Privacy Policy
Effective Date: April 19, 2026
Cynosure is operated by A3RN LLC ("A3RN," "we," "us," or "our") and is built with privacy at its core. This Privacy Policy applies to users of the Cynosure application ("Service") within the United States. This policy explains what data we collect, how we use it, and how we protect it. Our end-to-end encryption architecture is designed so that we cannot read your personal content.
1. Data We Collect
Account Information
- Email address
- Display name (if provided)
- Passkey credential metadata (device type, usage timestamps)
- Account creation date and last activity timestamp
Encrypted Content
Your visions, goals, and activity descriptions are encrypted on your device using AES-256-GCM before being transmitted to our servers. We store this data as encrypted blobs that we cannot decrypt. Activity and goal titles are stored in plaintext to enable navigation within the app.
Device Information
- Device type and operating system (for multi-device sync)
- App version
- Platform (iOS, Android, or Web)
Usage Preferences
- Theme preference (light/dark)
- AI features opt-in status
- Analytics opt-in status
- Archive retention duration
- Biometric authentication preference
2. End-to-End Encryption
Cynosure uses mandatory end-to-end encryption with keys derived from your recovery phrase using industry-standard key derivation. Your encryption keys never leave your device. Our servers store only encrypted data that we cannot read, access, or decrypt.
3. How We Use Your Data
We use your account information to:
- Authenticate you and maintain your session
- Send verification code emails for passwordless login
- Process subscription payments
- Send subscription renewal reminders
- Sync your encrypted data across your devices
- Respond to support requests submitted through the app
4. Third-Party Services
Payment Processing
Subscription purchases made through the Apple App Store are processed by Apple, and purchases made through Google Play are processed by Google. A3RN does not receive or store payment card details for those purchases.
Subscription purchases made on a3rn.com are processed by Paddle.com Market Ltd., which acts as Merchant of Record. Paddle shares with A3RN only the limited information needed to manage your subscription (such as a customer ID, email, subscription status, and summary transaction data); payment card details remain with Paddle.
For Enterprise customers billed offline, A3RN retains only the contact and billing information necessary to invoice and manage the subscription.
AI Features
A3RN may offer AI-powered features that process data on your device using platform-provided capabilities (such as Apple Intelligence, Google Gemini Nano, or browser-based language models). When AI features run on-device, no content is sent to external servers. If Cynosure introduces AI features that require server-side processing in the future, this policy will be updated accordingly.
5. Data We Do NOT Collect
As of the effective date of this policy:
- We do not use third-party analytics, advertising, or tracking SDKs
- We do not use cookies beyond secure session tokens
- We do not collect location data
- We do not sell or share your data with advertisers
- We do not use tracking pixels or fingerprinting
- Biometric data (Face ID, Touch ID) is processed on-device only and never sent to our servers
These practices may change over time. Any material changes will be reflected in an updated version of this policy.
6. Do Not Sell or Share
A3RN does not sell, rent, or share your personal information with third parties for their marketing purposes. We do not use or disclose sensitive personal information for purposes other than providing the Service.
7. Data Retention
We retain your data in accordance with our retention practices, which vary by data type:
- Deleted content: Retained during a soft-delete period, then permanently removed
- Temporary data (authentication tokens, data exports, access codes): Retained briefly after use or expiry
- Operational data (audit logs, sync history, AI usage logs, payment event logs): Retained for a limited period
- Archived tasks: Retained based on your configured preference
- Shared team content: Content you contribute to a shared team owned by another user is retained by the team owner if you leave or delete your account. Your author reference is removed
- Server backups: Retained for a limited period
A3RN reserves the right to adjust retention periods at any time. Data may be retained longer than indicated if required by law or necessary to resolve disputes.
Service Discontinuation: If A3RN permanently discontinues the Service, A3RN may provide advance notice to allow you to export your data, but is not obligated to do so. Following discontinuation, user data will be deleted from our servers in accordance with our retention practices.
8. Account Features
A3RN provides the following account management features:
- Access: View all data associated with your account
- Export: Download data from your personal workspace and shared teams you own in JSON format at any time
- Delete: Permanently delete your account and all data from teams you own. Content contributed to shared teams owned by other users is retained by the team owner with your author reference removed
- Correct: Update personal information in your account settings
- Opt out: Disable AI features and analytics at any time
These features are provided as part of the Service and may be modified or discontinued at any time in accordance with our Terms of Service. To use these features, access the relevant options in your account settings.
9. Security Measures
- Transport: All communications use encrypted transport (HTTPS)
- Encryption at rest: Server-side database encryption
- End-to-end encryption: Industry-standard encryption for all user content
- Authentication: Passwordless by design
- Token security: All tokens are cryptographically hashed before storage
- Access control: Security controls ensure users can only access their own data
- No backdoors: Even Cynosure staff cannot decrypt your encrypted content
Breach Notification: No system is completely secure. In the event of a security breach that affects your personal data, A3RN's notification obligations are limited to those imposed by applicable U.S. state law. Because your content is end-to-end encrypted, a server-side breach would not expose the contents of your visions, goals, or activity descriptions. However, account metadata (email address, display name, activity timestamps) and plaintext titles could be affected. A3RN makes no guarantees regarding the timeliness of breach detection or notification beyond what is required by law.
Security Monitoring: By using the Service, you consent to A3RN logging, monitoring, and analyzing usage patterns, access logs, and system activity for security, fraud prevention, abuse detection, and service integrity purposes. This monitoring may include automated analysis of login patterns, API usage, device information, and IP addresses. Security monitoring data is retained in accordance with the schedules in Section 7 and is not used for advertising or sold to third parties.
10. Age Restriction
The Service is intended only for adults aged 21 and older who are residents of the United States. We do not knowingly collect personal information from anyone under 21. If we learn that a user under 21 has created an account, we may terminate that account and delete associated data without notice.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or how your data is handled, please contact us through the Contact form in the app settings or email us at .
© 2026 A3RN LLC. All rights reserved.