Privacy Policy
Last updated: June 2026
Overview
SynapseData provides QEEG data analysis tools for licensed clinical practitioners. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. It applies to all users of the SynapseData platform.
For information about how de-identified QEEG data may optionally be used for research purposes, see our separate Research Data Use Agreement.
Data We Collect
We collect only the information necessary to provide our services:
- Account information: name, email address, organization name, and account credentials
- Clinical data you upload: QEEG data files, clinician-assigned patient identifiers, patient age (integer only), symptom records, and protocol records
- Login session data: for each login we record your IP address, approximate location (city, region, country derived from your IP via Vercel's edge network), browser and device type, login time, and session expiry. This data is used to detect unauthorized access, enforce the concurrent session limit, and provide you with session management controls under Settings → Active Sessions.
- Usage data: server logs and activity for security and troubleshooting purposes
Login Session Data Retention
Login session records are retained for 2 months from the date of login, after which they are automatically deleted. Active sessions are retained until they expire (within 24 hours of login) or are revoked by you or an administrator. You can view and revoke your active sessions at any time from Settings → Active Sessions.
Patient Privacy
SynapseData does not store real patient names, dates of birth, contact details, or any of the 18 patient identifiers specified under HIPAA Safe Harbor (45 CFR §164.514(b)). All patient records use clinician-assigned identifiers only. Patient age (as an integer) is stored in place of date of birth.
The mapping between clinician-assigned identifiers and real patients is maintained solely by the clinician. SynapseData has no access to this mapping.
How We Use Your Data
We use your data solely to:
- Provide, maintain, and improve the SynapseData platform
- Authenticate your account and secure your session
- Send transactional emails (account registration, shared report notifications, security alerts)
- Investigate security incidents and resolve support requests
We do not sell your data or use it for advertising. Unless you have opted out of research data contribution, see the Research Data Use Agreement for how de-identified data may additionally be used.
Data Security
All data is transmitted over TLS and all data at rest is encrypted using AES-256-GCM. Access is scoped per user — clinicians can only access their own patient data. We maintain access controls, audit logging, and security monitoring to protect against unauthorized access.
In the event of a data breach that may affect your personal information, we will notify you by email within 72 hours of becoming aware, consistent with applicable law.
Third-Party Service Providers
We use third-party infrastructure providers to operate the platform. Each processes data only as necessary to perform their service:
- Database and file storage provider — stores your account data, clinical records, and uploaded files
- Background processing provider — runs QEEG file analysis jobs outside the main request lifecycle
- Transactional email provider — delivers OTP codes, share notifications, and security alerts
- Application hosting provider — serves the platform and handles edge delivery
- Payment processor (Clover/Fiserv) — processes subscription payments. Your card details are entered directly into Clover’s secure form and are never received or stored by SynapseData; we retain only a payment token and limited card metadata (brand, last four digits, expiry)
We do not share your data with any other third parties without your explicit consent.
Payment Information
SynapseData subscriptions are billed through Clover (a Fiserv company). When you subscribe, your card information is captured directly by Clover’s PCI-DSS compliant payment form. SynapseData does not receive, process, or store your full card number or security code. We store only a payment token supplied by Clover and non-sensitive display metadata (card brand, last four digits, and expiration) so we can show you which card is on file and recover a declined renewal. With your authorization, your card is securely stored with Clover for recurring billing until you cancel. Clover’s handling of your payment data is governed by its own privacy policy.
Cookies and Tracking
SynapseData uses only session cookies necessary for authentication. We do not use advertising cookies, third-party tracking pixels, or analytics services that share data with external parties.
Data Retention
Your account data and uploaded clinical data are retained for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting info@synapsedata.org.
Exception: If you have opted in to research data contribution, de-identified data already incorporated into aggregate analyses cannot be retroactively removed. See the Research Data Use Agreement for details.
Server and security logs are retained for up to 90 days.
HIPAA
SynapseData is designed to avoid storing Protected Health Information (PHI) as defined by HIPAA. Because no patient names, dates of birth, or other direct identifiers are collected or stored by the platform, SynapseData does not act as a HIPAA Business Associate with respect to the data it stores. Clinicians are responsible for maintaining their own HIPAA compliance obligations, including obtaining appropriate patient authorizations for QEEG data collection and storage.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data (subject to the research data exception above)
- Portability: Request your data in a machine-readable format
- Restriction: Request that we limit processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interests
To exercise any of these rights, contact info@synapsedata.org. EU/EEA users may also lodge a complaint with their local data protection authority.
California residents: SynapseData does not sell personal information. You have the right to know what personal information we collect and to request deletion, consistent with the CCPA.
Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address at least 14 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.
Contact
For privacy-related questions or to exercise your rights, contact us at info@synapsedata.org.
