GDPR NOTICE & ADDENDUM
VERSION 3.0
Effective Date: February 23, 2026
Syntari AI, Inc.
855 Boylston Street, Suite 1000
Boston, MA 02116
© 2026 Syntari International, Inc. All rights reserved.

  1. DOCUMENT PURPOSE AND SCOPE
    This GDPR Notice and Addendum ("Notice") supplements and updates Syntari AI, Inc.'s ("Company," "Data Controller," or "we") privacy policies and data processing agreements to address compliance with:
    ● Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)
    ● Regulation (EU) 2023/1230 (EU AI Act)
    ● The EU-U.S. Data Privacy Framework (DPF) and UK Extension
    ● UK Data Protection Act 2018 and UK GDPR
    ● Swiss Federal Act on Data Protection (nFADP)
    ● UK International Data Transfer Agreement (UK IDTA)
    This Notice is specifically designed for data subjects and controllers processing personal data through Syntari AI's AI-native management consulting platform.

  2. DATA CONTROLLER INFORMATION
    2.1 Primary Contact
    Contact Role            | Information
    Data Protection Officer | dpo@syntari.ai
    Privacy Officer         | privacy@syntari.ai
    EU Representative       | eu-representative@syntari.ai
    UK Representative       | uk-representative@syntari.ai
    Mailing Address         | 855 Boylston Street, Suite 1000, Boston, MA 02116, USA
    2.2 Data Controller Designation
    For the purposes of GDPR and UK GDPR, Syntari AI, Inc. acts as the Data Controller for personal data processed through the platform. Where personal data is processed by both the Company and our customers, we may act as a Joint Controller as outlined in Section 11.

  3. CATEGORIES OF PERSONAL DATA PROCESSED
    3.1 Standard Personal Data
    ● Identity information (name, email, job title, organization)
    ● Contact information (phone, physical address, IP address)
    ● Professional credentials and work history
    ● Authentication data (passwords, API keys, session tokens)
    ● Activity logs and user behavior analytics
    3.2 AI-Specific Personal Data
    ● Prompts and queries submitted by users to AI systems
    ● AI-generated outputs and recommendations
    ● Conversation logs and interaction history
    ● User preferences for AI model selection and parameters
    ● Metadata related to AI processing (timestamps, model versions, inference logs)
    ● Training data provenance information
    3.3 Special Categories
    ● Health data (when provided in consultation contexts)
    ● Diversity and inclusion metrics (when relevant to consulting engagements)

  4. LEGAL BASES FOR PROCESSING (ARTICLE 6 GDPR)
    We process personal data on the following lawful bases:
    ● Contractual necessity: Processing necessary to perform services you have requested
    ● Legitimate interests: Analytics, security, fraud prevention, and service improvement
    ● Legal obligation: Compliance with tax, employment, and regulatory requirements
    ● Consent: For marketing communications and optional service features (where applicable)
    ● Public interest: Consulting recommendations that promote professional services industry best practices
    4.1 Legitimate Interest Balancing Test for AI Processing
    When processing personal data through AI systems, we conduct the following balancing test:
    ● Necessity assessment: Whether AI processing is the least-intrusive means to achieve the purpose
    ● Proportionality review: Benefit to the data subject and company versus privacy impact
    ● Reasonable expectation analysis: Whether data subject would reasonably expect such processing
    ● Data minimization: Using only necessary data to train, fine-tune, or operate AI models
    ● Transparency measures: Clear disclosure of AI involvement in decision-making

  5. INTERNATIONAL DATA TRANSFERS
    5.1 EU-U.S. Data Privacy Framework (DPF)
    Syntari AI, Inc. complies with the EU-U.S. Data Privacy Framework (DPF) as set forth by the U.S. Department of Commerce, regarding the processing of personal data transferred from the European Union and the United Kingdom to the United States.
    ● DPF Certification: Syntari AI is certified under the DPF
    ● Swiss FADP Extension: We also comply with the DPF Swiss extension for Swiss personal data
    ● Accountability: We remain liable if we fail to comply with DPF principles
    ● Enforcement: Subject to the investigatory authority of the U.S. Federal Trade Commission (FTC)
    5.2 Standard Contractual Clauses (SCCs)
    Where the DPF is insufficient or for supplementary protection, we rely on Standard Contractual Clauses (Commission Decision 2021/914) for transfers to:
    ● Third-party AI service providers
    ● Technical infrastructure providers
    ● Subprocessors and sub-contractors
    5.3 UK-Specific Transfer Mechanisms
    For UK personal data, we use:
    ● UK Adequacy Decision (where applicable)
    ● UK International Data Transfer Agreement (UK IDTA)
    ● UK-specific Standard Contractual Clauses
    5.4 Transfer Impact Assessment (TIA) - Post-Schrems II
    We conduct Transfer Impact Assessments for all non-EEA transfers and implement supplementary safeguards:
    ● Assessment of national laws affecting EU data in recipient countries
    ● Evaluation of access by government authorities
    ● Implementation of encryption and access controls
    ● Documentation and audit trails for all cross-border transfers

  6. AI PROVIDERS AND SUB-PROCESSORS
    6.1 Authorized AI Sub-Processors
    The following AI service providers process personal data (including prompts, outputs, and conversation logs) on our behalf:
    AI Provider   | Service Type             | Processing Location         | Transfer Mechanism
    Anthropic PBC | Large Language Model API | United States               | EU-U.S. DPF, SCCs
    OpenAI Inc.   | ChatGPT/GPT-4 API        | United States               | EU-U.S. DPF, SCCs
    Google LLC    | Vertex AI / PaLM Models  | United States, Multi-region | EU-U.S. DPF, SCCs
    6.2 Sub-Processor Audit Rights
    Controllers and data subjects (upon request) have the right to audit compliance of AI sub-processors through:
    ● Annual SOC 2 Type II reports (Service Organization Control certifications)
    ● ISO 27001 compliance certifications
    ● GDPR compliance attestations and Data Processing Addenda
    ● On-demand security assessments (with 30 days written notice)
    Audit reports may be requested via dpo@syntari.ai.

  7. AUTOMATED DECISION-MAKING AND AI (ARTICLE 22 GDPR)
    7.1 Article 22 GDPR - Right Not to Be Subject to Solely Automated Decisions
    Data subjects have the right not to be subject to a decision based solely on automated processing (including AI) that produces legal or similarly significant effects.
    7.2 AI Decision Categories
    Syntari AI processes personal data through AI for:
    ● Recommendations (non-binding consulting insights)
    ● Risk assessment and profiling
    ● Performance analytics and benchmarking
    ● Staffing optimization suggestions
    7.3 Human Oversight Requirements
    For any decision with legal or significant effect, we provide:
    ● Human review by qualified consultants
    ● Clear explanation of AI involvement
    ● Right to request human decision-making
    ● Right to challenge AI-derived conclusions
    7.4 Right to Explanation
    Data subjects have the right to request explanation of:
    ● Why an AI model generated a particular output
    ● The logic and reasoning behind recommendations
    ● Which data inputs influenced the decision
    ● How training data affects outcomes

  8. EU AI ACT ALIGNMENT (ARTICLES 13-14)
    8.1 AI System Transparency (Article 13)
    For high-risk AI systems, we provide transparent documentation:
    ● AI system identification and purpose
    ● Intended use and target users
    ● Risk classification (low, medium, high)
    ● Training data source and provenance
    ● Model type and architecture overview
    ● Decision logic and limitations
    8.2 Human Oversight (Article 14)
    Human oversight requirements:
    ● Designated human reviewers for high-risk AI decisions
    ● Override capabilities for automated recommendations
    ● Training on AI system limitations and biases
    ● Documentation of override decisions
    8.3 AI Risk Classification
    Our AI processing activities are classified as:
    ● Low-risk: General analytics, performance dashboards
    ● Medium-risk: Recommendation engines, predictive analytics
    ● High-risk: Staffing decisions, compensation recommendations (where they have legal effect)

  9. DATA PROTECTION IMPACT ASSESSMENT (DPIA) FOR AI
    9.1 When DPIA is Required
    We conduct formal DPIAs when AI processing involves:
    ● Large-scale processing of personal data
    ● Automated decision-making with legal or significant effect
    ● Systematic monitoring of individuals
    ● Processing of sensitive or special categories of data
    ● Processing that could restrict rights or freedoms
    9.2 DPIA Components for AI Systems
    ● Purpose and necessity assessment
    ● Data minimization review
    ● Risk assessment (data security, bias, discrimination)
    ● Mitigation measures and safeguards
    ● Oversight mechanisms
    ● Sub-processor assessment
    9.3 DPIA Availability
    Completed DPIAs are available upon request to data subjects and supervisory authorities via dpo@syntari.ai.

  10. RECORDS OF PROCESSING ACTIVITIES (ROPA) - ARTICLE 30
    10.1 AI Processing Documentation
    We maintain detailed records for all AI processing activities including:
    ● Processing purpose and scope
    ● AI model name, version, and type
    ● Categories of data processed
    ● Recipients and sub-processors
    ● Retention periods
    ● Technical and organizational security measures
    ● Legal basis for processing
    10.2 Model Lifecycle Documentation
    ● Training data sources and preprocessing
    ● Fine-tuning activities and parameters
    ● Inference logging and access controls
    ● Model version control and updates
    ● Decommissioning and data deletion procedures

  11. JOINT CONTROLLER SCENARIOS
    11.1 Joint Controllership Assessment
    When customer organizations control the content and subject matter of AI-generated outputs, we may act as joint controllers. In such cases:
    ● A Joint Controllership Agreement is required (Article 26 GDPR)
    ● Responsibilities for subject rights requests are clearly allocated
    ● Data subject communication responsibilities are defined
    ● Sub-processor management responsibilities are assigned
    11.2 Separate Controller Scenarios
    Syntari AI acts as sole data controller for:
    ● Platform analytics and usage data
    ● System security and fraud prevention
    ● Contractual performance metrics
    ● Improvement of our platform features

  12. DATA SUBJECT RIGHTS AND REQUESTS
    12.1 Scope of Requests Including AI Data
    Data subject requests (DSRs) include the following AI-specific data:
    ● All prompts and queries submitted to AI systems
    ● Generated outputs and recommendations
    ● Complete conversation logs and interaction history
    ● Metadata and processing records
    ● Training data provenance (if the subject data was used)
    12.2 Right of Access (Article 15)
    Data subjects have the right to:
    ● Confirm whether we process their personal data
    ● Access all personal data including AI-generated outputs
    ● Obtain copies of data in machine-readable format
    ● Understand the logic and reasoning behind AI recommendations
    12.3 Right to Rectification (Article 16)
    Data subjects may request correction of inaccurate data, including:
    ● Corrections to input data
    ● Correction of AI model interpretations
    ● Retraining requests for models that systematically misinterpret data
    12.4 Right to Erasure (Article 17)
    Data subjects may request deletion subject to limitations:
    ● Storage cessation for personal data
    ● Removal from AI training and fine-tuning datasets
    ● Regeneration of outputs if personal data was used
    ● Exceptions: Legal obligation, legitimate interests, public task
    12.5 Right to Restrict Processing (Article 18)
    Data subjects may request processing restrictions for:
    ● Data of contested accuracy
    ● Processing pending erasure decision
    ● Processing no longer necessary but needed for legal claims
    ● Processing based on consent pending withdrawal
    12.6 Right to Data Portability (Article 20)
    Data subjects have the right to obtain and reuse data in machine-readable format:
    ● Export of all personal data in common formats (JSON, CSV, XML)
    ● Including conversation logs and AI interaction history
    ● Direct transmission to other services (where technically feasible)
    12.7 Right to Object (Article 21)
    Data subjects may object to processing for legitimate reasons:
    ● Processing for direct marketing
    ● Processing based on legitimate interests
    ● Processing for profiling and automated decision-making
    12.8 Rights Regarding Automated Decision-Making (Article 22)
    Data subjects have rights to:
    ● Request human review of AI-generated decisions
    ● Receive explanation of decision logic
    ● Challenge recommendations with human intervention
    ● Opt-out of purely automated decisions with legal effect

  13. DATA RETENTION PERIODS
    13.1 Standard Data Retention
    Data Category          | Retention Period              | Justification
    Account information    | Duration of service + 3 years | Legal/contractual requirements
    Transaction records    | 5-7 years                     | Tax and regulatory compliance
    Activity logs          | 12 months                     | Security and service improvement
    Support communications | 2 years                       | Customer service records
    13.2 AI-Specific Retention
    AI Data Type         | Retention Period                    | Justification
    Conversation logs    | 12-24 months                        | Service quality, dispute resolution
    Model training data  | Training cycle + 1 year             | Model versioning, audit trail
    Inference logs       | 6-12 months                         | System monitoring, debugging
    Fine-tuning datasets | Until model decommissioned + 1 year | Model performance tracking

  14. DATA SECURITY AND TECHNICAL MEASURES
    14.1 Security Standards
    ● ISO 27001 certification (Information Security Management)
    ● SOC 2 Type II compliance (for service organizations)
    ● NIST Cybersecurity Framework alignment
    14.2 Technical Safeguards
    ● End-to-end encryption for data in transit (TLS 1.3)
    ● Encryption at rest using AES-256
    ● Multi-factor authentication for administrative access
    ● Regular security audits and penetration testing
    ● Intrusion detection and prevention systems
    ● Data loss prevention tools
    14.3 Organizational Safeguards
    ● Access controls and least privilege principles
    ● Employee data protection training and NDAs
    ● Background checks for personnel with data access
    ● Incident response and breach notification procedures

  15. BREACH NOTIFICATION PROCEDURES
    15.1 48-Hour Notification Cascade
    Upon discovery of a personal data breach, we notify in the following sequence:
    Notification Stage     | Recipient                   | Timeframe           | Method
    Stage 1 (Urgent)       | Customer/Controller         | Within 4 hours      | Email + phone call
    Stage 2 (Formal)       | Supervisory Authority       | Within 48 hours     | Written report to ICO/DPA
    Stage 3 (Transparency) | Data Subjects (if high risk) | Without undue delay | Email with remediation steps
    15.2 Breach Investigation
    ● Immediate containment and preservation of evidence
    ● Root cause analysis within 72 hours
    ● Scope assessment (data affected, individuals impacted)
    ● Risk assessment (likelihood of harm to data subjects)
    ● Documentation of all breach response activities

  16. UK AND SWISS DATA PROTECTION
    16.1 UK GDPR Compliance
    For data subjects in the United Kingdom:
    ● Full compliance with UK Data Protection Act 2018 and UK GDPR
    ● Reliance on UK Adequacy Decision where applicable
    ● UK IDTA mechanisms for transfers to non-adequate countries
    ● UK-specific data processing documentation
    16.2 Swiss FADP (nFADP) Alignment
    For Swiss data subjects:
    ● Compliance with the new Swiss Federal Act on Data Protection (nFADP)
    ● Extended data protection rights and consent requirements
    ● Swiss DPF extension certification
    ● Data localization considerations where required

  17. CHILDREN'S DATA PROTECTION IN AI CONTEXT
    17.1 Age Verification
    Syntari AI's platform is intended for professional use by persons 18 years and older.
    ● Age verification mechanisms are implemented at account creation
    ● Parental consent required for users 13-17 years old (where applicable by jurisdiction)
    ● Users under 13 are not permitted to use the platform
    17.2 Restrictions on AI Features for Minors
    For users under 18, the following restrictions apply:
    ● Limited access to certain AI features
    ● No profiling or interest-based recommendations
    ● Enhanced transparency for any automated decision-making
    ● Parental notification of significant AI interactions

  18. PRIVACY CONTACT INFORMATION
    Inquiry Type          | Contact Email                | Response Time
    Data subject requests | dpo@syntari.ai               | Within 30 days
    Privacy inquiries     | privacy@syntari.ai           | Within 5 business days
    EU requests           | eu-representative@syntari.ai | Within 7 days
    UK requests           | uk-representative@syntari.ai | Within 7 days
    Breach notification   | dpo@syntari.ai               | Immediate escalation
    Complaints            | dpo@syntari.ai               | Acknowledge within 24 hours

  19. SUPERVISORY AUTHORITIES AND COMPLAINTS
    19.1 Right to Lodge Complaint
    Data subjects have the right to lodge complaints with the relevant supervisory authority:
    ● European Data Protection Board (for EU data)
    ● Information Commissioner's Office (ICO) for UK data
    ● Swiss Federal Data Protection and Information Commissioner for Swiss data
    19.2 Cooperation with Authorities
    We fully cooperate with supervisory authority inquiries and provide:
    ● Timely responses to investigation requests
    ● Complete records of processing activities
    ● Documentation of compliance measures
    ● Data subject access when authorized

  20. DOCUMENT VERSION AND CONTROL
    Attribute        | Value
    Document Title   | GDPR Notice & Addendum
    Version          | 3.0
    Effective Date   | February 23, 2026
    Issued By        | Data Protection Officer
    Last Updated     | February 23, 2026
    Next Review Date | February 23, 2027

This document supersedes all previous versions of the GDPR Notice.
For questions about this Notice, please contact dpo@syntari.ai.