Privacy Policy

Last updated: March 26, 2026

1. Introduction

Symlfy ("we," "us," "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Symlfy platform ("Service").

Symlfy is a Backend-as-a-Service provider. We process data on behalf of our customers (platform tenants). This policy covers data we collect directly from you as a Symlfy account holder. Our customers are responsible for their own privacy policies governing the data their end users provide.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name (first and last)
• Password (hashed — we never store plaintext passwords)
• Phone number (optional, for MFA)

2.2 Billing Information

If you subscribe to a paid plan, our payment processor (Stripe) collects your payment information. We do not store credit card numbers or bank account details on our servers. We receive only a billing identifier from Stripe.

2.3 Usage Data

We automatically collect:

• IP addresses (for security and rate limiting)
• Browser user agent (for session management)
• API request metadata (method, path, status code, duration)
• Authentication events (login, logout, MFA verification)

2.4 Customer Data

As a BaaS provider, we host data that you and your application tenants store through the Service (documents, user records, etc.). We process this data solely to provide the Service and do not access, analyze, or use it for any other purpose.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Authenticate your identity and secure your account
• Process payments and manage your subscription
• Send transactional emails (account verification, password reset, security alerts)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not:

• Sell your data to third parties
• Use your data for advertising
• Train AI models on your data
• Share your data with third parties except as described in this policy

4. Data Storage and Security

Your data is stored on Google Cloud Platform infrastructure in the United States (us-central1 region). We implement the following security measures:

• Encryption at rest (AES-256, Google-managed keys)
• Encryption in transit (TLS 1.2+ with modern cipher suites)
• Database accessible only via private VPC (no public IP)
• Mandatory MFA for all accounts
• Immutable audit logs retained for 7 years
• Automated secret rotation every 90 days

For full details, see our Security Policy.

5. Data Retention

• Account data: Retained while your account is active. Deleted 30 days after account closure.
• Customer data: Retained while your account is active. Deleted 30 days after account closure.
• Audit logs: Retained for 7 years for compliance purposes, then automatically deleted.
• Billing records: Retained as required by tax and accounting regulations.

6. Third-Party Services

We use the following third-party services to operate the platform:

• Google Cloud Platform: Infrastructure hosting, database, storage, authentication (Firebase)
• Stripe: Payment processing
• Google Workspace: Business email (symlfy.com domain)

Each of these providers maintains their own security certifications and privacy commitments. Google Cloud Platform holds SOC 2 Type II, ISO 27001, and FedRAMP certifications.

7. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated data
• Export: Export your data in a standard format
• Restrict processing: Request that we limit how we use your data

To exercise these rights, contact privacy@symlfy.com. We will respond within 30 days.

8. Cookies

The Service uses session cookies for authentication. These cookies are:

• HttpOnly (not accessible via JavaScript)
• Secure (transmitted only over HTTPS)
• SameSite: Lax (CSRF protection)
• Signed with HMAC (tamper-proof)

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

11. Contact

For privacy-related inquiries, contact us at privacy@symlfy.com.