Privacy Policy

1.Information We Collect

When you use Cynserus.com, we collect the following types of information:

• Account Information. Name, email address, company name, and role provided during registration.
• Intake Responses. Information you provide about your business, worksite, employees, and existing safety measures through our compliance intake forms.
• Incident Reports. Reports submitted through your workplace incident reporting portal, including anonymous submissions.
• Payment Information. Payment details processed securely by Stripe. We do not store credit card numbers on our servers.
• Usage Data. Information about how you interact with our platform, including pages visited, features used, timestamps, referral source, and UTM campaign parameters. We automatically record anonymous page views and funnel events via our first-party analytics system to improve our services and measure site performance. This data cannot identify you personally — it uses a randomly generated session identifier that resets when you close your browser tab, and we do not store your IP address. See Section 7.2 for full details.
• Technical Information at Account Events. When you accept our Terms of Service or log into your account, we collect your IP address and browser user-agent string. This information is retained as part of your Terms of Service acceptance record for audit and legal compliance purposes. We do not use this information for advertising or sell it to third parties.

2.How We Use Your Information

We use the information we collect to:

• Generate your customized Workplace Violence Prevention Plan and compliance documents
• Send transactional emails including document delivery notifications, account updates, and security alerts
• Send annual compliance reminders and renewal notices
• Process payments and manage your subscription
• Improve our services, including the accuracy and quality of generated compliance documents, using anonymous, non-identifying analytics data collected automatically (see Section 7.2)
• Measure advertising campaign performance using third-party marketing pixels (with your consent)
• Comply with legal obligations and respond to lawful requests from regulatory or law enforcement authorities

3.Third-Party Processors

We use the following third-party service providers to operate our platform. Each processor only receives the minimum data necessary to perform its function:

• Stripe: Payment processing. Stripe handles all credit card data in accordance with PCI DSS standards.
• Supabase: Database hosting and user authentication. Your account data and compliance records are stored with row-level security.
• Anthropic, Inc. (Claude API): We use Anthropic's Claude API to analyze your intake responses and generate your Workplace Violence Prevention Plan and compliance documents. This processing includes your business information, workplace details, and incident report data. Anthropic processes this data as our service provider under a Data Processing Addendum and is contractually prohibited from using your data for model training or any purpose other than providing the API service. Anthropic does not retain your data after processing is complete.
• Browserless.io: PDF document generation. Document content is rendered to PDF format and not retained by the processor.
• Resend: Transactional email delivery. Email addresses and message content are processed for delivery only.
• Vercel: Application hosting, infrastructure, and basic web analytics (page view counts and performance metrics).
• TikTok (ByteDance): If you consent to marketing cookies, we load the TikTok Pixel to measure advertising campaign performance. TikTok may set its own cookies. You can opt out at any time via "Manage Cookies" in our footer.

We do not sell your personal information. We do not share your data with third parties for advertising or marketing purposes.

4.Data Retention

4.1 Active Accounts. While your account is active, we retain your compliance documents, intake responses, incident reports, and all associated data.

4.2 Account Deletion. If you delete your account, your compliance documents will remain available for download for 30 days. After 30 days, all your data will be permanently deleted from our systems, including your WVPP, incident logs, training records, and intake responses.

4.3 Your Recordkeeping Responsibility. California Labor Code Section 6401.9 requires employers to retain workplace violence prevention records for at least 5 years. You are responsible for downloading and retaining your own copies of all compliance documents before your account is deleted. We strongly recommend using the Export Data feature before requesting deletion.

5.Data Security

We implement the following security measures to protect your data:

• Encryption in Transit. All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
• Row-Level Security. Database access is enforced at the row level, ensuring users can only access their own data.
• Signed URLs. Compliance documents are accessed via time-limited signed URLs rather than permanent public links.
• Server-Side Key Management. Sensitive API keys and service credentials are only accessible in server-side code and are never exposed to client browsers.

Security Breach Notification

If we become aware of a security incident that has resulted in unauthorized access to personal information we maintain, we will notify affected individuals within seventy-two (72) hours of confirmed discovery, consistent with California Civil Code §1798.82. We will send notice by email to the address associated with your account. The notice will describe the nature of the incident, the information involved, what we are doing in response, and what you can do to protect yourself.

6.Your Rights Under CCPA

As a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know. You may request a copy of the personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete. You may request that we delete your personal information, subject to certain exceptions including legal retention obligations.
• Right to Opt Out of Sale. We do not sell your personal information. You may opt out of non-essential tracking (analytics and marketing cookies) at any time by clicking "Manage Cookies" in our site footer.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.

Deletion and Your Recordkeeping Obligations

If you request deletion of your account, we will honor that request. Your portal access will remain active for 30 days to allow you to download your compliance records. After 30 days, all personal information and compliance records will be permanently deleted. California Labor Code §6401.9 requires employers to retain workplace violence prevention records for at least 5 years. This is your obligation as the employer, not ours. Please download and retain your documents before your account is deleted.

How to Submit a Privacy Rights Request

To exercise your rights under CCPA/CPRA, email privacy@cynserus.com with the subject line "Privacy Rights Request."

Identity Verification: To protect your information, we must verify your identity before processing any request. For verified account holders, we will send a verification link to the email address on file for your account. For non-account holders requesting access to or deletion of their information (such as individuals named in incident reports), we require sufficient identifying information to locate your data and a signed declaration under penalty of perjury confirming your identity.

We will respond to all requests within 45 days. If we need additional time (up to 90 days total), we will notify you within the initial 45-day period.

Information About Third Parties in Incident Reports

Incident reports submitted through our platform may contain personal information about individuals who are not our clients, including witnesses, persons involved in incidents, and names referenced in law enforcement reports. This information is submitted by the employer-client and their employees.

Cynserus.com processes this third-party data as a service provider on behalf of the employer-client, who acts as the data controller for this information under the California Consumer Privacy Act (CCPA). The employer-client is responsible for their compliance obligations with respect to this data.

If you are a person named in an incident report and wish to exercise your privacy rights (including access, correction, or deletion), please contact the employer directly, as they are the controller of this data. You may also contact us at privacy@cynserus.com and we will direct your request to the appropriate employer-client. We will respond to all such inquiries within 5 business days.

7.Cookies and Tracking Technologies

We use cookies and similar technologies on our site. Our first-party analytics system collects anonymous, non-identifying usage data automatically to improve our services (see Section 7.2 below). Before any third-party marketing tracking activates, we ask for your explicit consent via a cookie banner. You can change your preferences at any time by clicking "Manage Cookies" in our site footer.

7.1 Essential Cookies (always active). These are required for the platform to function and cannot be disabled. They include:

• Authentication and session management cookies (Supabase)
• CSRF protection tokens
• Partner referral attribution cookies ("cynserus_ref", "cynserus_atty", "cynserus_chamber") set when you arrive via a partner link, used to attribute your visit to the referring partner. These expire after 90 days.

7.2 First-Party Analytics (collected automatically). We record anonymous page views and funnel events (e.g., pricing page views, signup completions) using our own first-party analytics system. This data is collected automatically without requiring your consent because it is anonymous, non-identifying, and processed solely on our own systems — it is never shared with third parties. This data includes:

• A randomly generated session identifier stored in your browser's session storage — it resets when you close your browser tab and is not linked to your identity
• Pages visited and referrer URL
• UTM campaign parameters (source, medium, campaign)
• Country (derived from your IP address via Cloudflare; your IP is not stored)
• Browser user-agent string

This data does not constitute "personal information" under the California Consumer Privacy Act (CCPA) because it cannot reasonably be linked to any particular consumer or household. We do not combine this data with any identifying information. We also use Vercel Web Analytics for basic performance and page view metrics. Vercel Analytics is privacy-focused and does not use cookies for cross-site tracking.

7.3 Marketing Cookies (requires your consent). With your permission, we load the TikTok Pixel to measure advertising campaign performance. When enabled, TikTok may set its own cookies and collect data according to TikTok's Privacy Policy. We do not serve targeted advertisements on our site.

7.4 How to Manage Your Preferences. You can accept or reject non-essential cookies when you first visit our site. To change your preferences later, click "Manage Cookies" in the site footer. If you reject non-essential cookies, no third-party marketing tracking will occur. First-party anonymous analytics (Section 7.2) continue to operate because they do not use cookies and cannot identify you.

7.5 Do Not Track. We respect browser Do Not Track (DNT) signals. If your browser sends a DNT header, we treat it as equivalent to rejecting third-party marketing cookies. First-party anonymous analytics (Section 7.2) are not affected by DNT signals because they do not track you across sites and cannot identify you.

8.Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect.

Your continued use of our services after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms.

9.Contact

If you have questions about this Privacy Policy or wish to exercise your rights under CCPA, contact us at:

privacy@cynserus.com

Cynserus.com
Santa Clara County, California