Privacy Policy
Last updated: 28 June 2026
DRAFT — Template. Requires review by qualified legal counsel before being used as a binding policy. Replace bracketed placeholders before publication.
This Privacy Policy describes how Sycrion ("we", "us") processes personal data through the Sycrion Reveal service ("Service"). It applies to visitors to our website, users of the free scan, and subscribers to paid tiers.
We are committed to processing personal data lawfully, fairly and transparently in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national laws.
1. Data Controller
Sycrion [registered entity name], [registered address], is the data controller responsible for personal data processed in connection with the Service.
Contact for privacy matters: privacy@sycrion.com
2. Personal Data We Process
When you use the Service we may process the following categories of personal data:
- Identification data: name, business email, company name and role
- Account data: hashed password, login timestamps, session tokens
- Service data: domain(s) you submit for scanning, scan results, alert preferences
- Communication data: support messages, contact form submissions
- Technical data: IP address, browser type, device identifiers, language preference
- Usage data: pages viewed, features used, scan history
- Billing data: company billing address, VAT number, payment method (processed by our payment provider — we do not store full card numbers)
3. Purposes and Legal Bases (GDPR Art. 6)
- Performance of the contract (Art. 6(1)(b)): providing the Service, processing scans, delivering reports and alerts, billing
- Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, product improvement, internal analytics
- Consent (Art. 6(1)(a)): optional marketing communications, where you have explicitly opted in
- Legal obligation (Art. 6(1)(c)): accounting, tax, and statutory reporting obligations
4. Recipients and Subprocessors
We share personal data only with carefully selected subprocessors who provide the technical infrastructure needed to deliver the Service. Current subprocessors include:
- Vercel Inc. — hosting and edge compute (EU region)
- Neon, Inc. — managed PostgreSQL database (EU region)
- Resend — transactional email delivery
- [Payment processor name] — payment processing
- [Customer support tool] — support ticketing
5. International Transfers
Our infrastructure is deployed in the European Union. Where a subprocessor processes data outside the EEA, we rely on Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, additional safeguards.
6. Retention Periods
- Free scan results: retained for 90 days from creation
- Subscription scan results: retained for the duration of the subscription plus 12 months
- Account data: retained for the lifetime of the account, then deleted within 90 days of closure
- Billing records: retained for the period required by applicable accounting law (typically 5–7 years)
- Support communications: retained for 24 months
7. Your Rights (GDPR Art. 15–22)
To exercise any of these rights, contact privacy@sycrion.com. We respond within 30 days.
- Right of access — obtain a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten") — request deletion in defined circumstances
- Right to restriction of processing
- Right to data portability — receive your data in machine-readable form
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with a supervisory authority
8. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest, access controls, audit logging and regular security reviews. No method of transmission or storage is 100% secure; we do not guarantee absolute security.
9. Cookies
We use only strictly necessary cookies (session, security, language preference). We do not use third-party analytics or advertising cookies by default. Where additional cookies are introduced, they will require explicit opt-in consent.
10. Changes to This Policy
We may update this Policy from time to time. We will announce material changes by email or by a prominent notice on the Service at least 30 days before they take effect.
11. Contact
For questions about this Policy or our processing of your personal data: privacy@sycrion.com