Privacy Policy
Last updated: April 2026
1. Data Controller
Synapsrix B.V., registered under KvK number 96abolrad at the Netherlands Chamber of Commerce, is the data controller for personal data processed through synapsrix.com and the AIComply platform.
2. What Data We Collect
2.1 Website visitors
We use privacy-focused analytics as described in the Analytics section below.
2.2 Contact form submissions
When you submit our contact form, we collect your name, email address, company name, and message. This data is processed to respond to your enquiry (Article 6(1)(b) GDPR — pre-contractual measures).
2.3 AI Act Risk Scanner
When you use our free Risk Scanner, we collect your email address, company details, and responses to the assessment questionnaire. This data is processed to generate your compliance report and to follow up with relevant information (Article 6(1)(a) GDPR — consent, and Article 6(1)(b) — service delivery).
Analytics
We use Plausible Analytics, a privacy-focused service:
- No cookies
- No personal data collected
- No cross-site tracking
- Hosted in the EU (Germany)
- Fully GDPR, CCPA, and PECR compliant by design (see Plausible's approach)
We respect the browser Do Not Track signal: when DNT is enabled, our analytics script does not load and conversion events are not recorded.
You can view our public analytics dashboard at plausible.io/synapsrix.com if we enable public access.
3. Data Storage and Transfers
All personal data is stored within the European Union. Our infrastructure providers are:
- Vercel — Frankfurt, Germany (hosting)
- Supabase — Frankfurt, Germany (database and authentication)
- Resend — EU region (transactional email)
- Sentry — Frankfurt, Germany (error monitoring)
No personal data is transferred outside the European Economic Area.
4. Your Rights
Under the GDPR, you have the right to:
- Access your personal data (Article 15)
- Rectify inaccurate data (Article 16)
- Erase your data (Article 17)
- Restrict processing (Article 18)
- Data portability (Article 20)
- Object to processing (Article 21)
Your data rights: under the GDPR you can export a copy of your data and delete your account from Settings → Privacy in AIComply. Account deletion includes a 30-day grace period during which you can reverse the request. After that, we permanently erase your personal data, keeping only anonymised audit log entries for up to 7 years where required by regulatory obligations. For other requests or questions, contact [email protected].
5. Data retention periods
We apply storage limitation (GDPR Article 5(1)(e)) with the following retention periods:
| Data type | Retention | Basis |
|---|---|---|
| Active account data | Duration of service | Contract performance |
| Scanner leads (not converted to customer) | 24 months | Legitimate interest |
| Scanner PDF reports | 90 days | Legitimate interest and proportionality |
| Compliance export files | 30 days after delivery | Minimum necessary for delivery |
| Deleted accounts (soft delete) | 30-day grace period | GDPR Article 17 |
| Audit log (anonymised after account deletion) | 7 years | Legal obligation (KvK, tax, regulatory) |
| Annex IV PDFs after subscription cancellation | 90 days then deletion | Minimum for retrieval |
| Email job records (successful) | 180 days | Support troubleshooting |
| Email job records (permanently failed) | 90 days | Incident investigation |
6. Cookies
We only use strictly necessary cookies for authentication sessions. We do not use tracking cookies, advertising cookies, or any third-party cookies. No cookie consent banner is required.
7. Sub-processors
We engage a small number of sub-processors to deliver the service. A current list, including the country of processing and links to each vendor's data processing terms, is maintained on our Sub-processors page. We provide at least 30 days' advance notice of material changes to that list; you can subscribe to email notifications on the same page.
8. Data Processing Agreement
Our standard Data Processing Agreement (DPA) template for enterprise customers is available to read online and to download as a PDF from the Sub-processors page (the PDF includes verification metadata). For execution or redlines, contact [email protected].
9. Contact
For privacy-related questions: [email protected]
Synapsrix B.V.
The Netherlands
10. Supervisory Authority
You have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.