syntact
Legal

Privacy Policy

This policy explains what personal data we collect when you visit syntact.io or contact us, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR).

Last updated: 20 May 2026

1. Controller

The controller responsible for the processing of personal data on this website within the meaning of Art. 4(7) GDPR is:

Brainformance IT-Services GmbH
THE ICON VIENNA, Wiedner Gürtel 13, 1100 Wien, Austria
Email: privacy@syntact.io

For any questions about this policy or to exercise your rights, contact us at the email above.

2. Data we process

We process the following categories of data:

  • Server log data — when you visit the site, our hosting provider automatically processes IP address, user agent, referrer, requested URL and timestamp for security and stability (Art. 6(1)(f) GDPR — legitimate interest in operating a secure service). Logs are retained for up to 30 days.
  • Contact form / demo requests — name, business email, company, role and the message you send us. We use this to respond to your enquiry and, where applicable, to follow up on a potential business relationship (Art. 6(1)(b) and (f) GDPR).
  • Analytics and advertising — only with your consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG / ePrivacy). See section 4.

3. Cookies and similar technologies

We use strictly necessary cookies and local storage to remember your cookie choice and to keep the site functional. These do not require consent.

Optional analytics and advertising cookies are only set after you click Accept in the cookie banner. You can withdraw your consent at any time by clearing the cookie-consent entry in your browser storage and reloading the page.

4. Analytics and advertising

Subject to your consent, we use the following third-party services. All are loaded with Google Consent Mode v2 defaulting to denied; no identifiers are set until you accept.

  • Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) — measurement of traffic and on-site behaviour. Property ID: G-9KCZT2BPC8.
  • Google Ads (Google Ireland Ltd.) — measurement of advertising effectiveness and conversion tracking. Account ID: AW-18175304514.

These services may transfer personal data (including online identifiers) to the United States. Google LLC is certified under the EU–US Data Privacy Framework, which the European Commission has recognised as providing an adequate level of protection (Commission Decision of 10 July 2023). Additional safeguards include Standard Contractual Clauses.

Legal basis: your consent under Art. 6(1)(a) GDPR and § 25(1) TTDSG.

5. Hosting and processors

The website is delivered via Cloudflare (Cloudflare, Inc., 101 Townsend St, San Francisco, CA, USA) with EU edge locations. Backend services run on Supabase infrastructure with EU data residency. Both act as processors under Art. 28 GDPR on the basis of a data processing agreement.

6. Recipients

We do not sell personal data. We share data only with the processors listed above, with our certified solution partners when you ask us to, and with public authorities where legally required.

7. International transfers

Where personal data is transferred to a country outside the EEA, we rely on an adequacy decision of the European Commission or on appropriate safeguards under Art. 46 GDPR (in particular Standard Contractual Clauses).

8. Retention

We keep personal data only as long as necessary for the purpose it was collected for, or as required by law. Demo and contact enquiries are kept for up to 24 months after our last interaction unless a contractual or legal obligation requires longer retention. Analytics data is retained according to Google's default settings (14 months) unless otherwise configured.

9. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal (Art. 7(3)).

To exercise any of these rights, email privacy@syntact.io. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).

10. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR) including TLS in transit, encryption at rest, role-based access, audit logging and EU data residency.

11. Changes

We may update this policy to reflect changes in our practices or the law. The current version is always available on this page, with the “Last updated” date at the top.

Looking for our security and deployment posture? See Security & deployment.