Privacy Policy

Version 2026-04-20.1 · Effective 20 April 2026

1. Who is the controller

Synaptico, Avenue de Mai 32, 1200 Bruxelles, Belgium, enterprise number [BE enterprise no. — TBC], is the controller for personal data processed aboutthe Service’s users (account holders, invited colleagues, consultants and prospects).

For personal data contained inside the documents and chat messages Customers upload through the Service, the Customer is the controller and Synaptico is the processor. That processing is governed by the Data Processing Addendum, not by this Privacy Policy.

You can contact us at [privacy@synaptico.com — TBC] or, for matters requiring a Data Protection Officer, at [dpo@synaptico.com — TBC].

2. What we collect and why

2.1 Account data

Name, email, role, password hash, organisation, preferred language, authentication tokens and timestamps. Processed to operate the account and authenticate you (Article 6(1)(b) GDPR — performance of contract).

2.2 Usage telemetry

IP address, user-agent, event timestamps, pages viewed, actions taken, feature flags. Processed to run, secure, monitor and improve the Service, detect abuse, investigate incidents and meet our auditability obligations (Article 6(1)(f) GDPR — legitimate interests in running a secure SaaS service).

2.3 Billing data

VAT-relevant identifiers, payment-provider references, invoices. Processed to invoice and meet bookkeeping obligations (Article 6(1)(b) and (c) GDPR).

2.4 Support data

Messages you send to our support team. Processed to respond (Article 6(1)(b) GDPR).

2.5 Legal-acceptance ledger

Evidence that you accepted a particular version of our legal documents, including version string, timestamp, IP address and user-agent. Processed to evidence contractual consent (Article 6(1)(b) GDPR) and to comply with our own legal obligations (Article 6(1)(c) GDPR).

2.6 Marketing

If you subscribe to communications, we process your email on the basis of your consent (Article 6(1)(a) GDPR), which you can withdraw at any time via the unsubscribe link.

3. Sources

We collect personal data directly from you, from your colleagues who invite you, and automatically through your use of the Service.

4. Retention

• Account data: while your account exists and up to 24 months after closure, unless a shorter period is requested and our legitimate interest or legal duty permits deletion sooner.
• Usage telemetry: up to 18 months for security analytics; a subset for longer where required to meet audit obligations.
• Billing data: ten (10) years, per Article III.86 CDE.
• Legal-acceptance ledger: ten (10) years from the acceptance event, to cover the contractual limitation period.

5. Recipients and sub-processors

We share personal data only with service providers that act on our instructions under written contracts with the safeguards required by Article 28 GDPR, including:

• [Cloud hosting provider — TBC (e.g. AWS / GCP / Azure EU regions)], for hosting and storage;
• [LLM provider — TBC, e.g. Google Gemini via Vertex AI], for AI inference;
• [Email provider — TBC], for transactional email;
• [Stripe Payments Europe Ltd., Ireland], for payment processing;
• [Error-tracking provider — TBC], for application monitoring;
• where required, competent supervisory authorities, courts or professional advisers.

An up-to-date sub-processor list with the data each one accesses is available at [/legal/sub-processors — TBC] and is maintained in accordance with the DPA.

6. International transfers

Where a sub-processor processes personal data outside the European Economic Area (EEA), we rely on Article 46 GDPR safeguards — in particular the European Commission’s Standard Contractual Clauses (module 2 or module 3) with supplementary measures where our transfer-impact assessment indicates they are necessary. A copy of the relevant clauses can be requested at the address in clause 1.

7. Your rights

You have, under Articles 15–22 GDPR, the right to: access your personal data, rectify it, obtain its erasure or restriction, object to processing based on legitimate interests, receive a portable copy and — where processing is based on consent — withdraw that consent at any time without affecting the lawfulness of processing already carried out.

You can exercise these rights by writing to [privacy@synaptico.com — TBC]. We respond within one (1) month, extendable by two (2) months for complex requests under Article 12(3) GDPR.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), Rue de la Presse 35, 1000 Bruxelles, autoriteprotectiondonnees.be, or with the supervisory authority of the EU Member State where you live or where the alleged infringement occurred.

8. Security

We implement technical and organisational measures appropriate to the risk, including role-based access control, encryption in transit and at rest, segregation of production and non-production environments, logging and monitoring, regular backups, written security policies and staff training. A summary is in Annex II of the DPA.

9. Automated decision-making

The Service applies AI and rule-based automation to produce draft classifications and assessments. These outputs are not taken autonomously: they are presented to users for human review, with the human remaining accountable for the decision that is eventually acted on. Accordingly, we do not rely on Article 22 GDPR for any decision having legal or similarly significant effects on a data subject.

10. Cookies and similar technologies

We use strictly necessary cookies to run the Service (for example to keep you signed in) and, where you consent, analytics cookies that help us understand how the Service is used. Details, and how to manage your preferences, are in our [Cookie Notice — TBC].

11. Changes to this policy

We will notify you of material changes at least thirty (30) days before they take effect. The current version is the one published on this page with the version string and effective date shown at the top.