SynaptoFlow

Privacy Policy

Effective date: April 1, 2026

Plain-language summary: SynaptoFlow stores patient names, dates of birth, surgery dates, surgery types, and the patients' answers to a pre-operative checklist. Each surgeon only sees their own patients. We do not sell or share your data. Data is encrypted in transit and at rest. Surgeons remain the data controller for their patients; SynaptoNex is the data processor.

1. Who we are

SynaptoNex (“we”, “us”, “our”) operates SynaptoFlow, a pre-operative patient compliance tracking service. This policy applies to the SynaptoFlow website (synaptoflow.vercel.app) and the underlying service. Contact: synaptonex@gmail.com.

2. Roles under data protection law

Under UK GDPR, EU GDPR, and equivalent frameworks, the surgeon (or surgical practice) using SynaptoFlow is the data controller of their patients' information. SynaptoNex acts as data processor, processing data only on the surgeon's instructions and only for the purposes set out in this policy.

Under HIPAA (United States), the surgeon is the covered entity and SynaptoNex is a business associate. Business Associate Agreements (BAAs) are being negotiated with our infrastructure providers; until BAAs are in place this Service should not be used with HIPAA-protected patient data outside permitted exceptions or for limited evaluation purposes. The Pakistan pilot operates under Pakistan's data protection framework.

3. Data we collect

Surgeon-entered data:

  • Patient name. used to identify the patient on the dashboard and the patient checklist
  • Patient date of birth (DOB). used for identity verification when the patient opens the link
  • Patient medical record number (MRN, optional). links the SynaptoFlow record to the surgeon's own record system
  • Patient email and/or phone number (optional). used to send the checklist link and reminders
  • Scheduled surgery date and surgery type. used to drive the checklist and time-based prompts
  • Surgeon-provided pre-op instructions (free text, optional). shown to the patient on their checklist

Patient-entered data:

  • Checklist responses. six fixed clinical items (medication cessation, blood count, blood pressure, fasting, smoking, instructions read) plus any procedure-specific items generated for the patient
  • Blood pressure reading (when entered). numeric systolic/diastolic value, used to flag uncontrolled BP to the surgeon
  • Consent timestamp. records when the patient acknowledged this Privacy Policy

System-generated data:

  • Compliance percentage and clearance status. computed from the checklist responses
  • Audit log entries. every change is recorded with a timestamp and the actor type (surgeon or patient)
  • Last accessed timestamp. records when the patient last opened their checklist

We do not collect: insurance information, payment information, full clinical history, free-text clinical notes other than what the surgeon provides, location data, biometric data, or any data from cameras or microphones.

4. Lawful bases for processing (UK/EU GDPR)

  • Article 6(1)(b) — performance of a contract. with the surgeon, to deliver the Service they have signed up for
  • Article 6(1)(c) — legal obligation. where required by law to retain audit data
  • Article 6(1)(f) — legitimate interests. minimal session-storage state needed to provide the Service safely
  • Article 9(2)(h) — health and social care purposes. where checklist data constitutes special category health data

5. How we use the data

  • Display the patient's pre-op compliance status to their enrolling surgeon and that surgeon's designated team
  • Send the patient their checklist access link and reminder emails
  • Calculate compliance and clearance status in real time
  • Generate procedure-specific checklist items via AI assistance (see Section 7)
  • Maintain an audit log so the surgeon can verify what was done and when
  • Provide technical support when requested by the surgeon
  • Improve the Service through aggregated, fully anonymised usage statistics

We do not use your information for advertising, marketing to third parties, or training third-party AI models on your data.

6. Who has access

  • The surgeon who enrolled the patient, and that surgeon's designated care team within their account
  • The patient themselves, via the link sent to them
  • SynaptoNex technical staff, on a least-privilege basis, only when necessary for support, debugging, or security incident response

Row-level security is enforced at the database layer: a surgeon's queries cannot return another surgeon's patients.

7. Sub-processors

SynaptoFlow uses the following third-party processors. Each receives only the data it needs for its specific function.

  • Supabase (database, authentication, storage). all primary patient and surgeon data; encrypted at rest. EU/US regions; data residency configurable
  • Vercel (hosting and edge runtime). serves the application code; processes inbound requests; does not durably store patient data
  • Resend (transactional email delivery). recipient email address, patient first name, and the checklist link, when an invitation or reminder is sent
  • Anthropic (AI feature generation). patient first name (no surnames), surgery type, dates relative to surgery (e.g. "in 2 days"), and clinical compliance flags. We do not send dates of birth, MRNs, full names, contact details, or free-text clinical notes. Anthropic does not use API data to train its models

We will update this list when we change sub-processors. Material changes will be communicated to active surgeon accounts by email.

8. International transfers

Some of our sub-processors operate from servers outside Pakistan, the United Kingdom, and the European Economic Area (typically the United States). Where personal data of UK or EU residents is transferred internationally, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or other appropriate safeguards as required by law.

9. Security

  • All transit is over HTTPS using TLS 1.2 or higher
  • Data at rest is encrypted by our database provider
  • Access is controlled via row-level security and per-account authentication
  • API endpoints are rate-limited to mitigate abuse and protect against brute-force attempts
  • Strict Content Security Policy and standard hardening headers are applied to every response
  • Audit logs record changes to patient records

No internet-connected service is perfectly secure. If we become aware of a breach affecting your data, we will notify the relevant data controller (the surgeon) without undue delay and within 72 hours where required by GDPR.

10. Retention

Patient records are retained for as long as the surgeon maintains an active account and for the duration the surgeon needs them for clinical or audit purposes. Surgeons can delete individual patient records at any time from the dashboard. On account closure, all associated patient data is deleted within 30 days, except where retention is required by law (in which case the data is isolated from active use).

11. Your rights

Subject to applicable law, you have the right to:

  • Access — request a copy of personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing on legitimate-interest grounds
  • Withdrawal of consent — at any time, by stopping use of the Service or contacting us
  • Complaint — lodge a complaint with the relevant supervisory authority (the UK Information Commissioner's Office; an EU data protection authority; or the comparable authority in your jurisdiction)

For patients: most rights are exercised through the surgeon (the data controller). For surgeons: contact us at synaptonex@gmail.com. We respond within 30 days.

12. Cookies and similar technologies

We use the minimum technical state required to keep you logged in (Supabase authentication tokens) and to remember consent within a browser session. We do not use advertising cookies, third-party analytics that build user profiles, marketing pixels, or cross-site tracking.

13. Children

SynaptoFlow may be used in paediatric surgical care. Where the patient is a minor in the relevant jurisdiction, the surgeon, with appropriate parental or guardian consent, is the data controller and is responsible for compliance with applicable child-protection rules including, where relevant, the United States Children's Online Privacy Protection Act (COPPA), UK GDPR Article 8, and equivalent frameworks. SynaptoFlow does not market to or knowingly collect data directly from children.

14. Pakistan-specific notice

For users in Pakistan, this policy is intended to operate consistent with the Personal Data Protection Bill and the Prevention of Electronic Crimes Act 2016 (PECA) where applicable. Until a Pakistan data protection regulator is fully established, we honour the substantive principles of GDPR for all users globally.

15. Changes to this policy

We may update this Privacy Policy as the Service evolves. The effective date above will be updated. Material changes will be notified to active surgeon accounts by email. Continued use of the Service after changes constitutes acceptance.

16. Contact

Privacy questions, sub-processor list updates, and data subject requests: synaptonex@gmail.com
We aim to respond within 5 working days and complete formal requests within 30 days.

SynaptoFlow · SynaptoNex