Sinaptic® AI

Privacy Policy

Effective: April 2026 · TOV «Sinaptic AI» / Sinaptic AI LLC · Diia.City Resident

1. Introduction

TOV «Sinaptic AI» (hereinafter “Sinaptic,” “we,” “us,” or “our”), a company registered under the laws of Ukraine and a resident of Diia.City, is committed to protecting the privacy and personal data of all individuals who interact with our products, services, and digital properties. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our AI-powered cybersecurity products — Browser DLP, Sinaptic AI Intent Firewall®, and Sinaptic® DROID+ — as well as our website at sinaptic.ai.

This policy is drafted in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Law of Ukraine “On the Protection of Personal Data” No. 2297-VI, and other applicable privacy legislation in jurisdictions where we operate.

By using our services, visiting our website, or otherwise engaging with Sinaptic, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for processing your personal data is:

TOV «Sinaptic AI»

Diia.City Resident

Kyiv, Ukraine

Email: hello@sinaptic.ai

Where Sinaptic processes personal data on behalf of enterprise clients through our Browser DLP, Sinaptic AI Intent Firewall®, or Sinaptic® DROID+ products, we act as a data processor. In such cases, the client organization is the data controller, and a Data Processing Agreement governs the relationship.

3. Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with us:

3.1 Data Provided Directly by You

  • Account Information: Full name, business email address, company name, job title, and phone number when you create an account, request a demo, or contact us.
  • Communication Data: Content of emails, form submissions, and support tickets, including any personal data you choose to include.
  • Billing Data: Company billing address, VAT identification number, and payment method details (processed via third-party payment processors).
  • Feedback and Survey Data: Responses to product surveys, feedback forms, or research interviews.

3.2 Data Collected Automatically

  • Device and Browser Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
  • Usage Data: Pages visited, time spent on pages, click patterns, referral sources, and navigation paths on sinaptic.ai.
  • Log Data: Server logs recording access timestamps, request URLs, HTTP status codes, and user-agent strings.

3.3 Data Processed Through Our Products

  • Browser DLP: Browser activity metadata, data classification labels, and policy violation events. Actual content is classified on-device and is not transmitted to Sinaptic servers unless explicitly configured by the client’s administrator.
  • Sinaptic AI Intent Firewall®: AI agent action requests, intent classification results, and approval/denial logs. Payload content is hashed and never stored in plaintext.
  • Sinaptic® DROID+: Deployment configuration metadata, agent runtime telemetry, and performance metrics. Customer business data processed by deployed agents remains under the sole control of the client.

4. Purposes and Legal Basis for Processing

We process personal data only where we have a lawful basis to do so under Article 6 of the GDPR:

Purpose | Legal Basis
Providing and maintaining our services | Performance of a contract (Art. 6(1)(b))
Processing payments and invoicing | Performance of a contract (Art. 6(1)(b))
Responding to inquiries and support requests | Legitimate interest (Art. 6(1)(f))
Improving product performance and security | Legitimate interest (Art. 6(1)(f))
Sending marketing communications | Consent (Art. 6(1)(a))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))
Website analytics and optimization | Consent (Art. 6(1)(a)) / Legitimate interest

Where we rely on legitimate interest, we have conducted a balancing test to ensure that the processing does not override the fundamental rights and freedoms of the data subjects concerned.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

  • Account data: Retained for the duration of the contractual relationship plus 3 years after termination, unless a longer retention period is required by Ukrainian tax law.
  • Billing and transaction records: 7 years in accordance with Ukrainian fiscal legislation.
  • Support communications: 2 years after resolution of the inquiry.
  • Website analytics data: 26 months from the date of collection, then aggregated or deleted.
  • Product telemetry and logs: 90 days in identifiable form; thereafter anonymized and retained for product improvement.
  • Marketing consent records: Retained for as long as consent is valid, plus 3 years for evidentiary purposes.

6. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Ukraine, you have the following rights with respect to your personal data:

  • Right of Access (Art. 15): You may request confirmation of whether we process your personal data and, if so, obtain a copy of such data and information about how it is processed.
  • Right to Rectification (Art. 16): You may request correction of inaccurate personal data or completion of incomplete data.
  • Right to Erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing, subject to applicable legal retention obligations.
  • Right to Restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
  • Right to Data Portability (Art. 20): You may request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object (Art. 21): You may object to processing based on legitimate interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, or with the Ukrainian Parliament Commissioner for Human Rights.

To exercise any of these rights, please contact us at hello@sinaptic.ai. We will respond to verified requests within 30 days.

7. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to provide functionality, analyze usage, and personalize your experience. We categorize cookies as follows:

  • Strictly Necessary Cookies: Essential for the website to function (e.g., session management, CSRF protection). These do not require consent.
  • Analytics Cookies: Help us understand how visitors interact with our website. Deployed only with your consent. We use privacy-focused analytics that do not create individual profiles.
  • Functional Cookies: Remember your preferences (language, region) to provide a personalized experience. Deployed with your consent.

We do not use third-party advertising cookies or engage in behavioral targeting. You may manage your cookie preferences at any time through our cookie consent banner or your browser settings.

8. Third-Party Processors and Data Sharing

We do not sell personal data. We share personal data with third parties only in the following circumstances:

  • Cloud Infrastructure Providers: We host our services on cloud platforms located within the EU and Ukraine. All providers are bound by Data Processing Agreements that ensure GDPR-equivalent protections.
  • Payment Processors: Payment processing is handled by PCI DSS-compliant third-party providers. We do not store full credit card numbers.
  • Communication Tools: Email delivery services used for transactional and marketing emails, bound by DPAs.
  • Legal and Regulatory Authorities: Where required by applicable law, court order, or binding regulatory request.
  • Professional Advisors: Legal counsel, auditors, and insurers, under appropriate confidentiality obligations.

A current list of sub-processors is maintained and made available to enterprise clients upon request under the terms of their Data Processing Agreement.

9. International Data Transfers

Sinaptic is headquartered in Ukraine. As a Diia.City resident, we operate within a regulatory framework designed to align with EU standards. Where personal data is transferred from the EEA to Ukraine, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Supplementary technical and organizational measures, including encryption in transit and at rest.
  • Binding Data Processing Agreements with all sub-processors involved in cross-border transfers.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256).
  • Role-based access controls and the principle of least privilege.
  • Regular vulnerability assessments and penetration testing.
  • Security incident response procedures with defined escalation paths.
  • Employee security awareness training conducted quarterly.
  • Physical security controls at data center facilities.

11. Data Protection Officer

Sinaptic has appointed a Data Protection Officer (DPO) to oversee compliance with this policy and applicable data protection legislation. The DPO can be contacted at:

Data Protection Officer

TOV «Sinaptic AI»

Email: hello@sinaptic.ai

12. Children’s Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or products. Material changes will be communicated through our website and, where appropriate, by direct notification to affected individuals. The “Effective” date at the top of this page indicates when this version was last updated. We encourage you to review this page periodically.

Request Compliance Information

If you have questions about this policy or wish to exercise your data protection rights, please use the form below or email us directly at hello@sinaptic.ai.