SymaOS ("we", "us", "our") operates the SymaOS personal operating system: a web dashboard, an iOS / Android companion application, and the underlying APIs that organize email, calendar, tasks, and approvals on behalf of a single end user.

For the purposes of the EU/UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and equivalent regimes, SymaOS acts as the data controller for account data and as a data processor for content read on your behalf from connected providers (Google Workspace, Microsoft 365, etc.).

We deliberately keep the surface area small. We collect:

• Identity data: the email address you sign in with and any optional display name. We do not collect demographic data, government identifiers, or health data.
• Authentication metadata: hashed session tokens, session timestamps, IP address, user agent, and OAuth state nonces used to prevent CSRF on third-party callbacks.
• Connector tokens: encrypted OAuth access and refresh tokens for the providers you choose to connect (Gmail, Google Calendar, Microsoft 365). Tokens are encrypted at rest with an envelope key controlled by SymaOS.
• Derived task and calendar metadata: normalized tasks, schedules, briefs, and audit entries. We minimize raw message body retention - we extract evidence snippets needed for traceability and discard the rest as soon as the extraction is committed.
• Billing data: Stripe customer and subscription identifiers, plan, status, and high-level usage counters. SymaOS never sees or stores card numbers - card data is handled exclusively by Stripe.

We process the data above strictly to:

• Operate the daily brief, planning, and approval loops.
• Authenticate you and maintain a single canonical account regardless of which identity provider you used to sign in.
• Bill the correct plan, enforce entitlements, and account for AI usage costs.
• Detect abuse, debug failures, and recover from incidents using short-lived structured logs scrubbed of sensitive content.

We do not sell your data, share it with advertising networks, or use it to train third-party foundation models on your private corpus.

When SymaOS extracts tasks or composes a brief, evidence snippets may be sent to a third-party large language model provider for summarization. These snippets are processed under zero-retention terms wherever the provider supports them. Raw email bodies and calendar events are never used to train external models.

A complete list of AI sub-processors is published on our sub-processors page.

• Contract: processing required to deliver the SymaOS service you signed up for.
• Legitimate interest: security, abuse prevention, and aggregate, non-identifying product analytics.
• Consent: connecting an optional provider (Google, Microsoft) or enabling AI-assisted features.
• Legal obligation: tax records, fraud prevention, responding to lawful access requests.

SymaOS shares data only with the vetted sub-processors required to run the product (cloud hosting, database, queueing, payments, AI providers, error tracking). Each sub-processor is bound by a data processing agreement and listed at /sub-processors.

We do not transfer your data outside of contractually permitted regions without appropriate safeguards (Standard Contractual Clauses or equivalent).

Detailed retention windows are published at /retention. As a summary: account data lives as long as the account is active; audit and billing records are retained for the legally required window; raw message bodies are not persisted after extraction.

Subject to applicable law, you may at any time access, correct, export, restrict, object to, or erase your personal data. You may also withdraw consent for optional integrations and AI processing.

• Access & export: the in-product audit log shows every user-visible action; you can request a structured export at privacy@symaos.com.
• Erasure: trigger account deletion from Settings → Account → Delete account or via the DELETE /api/account/data endpoint. Deletion revokes all sessions, disconnects every integration, cancels active subscriptions at the period end, and removes user data on the cooling-off schedule documented on the retention page.
• Complaint: EU/UK users may lodge a complaint with their local supervisory authority.

Encryption in transit (TLS 1.2+), encryption of secrets at rest (Fernet / KMS-managed envelope keys), least-privilege OAuth scopes, per-user tenancy enforced in every query, hashed session tokens, centralized audit logging, and a published vulnerability disclosure policy at /security.

SymaOS is not directed at children under 16 and we do not knowingly process their data. If you believe a minor has signed up, contact privacy@symaos.com and we will delete the account.

Material changes will be announced in the product and via email at least 14 days before they take effect. The effective date at the top of this document reflects the most recent revision.

Privacy questions: privacy@symaos.com.
Security reports: security@symaos.com.
Data Protection Officer: dpo@symaos.com.