Privacy Policy

Our Commitment to Security & Privacy

Security and privacy are our top priorities. Synavistra is built on a zero-tracking, security-first architecture. We do not collect analytics data, tracking pixels, or persistent identifiers. We use secure HttpOnly cookies for authentication and encrypt all data in transit and at rest. Your data is your own.

1. Data Collection

Synavistra collects only the minimum data necessary to operate our Partnership and Learning Platform:

• Account Information: Email address and name (for account creation and communication)
• Course Data: Content you create, student enrollments, and opt-in learning progress
• Payment Information: Payment method details processed via secure third-party providers (not stored by us)
• Technical Logs: Security audit logs (hashed email, action type — retained for 365 days), email delivery logs (hashed recipient, status — retained for 90 days), and payment webhook logs (event type, order reference — retained for 365 days). All personal identifiers are encrypted at rest. Automated daily purge removes records past retention.

What we do NOT collect:

• Analytics or behavioral tracking
• Tracking cookies or persistent identifiers
• Third-party data from social networks
• Geolocation data
• Device fingerprinting

2. GDPR Compliance

Synavistra operates in full compliance with the General Data Protection Regulation (GDPR). As a data controller, we:

• Process only data you provide or authorize
• Maintain data processing agreements with all sub-processors
• Implement appropriate technical and organizational safeguards
• Honor data subject rights (access, rectification, erasure, portability)
• Maintain records of all processing activities

3. Data Storage & Location

All personal data is stored on Cloudflare infrastructure with primary location hints set to Western Europe (weur), ensuring compliance with EU data residency requirements. Data is encrypted both in transit (TLS 1.3) and at rest.

4. Third-Party Services

Synavistra uses the following third-party services:

• Cloudflare: Infrastructure provider (Workers, D1, KV, R2) - Privacy Policy
• Payment Processors: PCI-DSS compliant payment processors (e.g., Paddle) — payment card data is never transmitted to or stored by Synavistra. We retain only order references and event types for reconciliation (encrypted, purged after 365 days).
• Email Delivery: Transactional email services for account notifications only

All third-party processors are bound by data processing agreements ensuring GDPR compliance.

5. Your Rights

Under GDPR, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right of Rectification: Correct inaccurate data
• Right of Erasure: Delete your data (subject to legal obligations)
• Right of Data Portability: Export your data in a standard format
• Right to Object: Object to processing of your data

To exercise these rights, contact us at privacy@synavistra.ai.

6. Data Retention

We retain personal data only as long as necessary. An automated daily purge permanently deletes records past their retention period:

• Account Data: Retained for the lifetime of your account (encrypted email, license records, seat assignments)
• Security Audit Logs: 365 days (hashed email, action type — used for security incident investigation)
• Email Delivery Logs: 90 days (hashed recipient, delivery status — no message content stored)
• Payment Webhook Logs: 365 days (event type, order reference — for payment reconciliation and dispute resolution)
• Course Content: Retained until you delete your account or course
• Payment Records: Retained for 7 years (Austrian accounting requirements, BAO §132)
• Authentication Tokens: Purged within minutes of expiry (OAuth state, session tokens — no long-term storage)

7. Security

Synavistra implements industry-standard security measures:

• HTTPS/TLS 1.3 encryption for all data in transit
• Encryption at rest for sensitive data
• Regular security audits and penetration testing
• Secure password requirements and multi-factor authentication support
• Access controls and role-based permissions

8. Cookies & Tracking

Synavistra does not use tracking cookies, analytics cookies, or third-party cookies. Our public marketing website is fully functional without any cookies. When you sign in to the portal, we use a single secure HttpOnly session cookie to maintain your authenticated session. This cookie contains no tracking data, expires when you close your browser or after 24 hours, and is never shared with third parties.

Under GDPR Article 6(1)(b), session cookies are classified as 'strictly necessary' for providing the service you requested (authenticated access). No consent is required for strictly necessary cookies.

8b. AI Document Processing

Our AI document analysis tools process documents entirely within your web browser. No document content, extracted entities, knowledge graphs, or processing results are transmitted to Synavistra servers or any third party. The AI model is downloaded once and cached locally. For complete details about our AI models and training data, see our AI Transparency page.

9. Contact & Data Protection Officer

For privacy-related inquiries or to exercise your rights:

• Email: privacy@synavistra.ai
• Company: Synavistra GmbH, Feldkirch, Vorarlberg, Austria