Privacy Policy Synai Portal

Version: 1.2
Last updated: March 2026

1. Introduction

Synai ("we", "us", "Synai") attaches great importance to the protection of your personal data. In this Privacy Policy, we explain which personal data we collect, why we collect it, and what your rights are under the General Data Protection Regulation (GDPR).

This Privacy Policy applies to the use of the Synai Portal and all associated services.

Important: The use of the Portal and the provision of your data is entirely at your own expense and risk.

2. Data Controller

SynAI B.V.
Chamber of Commerce (KVK): 42009196

Lindanusstraat 14 - 16
6031EA Nederweert
The Netherlands

Email: info@synai.eu
Phone: +31 85 369 5490
Website: https://synai.eu

For questions about this Privacy Policy or your personal data, you can contact us using the details above.

3. What Personal Data Do We Collect?

We may collect the following categories of personal data:

3.1 Account Data

• Name and email address
• Password (stored in encrypted form)
• Organisation data (Tenant information)
• User permissions and roles

3.2 Technical Data

• IP address
• Browser and device information
• Cookies and similar technologies
• Log files (access times, features used)

3.3 Portal Usage

• Created workflows and apps
• Connected external services (servers, APIs)
• AI usage statistics (credits)
• Files and data that you upload or process via the Portal
• Files stored in your dedicated Google Workspace Shared Drive

3.4 Communication

• Emails and messages between you and Synai
• Notifications and alerts

4. Why Do We Collect This Data?

We process your personal data for the following purposes and legal bases:

4.1 Performance of the Agreement

• Purpose: Providing the Portal and associated services
• Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

4.2 Technical Functionality

• Purpose: Ensuring the operation, security and optimisation of the Portal
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.3 Customer Service and Support

• Purpose: Answering questions and providing support
• Legal basis: Performance of a contract and legitimate interest

4.4 Billing and Administration

• Purpose: Processing payments and maintaining records
• Legal basis: Performance of a contract and legal obligation (Art. 6(1)(c) GDPR)

4.5 Marketing and Communication (optional)

• Purpose: Sending newsletters and product information
• Legal basis: Consent (Art. 6(1)(a) GDPR) - you may unsubscribe at any time

5. With Whom Do We Share Your Data?

We only share your personal data with third parties if this is necessary for the provision of services or if we are legally required to do so:

5.1 Hosting Providers

• Party: DigitalOcean, Hetzner
• Purpose: Hosting of the Portal and databases
• Safeguards: Data processing agreements in accordance with the GDPR

5.2 AI Service Providers

IMPORTANT WARNING:

• Party: OpenRouter (AI API aggregator) and underlying AI models (OpenAI, Anthropic, Google, etc.)
• Purpose: Processing AI-related requests and generating AI content
• Safeguards: Data processing agreements where available

Users should be aware:

• Data that you process via AI services is forwarded to external AI providers
• These providers may be located outside the EU/EEA (particularly in the United States)
• YOU are fully responsible for what data you process via AI tools
• NEVER send sensitive personal data, trade secrets or confidential information via AI services
• Synai has no control over how external AI providers process, store or use your data
• AI providers may use your data to train their models
• Always consult the privacy policy of the relevant AI provider
• The use of AI services is entirely at your own risk

5.3 External APIs and Integrations

• Party: Services that you connect via the Portal yourself (e.g. external servers, third-party APIs)
• Purpose: Execution of your workflows and automations
• Note: For these integrations, you are responsible as the data controller

5.5 Legal Obligations

We may be obliged to provide personal data to:

• Tax authorities (fiscal administration)
• Government authorities in cases of legal obligations or court orders

6. Retention Periods

We do not retain your personal data longer than necessary for the purposes for which they were collected:

Data Category	Retention Period
Account data	As long as your account is active + 1 month after termination
Billing data	7 years (legal obligation - tax authorities)
Technical logs	6 months
Marketing data	Until withdrawal of consent or 2 years of inactivity
Support communication	3 years

7. Security of Your Data

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

• Encryption: HTTPS/TLS for data transport, encrypted storage of passwords
• Access control: Restricted access to personal data for employees on a need-to-know basis
• Multi-tenant isolation: Strict separation of data between different organisations (Tenants)
• Regular updates: Security updates and patches
• Monitoring: Proactive detection of unauthorised access

Disclaimer: Despite these measures, we cannot guarantee absolute security. No system is 100% secure. The use of the Portal is at your own risk. Should a data breach occur, we will report it in accordance with the GDPR to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, if necessary, to you.

8. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

8.1 Right of Access (Art. 15 GDPR)

You have the right to know which personal data we process about you.

8.2 Right to Rectification (Art. 16 GDPR)

You may request us to correct inaccurate or incomplete data.

8.3 Right to Erasure (Art. 17 GDPR - 'Right to be Forgotten')

You may request the deletion of your personal data, unless we have a legal obligation to retain it.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request a temporary restriction of the processing of your data.

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format.

8.6 Right to Object (Art. 21 GDPR)

You may object to the processing of your data on the basis of legitimate interest.

8.7 Right to Withdraw Consent

For processing based on consent, you may withdraw your consent at any time.

How do you exercise your rights?
You can submit a request by sending an email to info@synai.eu. We will respond to your request within 30 days.

9. Cookies and Tracking

The Portal uses cookies and similar technologies.

Essential Cookies

These cookies are necessary for the operation of the Portal (e.g. login, security features).

Analytical Cookies

We may collect anonymous statistics about the use of the Portal to improve the user experience.

You can manage cookies through your browser settings.

10. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). Should we transfer data to countries outside the EEA, we ensure that:

• The European Commission has determined that the country provides an adequate level of protection; or
• We have put in place appropriate safeguards (e.g. EU Standard Contractual Clauses).

10.1 AI Services and International Transfers

CRITICAL WARNING FOR USERS OF AI SERVICES:

1. Data transfer outside the EU/EEA: When using AI services via the Portal, your prompts and data are forwarded to external AI providers located in the United States or other countries outside the EU/EEA.

2. User responsibility - YOU are fully responsible for:

   • Deciding what data you process via AI services
   • Complying with the GDPR when processing personal data via AI
   • Obtaining consent from data subjects if you process their personal data via AI
   • Carrying out a Data Protection Impact Assessment (DPIA) if required
   • All consequences of using AI services

3. Risks of AI usage:

   • AI providers may use your data to train their models
   • Data may be retained longer than you expect
   • There is NO guarantee of confidentiality when using external AI services
   • You have no control over what happens with your data at the AI provider

4. NEVER send:

   • Special categories of personal data (health data, criminal records, etc.)
   • Sensitive business information or confidential data
   • Personal data without the explicit consent of the data subject
   • Data subject to confidentiality obligations
   • Information that could cause harm if made public

5. Synai's responsibility: Synai acts solely as a pass-through and is NOT the data controller for the data you process via AI services. You are the data controller for these processing activities.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will inform you of material changes via email or a notification in the Portal.

Continued use of the Portal after changes constitutes acceptance of the amended Privacy Policy.

Last modified: March 2026

12. Complaints

If you are not satisfied with the way we handle your personal data, you may file a complaint with:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 88 1805 250

13. Contact

For questions about this Privacy Policy or your personal data:

SynAI B.V.
Chamber of Commerce (KVK): 42009196

Lindanusstraat 14 - 16
6031EA Nederweert
The Netherlands

Email: info@synai.eu
Phone: +31 85 369 5490
Website: https://synai.eu

By using the Synai Portal, you acknowledge that you have read and agree to this Privacy Policy. The use of this platform is entirely at your own risk.