Syntac for therapists
Privacy & Security

We cannot read your client data.

Not “we promise not to.” Not “our policy says we won't.” Mathematically cannot. The architecture makes it impossible.

Zero-Knowledge Encrypted · Client-Side Encryption · PIPEDA Compliant
How It Works

Zero-knowledge encryption, explained simply.

When you onboard, Syntac generates a cryptographic key pair in your browser. Your private key is encrypted with a passphrase that only you know, then stored. We never see the passphrase or the unencrypted private key.

When you save client data, it's encrypted in your browser before it ever leaves your device. Our servers store ciphertext — scrambled data that is meaningless without your private key.

This means even if our servers were breached, your client data would be unreadable. Even under a court order, we could not produce readable client records. We don't have the key.

Your browser: data encrypted with your key before sending
Our servers: only encrypted ciphertext stored
Your browser: decrypted with your passphrase

Syntac sees: aGVsbG8gd29ybGQ...
You see: Client intake notes, contact info, session details

What Syntac can and cannot see.

Transparency builds trust. Here's exactly what our systems have access to.

We Cannot See

  • Client full names
  • Email addresses or phone numbers
  • Dates of birth
  • Home addresses
  • Session notes (encrypted)
  • Treatment plan details (encrypted)
  • Homework assignments (encrypted)
  • Any data in the encrypted blob

We Can See

  • First name only (for display)
  • Session dates and types
  • Modality tags (e.g., “IFS”, “EMDR”)
  • Presenting issue categories
  • Session count
  • Account and billing information
Minimal metadata needed for the app to function. No PHI.
What the AI receives:
Age range: 30-39
Session count: 12
Modality: IFS, Somatic
Presenting issues: Anxiety, Trauma
Last session SUD: 7 → 4
Name: REDACTED
Email: REDACTED
DOB: REDACTED
Notes: ENCRYPTED — NEVER SENT
De-Identified AI

AI that helps without seeing.

When Syntac's AI generates session prep or intake analysis, it works exclusively with de-identified, structured data. Names are stripped. Dates of birth become age ranges. Encrypted notes are never sent.

This follows the HIPAA Safe Harbor de-identification method (45 CFR 164.514(b)(2)): all 18 identifier categories it lists, including names, contact details, and every element of a date other than the year, are removed before any AI processing.

The AI sees patterns. It never sees people.
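The de-identification step described above, as an added example that is not Syntac's own code. It builds the AI payload from a decrypted record with an allowlist of validated structured fields, so notes, contact details and any field added to the record later never reach the payload by construction, and tag fields are restricted to a controlled vocabulary so a free-text tag containing a name cannot slip through. The field names, the tag vocabularies, the SUD field and the sample record are all assumptions for this example.

```javascript
// Added example, not Syntac's code: building the de-identified payload shown
// above from a decrypted client record, before anything is sent to an AI
// provider. Allowlist, not denylist: only named, validated fields can pass.
// Field names, tag vocabularies and the SUD field are assumptions.
const AGE_BAND = 10;
// Controlled vocabularies (constructed): a free-text tag can never pass.
const MODALITIES = new Set(['IFS', 'EMDR', 'Somatic', 'CBT']);
const PRESENTING_ISSUES = new Set(['Anxiety', 'Trauma', 'Depression', 'Grief']);

// Whole years between two ISO dates, then a ten-year band. Ages over 89
// collapse into a single "90+" bucket, as the Safe Harbor method requires.
function ageRange(dobIso, todayIso) {
  const d = new Date(dobIso + 'T00:00:00Z');
  const t = new Date(todayIso + 'T00:00:00Z');
  if (Number.isNaN(d.getTime()) || Number.isNaN(t.getTime())) return undefined;
  let age = t.getUTCFullYear() - d.getUTCFullYear();
  const beforeBirthday = t.getUTCMonth() < d.getUTCMonth() ||
    (t.getUTCMonth() === d.getUTCMonth() && t.getUTCDate() < d.getUTCDate());
  if (beforeBirthday) age -= 1;
  if (age < 0) return undefined;
  if (age >= 90) return '90+';
  const lo = Math.floor(age / AGE_BAND) * AGE_BAND;
  return `${lo}-${lo + AGE_BAND - 1}`;
}

// Each allowed field has a cleaner; a value failing it is omitted entirely.
const tags = (vocab) => (v) => (Array.isArray(v) ? v.filter((x) => vocab.has(x)) : undefined);
const ALLOWED = {
  sessionCount: (v) => (Number.isInteger(v) && v >= 0 ? v : undefined),
  modality: tags(MODALITIES),
  presentingIssues: tags(PRESENTING_ISSUES),
  // [before, after] SUD ratings from the last session; 0-10 integers only.
  sudTrend: (v) =>
    Array.isArray(v) && v.length === 2 && v.every((n) => Number.isInteger(n) && n >= 0 && n <= 10)
      ? v : undefined,
};

// Everything not listed in ALLOWED (name, email, dob, notes, unknown fields)
// is simply never read, so a new free-text field added later is safe by default.
function buildAiPayload(record, todayIso) {
  const out = {};
  const range = record.dob ? ageRange(record.dob, todayIso) : undefined;
  if (range) out.ageRange = range;
  for (const [field, clean] of Object.entries(ALLOWED)) {
    const value = clean(record[field]);
    if (value !== undefined) out[field] = value;
  }
  return out;
}

// Constructed sample record, as it exists decrypted in the browser.
const SAMPLE_RECORD = {
  name: 'Constructed Client',
  email: 'client@example.invalid',
  dob: '1990-06-15',
  notes: 'Free-text session notes that must never leave the browser.',
  therapistComment: 'Field added in a later release; not allowlisted',
  sessionCount: 12,
  modality: ['IFS', 'Somatic', 'Jane Doe'], // the third tag is free text and is dropped
  presentingIssues: ['Anxiety', 'Trauma'],
  sudTrend: [7, 4],
};

console.log(JSON.stringify(buildAiPayload(SAMPLE_RECORD, '2026-03-01')));
```

Run with `node deidentify.js`: the payload contains only ageRange, sessionCount, the two vocabulary-checked tag lists and sudTrend. The point of the allowlist is that the safe outcome does not depend on anyone remembering to add new fields to a redaction list.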

Technical specifics.

For the security-minded practitioner who wants to know exactly what's under the hood.

RSA-OAEP 4096-bit

Asymmetric key pair generated in your browser using the Web Crypto API (SubtleCrypto.generateKey). RSA-OAEP is the RSA encryption scheme standardised in PKCS #1 v2.2 (RFC 8017) and is widely used in banking and government systems.

PBKDF2 + AES-256-GCM

Your private key is encrypted with your passphrase using PBKDF2 (600,000 iterations, the figure OWASP currently recommends for PBKDF2-HMAC-SHA256) and AES-256-GCM. Because GCM authenticates the ciphertext, a wrong passphrase is detected outright rather than producing a garbage key. Even if the encrypted private key is stolen, it is useless without your passphrase (or the recovery key described below).

Client-Side Only

All encryption and decryption happens in your browser. Unencrypted data never touches our servers. Keys never leave your device unprotected. As with any browser-based end-to-end encryption, this guarantee rests on the JavaScript your browser loads from Syntac being the code described here, so the integrity of the delivered application is part of the trust boundary.

Recovery Key

During setup, you download a one-time recovery key. If you forget your passphrase, this is the only way to regain access. We cannot reset it for you.

Zero-Retention AI

AI queries use de-identified data only. No client data is stored by AI providers. No data is used to train models. Processing is ephemeral.

Audit-Ready

Every API access is logged. Encryption versions are tracked per record. The architecture is designed for regulatory review.

Our compliance posture, honestly.

What we are

  • Designed to meet HIPAA technical safeguards (encryption, access controls, audit logging)
  • PIPEDA compliant for Canadian practitioners
  • Zero-knowledge architecture that exceeds most EHR security standards
  • Built by people who believe therapist-client confidentiality is sacred

What we're working toward

  • Business Associate Agreements (BAAs) with infrastructure vendors
  • SOC 2 Type II certification
  • Third-party penetration testing
  • Full HIPAA administrative safeguard documentation

We believe in earning trust through transparency, not marketing claims. Many platforms call themselves “HIPAA compliant” without the BAAs or audits to back it up. We'd rather tell you exactly where we are and let the architecture speak for itself.

Privacy as architecture, not policy.

Apply for the founding beta. Your data is encrypted from day one.

Apply for Beta →
© 2026 Syntac · Built for Mental Health Professionals