Synapse-AI Legal

DRAFT — REVIEW WITH LEGAL COUNSEL BEFORE SHIPPING TO USERS.

Last updated: 2026-05-03

Digital Personal Data Protection Act (DPDPA) Disclosure

This page summarises how Synapse-AI complies with the Digital Personal Data Protection Act, 2023 ("DPDPA"). It accompanies the Privacy Policy and Terms of Service; the three documents should be read together.

Section 17 — Data residency

Sarvam Saaras v3 (ASR) and Supabase (Postgres + Storage) are locked to the India-South region (Mumbai / Hyderabad). Region support on both was verified at the time of writing. Production region pinning is enforced at backend startup via enforce_region_pinning (see backend/app/core/region_check.py), which emits warnings in dev and exits the process in production on any violation.

Out-of-region inference (Anthropic)

Anthropic Claude does not yet host an India-region inference endpoint. Mitigation:

  1. All Claude calls originate from the India-hosted FastAPI backend. Flutter never calls Anthropic directly. FastAPI is the DPDPA §17 data-residency boundary.
  2. PII redaction runs before egress: party names, Aadhaar numbers, phone numbers, and case numbers are tokenised (e.g., to [PARTY_1], [DATE_1]). The token map lives in-memory per session and is evicted on session close. Re-hydration of redacted tokens happens on the response path, inside the India-hosted FastAPI process.
  3. A Zero Data Retention contract with Anthropic is under negotiation. Until it lands, Anthropic's commercial terms retain inputs up to 30 days for abuse review; commercial-tier inputs are not used for training.
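The redact-before-egress and re-hydrate-on-response flow in step 2, as an added example that is not Synapse-AI's own code. The class name `RedactionSession`, the regular expressions, the token labels other than `[PARTY_1]`, and the choice to have the caller supply party names are all assumptions made for illustration.

```python
import re

# Assumed patterns, not from the page: Indian mobile numbers, Aadhaar as 12
# digits (optionally 4-4-4), and a constructed TYPE/number/year case format.
PATTERNS = [
    ("PHONE", re.compile(r"(?<![\w+])(?:\+91[ -]?)?[6-9]\d{9}(?!\d)")),
    ("AADHAAR", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
    ("CASE", re.compile(r"\b[A-Z]{2,5}/\d{1,6}/\d{4}\b")),
]
TOKEN = re.compile(r"\[(?:PARTY|PHONE|AADHAAR|CASE)_\d+\]")


class RedactionSession:
    """Token map for one session; held in memory only, cleared on close()."""

    def __init__(self, party_names):
        # Longest names first so "Sita Devi Sharma" wins over "Sita Devi".
        self.parties = sorted(party_names, key=len, reverse=True)
        self.by_value, self.by_token, self.counts = {}, {}, {}

    def token_for(self, kind, value):
        # The same value always maps to the same token within a session.
        if value not in self.by_value:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            token = f"[{kind}_{self.counts[kind]}]"
            self.by_value[value], self.by_token[token] = token, value
        return self.by_value[value]

    def redact(self, text):
        """Run before egress: replace PII with tokens."""
        for name in self.parties:
            text = text.replace(name, self.token_for("PARTY", name))
        for kind, pattern in PATTERNS:
            text = pattern.sub(lambda m, k=kind: self.token_for(k, m.group()), text)
        return text

    def rehydrate(self, text):
        """Run on the response path; unknown tokens are left untouched."""
        return TOKEN.sub(lambda m: self.by_token.get(m.group(), m.group()), text)

    def close(self):
        """Evict the map on session close."""
        self.by_value.clear()
        self.by_token.clear()
        self.counts.clear()


# Constructed sample; every name and number here is fabricated.
SAMPLE = ("Ramesh Kumar (Aadhaar 2345 6789 0123, ph +91 9876543210) "
          "v. Sita Devi, CRL/1234/2024. Notify Ramesh Kumar.")
```

Phone matching runs before Aadhaar matching because a mobile number written as `+91` followed directly by ten digits is itself a 12-digit run and would otherwise be labelled as an Aadhaar number.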

Section 11 — Right to access

You can read every action you have taken, with timestamps and target IDs, via Settings → Activity log (GET /v1/audit/me).

Section 12 — Right to correction and erasure

  • Correction: edit your profile fields (full name, bar council ID, specialization) from Settings → Profile at any time. Privacy Mode is also patchable from the same screen.
  • Erasure: Settings → Purge all my data triggers a hard delete of every case, transcript, document, draft, hearing, audio segment, and research item you own. Storage objects are wiped simultaneously. The auth row + profile remain so you can sign back in to an empty workspace; if you need full-account deletion, email dpo@synapse.ai.

Section 25 — Data Protection Officer

You can contact our Data Protection Officer at dpo@synapse.ai for any DPDPA-specific query, including grievance redressal. We respond within 7 working days.

Section 8(5) — Reasonable security safeguards

  • TLS for all network egress.
  • Row Level Security on every Supabase table; firm-share rows visible only to active firm seats.
  • Audit log on every mutating action.
  • Hard purge wipes both Postgres rows and Supabase Storage objects atomically.
  • Session-scoped PII redaction map; no party-name maps outlive the FastAPI process.

Significant Data Fiduciary

Synapse-AI does not currently meet the volume / nature thresholds that would trigger the Significant Data Fiduciary obligations under DPDPA §10. We will publish a revised disclosure if and when those thresholds are met.

Updates

We may revise this disclosure. The "Last updated" date at the top of this page reflects the current version.