Privacy Policy

Last updated: April 22, 2026 · Effective date: April 22, 2026

1. Who we are

Syntra Solutions ("Syntra", "we", "our", "us") is a SaaS platform operated by JOST Soluciones IT, registered in Argentina. This Privacy Policy applies to the Syntra web application available at syntra.com.ar and app.syntra.com.ar, as well as the associated Meta App "JOST" (App ID 1652541815941944) used to integrate with WhatsApp Business Platform, Instagram Messaging API, and Facebook Messenger Platform.

Data Controller: JOST Soluciones IT — Corrientes 146, Concordia, Entre Ríos, Argentina.
Contact: contacto@jost.ar

2. Scope of this Policy

Syntra is a business-to-business platform. Our customers ("Business Users") are companies that use Syntra to automate conversations with their own end-customers ("End Users") through messaging channels. This Policy describes:

• Data we process about Business Users (account holders who sign up to Syntra).
• Data we process about End Users on behalf of Business Users, acting as a data processor.

3. Information we collect

3.1 From Business Users (directly)

• Registration data: email, full name, hashed password, company name.
• Business data: address, phone number, business hours, industry vertical.
• Billing data: plan selection, payment references (we do not store full card data; payments are processed by Stripe and MercadoPago).
• Integration credentials: encrypted access tokens for WhatsApp, Instagram, Messenger, MercadoLibre and Tiendanube, provided by the Business User via OAuth or Facebook Login for Business.

3.2 From End Users (via Meta platforms)

When a Business User connects a Facebook Page or Instagram Business account to Syntra, we receive the following data from Meta's APIs only as needed to deliver the messaging service:

• Page-scoped and Instagram-scoped user IDs (PSID / IGSID).
• Public profile information the user has shared with the Page (name, profile picture, locale).
• Message content sent to or from the connected Page / Instagram account (text, images, audio, video, stickers, attachments).
• Timestamps, message IDs, and delivery/read receipts.

3.3 Automatically collected

• Usage metrics: number of conversations, response times, feature usage.
• Technical logs: IP address, user agent, timestamps (retained for security and abuse prevention).

4. How we use information

We use the data described above to:

• Deliver the conversational AI service (route, respond to, and escalate messages).
• Allow Business Users to view and reply to conversations from their Syntra inbox.
• Generate metrics and reports for each Business User's own account.
• Improve model quality when the Business User has explicitly opted in (by default, End User messages are not used to train third-party models).
• Send service-related notifications and comply with legal obligations.

5. Use of Meta Platform data (Messenger & Instagram)

Syntra processes data received from the Facebook Messenger Platform and the Instagram Messaging API strictly in accordance with the Meta Platform Terms and Developer Policies. Specifically:

• We only request the permissions strictly necessary to deliver the service: pages_show_list, pages_messaging, pages_manage_metadata, business_management, instagram_basic, instagram_manage_messages, public_profile, and the Human Agent feature for late replies (24h+).
• We do not sell, license, or transfer Meta Platform data to data brokers, ad networks, or any third party for advertising purposes.
• We do not use Meta Platform data to build or enrich profiles for advertising or to target End Users outside of the Business User's owned Pages.
• Access tokens are encrypted at rest (AES-256-GCM) and access to raw messages is restricted to the Business User that owns the Page or Instagram account.

6. Sharing of data

We do not sell End User data. We share data only with the following categories of processors, bound by data processing agreements:

• Meta Platforms, Inc. — for sending and receiving messages through WhatsApp, Instagram and Messenger.
• Anthropic PBC — for natural language processing via Claude. Message content may be sent to Anthropic's API in real time to generate responses; Anthropic does not retain data for training on the default API tier we use.
• Infrastructure providers — Amazon Web Services (EC2, hosted in the US) and our own servers, for hosting and storage.
• Payment processors — Stripe and MercadoPago, for subscription billing.
• Legal authorities — where required by a valid legal process or to protect rights, property or safety.

7. Data retention

• Conversation data is retained while the Business User's account is active.
• Upon account cancellation, data is deleted within 30 days, except where retention is legally required.
• Business Users may request deletion of specific conversations or End User data at any time via the dashboard or by emailing contacto@jost.ar.
• End Users may request deletion of their data directly — see Section 10.

8. Security

• All data in transit is encrypted via HTTPS / TLS 1.2+.
• Access tokens and sensitive credentials are encrypted at rest with AES-256-GCM.
• Multi-tenant isolation: every query in our backend is scoped by tenantId to prevent cross-tenant access.
• Authentication uses JWT with short-lived tokens and bcrypt-hashed passwords.
• Webhook signatures from Meta (X-Hub-Signature-256) are verified before processing.

9. Your rights

Depending on your jurisdiction (Argentina Ley 25.326, GDPR if applicable, LGPD), you may have the following rights over your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your data (see Section 10).
• Restriction / Objection — object to certain uses of your data.
• Portability — request a machine-readable copy.

To exercise any of these rights, email contacto@jost.ar. We respond within 30 days.

10. Data deletion

Detailed instructions for End Users and Business Users to request data deletion are available at /data-deletion.html. In short:

• Business Users: go to Settings → Delete Account in the dashboard, or email contacto@jost.ar.
• End Users: send an email to contacto@jost.ar with your Page-scoped ID, Instagram username, or phone number. We will locate your records and delete them within 30 days.

11. Children

Syntra is not directed to children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. International transfers

Our infrastructure is hosted in the United States (AWS) and Argentina. By using Syntra you acknowledge that your data may be transferred to and processed in these jurisdictions.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced via email or in-app notification. The "Last updated" date at the top of this page reflects the latest revision.

14. Contact

For any question about this Privacy Policy, data processing, or to exercise your rights, contact:

JOST Soluciones IT
Corrientes 146, Concordia, Entre Ríos, Argentina
Email: contacto@jost.ar