This notice explains how Synelo Studio ("Synelo", "we", "us") processes personal data when you visit synelostudio.com, receive a website audit ("scan"), engage us for a project, or receive outreach from us. It is written to satisfy Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).
1. Data controller
Synelo Studio
EU
Email: privacy@synelostudio.com
2. What we collect, why, and on what legal basis
| Activity | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Website browsing | IP address, user agent, page paths, referrer | Operate the site, security, abuse prevention, anonymous analytics | Legitimate interest (Art 6(1)(f)) — security; Consent (Art 6(1)(a)) for analytics | Server logs 30 days; analytics 14 months |
| Website scan / AIRS audit | The URL you submit, public website content, technical signals | Generate and store an audit report for you | Performance of a request you submitted (Art 6(1)(b)) | 90 days from creation; deleted on request |
| Cold outreach | Publicly listed business email, website data, name (if public) | Send a one-time relevant offer based on a website audit | Legitimate interest (Art 6(1)(f)) — B2B prospecting | Suppressed forever once you ask us to stop; otherwise 12 months |
| Concierge bot (chat) | Email, optional name, your messages, IP, timestamps | Answer your questions; let the team follow up | Consent (Art 6(1)(a)) — you submit the form | 24 months from last message |
| Project engagement | Contact details, billing data, project artifacts, communications | Deliver the engagement; comply with tax law | Contract (Art 6(1)(b)); Legal obligation (Art 6(1)(c)) for invoices | For the duration of the project; invoices kept 10 years (Czech accounting law) |
| Email delivery | Recipient address, delivery + open metadata | Send transactional and outbound email; bounce/complaint handling | Legitimate interest (Art 6(1)(f)) | 90 days for delivery logs |
3. Who we share data with (processors and recipients)
We use the following sub-processors. We have a Data Processing Agreement (DPA) with each. See our DPA page for the legal terms.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting / CDN | USA + EU edge | EU SCCs |
| Supabase Inc. | Database | EU (Frankfurt) | Within EEA |
| Resend, Inc. | Transactional email | USA | EU SCCs |
| Anthropic PBC | AI inference (audits, bot) | USA | EU SCCs + zero retention |
| Stripe Payments Europe Ltd. | Payments | Ireland / USA | EU SCCs |
| Cloudflare Inc. | Bot mitigation (Turnstile) | USA / global | EU SCCs |
| Google LLC (GTM / GA4) | Analytics (consent-gated) | USA | EU SCCs + Consent Mode v2 |
We do not sell personal data and we do not share it for behavioural advertising.
4. International data transfers
Where data is transferred outside the EEA (mostly to the US processors listed above), the transfer is covered by the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) and supplementary technical measures (TLS in transit, encryption at rest, minimised data scope). The full list of sub-processors and their SCCs is available on our DPA page.
5. Your rights
Under GDPR you have the right to:
- Access (Art 15) — get a copy of your personal data.
- Rectification (Art 16) — correct inaccurate data.
- Erasure (Art 17) — "right to be forgotten".
- Restriction (Art 18) — limit how we process your data.
- Portability (Art 20) — receive your data in a machine-readable format.
- Object (Art 21) — including to direct-marketing emails, at any time and free of charge.
- Withdraw consent (Art 7(3)) at any time, without affecting processing prior to withdrawal.
- Complain to a supervisory authority — for us that is the Czech ÚOOÚ (uoou.cz).
To exercise any of these rights, email privacy@synelostudio.com. We respond within 30 days (extendable to 90 in complex cases per Art 12(3)).
6. Automated decision-making and profiling
Our audit pipeline uses AI to score a website and propose fixes. This is decision-support, not an automated decision producing legal or similarly significant effects on you (GDPR Art 22 does not apply). A human operator reviews every report before any outreach.
7. Security
Encryption in transit (TLS 1.2+); encryption at rest at every processor; HSTS preload; HMAC-signed admin sessions; rate-limited public endpoints; secrets stored in Vercel/Supabase secret stores only. We will notify affected individuals and the supervisory authority within 72 hours of a confirmed data breach per Art 33–34.
8. Children
Our services are not directed at children under 16 and we do not knowingly process their data.
9. Changes to this notice
We will post the updated notice here with a new "Last updated" date. Material changes will be communicated via the site and to registered project clients via email.