Last Updated: Jan 10, 2026

GENERAL DATA PROTECTION REGULATION (GDPR) NOTICE

Effective Date: March 18, 2025

1. Introduction and Scope

This GDPR Notice explains how Syntari International, Inc. ("Syntari," "we," "us," or "our") collects, uses, discloses, and protects personal data of individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and the Swiss Federal Act on Data Protection.

This Notice supplements our Privacy Policy and applies to all personal data processing activities related to:

   •  Syntari Platform (app.syntari.ai) – Our AI-native consulting workflow platform

   •  Syntari Advisory Services – Professional management consulting services

   •  Syntari Academy – Educational courses, workshops, and training programs

   •  Syntari Websites – syntari.ai and all related subdomains

This Notice should be read in conjunction with our Terms of Service, Privacy Policy, Cookie Policy, and Acceptable Use Policy.

2. Data Controller Information

For the purposes of the GDPR, the data controller responsible for your personal data is:


Company Name: Syntari International, Inc.

Registered Address: One Marina Park Drive, Suite 1410, Boston, MA 02210, United States

Email: privacy@syntari.ai

Data Protection Officer (DPO): dpo@syntari.ai


For enterprise customers using Syntari through workplace accounts, your employer may be the data controller for certain processing activities. In such cases, Syntari acts as a data processor on behalf of your employer pursuant to a Data Processing Agreement (DPA).

3. Categories of Personal Data We Process

3.1 Personal Data Provided Directly

We collect the following categories of personal data that you provide directly:

Category             Examples
Identity Data        Full name, job title, company name, profile photo
Contact Data         Email address, phone number, business address
Account Data         Username, password (hashed), account preferences
Financial Data       Billing address, payment method details (processed by Stripe)
Content Data         Documents, files, prompts, queries, and deliverables uploaded to the platform
Communications Data  Support messages, feedback, survey responses

3.2 Personal Data Collected Automatically

When you use our Services, we automatically collect:

Category        Examples
Technical Data  IP address, browser type and version, operating system, device identifiers
Usage Data      Pages visited, features used, click paths, session duration, referral source
Location Data   Approximate location based on IP address (precise location only with consent)
Log Data        Error messages, API calls, security events, login attempts

3.3 Personal Data from Third Parties

We may receive personal data from:

   •  Authentication providers (Google OAuth, Microsoft OAuth, Apple Sign-In)

   •  Integration services (Google Workspace, Microsoft 365, Slack, Notion, Box)

   •  Payment processors (Stripe)

   •  Business contact enrichment services (for B2B marketing)

4. Legal Bases for Processing

Under GDPR Article 6, we process your personal data only when we have a valid legal basis. The following table sets forth the purposes of processing and corresponding legal bases:

Purpose                                              Legal Basis                     GDPR Article
Account creation and service delivery                Performance of contract         Art. 6(1)(b)
Payment processing and billing                       Performance of contract         Art. 6(1)(b)
Platform functionality and customer support          Performance of contract         Art. 6(1)(b)
Security, fraud prevention, and abuse detection      Legitimate interest             Art. 6(1)(f)
Analytics and service improvement                    Legitimate interest or Consent  Art. 6(1)(f) or Art. 6(1)(a)
Marketing communications                             Consent                         Art. 6(1)(a)
Targeted advertising and remarketing                 Consent                         Art. 6(1)(a)
AI training on non-sensitive data                    Legitimate interest             Art. 6(1)(f)
AI training on sensitive client data                 Explicit consent                Art. 6(1)(a) + Art. 9(2)(a)
Compliance with legal obligations                    Legal obligation                Art. 6(1)(c)
Establishment, exercise, or defense of legal claims  Legitimate interest             Art. 6(1)(f)

4.1 Legitimate Interests Assessment

Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. Our legitimate interests include:

   •  Operating and improving our AI-native consulting platform

   •  Protecting the security and integrity of our Services

   •  Detecting and preventing fraud, abuse, and security threats

   •  Understanding how users interact with our Services to improve functionality

   •  Conducting business-to-business marketing activities

You have the right to object to processing based on legitimate interests at any time. See Section 7 for details on exercising this right.

5. Data Sharing and Recipients

5.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

Recipient Category              Purpose                              Examples
Cloud Infrastructure Providers  Hosting, storage, and computing      Amazon Web Services, Google Cloud Platform
AI/LLM Providers                AI-powered platform features         OpenAI, Google (Gemini), Anthropic (Claude)
Payment Processors              Billing and subscription management  Stripe
Analytics Providers             Usage analytics and insights         Google Analytics
Email Service Providers         Transactional and marketing emails   SendGrid, HubSpot
Customer Support Tools          Live chat and ticketing              Intercom, Zendesk
Professional Advisors           Legal, accounting, audit services    Law firms, auditors, consultants

5.2 AI and Large Language Model Processing

When you use Syntari's AI features, your prompts, uploaded content, and conversation history may be sent to our third-party LLM providers:

   •  OpenAI (GPT-4, GPT-4 Turbo): API data is NOT used for model training by default; retained for 30 days for abuse monitoring

   •  Google (Gemini Pro, Gemini Ultra): API data is NOT used for model training for enterprise customers

   •  Anthropic (Claude): API data is NOT used for model training; retained for 90 days for Trust & Safety

We implement strict data isolation controls. Enterprise customers may enable zero-retention mode and opt out of AI training entirely.

5.3 Data Sharing We Do NOT Engage In

We do NOT:

   •  Sell your personal data to third parties for monetary compensation

   •  Share your data with data brokers

   •  Use your data to train AI models for other customers without explicit consent

   •  Share client-specific data between customers

6. International Data Transfers

Syntari is headquartered in the United States. When you use our Services from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States and other countries where our service providers operate.

6.1 Transfer Mechanisms

We ensure appropriate safeguards are in place for all international transfers of personal data in compliance with GDPR Chapter V:

   •  Standard Contractual Clauses (SCCs): We use the European Commission-approved SCCs (Decision 2021/914) for transfers to third countries without an adequacy decision

   •  Adequacy Decisions: Where available, we rely on European Commission adequacy decisions

   •  Data Processing Agreements: All service providers sign DPAs incorporating appropriate transfer mechanisms

   •  Supplementary Measures: Where required, we implement additional technical, organizational, and contractual safeguards

6.2 UK International Data Transfers

For transfers from the UK, we rely on:

   •  UK International Data Transfer Agreement (IDTA)

   •  UK Addendum to EU SCCs

   •  UK adequacy regulations where applicable

6.3 Obtaining Transfer Documentation

You may request a copy of the Standard Contractual Clauses or other transfer mechanisms by contacting our Data Protection Officer at dpo@syntari.ai.

7. Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights without undue delay.

7.1 Right of Access (Article 15)

You have the right to:

   •  Obtain confirmation as to whether we are processing your personal data

   •  Receive a copy of your personal data

   •  Receive information about the purposes of processing, categories of data, recipients, retention periods, and your rights

7.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay.

7.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten") where:

   •  The data is no longer necessary for the purposes for which it was collected

   •  You withdraw consent (where processing is based on consent)

   •  You object to processing based on legitimate interests and there are no overriding legitimate grounds

   •  The data has been unlawfully processed

   •  Erasure is required for compliance with a legal obligation

This right does not apply where processing is necessary for compliance with legal obligations, establishment/exercise/defense of legal claims, or archiving in the public interest.

7.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing where:

   •  You contest the accuracy of your personal data (during verification)

   •  Processing is unlawful and you oppose erasure

   •  We no longer need the data but you require it for legal claims

   •  You have objected to processing (pending verification of legitimate grounds)

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where:

   •  Processing is based on consent or contract performance

   •  Processing is carried out by automated means

7.6 Right to Object (Article 21)

You have the right to object to:

   •  Processing based on legitimate interests (including profiling): We will cease processing unless we demonstrate compelling legitimate grounds or the processing is necessary for legal claims

   •  Processing for direct marketing purposes (including related profiling): We will immediately cease such processing upon objection

7.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, except where:

   •  Necessary for entering into or performing a contract

   •  Authorized by applicable law with adequate safeguards

   •  Based on your explicit consent

Syntari does not currently engage in solely automated decision-making that produces legal effects. AI-generated outputs are provided for informational purposes and require human review.

7.8 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You may withdraw consent by:

   •  Updating your account preferences

   •  Using our Cookie Preferences Center

   •  Contacting us at privacy@syntari.ai

8. How to Exercise Your Rights

8.1 Submitting Requests

You may exercise your rights by contacting us through the following channels:

   •  Email: privacy@syntari.ai or dpo@syntari.ai

   •  Online Form: GDPR Request Portal at syntari.ai/gdpr-request

   •  Mail: Syntari International, Inc., Attn: Data Protection Officer, One Marina Park Drive, Suite 1410, Boston, MA 02210, United States

8.2 Identity Verification

To protect your personal data, we may verify your identity before fulfilling your request. Verification methods may include:

   •  Confirmation of account credentials

   •  Verification of information we have on file

   •  Additional documentation in certain circumstances

8.3 Response Timeframes

We will respond to your request within one (1) month of receipt. This period may be extended by two (2) additional months where necessary, taking into account the complexity and number of requests. We will inform you of any extension within one month of receipt, together with the reasons for the delay.

8.4 Fees

We provide information free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly due to their repetitive character. Where we refuse a request, we will inform you of the reasons and your right to lodge a complaint.

8.5 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide written proof of authorization signed by you, and we may verify your identity directly.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Data Category                Retention Period               Legal Basis / Rationale
Account data                 Duration of account + 90 days  Contract performance, support
Payment and billing records  7 years                        Tax and legal compliance
Platform usage logs          18 months                      Analytics, fraud prevention
AI conversation history      90 days (or until deleted)     Platform functionality
Marketing consent records    Until opt-out + 30 days        Consent tracking
Support tickets              3 years                        Customer service, legal
Security and audit logs      2 years                        Fraud prevention, legal

Upon expiration of the retention period, personal data is permanently deleted or anonymized. Backup copies are purged within 90 days of primary data deletion.

10. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:

10.1 Technical Measures

   •  Encryption at Rest: AES-256 encryption for stored data

   •  Encryption in Transit: TLS 1.2+ for all data transmission

   •  Password Security: Bcrypt hashing with salts

   •  Access Controls: Role-based access control (RBAC), multi-factor authentication

   •  Network Security: Firewalls, DDoS protection, intrusion detection systems

   •  Vulnerability Management: Regular security audits and penetration testing

10.2 Organizational Measures

   •  Security Policies: Comprehensive information security policies and procedures

   •  Employee Training: Security awareness training for all personnel

   •  Vendor Management: Security assessments and DPAs with all sub-processors

   •  Incident Response: Documented breach response procedures

   •  Certifications: SOC 2 Type II compliance (in progress)

11. Data Breach Notification

In the event of a personal data breach, we will comply with our obligations under GDPR Articles 33 and 34:

11.1 Notification to Supervisory Authority

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, unless the breach is unlikely to result in such risk.

11.2 Notification to Data Subjects

Where a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, unless:

   •  We have implemented appropriate technical and organizational protection measures rendering the data unintelligible (e.g., encryption)

   •  Subsequent measures ensure the high risk is no longer likely to materialize

   •  Individual notification would involve disproportionate effort (in which case public communication is made)

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes the GDPR.

12.1 Lead Supervisory Authority

As Syntari is established in the United States with no establishment in the EEA, the lead supervisory authority is determined by your place of residence:

   •  EEA Residents: Contact your local Data Protection Authority (DPA). A list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

   •  UK Residents: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom (https://ico.org.uk)

   •  Swiss Residents: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern, Switzerland (https://www.edoeb.admin.ch)

12.2 Before Filing a Complaint

We encourage you to contact us first to resolve any concerns. Our Data Protection Officer is available at dpo@syntari.ai and will respond to your inquiry promptly.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies in accordance with the ePrivacy Directive (2002/58/EC) as amended by Directive 2009/136/EC. For full details, please refer to our Cookie Policy.

13.1 Cookie Categories

   •  Strictly Necessary Cookies: Essential for core functionality; cannot be disabled (Legal basis: Contract performance)

   •  Performance/Analytics Cookies: Help us understand usage patterns (Legal basis: Consent or Legitimate interest)

   •  Functional Cookies: Remember your preferences (Legal basis: Consent)

   •  Targeting/Advertising Cookies: Deliver relevant ads (Legal basis: Consent)

13.2 Managing Cookie Preferences

You can manage your cookie preferences through:

   •  Our Cookie Preferences Center (accessible via the cookie banner or syntari.ai/cookie-preferences)

   •  Your browser settings

   •  Industry opt-out tools (NAI, DAA)

14. Children's Personal Data

Our Services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@syntari.ai, and we will take steps to delete such information.

For children between 13 and 16 in certain Member States where national law permits, consent may be given by the child. However, Syntari's Services are designed for business professionals and are not intended for use by minors.

15. EU and UK Representative

Pursuant to GDPR Article 27 and UK GDPR Article 27, we have appointed representatives in the European Union and United Kingdom:

EU Representative: [To be appointed – Contact dpo@syntari.ai for current information]

UK Representative: [To be appointed – Contact dpo@syntari.ai for current information]

Our representatives are authorized to receive communications from supervisory authorities and data subjects on matters relating to our processing of personal data.

16. Data Processing Agreements

For enterprise customers subject to GDPR who require Syntari to act as a data processor:

   •  We execute Data Processing Agreements (DPAs) upon request

   •  DPAs incorporate Standard Contractual Clauses where required

   •  DPAs include Annex I (List of Parties), Annex II (Technical and Organizational Measures), and Annex III (List of Sub-processors)

To request a DPA or obtain our current list of sub-processors, contact dpo@syntari.ai.

17. Changes to This Notice

We may update this GDPR Notice periodically to reflect changes in our processing activities, legal requirements, or service offerings.

17.1 Notification of Changes

For material changes:

   •  We will provide at least 30 days' advance notice via email

   •  We will post a prominent notice on our website

   •  Where changes affect processing based on consent, we will obtain fresh consent where required

17.2 Version History

Previous versions of this Notice are available upon request. The current version is effective as of the date stated at the top of this document.

18. Contact Information

For questions, concerns, or requests related to this GDPR Notice or our data protection practices:


Data Protection Officer: dpo@syntari.ai

General Privacy Inquiries: privacy@syntari.ai

AI & LLM Privacy: ai-privacy@syntari.ai


Mailing Address:

Syntari International, Inc.

Attn: Data Protection Officer

One Marina Park Drive, Suite 1410

Boston, MA 02210

United States


END OF GDPR NOTICE

© 2025 Syntari International, Inc. All rights reserved.