Cynkli
Home/Privacy Policy

Privacy Policy

Last updated: March 31, 2026

1. Data Controller

Cynkli ("we", "our", or "us") is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, desktop application, and related services (collectively, the "Service").

2. Information We Collect

Account Information

  • Email address and password (hashed) for account registration and authentication
  • Display name you provide
  • Profile avatar image if you upload one
  • Device information (device name, platform, and device identifiers for pairing)

Usage Data

  • Text commands and voice transcripts you send through the Service
  • Session metadata (start/end times, provider selection)
  • Screenshots you capture through the Service (stored in cloud object storage)

Voice and Audio Data

  • The app requests microphone access for voice commands
  • Voice audio is transcribed on your device using the operating system's speech recognition
  • We do not store raw audio recordings - only the resulting text transcription is transmitted to our servers
  • Transcribed text is sent to our backend for routing to your desktop device

Live View and Remote Control Data

  • When you use Live View, your desktop screen content is captured as image frames and transmitted through our servers to your mobile device in real time
  • Remote input actions (mouse clicks, keyboard input, text) are transmitted through our servers to your desktop
  • Live view frames and input events are not stored or logged - they are relayed in real time and discarded

Technical Data

  • IP address and connection information
  • Operating system, device type, and platform
  • App version and error logs
  • Real-time connection metadata (connection times, device pairings)

Device Permissions

The mobile app may request the following permissions:

  • Microphone: For voice command input (transcribed on-device)
  • Camera: For scanning QR codes during device pairing
  • Photo Library: For uploading a profile avatar
  • Network: For communicating with the backend and desktop device

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases as defined by GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service - account management, command routing, device pairing, screenshot storage, and live view functionality.
  • Consent (Art. 6(1)(a)): Where we request optional permissions such as microphone access for voice commands or camera access for QR code scanning. You may withdraw consent at any time through your device settings.
  • Legitimate Interest (Art. 6(1)(f)): For maintaining security, preventing fraud, improving the Service, and troubleshooting technical issues. Our legitimate interests do not override your fundamental rights and freedoms.

4. How We Use Your Information

  • To provide and maintain the Service, including routing commands between your mobile and desktop devices
  • To authenticate your identity and manage your account
  • To pair your mobile and desktop devices securely via QR codes
  • To forward your commands to AI providers (Claude, GitHub Copilot, Codex) as selected by you
  • To transmit live view frames and remote input between your devices
  • To store and serve screenshots you capture
  • To improve, troubleshoot, and optimize the Service
  • To communicate with you about updates and changes to the Service

5. Third-Party AI Providers

When you use Cynkli to send commands to AI providers, your commands and any attached screenshots are processed by those providers on your local machine through their respective VS Code extensions or CLI tools. We route the command text and screenshot references from our backend to your desktop device, where the AI provider processes them locally.

The AI providers available through the Service include:

Each provider's own privacy policy governs their processing of your data on your local machine.

6. Data Storage, Security, and International Transfers

Your data is stored on servers hosted by Amazon Web Services (AWS) and may be processed in the United States or other jurisdictions where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: when your data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions where applicable.

Security measures we implement include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Industry-standard password hashing
  • Token-based authentication with automatic expiration
  • Secure device pairing via time-limited, single-use QR codes
  • Access controls and principle of least privilege

7. Data Sub-processors

We use the following categories of sub-processors to provide the Service:

  • Cloud Infrastructure: Amazon Web Services (hosting, database, object storage)
  • Object Storage: S3-compatible storage for screenshots and avatars

We do not sell, rent, or share your personal data with advertisers or data brokers.

8. Data Retention

  • Account data: Retained for as long as your account is active
  • Commands and sessions: Retained for service functionality; deleted when you delete your account
  • Screenshots: Retained until you delete them or your account is closed
  • Profile avatar: Retained until you change it or delete your account
  • Live view data: Not stored - relayed in real time and immediately discarded
  • Voice audio: Not stored - transcribed on-device and only the text is transmitted
  • Error logs: Retained for up to 90 days for troubleshooting, then deleted

Upon account deletion, all your personal data is permanently deleted within 30 days. Some anonymized, aggregated data may be retained for analytics purposes.

9. Cookies and Tracking

The Cynkli mobile and desktop applications do not use cookies or third-party tracking technologies. We do not use analytics SDKs, advertising identifiers, or cross-app tracking. The Cynkli website (cynkli.com) may use essential cookies for functionality purposes only.

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. AI provider responses are generated on your local machine and are not used by us for any decision-making purposes.

11. Your Rights

Rights Under GDPR (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we limit processing of your data
  • Data Portability: Request your data in a structured, machine-readable format (JSON)
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time
  • Lodge a Complaint: File a complaint with your local data protection authority

Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

CCPA Categories of Personal Information Collected:

  • Identifiers (email address, device identifiers, IP address)
  • Internet or electronic network activity (commands, session data, connection logs)
  • Audio information (voice transcripts - not raw audio)
  • Visual information (screenshots, profile avatar, live view frames)

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not offer financial incentives related to your personal information.

To exercise any of these rights, contact us at contact form. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf. We will respond within 30 days (GDPR) or 45 days (CCPA).

12. Account Deletion

You can delete your account at any time from within the app (Settings > Delete Account). Upon deletion:

  • Your account, profile, and authentication data are permanently deleted
  • All commands, sessions, and device pairings are permanently deleted
  • All screenshots and avatar images are permanently deleted from storage
  • Deletion is completed within 30 days of your request

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email and/or in-app notification without undue delay. Where required by law (including GDPR Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

14. Children's Privacy

The Service is not intended for children under the age of 13 (or 16 in jurisdictions where GDPR applies). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without verified parental consent, we will delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, through in-app notifications or email. Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights: