Privacy Notice — Syno

1. Who we are

Controller / Provider
Syntactiq Dynamics FlexCo
Paradisgasse 11/13
1190 Vienna, Austria
Email: [email protected]

Depending on how Syno is used, we act:

• as a data processor (processing data on behalf of a customer), or
• as an independent data controller (for account data, service security, and limited operational purposes).

Where Syno is provided under a Data Processing Agreement, Syntactiq acts as a processor for customer-uploaded data and as a controller only for limited account, security, and compliance-related processing.

2. What Syno is (and is not)

Syno is a domain-agnostic data intelligence and analytics platform designed for research, professional, and organisational use.

Syno:

• supports data ingestion, structuring, harmonisation, and analysis,
• is used for analytical and decision-support preparation,
• does not provide professional advice,
• does not perform autonomous decision-making,
• does not execute actions or interventions,
• does not perform automated decision-making within the meaning of Article 22 GDPR.

3. Categories of personal data we process

3.1 Account and access data

• Name
• Email address
• Organisation and organisational unit
• Role and permissions
• Authentication metadata (e.g. login timestamps)

3.2 Usage and security data

• System logs
• Access logs
• Error and performance logs
• Audit trails related to data access and exports

These data are minimised, access-controlled, and used primarily for security, integrity, and compliance purposes.

3.3 Customer-uploaded or accessed data

Depending on the deployment model, Syno may process:

• research data,
• observational or longitudinal datasets,
• datasets that may include personal or sensitive data.

4. Sensitive and health-related data

Syno may be used by customers and organisations in research or analytical contexts that involve special-category data (such as health data under GDPR Article 9).

In these cases:

• the customer or data-controlling organisation is responsible for determining whether such data may lawfully be uploaded or accessed via Syno,
• the customer is responsible for establishing an appropriate legal basis (e.g. explicit consent, research exemption, or other lawful ground),
• the customer is responsible for meeting any additional ethical, institutional, or regulatory requirements applicable to their use case.

Syntactiq:

• does not determine the nature or sensitivity of customer-uploaded datasets,
• does not decide whether health or other special-category data should be processed,
• provides technical and organisational safeguards suitable for high-risk research environments.

Where required by law or agreement, processing of such data is supported by documented safeguards and data protection impact assessments (DPIAs).

This allocation of responsibility is consistent with the Syno Terms of Use, which require users to access and process data only within the scope of their legal rights, dataset access conditions, and organisational authorisations.

5. Purposes of processing

We process personal data only for clearly defined purposes, including:

• providing and operating Syno
• user authentication and access control
• maintaining platform security and integrity
• preventing misuse, unauthorised access, and data exfiltration
• complying with legal and regulatory obligations

6. Legal bases for processing

We do not sell personal information.

We do not share personal information for cross-context behavioral advertising.

Data is disclosed only to service providers, contractors, or research partners under written agreements that prohibit secondary use, re-identification, and onward disclosure.

Where processing is based on legitimate interests, we conduct balancing assessments to ensure that such interests are not overridden by data subject rights.

European Union (GDPR)

Depending on the context, processing is based on:

• Contractual necessity (Art. 6(1)(b))
• Legitimate interests (Art. 6(1)(f)), particularly for security and abuse prevention
• Legal obligations (Art. 6(1)(c))
• Explicit consent (Art. 6(1)(a), Art. 9(2)(a)) where required

United States

Processing is aligned with:

• contractual obligations,
• legitimate business purposes,
• applicable state privacy laws (e.g. CCPA/CPRA where relevant).

7. Deployment models and responsibility

Syno can be provided under different deployment models:

Responsibility for availability, security, and compliance depends on the deployment model and applicable agreements.

8. Data sharing and sub-processors

We share personal data only:

• with authorised subprocessors necessary to provide the service,
• only in the EU, unless otherwise required for an individual deployment for an individual customer,
• under written agreements (including DPAs),
• with appropriate safeguards for international transfers.

Where Syno is deployed in a company-hosted configuration, Syntactiq may use Google Cloud Platform (including managed analytics and inference services such as Vertex AI) as a sub-processor. For on-premise deployments, no customer research data is transferred to cloud infrastructure unless explicitly agreed.

9. International data transfers

Where personal data is transferred outside the EU/EEA:

• we rely on adequacy decisions, or
• standard contractual clauses (SCCs), or
• equivalent lawful transfer mechanisms.

10. Data retention

We retain personal data only for as long as necessary for:

• providing the service,
• fulfilling legal obligations,
• ensuring security and auditability.

Customer-uploaded data is retained according to customer instructions and contractual terms.

Account and security log data are retained according to internal retention schedules aligned with security and legal requirements.

11. Security measures

We apply technical and organisational measures aligned with:

• GDPR Article 32
• ISO/IEC 27001
• established practices of trusted research environments

Measures include:

• encryption in transit and at rest,
• strict access control and least-privilege principles,
• logging and monitoring of access and exports,
• incident detection and response procedures,
• where cloud infrastructure is used, we rely on providers certified to ISO/IEC 27001 and equivalent standards, and configure services to restrict data residency to the European Union.

12. Your rights

EU / GDPR users

You have the right to:

• access your personal data
• rectify inaccurate data
• request erasure
• restrict processing
• object to processing
• data portability
• withdraw consent at any time
• lodge a complaint with a supervisory authority

The competent supervisory authority in Austria is the Austrian Data Protection Authority (Datenschutzbehörde).

US users

Depending on your state, you may have rights to:

• access
• deletion
• correction
• opt out of certain processing

Requests can be made via [email protected].

13. Monitoring and misuse prevention

To protect users and datasets, we actively monitor usage for:

• unauthorised access
• misuse of credentials
• unauthorised data export or exfiltration

Monitoring is proportionate, security-focused, and aligned with research ethics and legal obligations.

14. Changes to this policy

We may update this Privacy Policy to reflect changes in law, technology, or our services. Material changes will be communicated appropriately.