordinator

Data Handling and Storage

Synthesis may retain your conversation history with the Health Coordinator to ensure continuity and improve your experience. When you revisit topics from previous conversations, we may share that context to create better, more personalized recommendations. You can delete your Health Coordinator conversation history at any time through your account settings.

Synthesis employees will only access your conversations when necessary to provide customer support or improve our AI systems. If the Health Coordinator suggests contacting our support team, you can opt in to have that specific conversation shared with our support staff to provide better assistance.

Your Control

You have complete control over the Health Coordinator feature:

• Enable or disable the feature at any time through your account settings
• Delete conversation history whenever you choose
• Opt out of data sharing with our LLM partner by not using the feature
• Request manual deletion of all AI-related data by contacting us

Information We Collect

Health and Biomarker Data

• Laboratory Results: Blood panels, hormone levels, vitamin/mineral status, metabolic markers, and other clinical biomarkers you upload or authorize us to receive
• Biometric Data: DEXA scan results, RMR testing, body composition measurements
• Wearable Device Data: Sleep patterns, heart rate variability, activity levels, and other metrics from connected devices
• Health History: Medical conditions, medications, supplements, allergies, and family health history you provide
• Lifestyle Information: Diet preferences, exercise habits, stress levels, sleep quality, and wellness goals
• AI Conversations: Your interactions with the Synthesis Health Coordinator, including questions asked, recommendations received, and conversation history

Account and Usage Data

• Profile Information: Name, email address, date of birth, gender, location
• Subscription Data: Billing information, payment method, subscription tier and history
• Communication Data: Messages with our AI health coordinator, support interactions, and feedback
• Platform Usage: Features used, recommendations followed, engagement patterns, and app analytics

Technical Data

• Device Information: IP address, device type, operating system, browser information
• Cookies and Tracking: Session data, preferences, and usage analytics (see Cookie section below)

How We Use Your Information

Primary Uses

• Personalized Recommendations: Analyze your biomarkers and health data to provide tailored nutrition, supplement, and lifestyle recommendations
• AI Health Coordination: Power our conversational AI system to answer your health questions and provide ongoing optimization guidance
• Progress Tracking: Monitor your biomarker improvements and wellness journey over time
• Research Integration: Connect your data with peer-reviewed research to ensure evidence-based recommendations

Secondary Uses

• Service Improvement: Enhance our AI algorithms, recommendation accuracy, and user experience
• Safety Monitoring: Identify biomarker patterns that may require medical attention and provide appropriate referrals
• Customer Support: Respond to your questions and provide technical assistance
• Legal Compliance: Meet regulatory requirements and protect against fraud or misuse

Aggregated Research

We may use de-identified, aggregated data for research purposes to advance precision wellness science. This data cannot be linked back to individual users and helps improve our platform for everyone.

Information Sharing and Disclosure

We Do Not Sell Your Personal Health Information

Your biomarker data, health information, and personal wellness data are never sold to third parties for marketing or commercial purposes.

Service Providers and Partners

• Laboratory Partners: We may share necessary information with Quest, LabCorp, and other lab partners to facilitate testing and result delivery
• Payment Processors: Billing information is shared with secure payment providers to process subscriptions
• Technology Vendors: Trusted vendors who help operate our platform under strict data protection agreements
• Cloud Services: Computing and storage providers that power our recommendation engine with appropriate security safeguards
• AI/LLM Partners: Our third-party Large Language Model provider that powers the Health Coordinator feature, operating under strict zero-retention and zero-training policies

Required Disclosures

We may disclose your information when:

• Legal Obligation: Required by law, court order, or regulatory authority
• Safety Concerns: Necessary to protect your immediate health and safety or that of others
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with continued privacy protection)
• Consent: You have given explicit permission for specific sharing

Sharing with Your Healthcare Providers

We provide tools for you to easily share your biomarker insights and wellness data with your healthcare providers if you choose. You maintain full control over what information to share and when.

Data Security and Protection

Technical Safeguards

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Multi-factor authentication and role-based access limiting who can view your data
• Infrastructure Security: SOC 2 Type II compliant cloud infrastructure with regular security audits
• Data Anonymization: Personal identifiers removed from research and analytics datasets

Organizational Safeguards

• Employee Training: All staff trained on privacy protection and data handling procedures
• Minimum Necessary: Access limited to information necessary for job functions
• Business Associate Agreements: All vendors handling health data sign strict data protection agreements
• Incident Response: Comprehensive procedures for addressing any security incidents

Consumer Privacy Focus

As a consumer wellness platform, we maintain robust privacy protections that often exceed industry standards:

• Enterprise-grade security measures typically reserved for healthcare applications
• Regular third-party security audits and penetration testing
• Employee privacy training and strict access controls
• Transparent incident reporting and user notification procedures

Data Breach Notification

In the unlikely event of a data breach that may compromise your personal information:

• We will notify affected users within 72 hours of discovery
• Notifications will include: nature of the breach, types of data involved, steps we're taking, and recommendations for you
• We will work with appropriate authorities as required by law
• We maintain cyber insurance to help protect users in case of incidents

Your Privacy Rights

Access and Control

• View Your Data: Access all personal information we have about you
• Update Information: Correct inaccurate or incomplete health data
• Download Your Data: Export your biomarker results, recommendations, and wellness history in common formats (CSV, JSON)
• Delete Your Account: Request complete removal of your account and associated data

Communication Preferences

• Marketing Communications: Opt out of promotional emails while continuing to receive service-related messages
• Recommendation Frequency: Customize how often you receive AI-generated insights and suggestions
• Research Participation: Choose whether to include your de-identified data in research studies

State-Specific Rights

If you reside in California, Virginia, Colorado, Connecticut, Utah, or other states with enhanced privacy laws, you may have additional rights including:

• Right to know what personal information is collected and how it's used
• Right to delete personal information (subject to certain exceptions)
• Right to opt out of sale or sharing for targeted advertising
• Right to non-discrimination for exercising privacy rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

Data Retention and Deletion

Retention Periods

• Active Accounts: Health data retained as long as your account is active
• Inactive Accounts: Data retained for 3 years after last login, then securely deleted
• Legal Requirements: Some data may be retained for 7 years to comply with financial regulations
• Research Data: De-identified data used for research may be retained indefinitely

Secure Deletion

When data is deleted, we use industry-standard secure deletion methods to ensure it cannot be recovered. Backups are deleted according to our 90-day backup rotation schedule.

Right to Be Forgotten

You may request immediate deletion of your account and all associated data. We will honor this request within 30 days, subject to any legal retention requirements.

International Data Transfers

Global Service Delivery

Synthesis operates primarily in the United States. If you access our Service from outside the U.S., your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses: Use of approved contract terms for international transfers
• Encryption: All data transfers are encrypted regardless of location
• Access Controls: Same security standards applied globally

Data Localization

We currently store all data in U.S.-based data centers. Users should be aware of this when using our Service from other countries.

Cookies and Tracking Technologies

Essential Cookies

• Authentication: Keep you logged in to your account
• Security: Protect against fraud and unauthorized access
• Functionality: Remember your preferences and settings

Analytics Cookies

• Usage Patterns: Understand how users interact with our platform
• Performance Monitoring: Identify and fix technical issues
• Feature Optimization: Improve user experience based on behavior data

Third-Party Cookies

We use limited third-party services:

• Stripe: Payment processing (essential)
• Google Analytics: Anonymous usage analytics (optional)
• Intercom: Customer support chat (optional)

Cookie Management

You can control cookie preferences through:

• Your browser settings (may impact functionality)
• Our cookie preference center (accessible from account settings)
• Opting out of analytics cookies while maintaining essential functionality

Children's Privacy

Synthesis is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. We use age verification during account creation to prevent underage access. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service offerings. We will:

• Notify users of material changes via email at least 30 days before the effective date
• Post the updated policy with a new effective date
• Maintain an archive of previous versions for transparency
• Obtain consent for changes that materially affect how we use your health information

Contact Information

Privacy Questions

For questions about this Privacy Policy or our privacy practices:

• Email: privacy@emergentlabs.dev
• Support Portal: Access through your account dashboard

Data Protection Officer

For privacy-specific inquiries:

• Email: dpo@emergentlabs.dev

Exercising Your Rights

To exercise any privacy rights or submit requests:

• Email: rights@emergentlabs.dev
• Account Portal: Settings > Privacy Rights

Response Times

• General inquiries: 3-5 business days
• Rights requests: Within 30 days (45 days for complex requests with notice)
• Urgent security matters: Within 24 hours

State-Specific Addenda

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to know what personal information we collect, use, disclose, and sell
• Right to delete personal information (with exceptions)
• Right to opt-out of sale or sharing of personal information
• Right to non-discrimination
• Right to correct inaccurate information
• Right to limit use of sensitive personal information

Note: We do not sell personal information as defined by CCPA.

To exercise these rights, contact rights@emergentlabs.dev or use our automated rights portal in account settings.

European Union Residents (GDPR)

If you are accessing our Service from the EU:

• Legal Basis: We process data based on consent, legitimate interests, and contractual necessity
• Data Portability: Export your data in machine-readable format
• Right to Restrict: Limit how we process your data in certain circumstances
• Supervisory Authority: You may lodge complaints with your local data protection authority

Virginia Residents (VCDPA)

Virginia residents have rights similar to California residents, including:

• Right to access, correct, and delete personal data
• Right to data portability
• Right to opt-out of targeted advertising and sale of personal data

Other States

We extend similar privacy rights to residents of Colorado, Connecticut, Utah, and other states with comprehensive privacy laws. Contact us to exercise your rights under applicable state law.