
Privacy Policy

Last updated: 15 May 2026 · Effective: 15 May 2026

Written to comply with GDPR (EU) 2016/679 and the NIS2 Directive. Plain language — no legalese.

01

Who we are (Data Controller)

Sycrion is the data controller responsible for your personal data. We operate the cybersecurity compliance platform available at sycrion.com.

Controller: Sycrion

Email: privacy@sycrion.com

DPO contact: dpo@sycrion.com

This policy applies to all users of our platform and is written in compliance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the EU NIS2 Directive.

02

What data we collect and why

Account data

Contract · Art. 6(1)(b)
  • Email address
  • Full name
  • Company name
  • Password hash (bcrypt)
  • Subscription tier

Purpose: To create and manage your account and deliver the service.

Payment data

Contract + Legal obligation
  • Processed by Stripe (PCI DSS Level 1)
  • We store only: Stripe customer ID, subscription status, last-4 digits

Purpose: Billing and VAT compliance. We never see or store full card numbers.

Scan & audit data

Contract · Art. 6(1)(b)
  • Target domain/URL you submit
  • Publicly accessible DNS, TLS, HTTP headers
  • Scan results and compliance reports

Purpose: To perform the security audit you requested. We only read publicly visible information.

Technical & usage data

Legitimate interest · Art. 6(1)(f)
  • IP address (hashed after 24h)
  • Browser type and OS
  • Pages visited, features used
  • Error logs

Purpose: Platform reliability, security, and improvement. No advertising use.

API keys

Contract · Art. 6(1)(b)
  • Key prefix (non-reversible)
  • SHA-256 hash of the key only
  • Allowed domains and usage count

Purpose: Widget API access. Full key is shown once and never stored in plain text.

03

How long we keep your data

We keep your data only as long as necessary for the stated purpose.

Data type            | Retention
Account data         | Until deletion + 30 days grace period
Scan results         | 12 months, or until you delete them
Payment records      | 7 years (EU tax law requirement)
Security logs / IP   | 90 days, then anonymised
API keys (hash only) | Until revoked or account deleted
Email communications | 3 years

04

Who we share your data with

We do not sell your personal data. We share it only with processors required to operate the service, each bound by a Data Processing Agreement (DPA):

Vercel Inc.

Hosting & CDN · EU region — Frankfurt

DPA signed

Neon Inc.

PostgreSQL database · EU — Frankfurt (AWS eu-central-1)

DPA signed

Stripe Inc.

Payment processing · USA — SCCs per Art. 46 GDPR

DPA signed

Resend Inc.

Transactional email · USA — SCCs per Art. 46 GDPR

DPA signed

Transfers outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR.

05

Your rights under GDPR

As an EU/EEA resident you have the following rights. Email privacy@sycrion.com to exercise any of them. We respond within 30 days (Art. 12 GDPR).

Access (Art. 15)

Request a copy of all data we hold about you.

Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

Erasure (Art. 17)

Request deletion of your data ("right to be forgotten").

Restriction (Art. 18)

Restrict how we process your data in certain circumstances.

Portability (Art. 20)

Receive your data in a machine-readable format (JSON/CSV).

Objection (Art. 21)

Object to processing based on legitimate interest.

Withdraw consent

Where we rely on consent, you can withdraw at any time.

Lodge a complaint

File with your national data protection authority — e.g. CNIL (FR), BfDI (DE), ICO (UK).

06

Cookies & tracking

We use minimal, strictly necessary cookies. No advertising or cross-site tracking cookies.

Name             | Purpose                                               | Duration
session          | Authentication — httpOnly, Secure, SameSite=Strict    | 7 days
_vercel_no_cache | Prevents edge caching on auth pages                   | Session

We do not use Google Analytics, Facebook Pixel, or any behavioural ad tracking.

07

Security measures (Art. 32 GDPR)

Technical and organisational measures (TOMs) we implement:

TLS 1.3 encryption in transit
AES-256 encryption at rest (Neon)
Passwords hashed with bcrypt (cost 12)
API keys stored as SHA-256 hashes only
Session tokens rotated on each login
Login rate limiting (5 attempts / 15 min)
Infrastructure in EU Frankfurt
SOC 2 Type II — in progress

Security vulnerability disclosure: security@sycrion.com

08

Data breach notification

In the event of a personal data breach we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR). If the breach presents a high risk to your rights and freedoms, we will notify you directly without undue delay (Art. 34 GDPR), stating what happened, what data was affected, and what steps we have taken.

09

Children's data

Our services are directed at businesses, not individuals under 16. We do not knowingly collect personal data from children. If you believe we have done so inadvertently, contact privacy@sycrion.com and we will delete it immediately.

10

Changes to this policy

We may update this Privacy Policy periodically. Material changes will be communicated by email (if you have an account) and by notice on our website at least 14 days before taking effect. The "Last updated" date above always reflects the current version. Continued use after the effective date constitutes acceptance.

Questions about your data?

Our Data Protection Officer responds to all requests within 30 days, as required by GDPR Art. 12.

privacy@sycrion.com