Legal · Synaltix LLC
Privacy Policy
Transparency statement for the processing of personal data by Synaltix LLC.
Last updated: 2026-05-29 · Version: 1.0
1. Controller and contact details
The data controller is Synaltix LLC, a limited liability company organised under the laws of the State of New Mexico, USA, with its registered office at 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States.
- General: contact@synaltix.io
- Data requests: privacy@synaltix.io
- Security disclosures: security@synaltix.io
- Legal notices: legal@synaltix.io
- EU Representative (GDPR Art. 27): to be appointed; see Imprint for current details
- UK Representative (UK GDPR Art. 27): to be appointed
- Türkiye Representative (KVKK Art. 11/A): to be appointed
2. What we collect, why, and on what basis
2.1 Website visitors
We collect minimal browsing data to keep the site reachable and to detect abuse. Specifically:
- HTTP request metadata: IP address, user-agent, referrer, URL.
- Strictly-necessary cookies: session, CSRF, language preference.
- Analytics cookies (only after explicit consent): page views, time on page, navigation path. No cross-site tracking, no advertising profiles.
Lawful basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure website (for strictly necessary processing) and Art. 6(1)(a) GDPR — consent (for analytics). Equivalent KVKK md. 5/2(f) and 5/1.
2.2 Contact form
When you submit the form on /contact, we collect your name, email address, message body, and the submission IP address. Delivery is performed by Resend (processor) under EU Standard Contractual Clauses 2021/914 Module 2 and ancillary safeguards under KVKK Art. 9.
Lawful basis: Art. 6(1)(b) GDPR — pre-contractual steps at your request, plus 6(1)(f) — legitimate interest in responding to enquiries. KVKK md. 5/2(c) and 5/2(f).
Retention: 12 months from the last related message, unless a statutory retention obligation arises.
2.3 Server logs
Aggregated request logs are retained for 30 days for security monitoring, then truncated to coarse aggregates for capacity planning.
3. Sub-processors
- Vercel Inc. — hosting and edge runtime. EU/US data centres. Vercel DPA + SCCs Module 2.
- Resend Inc. — transactional email delivery. Resend DPA + SCCs Module 2.
- Cloudflare Inc. — DNS and DDoS protection. Cloudflare DPA + SCCs.
A current list of sub-processors is maintained at /imprint and updated with at least 30 days' notice for material changes.
4. International transfers
Some sub-processors are located in the United States. Transfers rely on EU Standard Contractual Clauses 2021/914 (Modules 2 and 3), with supplementary measures (encryption in transit and at rest, network access controls) per EDPB Recommendations 01/2020. For Türkiye, transfers rely on the appropriate safeguards under KVKK md. 9 as amended by Law No. 7499 (2024).
5. Your rights
Subject to your jurisdiction, you have the right to:
- access the personal data we hold about you;
- obtain rectification of inaccurate data;
- request erasure ("right to be forgotten");
- restrict or object to processing;
- receive your data in a portable format;
- withdraw consent at any time (without affecting prior processing);
- lodge a complaint with your national supervisory authority (e.g. KVKK Kurumu, ICO, your EU member-state DPA, the California Privacy Protection Agency).
Send requests to privacy@synaltix.io. We respond within 30 days (GDPR Art. 12(3) / KVKK md. 13) and may extend by a further two months for complex requests, with a reasoned notice.
6. Security and breach notification
We apply industry-standard technical and organisational measures: TLS 1.3 in transit, AES-256 at rest, role-based access control, MFA on administrative accounts, structured logging with PII scrubbing, and quarterly access reviews. In the event of a personal data breach, we notify the lead supervisory authority within 72 hours (GDPR Art. 33; KVK Kurulu Decision 2019/10) and affected data subjects without undue delay where the breach is likely to result in high risk to your rights.
7. Children
The site is not directed to children below the digital-consent age in your jurisdiction (typically 13–16 in the EU, 13 in the UK and US under COPPA, 18 in Türkiye for full contractual capacity). We do not knowingly collect data from such users; please contact privacy@synaltix.io if you believe we have.
8. Changes to this policy
Material changes are announced at least 30 days in advance via an on-site banner and (if applicable) by email. The version number above is bumped on every change.