Privacy Policy

1. Who We Are

Synetic Studio Pty Ltd (ABN 52 696 129 049) (“we”, “us” or “our”) operates the Synetic Studio platform - an AI-powered video editing tool accessible at https://www.syneticstudio.com/ (“the Platform”).

We are committed to protecting your personal information and handling it responsibly. This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights in relation to it.

We are based in Australia and the Platform is offered globally. This Policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”), the European Union General Data Protection Regulation (“GDPR”) and the United Kingdom GDPR for users in the EEA and the UK (see Section 17), and applicable United States state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) and equivalent laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon and other states (see Section 18). Where these laws conflict, the law providing the higher level of protection applies to your personal information. This Policy applies to our website, the Platform, and all associated services worldwide.

Our Terms & Conditions also apply to your use of the Platform and are incorporated into this Privacy Policy by reference.

2. What Personal Information We Collect

The personal information we collect depends on how you interact with us. It may include:

• Account information: your name and email address when you register for an account;
• Authentication data: if you sign in via Google or GitHub, we receive your name, email address, and profile picture from those providers in accordance with your OAuth permissions. We do not receive or store your passwords for those external services;
• Payment information: billing name and email address. We do not store your card number, CVV, or full payment details - these are processed and held securely by Stripe, our payment provider;
• Media content: video footage, audio files, and images that you upload to the Platform for AI-assisted editing;
• Project data: prompts, editing instructions, metadata, and other inputs you provide while using the Platform;
• Usage data: pages visited, features used, editing actions performed, session duration, and general interaction patterns within the Platform;
• Device and technical information: browser type, operating system, screen resolution, IP address, and referring URL; and
• Waitlist and feedback submissions: name, email address, and any responses you provide through our waitlist form, feedback surveys, or support communications.

3. How We Collect Your Information

3.1 Directly from You

We collect information directly from you when you:

• create an account or sign in;
• upload content to the Platform;
• interact with the AI editing tools or provide prompts;
• make a payment or update billing details;
• contact us for support; or
• join our waitlist or complete a feedback form.

3.2 Automatically

We collect certain information automatically when you visit or use the Platform, including through cookies, log files, and analytics tools. This includes IP address, browser and device information, pages accessed, and session activity.

3.3 From Third-Party Providers

If you sign in using Google or GitHub OAuth, those services provide us with basic profile information (name, email, and profile image) based on your account permissions with them. We only use this information to create and manage your account.

We may also receive limited information from Stripe regarding the status of transactions (e.g. payment success or failure) to manage your subscription.

4. Cookies

We use cookies and similar tracking technologies to operate and improve the Platform. Cookies are small files placed on your device that help us recognise you, maintain your session, and understand how the Platform is used.

We use cookies for:

• session management (keeping you logged in);
• analytics and performance monitoring; and
• remembering your preferences.

Most browsers accept cookies by default. You can configure your browser to reject cookies or to alert you before accepting them. Please note that disabling cookies may affect the availability and functionality of some parts of the Platform.

We may use analytics providers such as Vercel Analytics or PostHog to understand how users engage with the Platform. These tools collect anonymised or aggregated usage data.

5. How We Use Your Information

We use the personal information we collect to:

• Provide the service: create and manage your account, process your uploads, run AI editing pipelines, and deliver Platform functionality;
• Process payments: manage subscriptions, billing, and invoicing through Stripe;
• Communicate with you: send operational notices, security alerts, product updates, and support responses. Where you have opted in, we may also send marketing communications. You can opt out of marketing communications at any time;
• Improve the Platform: analyse usage patterns, test new features, fix bugs, and enhance the overall experience. We only use Your Content to improve AI models if you have given your explicit opt-in consent - see Section 6 below;
• Maintain security and integrity: detect, prevent, and investigate fraud, abuse, security incidents, and other misuse of the Platform;
• Comply with legal obligations: meet our obligations under applicable laws and regulations, and respond to lawful requests from government or regulatory bodies; and
• Business operations: administer our business, manage relationships with service providers, and support internal planning and reporting.

6. AI Processing & Model Improvement Consent

6.1 Consent to AI Processing of Your Uploaded Content

When you upload video, audio, image, or text content to the Platform, you expressly consent to that content being processed by automated AI systems for the sole purpose of delivering the service you have requested. This processing may include, without limitation:

• generating transcripts, captions, scene descriptions, and other metadata about your content;
• analysing visual frames, audio waveforms, and spoken language to enable editing features;
• transforming, segmenting, re-assembling, and adapting your content into Outputs at your direction; and
• storing intermediate analysis results for the duration of your project.

Without this consent we cannot deliver the Platform’s core functionality. You may withdraw this consent at any time by deleting the relevant content or by closing your account, which terminates all further AI processing of your content.

6.2 AI Model Improvement (Opt-In Only)

We do not use Your Content, prompts, or Outputs to train, fine-tune, or improve our AI models or those of any third party. If we introduce any such use in future, it will require your explicit, informed opt-in consent collected through a clear in-product mechanism, and the default for every user, regardless of region, will be off.

If you choose to opt in at that time, we will only use de-identified and anonymised data for this purpose - we will not pass identifiable personal information to any model training pipeline. You will be able to withdraw your opt-in at any time, and the withdrawal will apply to data we collect from that point forward. We cannot retract data that has already been incorporated into a trained model.

6.3 Third-Party AI Sub-Processors

We use third-party AI model providers to power certain Platform features. Those providers process your content on our behalf strictly to return outputs to you. We have contractual arrangements in place that prohibit those providers from using your content to train their own foundation models. The categories of AI sub-processors we use, and their general processing locations, are described in Section 7.

6.4 Inference Logging

For service reliability, abuse prevention, and debugging, we may retain transient request and response metadata associated with AI inference calls. This metadata is access-restricted, is not used to train models, and is retained only for as long as reasonably necessary for these purposes.

7. Who We Share Your Information With

We do not sell your personal information and we do not share it for cross-context behavioural advertising. We engage a limited number of third-party service providers (“sub-processors”) to operate the Platform, all of whom act only on our documented instructions and under appropriate contractual data protection obligations.

The named providers we currently engage are set out in Section 7.2 below. We will publish updates to this Section, and where reasonably practicable notify account-holders by email, before adding or replacing a sub-processor that materially affects the processing of your personal information.

7.1 Categories of Sub-Processors

• Authentication & database providers - manage your account credentials, sessions, and structured user data.
• Object storage & CDN providers - store your uploaded media files and deliver Platform assets to your device.
• Hosting & serverless compute providers- run the Platform’s application and processing workloads.
• Payment processors - handle subscription billing and card data. We do not receive or store your card number, CVV, or full payment details.
• OAuth identity providers - if you use a third-party sign-in option, that provider shares basic profile information with us under your OAuth permissions.
• AI model providers - third-party AI/ML inference APIs process your content strictly to return outputs to you, under contractual prohibitions on using your content for their own foundation-model training.
• Transactional email providers - deliver account, billing, and security notifications to your verified email address.
• Analytics & observability providers - receive anonymised or aggregated usage and error data to help us monitor reliability and product quality.
• Rate-limiting & caching providers - hold short-lived technical state to protect the Platform from abuse and to improve performance.

7.2 Named Sub-Processors

The third-party providers we currently engage are:

• Supabase - identity, authentication, and primary application database (account credentials, sessions, structured project data). Processing in the United States and European Union.
• Cloudflare - object storage for uploaded media (R2), content delivery network, DDoS protection, and edge networking. Global edge with regionally located primary storage.
• Vercel - application hosting, serverless function execution, and product analytics. Primarily United States with a global edge.
• Stripe - subscription billing and payment processing. Stripe holds card data directly; we receive only transaction status. United States and Ireland.
• Upstash - distributed cache and rate-limiting for abuse prevention and performance. Holds only short-lived technical state.
• Resend - delivery of transactional email (account verification, password reset, billing notifications). United States.
• Google - optional sign-in via Google OAuth, and bot/abuse protection on sign-up forms via reCAPTCHA.
• Apple - optional sign-in via Apple ID.
• AI inference providers - third-party AI/ML inference APIs that power editing features. These providers process Your Content solely to return outputs to us, under contractual prohibitions on using your content to train their own foundation models. Provider names are not disclosed individually to protect proprietary product information; the contractual data-protection terms applied to every AI sub-processor are equivalent.

7.3 Legal and Compliance

We may disclose your personal information to government authorities, law enforcement agencies, or regulators if required to do so by law, court order, or enforceable government request, or if we reasonably believe disclosure is necessary to protect the safety or rights of any person.

7.4 Business Transfers

If we are involved in a merger, acquisition, asset sale, corporate restructure, or change of ownership, your personal information may be transferred to the relevant third party as part of that transaction. We will notify you of any such transfer via your registered email address or a notice on the Platform.

8. International Data Transfers

Because we operate globally and use cloud-based sub-processors, your personal information may be transferred to, stored in, and processed in countries other than the one in which you reside, including Australia, the United States, and other jurisdictions where our sub-processors operate. The data protection laws in those countries may differ from those in your country.

Safeguards we apply. Whenever we transfer personal information across borders, we put in place appropriate safeguards consistent with applicable law. These include:

• contractual obligations on each sub-processor requiring them to protect your personal information to a standard consistent with our obligations under Australian Privacy Principle 8;
• selecting reputable providers that publish their own privacy and security practices, and reviewing those practices before engagement; and
• encryption of data in transit, access controls, and data minimisation across all transfers.

By using the Platform, you acknowledge that your personal information may be processed outside your country of residence subject to the safeguards described above. You may request further information about the safeguards that apply to specific transfers by contacting us at hello@syneticstudio.com.

9. Your Rights

You have the following rights in relation to the personal information we hold about you. These rights apply to all users globally. Users in the European Economic Area, the United Kingdom, and other jurisdictions with comparable data protection laws have additional rights set out in Section 17 (EEA, UK & GDPR-Equivalent Rights).

• Access: request a copy of the personal information we hold about you and information about how we process it;
• Rectification: ask us to correct any information about you that is inaccurate, incomplete, or out of date;
• Erasure: delete any of Your Content from within the Platform at any time, or request that we delete the personal information we hold about you. Some information may need to be retained for legal, accounting, or regulatory reasons - we will tell you if any such retention applies;
• Portability: receive a copy of the personal information you provided to us in a structured, commonly used, machine-readable format, or have it transmitted directly to another provider where technically feasible;
• Restriction: ask us to restrict the processing of your personal information in certain circumstances (for example, while we verify a correction request);
• Objection: object to processing of your personal information that is based on our legitimate interests, including any direct marketing;
• Withdraw consent: withdraw any consent you have given us at any time - including consent to AI model improvement (see Section 6.2). Withdrawal does not affect the lawfulness of processing carried out before withdrawal;
• Opt out of marketing: unsubscribe from marketing emails at any time using the unsubscribe link in each email, or by contacting us directly;
• Not be subject to solely automated decisions: we do not make decisions that produce legal or similarly significant effects about you based solely on automated processing; and
• Make a complaint: lodge a complaint with us or with a supervisory authority (see Section 16).

To exercise any of these rights, please contact us at hello@syneticstudio.com. We will respond to your request within 30 days (and within one month for users entitled to GDPR rights). We may need to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

10. Data Security

We implement industry-standard security measures to protect your personal information from unauthorised access, disclosure, alteration, and destruction. This includes:

• encrypted data transmission (TLS/HTTPS);
• access controls and authentication requirements for our team;
• use of reputable cloud infrastructure providers with their own security certifications; and
• regular security reviews as part of our development process.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information. If you believe your account has been compromised, please contact us immediately.

Data breach notification. We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a personal data breach that is likely to result in serious harm to you, we will:

• notify the Office of the Australian Information Commissioner (and any other supervisory authority with jurisdiction over the breach) as soon as practicable;
• notify affected individuals without undue delay, providing a description of the nature of the breach, the likely consequences, the measures we have taken or propose to take, and a point of contact for further information; and
• document the facts relating to each breach, its effects, and the remedial actions we have taken.

11. Data Retention & Deletion

We retain your personal information for as long as your account remains active, and for as long as reasonably necessary to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements. We do not automatically delete Your Content based on the passage of time. Deletion is user-initiated:

11.1 User-Initiated Deletion

• Deleting individual content: you may delete any of Your Content (videos, projects, exports, prompts, generated outputs) from within the Platform at any time. Once deleted by you, the item is removed from our active systems.
• Deleting your account: you may close your account at any time. When you do, we will permanently delete Your Content and your personal account information from our active production systems within a reasonable time following your request.
• Backups: copies of deleted data may persist in encrypted, access-restricted backup snapshots until they are overwritten or destroyed in the ordinary course of our backup rotation. Backup data is not used for any purpose other than disaster recovery and is not accessible to operational staff in the normal course.

11.2 Hard Deletion

When we delete personal information, we do so by hard deletion - the records are removed from our production databases and object storage, not merely flagged as inactive. We do not retain shadow copies for analytics, marketing, or model training purposes once you have requested deletion.

11.3 Information We Must Retain

Limited categories of information may be retained beyond account deletion where the law requires it or where it is necessary to establish, exercise, or defend legal claims:

• Billing and tax records: invoices and transaction records are retained for the period required by applicable financial and tax legislation (typically 7 years under Australian law);
• Security and abuse logs: minimal records evidencing breaches of these Terms, fraud, or abuse may be retained for the period necessary to address those issues;
• Anonymised analytics: aggregated, non-identifying usage statistics may be retained indefinitely as they do not identify you; and
• Legal hold: where we are subject to a court order, regulator request, or active legal claim, we may retain specific records until the matter is resolved.

12. Beta and Waitlist Data

If you join our waitlist or participate in the Platform during its beta period, your contact information (name and email address) is used solely to:

• notify you when access is available;
• communicate product updates and developments; and
• invite you to provide optional feedback during the beta period.

We will not use waitlist or beta data for unsolicited commercial communications or share it with third parties for marketing purposes. You may unsubscribe from any communications at any time using the unsubscribe link included in our emails.

13. Third-Party Links

The Platform may contain links to third-party websites, tools, or services. We are not responsible for the privacy practices of those third parties. We recommend reviewing the privacy policy of any third-party service you access through or in connection with the Platform.

14. Children

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasonable reasons. When we make material changes, we will notify you by email or by posting a notice on the Platform before the changes take effect.

Your continued use of the Platform after the updated Policy takes effect constitutes your acceptance of the changes. The date at the top of this page indicates when the Policy was last updated.

16. Contact & Complaints

If you have any questions, concerns, or complaints about how we handle your personal information, please contact us at:

SyneticStudio Pty Ltd
Email: hello@syneticstudio.com
Website: syneticstudio.com/contact

We will acknowledge your inquiry promptly and aim to respond fully within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (“OAIC”):

Office of the Australian Information Commissioner
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au

Users in the EEA, the UK, or the United States also have the right to lodge complaints with their local supervisory authority - see Sections 17 and 18.

17. EEA, UK & GDPR-Equivalent Rights

This Section applies in addition to the rest of this Policy where the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) or the UK GDPR applies to our processing of your personal information - including where you are located in the European Economic Area, the United Kingdom, or Switzerland, and where we offer the Platform to you in those regions.

17.1 Controller

For the purposes of the GDPR and UK GDPR, the controller of your personal information is SyneticStudio Pty Ltd (ABN 52 696 129 049), contactable at hello@syneticstudio.com.

17.2 Legal Bases for Processing

We rely on the following legal bases under Article 6(1) GDPR:

• Contract (Art. 6(1)(b)): to create and operate your account, deliver the Platform, process your uploaded content into Outputs, take payment, and provide customer support;
• Consent (Art. 6(1)(a)): for processing of your uploaded content by AI systems (Section 6.1), for AI model improvement using your data (Section 6.2, opt-in only), for non-essential cookies and analytics, and for marketing communications. You may withdraw any consent at any time without affecting the lawfulness of prior processing;
• Legitimate interests (Art. 6(1)(f)): to secure the Platform, prevent fraud and abuse, monitor reliability, defend legal claims, and conduct internal business administration. We have balanced these interests against your rights and freedoms;
• Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, anti-money-laundering, and other obligations imposed on us by law.

We do not knowingly process special categories of personal data (Article 9 GDPR). If you choose to upload content containing special category data, you do so on the basis of your explicit consent under Article 9(2)(a) and you confirm you have a lawful basis for doing so.

17.3 Your GDPR Rights

In addition to the rights in Section 9, you have the right to:

• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22);
• be informed about the source, recipients, and retention period of your personal information (Articles 13-15);
• lodge a complaint with the supervisory authority in the EU Member State or UK region where you live, work, or where the alleged infringement occurred (Article 77).

In the United Kingdom you may complain to the Information Commissioner’s Office (ICO) at ico.org.uk. In Ireland the Data Protection Commission can be reached at dataprotection.ie. A list of EEA supervisory authorities is published at edpb.europa.eu.

17.4 Retention

Retention periods are set out in Section 11. Where personal information is processed solely on the basis of consent, we will cease processing once that consent is withdrawn and delete the relevant data in accordance with Section 11.1.

17.5 Contacting Us About GDPR Matters

GDPR-related enquiries may be sent to hello@syneticstudio.com with the subject line “GDPR request”.

18. United States State Privacy Rights

This Section applies to residents of US states whose privacy laws extend rights to consumers. It supplements, and does not replace, the rest of this Policy. We extend the substantive rights described below to residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Tennessee, Indiana, and any other US state with materially equivalent legislation, regardless of whether we are technically in scope under each statute.

18.1 Notice of Collection (CCPA/CPRA)

In the preceding 12 months we have collected the following categories of personal information from California residents, for the purposes described in Section 5, from the sources described in Section 3:

• identifiers (name, email, IP address, account identifier);
• customer records (billing email, profile information);
• commercial information (subscription history, payment status);
• internet or other network activity information (usage logs, device and browser metadata);
• geolocation data (approximate location inferred from IP);
• audio, electronic, visual, or similar information (content you upload, prompts you submit, generated outputs); and
• inferences drawn from the above (preferences, content categorisations).

We disclose these categories to the sub-processors described in Section 7.

18.2 No Sale or Sharing of Personal Information

We do not sell your personal information for monetary consideration, and we do not share your personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA or equivalent state laws. We have not engaged in any such sale or sharing in the preceding 12 months.

18.3 Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes beyond those permitted under CPRA section 1798.121(a) and the equivalent provisions of other state laws (i.e. purposes necessary to provide the service you requested, security, and limited internal operations). You are therefore not required to submit a separate request to limit use of sensitive personal information, although you may do so by contacting us.

18.4 Your State Privacy Rights

Subject to verification of your identity, you have the right to:

• Know / access: request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients;
• Delete: request deletion of personal information we have collected from you, subject to statutory exceptions;
• Correct: request correction of inaccurate personal information;
• Portability: receive personal information in a portable, machine-readable format;
• Opt out of sale or sharing: although we do not engage in either, you may submit a confirming opt-out request;
• Opt out of targeted advertising: although we do not engage in targeted advertising, you may submit a confirming opt-out;
• Opt out of profiling: we do not engage in profiling that produces legal or similarly significant effects; and
• Non-discrimination: we will not discriminate against you for exercising any of these rights.

18.5 How to Submit a Request

To exercise any of these rights, email hello@syneticstudio.com with the subject line “US Privacy Request”. We will respond within 45 days, with one 45-day extension where reasonably necessary and where we notify you of the extension. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out request from the browser submitting it.

18.6 Authorised Agents

You may use an authorised agent to submit a request on your behalf. We require written proof of the authorisation (such as a signed power of attorney or written permission) and may also require you to verify your own identity directly with us.

18.7 Notice of Financial Incentive

We do not offer financial incentives in exchange for the collection, sale, or deletion of personal information.

18.8 Minors

The Platform is not directed to individuals under 18 (see Section 14). We do not knowingly collect personal information from minors and therefore do not sell or share the personal information of consumers under 16, as those terms are used under the CCPA/CPRA.

18.9 Shine the Light (California)

California Civil Code § 1798.83 permits California residents to request information about third parties to whom we disclose personal information for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.