Privacy Policy
Last updated: 5 July 2026
1. Data Controller
The data controller for personal data collected through syntra.business is: [LEGAL_ENTITY — Company name, registration number, registered address]. Data Protection contact: info@syntra.business.
2. Data we collect
We collect: (a) data you provide directly — name, email, hashed password, payment data processed by Stripe; (b) documents you upload — invoices, receipts, payslips, contracts; (c) usage data — logs, session metadata, performance metrics; (d) AI-extracted data — amounts, suppliers, tax rates, accounting categories. Important note on third-party invoices: when you upload a supplier invoice, it may contain personal data of third parties (name, tax ID, address). Syntra acts as a data processor for that data; you are the controller and must have a legal basis for its processing.
3. Purpose of processing
We process your data to: (a) provide the document and financial management service; (b) process subscription payments via Stripe; (c) send you service communications, updates and alerts; (d) improve the accuracy of AI extraction models (anonymised data); (e) comply with legal obligations for retention of fiscal and accounting documentation.
4. Legal basis for processing
Processing is based on: (a) performance of the service contract — Art. 6.1.b GDPR — to deliver the platform's functions; (b) explicit consent — Art. 6.1.a GDPR — for analytics cookies and marketing communications; (c) legitimate interests — Art. 6.1.f GDPR — for service security and fraud prevention; (d) legal obligation — Art. 6.1.c GDPR — for retention of tax documents as required by applicable law.
5. Sub-processors
We use the following sub-processors, with whom we have signed GDPR-compliant Data Processing Agreements (DPA): Supabase Inc. (data storage, EU servers); Vercel Inc. (hosting and CDN, EU DPA); Stripe Inc. (payment processing, PCI-DSS Level 1 certified); OpenAI Inc. (AI data extraction — documents are processed but not stored by OpenAI or used to train models); Twilio Inc. (WhatsApp messaging). No sub-processor sells your data or uses it for purposes other than those strictly necessary to provide the service.
6. International data transfers
Supabase, Vercel and Stripe operate with EU/EEA servers. OpenAI and Twilio, based in the US, process data under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring a level of protection equivalent to the GDPR.
7. Data retention
We retain your data while your account is active. After account deletion: user data and documents are erased within 90 days; billing logs and tax documents are retained for 7 years as required by applicable accounting regulations. You may request earlier deletion except where legal retention obligations apply.
8. Your rights (GDPR)
You have the right to: access (a copy of your data), rectification, erasure ('right to be forgotten'), portability (export your data in a machine-readable format), restriction of processing, objection to processing based on legitimate interests, and not to be subject to solely automated decisions with significant effects. To exercise them: info@syntra.business, with a copy of your identity document. Response time: 30 days. You may also lodge a complaint with your national data protection authority.
9. Security
We apply: TLS 1.3 encryption in transit; AES-256 encryption at rest; Supabase Row Level Security (RLS) — each user only accesses their own data; multi-factor authentication available; access auditing for sensitive data. In the event of a personal data breach affecting your data, we will notify you within 72 hours as required by Art. 33 GDPR.
10. Cookies and tracking technologies
Strictly necessary cookies (authentication, session): no consent required. Analytics cookies (Google Analytics 4): only activated if you accept the consent banner. We implement Google Consent Mode v2 — by default, analytics operates in anonymised mode until you accept. We do not use advertising or retargeting cookies. You can manage your preferences via the banner or by contacting us.
11. Changes to this policy
We will notify you of any material changes by email at least 30 days in advance. Continued use of the service after that period implies acceptance. The previous version will remain accessible for 90 days.