SYMPHONIC by Digi Labs Core, LLCSYMPHONIC

Privacy

Privacy Policy

SYMPHONIC by Digi Labs Core, LLC

Effective Date: May 11, 2026

Last Updated: May 16, 2026

1. Introduction

Digi Labs Core, LLC (“DLC,” “we,” “our,” or “us”), an Oklahoma limited liability company, operates the SYMPHONIC software-as-a-service platform (the “Service”). This Privacy Policy explains how we collect, use, share, retain, and protect information when you visit symphonicco.com, sign up for the Service, or use a SYMPHONIC tenant deployment hosted at a subdomain of symphonicco.com. This policy applies to: (a) Customers who subscribe to the Service, (b) Authorized Users that a Customer adds to their tenant, and (c) Visitors who browse our public marketing site. Where this policy uses the term “you,” it refers to the relevant category in context. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

Customer
A business or individual that has entered into a subscription agreement with DLC for use of the Service.
Authorized User
A person authorized by the Customer to access the Customer’s SYMPHONIC tenant (for example, employees, contractors, or seat holders).
Customer Data
Any business information that Customers or Authorized Users upload, generate, or store within their SYMPHONIC tenant, including but not limited to client records, invoices, quotes, project information, equipment registries, vendor records, and related operational data.
Tenant
A dedicated, isolated instance of the Service provisioned for a single Customer, typically accessed at clientname.symphonicco.com.
Personal Data
Information that identifies, relates to, or could reasonably be linked with an individual.

3. Information We Collect

3.1 Information You Provide Directly

When you sign up for, configure, or use the Service, you may provide:

  • Account information — name, business name, email address, phone number, billing address, and the subdomain slug you select for your tenant.
  • Payment information — billing details processed through our payment processor (see Section 6). DLC does not store full credit card numbers on its own systems.
  • Profile and configuration data — branding preferences, user roles, seat assignments, and platform settings.
  • Customer Data— all business information you upload to or generate within your tenant.
  • Support communications — content of support tickets, emails, and other communications you send to us.

3.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage data— pages viewed, features accessed, timestamps, session duration, and similar operational telemetry.
  • Device and connection data — IP address, browser type, operating system, device identifiers, and approximate location derived from IP address.
  • Authentication and security logs — login timestamps, password change events, session tokens, multi-factor authentication events, and failed login attempts.
  • Audit logs— automated records of administrative access to your tenant, as described in Section 8.

3.3 Information from Third-Party Integrations

If you connect a third-party service to your SYMPHONIC tenant (for example, your bank account through Plaid, your email through Microsoft or Google, or your tax data through TaxJar), the Service receives and stores information from that integration as needed to deliver the integration’s functionality. See Section 6 for details on each integration.

4. How We Use Information

We use the information described in Section 3 to:

  1. Provide, operate, and maintain the Service.
  2. Provision and configure your tenant, including our automated provisioning system at signup.
  3. Process payments, generate invoices, and manage subscription billing.
  4. Authenticate Authorized Users and enforce role-based access controls.
  5. Respond to support requests and troubleshoot service issues.
  6. Send service announcements, billing notices, security notifications, and other transactional communications.
  7. Detect, investigate, and prevent fraud, abuse, and security incidents.
  8. Comply with legal obligations, court orders, subpoenas, and lawful government requests.
  9. Improve the Service through aggregated, de-identified analysis of usage patterns.

We do not sell Personal Data or Customer Data to third parties. We do not use Customer Data to train machine learning models or for any purpose other than operating the Service for your benefit.

5. How We Share Information

5.1 Service Providers

We share information with vendors who help us operate the Service. These providers process information solely on our behalf under contractual confidentiality obligations. See Section 6 for the current list.

5.2 Legal Requirements

We may disclose information if required to do so by law, regulation, court order, subpoena, or other lawful government request. Where permitted, we will notify the affected Customer before disclosure so they have the opportunity to seek a protective order or other appropriate remedy.

5.3 Business Transfers

If DLC is involved in a merger, acquisition, asset sale, or similar transaction, information held by DLC may be transferred as part of that transaction. The successor entity will be bound by this Privacy Policy or a substantially similar policy.

5.4 With Your Authorization

We may share information with third parties when you direct us to do so (for example, when you enable a new integration or grant a support agent access to your tenant).

6. Third-Party Integrations and Services

The Service relies on the following third-party providers. Each provider has its own privacy policy, which governs the information they receive and process.

Stripe (Payment Processing)

Purpose:
Subscription billing, payment processing, and invoice generation.
Information shared:
Customer billing name, business name, email, billing address, and payment method tokens. DLC does not retain full credit card numbers; tokenization is handled by Stripe.
Provider’s policy:
https://stripe.com/privacy

Plaid (Bank Account Connectivity)

Purpose:
Connecting a Customer's bank account for transaction synchronization and financial reporting features within the tenant.
Information shared:
Account credentials are entered directly into Plaid's secure interface and never pass through DLC systems. Plaid returns to the Service the access tokens and transaction data the Customer has authorized.
Provider’s policy:
https://plaid.com/legal/

TaxJar (Sales Tax Calculation)

Purpose:
Automated sales tax calculation on invoices and optional sales tax calculation on quotes.
Information shared:
Transaction amounts, jurisdictions, and product categories necessary for tax calculation.
Provider’s policy:
https://www.taxjar.com/privacy-policy/

Microsoft (Outlook Email Integration)

Purpose:
Optional integration that allows Authorized Users to send and receive email from within the Service.
Information shared:
OAuth tokens granted by the user via Microsoft Graph API. The Service stores these tokens to maintain the integration on the user's behalf.
Provider’s policy:
https://privacy.microsoft.com/

Google (Gmail Integration)

Purpose:
Optional integration that allows Authorized Users to send and receive email from within the Service.
Information shared:
OAuth tokens granted by the user via Google's authorization flow. The Service stores these tokens to maintain the integration on the user's behalf.
Provider’s policy:
https://policies.google.com/privacy

Anthropic (Embedded AI Features)

Purpose:
AI-assisted features within the tenant, including in-dashboard query support and operational assistance.
Information shared:
Customers who enable AI features may provide their own Anthropic API key, in which case API requests run under their account. Where AI requests are processed through a DLC-managed Anthropic key, request contents may be transmitted to Anthropic per their API terms.
Provider’s policy:
https://www.anthropic.com/legal/privacy

Railway (Cloud Infrastructure)

Purpose:
Hosting of per-tenant deployments, including application servers and databases.
Information shared:
All Customer Data necessary to operate the tenant. Railway operates as an infrastructure provider under contractual confidentiality obligations.
Provider’s policy:
https://railway.com/legal/privacy

Resend (Transactional Email)

Purpose:
Delivery of transactional emails, including account notifications, password resets, billing notices, and similar communications.
Information shared:
Recipient email addresses and message content.
Provider’s policy:
https://resend.com/legal/privacy-policy

We may add, remove, or change service providers from time to time as the Service evolves. Material changes will be reflected in this section and announced in accordance with Section 15.

7. Limited Use Disclosure for Google Workspace APIs

SYMPHONIC by Digi Labs Core, LLC uses Google Workspace APIs (specifically the Gmail API) to send transactional emails on behalf of authenticated users from within the SYMPHONIC platform.

SYMPHONIC’s use and transfer of information received from Google Workspace APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, SYMPHONIC commits to the following:

  • We use Google user data only to provide and improve user-facing features that are prominent in the SYMPHONIC application.
  • We do not transfer Google user data except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user’s explicit consent.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data unless we have obtained the user’s explicit consent, it is necessary for security purposes, to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.
  • We do not use Google user data to develop, improve, or train generalized AI or machine learning models.

8. Administrative Access to Customer Data

The Service’s per-tenant Railway architecture gives each Customer a dedicated database. No Customer Data is co-mingled across tenants. However, DLC personnel retain administrative access to all tenant infrastructure as a technical reality of operating the platform. The following governance framework binds DLC and prevents that access from becoming a privacy violation.

8.1 Our Commitment to Customers

SYMPHONIC by Digi Labs Core, LLC commits to not access your business data without your explicit authorization. Should we need to access your data to resolve a support issue, we will request your permission first. In rare emergency situations (such as resolving an active outage affecting your service or responding to a legal subpoena), we may access your data to restore service or fulfill legal obligations. In such cases, we will disclose the access to you within 24 hours, including details of what was accessed and why. You may request a complete audit log of all administrative access to your data at any time, free of charge.

8.2 Internal Access Policy

The following policy binds all DLC personnel:

  • No unauthorized access. DLC personnel do not access any Customer’s business data without that Customer’s explicit authorization, granted via support ticket, written request, or signed waiver.
  • Audit logging. Every administrative access to a Customer database is automatically logged with timestamp, accessing user, scope of access, and stated reason. Logs are retained for 7 years.
  • Customer audit rights. Any Customer may request a complete audit log of all administrative access to their database at any time, free of charge, delivered within 5 business days.
  • Emergency access disclosure. Where emergency access occurs without prior authorization, DLC will disclose the access to the affected Customer within 24 hours, including what was accessed, by whom, and why.
  • Termination of unauthorized access. Any DLC personnel found to have accessed Customer Data without authorization is subject to immediate termination and may be reported to relevant authorities depending on the nature of the access.

9. Data Security

We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, alteration, and destruction. These safeguards include:

  • Encryption of data in transit using industry-standard TLS.
  • Encryption at rest for sensitive credentials and tokens stored in our systems.
  • Role-based access controls and forced first-login password changes for Authorized Users.
  • Password hashing using bcrypt with salts.
  • Multi-factor authentication on all DLC administrative accounts.
  • Per-tenant database isolation, with no co-mingling of Customer Data across tenants.
  • Automated audit logging of administrative access (see Section 8).
  • Regular review of access privileges and security posture.

No method of transmission or storage is perfectly secure. While we use reasonable measures to protect your information, we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you in accordance with applicable law.

10. Data Retention

10.1 Active Accounts

While your subscription is active, we retain Customer Data as long as it is needed to provide the Service.

10.2 Account Cancellation or Suspension

Following cancellation of your subscription or suspension of your account for non-payment, we retain your Customer Data for a 30-day grace period. During this period, you may reactivate your account or export your data. After the 30-day grace period expires, your Customer Data is permanently deleted from active systems. Backups containing residual data are rotated out in the normal course of business.

10.3 Data Export

You may export your Customer Data at any time while your account is active, in standard formats, at no additional charge.

10.4 Audit Logs

Administrative access audit logs are retained for 7 years from the date of access, as described in Section 8.

10.5 Legal Hold

We may retain information beyond the periods stated above when required to comply with legal obligations, resolve disputes, or enforce our agreements.

11. Tenant Isolation and Data Segregation

Each Customer’s tenant is provisioned on dedicated infrastructure with its own database. Customer Data is not co-mingled across tenants. This isolation applies at the database layer, the application layer, and the subdomain layer (clientname.symphonicco.com).

12. Your Rights and Choices

12.1 Access, Correction, and Deletion

You may access, update, or correct the Customer Data and account information within your tenant at any time using the platform’s built-in tools. To request deletion of Personal Data that is not accessible through the platform, contact us using the information in Section 18.

12.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the right to: (a) know what categories of Personal Data we collect and the purposes for which we use it, (b) request access to specific pieces of Personal Data, (c) request deletion of Personal Data, subject to legal exceptions, (d) opt out of the “sale” or “sharing” of Personal Data (we do not sell or share Personal Data as those terms are defined under the CCPA / CPRA), and (e) non-discrimination for exercising your rights. To submit a request, contact us using the information in Section 18.

12.3 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation and equivalent laws, including the right of access, rectification, erasure, restriction of processing, data portability, and objection. The legal bases on which we process Personal Data include performance of a contract, our legitimate interests in operating the Service, compliance with legal obligations, and your consent where applicable.

12.4 Marketing Communications

We send transactional communications (billing notices, security alerts, service announcements) to all Customers. You may not opt out of these communications while your account is active. You may opt out of marketing communications at any time by following the unsubscribe link in those emails or by contacting us.

13. Cookies and Tracking Technologies

The Service uses cookies and similar technologies for authentication, session management, security, and basic usage analytics. We do not use third-party advertising cookies. You may configure your browser to refuse cookies, but doing so may impair functionality of the Service (in particular, authentication will not work without session cookies).

14. Children's Privacy

The Service is intended for business use by adults aged 18 and older. We do not knowingly collect Personal Data from children under 13. If we learn that we have inadvertently collected Personal Data from a child under 13, we will delete it promptly. If you believe a child has provided Personal Data to us, please contact us using the information in Section 18.

15. International Users

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States. By using the Service, you consent to this transfer.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the “Last Updated” date at the top of this policy, (b) post the updated policy on symphonicco.com, and (c) where required by law, provide notice to Customers via email or through the Service. Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the updated policy.

17. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the State of Oklahoma, without regard to its conflict of laws principles. Any dispute arising from or related to this Privacy Policy will be brought exclusively in the state or federal courts located in Tulsa County, Oklahoma, unless otherwise required by applicable law.

18. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to submit a privacy-related request, please contact:

Digi Labs Core, LLC
Attn: Privacy
Tulsa, Oklahoma
Email: info@digilabscore.com

We aim to respond to all privacy inquiries within 30 days. Audit log requests will be fulfilled within 5 business days as described in Section 8.

← Back to home