Legal · Privacy policy

How we handle your data.

The short version: OAuth only, AES-256 at rest, send-only email access, GDPR-compliant. The long version is below.

Effective: May 1, 2026 · Last updated: May 1, 2026

1. Scope

This policy describes how Cynea AI Ltd. (“Cynea”, “we”, “us”) collects, uses, and protects personal data when you use the Cynea platform at cynea.ai and any subdomains.

It applies to operators (the people who sign in and run campaigns), their team members, and the prospects whose contact details are processed through Cynea on the operator's behalf.

2. Data we collect

Account data. Name, work email, and profile picture provided by your OAuth identity provider when you sign in.

Workspace data. Agency name, industry, timezone, branding preferences, and team-member emails you invite.

Campaign data. Prospect lists, email content drafted by Cynea, send/reply/booking events, and performance metrics.

Calendar data. Only your calendar.freebusy windows when you connect Google Calendar — meeting titles, attendees, and notes are never accessed.

3. Authentication

We sign you in via OAuth (Google) or magic-link email. We never see, store, or transmit your password. Your provider hands us a short-lived token, and we hand it back when your session expires.

The Resend, Apollo, Hunter, and Anthropic API keys you configure are stored on your workspace, encrypted at rest, and only decrypted at the moment we call the corresponding API on your behalf.

4. Send-only email access

Outbound email is sent through Resend on a domain you verify. Cynea requests send-only access — we can dispatch on the verified address, but we cannot read your inbox, impersonate you on other addresses, or download your mail history.

Reply ingestion, when enabled, runs through a separate verified inbound domain. You can revoke either at any time from Settings; revocation is immediate and irreversible from our side.

5. Encryption & infrastructure

Data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Keys are managed by our cloud provider's KMS and rotated automatically.

Production data lives in EU and US regions only. We do not process personal data outside these regions, and we use Standard Contractual Clauses for any transfer between them.

6. Sub-processors

We use the following sub-processors, each under a written DPA:

  • Resend — outbound email delivery
  • Anthropic — AI message drafting and signal analysis
  • Apollo, Hunter — prospect discovery (called only with the keys you provide)
  • Google Cloud / AWS — hosting, database, and KMS
  • Vercel — frontend delivery

The current list is available on request to irene@cynea.ai and we notify customers in advance of material changes.

7. Your rights (GDPR / UK GDPR)

We are GDPR and UK GDPR compliant. As a data subject you have the right to:

  • access the personal data we hold about you
  • correct inaccurate or incomplete data
  • delete data (right to erasure)
  • export your data in a machine-readable format
  • object to processing or restrict it
  • withdraw consent at any time

To exercise any of these rights, email irene@cynea.ai. We respond within 30 days.

8. Retention

Workspace data is retained for the life of your account plus 30 days after cancellation, after which it is permanently deleted from primary storage. Encrypted backups are purged within 90 days.

Anonymized aggregate metrics (e.g. average reply rate by industry) may be retained beyond that window for product analytics — these can never be re-linked to an individual.

9. Contact

Privacy questions, DPA requests, and data-subject requests go to irene@cynea.ai.

Cynea AI Ltd. — registered in England and Wales. Data Protection lead: Irene at the address above.