Privacy & Data Protection Policy
Compliant with GDPR (EU 2016/679) | Polish Data Protection Act (2018) | AI Act (EU 2024/1689)
Effective from: March 5, 2026
1. Introduction and Scope
This Privacy and Data Protection Policy (hereinafter: "Policy") sets out the rules for collecting, processing, storing and protecting personal data by Syntalith sp. z o.o. (hereinafter: "Syntalith", "we", "us").
Syntalith designs, builds and deploys artificial intelligence systems, including:
- AI agents (autonomous task-executing systems)
- AI chatbots (conversational text interfaces)
- AI voicebots (voice conversation systems)
- AI training (workshops and training programs on artificial intelligence)
Processing personal data is an integral part of providing these services. This Policy describes, in detail and transparently, how we handle personal data, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Legal bases of this Policy
- EU Regulation 2016/679 (GDPR) - the primary act governing personal data protection
- Polish Act of 10 May 2018 on Personal Data Protection (Journal of Laws 2018, item 1000) - national implementation
- EU Regulation 2024/1689 (AI Act) - regulations concerning artificial intelligence systems
- Directive 2002/58/EC (ePrivacy) and Polish Telecommunications Law - regarding cookies and electronic communications
2. Data Controller
The controller of your personal data within the meaning of Art. 4(7) GDPR is:
Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, KRS: 0001194852
For matters related to personal data protection, you can contact us:
- by email: privacy@syntalith.ai (response within 3 business days)
- by mail: to our registered address with the note "Data Protection"
Data Protection Officer (DPO)
Syntalith is not required to appoint a Data Protection Officer under Art. 37 GDPR, as at the current stage of operations we do not process personal data on a large scale, nor do we systematically process special categories of data as a core activity.
Should the scale of data processing increase (particularly voice/biometric data), Syntalith will reassess the obligation to appoint a DPO and promptly update this Policy.
3. What Personal Data We Process
We process various categories of personal data depending on the nature of your relationship with Syntalith and which product or service you use.
3.1 Business clients and users (B2B)
3.2 End users (AI interactions)
When a user interacts with Syntalith AI systems (chatbots, voicebots, AI agents), we process:
NOTE: Voice data - special category
Voice recordings processed by Syntalith voicebots may constitute biometric data under Art. 4(14) GDPR if used for identification based on voice characteristics.
If voice identification features are implemented: processing is carried out solely on the basis of explicit user consent (Art. 9(2)(a) GDPR) or another explicitly defined legal basis.
Standard conversation recordings (without biometric identification) are treated as ordinary personal data and processed under Art. 6 GDPR.
3.3 Website visitors
3.4 Data we do NOT collect
Syntalith commits to NOT processing the following categories of data without an explicit legal basis:
- Data revealing racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Genetic or biometric data for identification purposes (without explicit consent)
- Data concerning health or sexual life
- Data of children under 13 years of age (in accordance with Polish data protection law)
3.5 AI training participant data
When B2B client employees participate in AI training conducted by Syntalith, we process:
4. Legal Bases for Data Processing
Every personal data processing operation by Syntalith is based on one of the following legal bases under Art. 6 GDPR:
Contract performance (Art. 6(1)(b))
Providing AI services under a concluded contract; client account management; invoicing; fulfilling orders for chatbot/voicebot/AI agent deployment.
Legitimate interest (Art. 6(1)(f))
IT systems security; detecting API abuse; quality analysis and AI model improvement (without user profiling); direct marketing to B2B clients.
User consent (Art. 6(1)(a))
Sending newsletters and marketing communications; placing non-essential analytical and marketing cookies; voice biometric identification (if implemented).
Legal obligation (Art. 6(1)(c))
Storing accounting documents and invoices (5 years + current year); obligations under tax law and Polish Commercial Companies Code.
Sensitive data (Art. 9(2)(a))
Processing biometric data (voice identification) - solely on the basis of explicit, voluntary and specific user consent.
If processing is based on your consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), you may withdraw it at any time without negative consequences by contacting privacy@syntalith.ai. Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.
5. Purposes of Personal Data Processing
We process personal data solely for specified, explicit and legitimate purposes in accordance with the purpose limitation principle (Art. 5(1)(b) GDPR):
- Running and maintaining chatbots, voicebots and AI agents for clients; processing input data necessary for AI model response generation.
- Responding to inquiries and reports; account management; technical support for deployments.
- Analyzing conversation patterns for AI model training and improvement (solely on anonymized data or with consent).
- Detecting and preventing AI system abuse; attack protection; audit logs.
- Issuing invoices, payment records, refund processing.
- Informing business clients about new AI products and features (based on legitimate interest or consent).
- Fulfilling obligations under GDPR, AI Act, tax law, Polish Commercial Companies Code.
- Organizing and conducting AI workshops; sending training materials; issuing certificates; 30-day post-training support; training quality evaluation.
6. Data Processing in AI Systems - AI Act Requirements
Information pursuant to Art. 50 of EU Regulation 2024/1689 (AI Act): Syntalith creates and deploys artificial intelligence systems. If you use our products (chatbot, voicebot or AI agent), we inform you of the following:
AI Act disclosure - what you need to know as a user
6.1 External AI Models (Sub-processors)
To provide AI services, we use external AI models and platforms. User input data (conversation content) may be transferred to the following sub-processors:
- OpenAI: GPT models (text generation, chatbots). HQ: San Francisco, USA. Data transfer: SCC + DPA. Data processed solely in accordance with the API Data Usage Policy.
- Anthropic: Claude models (AI agents, text analysis). HQ: San Francisco, USA. Data transfer: SCC + DPA. Data is not used for model training without consent.
- Google: Gemini models and Vertex AI platform (language processing, automation). HQ: Mountain View, USA. Data transfer: SCC + Google Cloud DPA. Certifications: ISO 27001, SOC 2 Type II.
Each of the above providers is contractually obligated (Data Processing Agreement + Standard Contractual Clauses) to process personal data solely in accordance with Syntalith's instructions and in compliance with GDPR. Full list of sub-processors available upon request: privacy@syntalith.ai
7. Data Retention Periods
We store personal data no longer than necessary to fulfill the purpose for which it was collected (Art. 5(1)(e) GDPR):
8. Data Recipients and International Transfers
8.1 Categories of data recipients
Personal data may be shared with the following categories of recipients:
- AI model providers: OpenAI, Anthropic, Google - as sub-processors (see section 6.1)
- Infrastructure providers: hosting and cloud providers - solely under DPA agreements
- SaaS tool providers: CRM systems, helpdesk, email marketing - solely after concluding data processing agreements
- Government authorities: UODO, courts, tax authorities - solely based on legal obligation and to the required extent
- Auditors and advisors: law firms, auditors - bound by professional secrecy
8.2 Transfers outside the European Economic Area (EEA)
Using AI providers (OpenAI, Anthropic, Google) involves transferring data to the United States. For each such transfer, we apply the following safeguards:
- Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) - concluded with all AI providers
- Data Processing Agreements (DPA) with each AI provider, specifying scope and purpose of processing
- Transfer Impact Assessment (TIA) - risk assessment for specific transfers to the USA
- OpenAI and Google hold EU-US Data Privacy Framework (DPF) certification - additional protection mechanism
- Data is processed in European server regions where available (e.g., Google Cloud region europe-west)
9. Your Rights as a Data Subject
Under GDPR, you have the following rights. We fulfill them free of charge within 30 days of receiving your request (Art. 12(3) GDPR). For particularly complex requests, the deadline may be extended by a further 60 days.
Right of access (Art. 15)
You may request information about whether we process your data, what data, for what purpose, to whom we disclose it and how long we store it. You have the right to a copy of your processed data.
Right to rectification (Art. 16)
You may request correction of inaccurate or completion of incomplete personal data.
Right to erasure (Art. 17)
You may request deletion of data if: the processing purpose has ceased; you withdrew consent; data was processed unlawfully. This right does not apply to data we must retain due to legal obligation.
Right to restriction (Art. 18)
You may request suspension of data processing in certain situations (e.g., you contest data accuracy or have filed an objection - pending its review).
Right to object (Art. 21)
You may object to processing of your data based on legitimate interest (including profiling) or for direct marketing purposes. Objection to marketing is absolute.
Right to data portability (Art. 20)
If we process your data based on consent or contract in an automated manner - you may receive it in a structured, machine-readable format (JSON, CSV) or request transfer to another controller.
Right to lodge a complaint (Art. 77)
You have the right to lodge a complaint with the President of UODO (uodo.gov.pl) or supervisory authorities in other EU member states if you believe we process your data unlawfully.
Right not to be subject to automated decisions (Art. 22)
You have the right not to be subject to decisions made solely by automated means (including profiling) which produce legal effects concerning you or similarly significantly affect you.
How to submit a rights request?
- Email: privacy@syntalith.ai (subject: GDPR - [type of request])
- Mail: to Syntalith sp. z o.o. registered address with the note "Data Protection"
- We will respond within 30 days of receiving a complete request
- We may request identity verification to protect your data from unauthorized access
- Exercising rights is free of charge; in case of manifestly unfounded or excessive requests, we may charge an administrative fee (Art. 12(5) GDPR)
10. Cookies and Tracking Technologies
Our website (www.syntalith.ai) and Syntalith applications use cookies and similar tracking technologies:
- Essential cookies: client panel login, user session, security (CSRF token), cookie preference storage. Basis: legitimate interest / technical necessity.
- Analytical cookies: Google Analytics - traffic analysis, page popularity, visit sources. Stored for up to 13 months. You can refuse consent or withdraw it in cookie settings.
- Marketing cookies: remarketing and personalized ads (if implemented). You can refuse in the cookie management panel on our site.
- Social media cookies: social media plugins (LinkedIn, Twitter/X) may place their own cookies. Please refer to their privacy policies.
You can manage your cookie preferences at any time by clicking "Cookie Settings" in the footer of our site or by changing your browser settings.
11. Personal Data Security
We apply appropriate technical and organizational measures (Art. 32 GDPR) ensuring a level of security appropriate to the risk:
11.1 Technical measures
- Data encryption in transit: TLS 1.2 or higher for all connections
- Data encryption at rest: AES-256 for stored personal data
- Two-factor authentication (2FA) for administrative system access
- Access control on a "need-to-know" basis - access only for authorized personnel
- Regular security testing and vulnerability scanning of AI systems and infrastructure
- Real-time monitoring and alerting for unauthorized access attempts
- Automated backups with encrypted storage
11.2 Organizational measures
- Employee training in data protection and AI literacy (per AI Act Art. 4)
- Clean desk and screen policy for employees with data access
- Security incident handling procedures (see section 12)
- Regular reviews and internal audits of data protection policy
- Confidentiality agreements (NDA) with employees and contractors having access to personal data
12. Data Breaches - Incident Procedure
Syntalith maintains an internal procedure for responding to personal data breaches in accordance with Art. 33 and 34 GDPR:
Procedure following detection of a data security breach
STEP 1 - Detection and escalation
The employee detecting the incident immediately notifies the person responsible for data protection at Syntalith.
STEP 2 - Risk assessment (within 12 hours)
Assessment of whether the breach may result in a risk to the rights or freedoms of natural persons.
STEP 3 - Notification to UODO (within 72 hours)
If the breach poses a risk - Syntalith reports the incident to the President of UODO via the uodo.gov.pl portal (Art. 33 GDPR).
STEP 4 - Notification of data subjects
If the breach poses a HIGH risk - we promptly inform directly affected individuals (Art. 34 GDPR).
STEP 5 - Documentation
Every breach is documented in the breach register (Art. 33(5) GDPR) regardless of whether it is subject to notification to UODO.
If you suspect your data has been compromised or have information about a security incident - please contact us immediately: privacy@syntalith.ai
13. Children's Data Protection
Minimum age: 13 years (per Polish law)
In accordance with Art. 8 GDPR and Art. 7a of the Polish Data Protection Act, Syntalith services are intended for persons who have reached 13 years of age.
Persons aged 13-16 may use our services only with parental or legal guardian consent.
If we learn that we have collected data of a child under 13 without verifiable parental consent - we will promptly delete such data.
We ask parents and guardians to contact privacy@syntalith.ai if they suspect their child has shared their data without consent.
14. Changes to the Privacy Policy
Syntalith reserves the right to update this Policy in the following cases:
- Changes in legislation (GDPR, AI Act, UODO, telecommunications law)
- Introduction of new AI products or services processing data in new ways
- Changes in technology providers or sub-processors
- Recommendations from supervisory authorities (UODO, EDPB)
We will notify about significant changes:
- B2B clients: by email to the contact address with 30 days' advance notice
- Website users: by an information banner on www.syntalith.ai
- Everyone: by updating the "Last updated" date in the document header
Archived versions of the Policy are available upon request: privacy@syntalith.ai
15. Contact Details and Supervisory Authority
For matters concerning personal data protection, contact us:
Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, Poland
www.syntalith.ai
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2, 00-193 Warsaw
22 531 03 00
kancelaria@uodo.gov.pl
This document was prepared in Polish and constitutes the binding version of Syntalith's Privacy Policy. Version 2.0 supersedes all previous versions.