Privacy Policy
Synavistra's privacy policy — GDPR-compliant data handling, zero-tracking architecture, and the data-subject rights you can exercise under EU law.
Our Commitment to Security & Privacy
Security and privacy are our top priorities. Synavistra is built on a zero-tracking, security-first architecture. We do not collect analytics data or persistent identifiers, and we do not use tracking pixels. We use secure HttpOnly cookies for authentication and encrypt all data in transit and at rest. Your data is your own.
Data Collection
Synavistra processes data in four distinct contexts, each with its own minimum-necessary data flow:
- Marketing site (synavistra.ai): No personal data collected. Zero analytics, zero tracking, no accounts. The site is fully unauthenticated and stateless from a user-data perspective.
- Public AI Document Pipeline demo: Zero data leaves your device. The tool runs entirely in your browser; your PDFs and analysis results stay on your local machine. The model file is fetched once on first use from our CDN (no user identity attached). No upload endpoints, no Synavistra-side log of your content.
- Institutional-licensee portal (portal.synavistra.ai): Email address and display name (via Google OAuth, only when a licensee signs in to manage their organization's seats), license records, seat-occupancy assignments, and admin-action audit trails. The portal is access-restricted; no public-facing data collection.
- Engagement context: Customer documents and processing artifacts during a paid engagement are governed entirely by the signed SOW. Data is processed on Synavistra's accounts during the engagement window; the customer takes home all artifacts at delivery and Synavistra deletes its working copies per the SOW's data-handling terms. See the Services page for engagement-variant details.
What we do NOT collect:
- Analytics or behavioral tracking
- Tracking cookies or persistent identifiers
- Third-party data from social networks
- Geolocation data
- Device fingerprinting
GDPR Compliance
Synavistra operates in full compliance with the General Data Protection Regulation (GDPR). As a data controller, we:
- Process only data you provide or authorize
- Maintain data processing agreements with all sub-processors
- Implement appropriate technical and organizational safeguards
- Honor data subject rights (access, rectification, erasure, portability)
- Maintain records of all processing activities
Data Storage & Location
All personal data is stored on Cloudflare infrastructure with primary location hints set to Western Europe (weur), ensuring compliance with EU data residency requirements. Data is encrypted both in transit (TLS 1.3) and at rest.
Third-Party Services
Synavistra uses the following third-party services:
- Cloudflare: Infrastructure provider (Workers, D1, KV, R2); see Cloudflare's Privacy Policy
- Payment processing: Synavistra does not process payments through the website. Engagement fees are invoiced directly per the signed SOW. If we add a payment processor in the future, this section will be updated to disclose its identity, scope, and PCI-DSS standing.
- Email Delivery: Transactional email services for account notifications only
All third-party processors are bound by data processing agreements ensuring GDPR compliance.
Your Rights
Under GDPR, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right of Rectification: Correct inaccurate data
- Right of Erasure: Delete your data (subject to legal obligations)
- Right of Data Portability: Export your data in a standard format
- Right to Object: Object to processing of your data
To exercise these rights, contact us at privacy@synavistra.ai.
Data Retention
We retain personal data only as long as necessary. An automated daily purge permanently deletes records past their retention period:
- Account Data: Retained for the lifetime of your account (encrypted email, license records, seat assignments)
- Security Audit Logs: 365 days (hashed email, action type — used for security incident investigation)
- Email Delivery Logs: 90 days (hashed recipient, delivery status — no message content stored)
- Payment webhooks: Not applicable. No payment system is in operation. If introduced, retention will be disclosed here.
- License records: Retained for the duration of the license + 1 year for audit and renewal-record purposes.
- Engagement records: Per the signed SOW. Customer documents and processing artifacts are deleted from Synavistra-side storage at engagement delivery; only the executed SOW and provenance manifest are retained for tax and audit purposes (typically 7 years per Austrian commercial law).
- Authentication Tokens: Purged within minutes of expiry (OAuth state, session tokens — no long-term storage)
Security
Synavistra implements industry-standard security measures:
- HTTPS/TLS 1.3 encryption for all data in transit
- Encryption at rest for sensitive data
- Regular security audits and penetration testing
- Secure password requirements and multi-factor authentication support
- Access controls and role-based permissions
Cookies & Tracking
Synavistra does not use tracking cookies, analytics cookies, or third-party cookies. Our public marketing website is fully functional without any cookies. When you sign in to the portal, we use a single secure HttpOnly session cookie to maintain your authenticated session. This cookie contains no tracking data, expires when you close your browser or after 24 hours, and is never shared with third parties.
Under GDPR Article 6(1)(b), session cookies are classified as 'strictly necessary' for providing the service you requested (authenticated access). No consent is required for strictly necessary cookies.
AI Document Processing
Our AI document pipeline processes documents entirely within your web browser. No document content, extracted entities, knowledge graphs, or processing results are transmitted to Synavistra servers or any third party. The AI model is downloaded once and cached locally. For the full system card, EU AI Act Art. 50 compliance statement, and operational transparency details, see our Compliance & Transparency page.
Contact & Data Protection Officer
For privacy-related inquiries or to exercise your rights:
- Email: privacy@synavistra.ai
- Company: Synavistra GmbH, Feldkirch, Vorarlberg, Austria
- Legal information & company registration: See our Impressum for company-registration details, Geschaeftsfuehrer, Firmenbuchnummer, and the Austrian §5 ECG-required legal information.
Frequently Asked Questions
Q: Does Synavistra use cookies or tracking?
A: No. We use a zero-tracking architecture with no analytics cookies, no third-party tracking pixels, and no social media integrations that could compromise your privacy. We only use essential session cookies for logged-in users.
Q: How can I request deletion of my data?
A: Contact privacy@synavistra.ai to request data deletion. Under GDPR, you have the right to erasure ('right to be forgotten'). We will process your request within 30 days and confirm deletion.
Q: Where is my data stored?
A: Your data is stored on Cloudflare's global edge network with primary storage in the EU. All data is encrypted in transit (TLS 1.3) and at rest. We maintain GDPR compliance with appropriate data processing agreements.
Q: What are my GDPR rights?
A: Under GDPR, you have the right to access, rectify, erase, and port your data. You can also object to processing and restrict how we use your information. Contact privacy@synavistra.ai to exercise any of these rights.