Sync by Coglix Labs
Effective Date: 2026-03-04 · Version 1.0
All PHI is end-to-end encrypted (E2EE).
This compliance statement applies to all personal data processing performed by Coglix Labs. Under GDPR, PDPO, PIPEDA, and APP, Coglix Labs acts as a Data Controller / Data User for the personal data for which it determines the purposes and means of processing. In respect of Protected Health Information (PHI) processed on behalf of healthcare organisations, Coglix Labs operates as a Business Associate under HIPAA; the healthcare provider or institution is the Covered Entity. This statement covers users in all jurisdictions, including the European Economic Area (EEA), United Kingdom, Switzerland, Hong Kong (SAR), Canada, and Australia. For complete details on data collection and your rights, see the Privacy Policy and Terms of Service.
| Data Category | Purpose | Legal Basis (GDPR / PDPO / PIPEDA / APP) | Retention |
|---|---|---|---|
| Account information | Platform access & identity | Art. 6(1)(b) — Contractual necessity | Account lifetime + 30-day purge |
| Health & therapy data (PHI) | Rehabilitation delivery, clinical reporting | Art. 9(2)(a) — Explicit consent | Therapeutic relationship; purged within 30 days of deletion request |
| Usage data | Platform security, performance improvement | Art. 6(1)(f) — Legitimate interests | Session + 90 days |
| Audit logs | HIPAA & legal compliance | Art. 6(1)(c) — Legal obligation | 6 years (HIPAA §164.308) |
| Consent records | Proof of lawful processing | Art. 6(1)(c) — Legal obligation | Indefinitely |
| Control | Implementation | Standard |
|---|---|---|
| Encryption at Rest | AES-256-GCM; PBKDF2 with 600,000 iterations and random 32-byte salts | HIPAA §164.312(a)(2)(iv); ISO A.8.24 |
| Encryption in Transit | TLS 1.2+ enforced; HTTPS on all endpoints; HSTS enabled | HIPAA §164.312(e)(2)(ii); ISO A.8.24 |
| Access Control | Row-Level Security (RLS) in Supabase; JWT authentication; RBAC (patient / therapist / admin) | HIPAA §164.312(a)(1); ISO A.5.15 |
| Audit Logging | Immutable, append-only audit log of all PHI access events; 6-year retention | HIPAA §164.312(b); ISO A.8.15 |
| Session Security | 30-minute idle timeout; E2EE keys bound to browser session; keys not recoverable after tab close | HIPAA §164.312(a)(2)(iii); ISO A.8.5 |
| Multi-Factor Authentication | TOTP (authenticator app) + email OTP supported | HIPAA §164.312(d); ISO A.5.17 |
| Data Minimization | Raw biometric data stripped before cloud transmission; only processed scores stored | GDPR Art. 5(1)(c); ISO A.8.11 |
| Incident Response | Documented IR plan; 72-hour breach notification to supervisory authority; patient notification within HIPAA timelines | HIPAA Breach Rule; GDPR Art. 33; ISO A.5.26 |
| Business Continuity | RPO: 24 hours; RTO: 4 hours; documented runbook maintained by engineering team | HIPAA §164.308(a)(7); ISO A.5.29 |
| Rate Limiting | Per-IP rate limits on all authenticated API endpoints (flask-limiter); 429 responses for excess requests | ISO A.8.6; OWASP API Security |
Coglix Labs processes data using Supabase (servers in the United States). For users in the EEA, UK, and Switzerland, transfers to the US are governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c). A Data Processing Agreement (DPA) incorporating SCCs is in place with Supabase per GDPR Art. 28. Speech audio is transmitted in real-time to Google Cloud Speech-to-Text (US) solely for processing; audio is not retained by Google beyond each request. This transfer is covered by Google's DPA and SCCs.
| Sub-Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Supabase | Primary database & authentication | United States | DPA + SCCs (GDPR Art. 46) |
| Google Cloud Speech-to-Text | Real-time speech analysis | United States | DPA + SCCs; audio not retained |
These rights are available to users globally, including in the EEA, UK, Switzerland, Hong Kong (SAR), Canada, and Australia. To exercise any right, contact privacy@coglixlabs.com. We respond to access requests within 30 days (max 40 days for HK PDPO). Please note we have signed Business Associate Agreements (BAA) and Data Processing Agreements (DPA) with our vendors to guarantee your rights.
Right of Access (Art. 15)
Request a copy of all personal data we hold about you. Delivered via email within 30 days.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data. Contact us or use account settings.
Right to Erasure (Art. 17)
Request deletion of your data. Soft-deleted within 48 hours, permanently purged within 30 days. Audit logs exempt for legal compliance.
Right to Data Portability (Art. 20)
Export your data in machine-readable CSV format from the My Progress dashboard.
Right to Restriction (Art. 18)
Request that we limit processing of your data while a dispute is resolved.
Right to Object (Art. 21)
Object to processing based on legitimate interests (e.g., analytics). We will honour your objection unless compelling grounds override it.
Right to Withdraw Consent (Art. 7)
Withdraw consent for health data processing at any time. Your account will be deactivated and data scheduled for deletion.
Right to Lodge a Complaint (Art. 77)
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority.
Supervisory Authority Contacts (Art. 77)
If we are unable to resolve your concern, you may contact your local supervisory authority. Key contacts: EU: find your national DPA at edpb.europa.eu · UK: Information Commissioner's Office (ICO) — ico.org.uk · Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
Right to Erasure — Exceptions (Art. 17(3))
Audit logs are exempt from erasure requests under Art. 17(3)(b) (legal obligation) and Art. 17(3)(e) (legal claims). Backup copies are purged within 30 days. All other personal data is erased within 48 hours of a valid request.
For compliance inquiries, to request a BAA, or to exercise your data rights:
Coglix Labs — Privacy Office
Email: privacy@coglixlabs.com
Also see: Privacy Policy · Terms of Service
This attestation reflects the state of Sync's compliance program as of 2026-03-04. It will be reviewed and updated at least annually or upon material changes to the platform's data processing activities.