Legal information
Privacy & Data Protection Policy
Explains GDPR information duties, the Polish Data Protection Act, and the technical AI Act context. It is not legal advice.
Version 2.1 | July 2026 · Effective from: July 2, 2026
Document summary
- Data Controller
- Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, Poland
- Privacy Contact
- [email protected]
- Data Protection Officer
- Not appointed (no obligation at current scale of operations)
- Territorial Scope
- European Union and European Economic Area
- Binding Language
- Polish; translations are for informational purposes only
- Supervisory Authority
- President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw
Sections
- 1. Introduction and Scope
- 2. Data Controller
- 3. What Personal Data We Process
- 4. Legal Bases for Data Processing
- 5. Purposes of Personal Data Processing
- 6. Data Processing in AI Systems - AI Act Requirements
- 7. Data Retention Periods
- 8. Data Recipients and International Transfers
- 9. Your Rights as a Data Subject
- 10. Cookies and Tracking Technologies
- 11. Personal Data Security
- 12. Data Breaches - Incident Procedure
- 13. Children's Data Protection
- 14. Changes to the Privacy Policy
- 15. Contact Details and Supervisory Authority
1. Introduction and Scope
This Privacy and Data Protection Policy (hereinafter: "Policy") sets out the rules for collecting, processing, storing and protecting personal data by Syntalith sp. z o.o. (hereinafter: "Syntalith", "we", "us").
Syntalith designs, builds and deploys artificial intelligence systems, including:
- AI agents (autonomous task-executing systems)
- AI apps and automations (LLM-based process systems)
- AI chatbots and voicebots under affiliated brands (sprzeda.ai, odbierze.ai)
- AI training (workshops and training programs on artificial intelligence)
Processing personal data is an integral part of providing these services. This Policy describes in detail and transparently how we handle personal data - in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Legal bases of this Policy
- EU Regulation 2016/679 (GDPR) - the primary act governing personal data protection
- Polish Act of 10 May 2018 on Personal Data Protection (Journal of Laws 2018, item 1000) - national implementation
- EU Regulation 2024/1689 (AI Act) - regulations concerning artificial intelligence systems
- Directive 2002/58/EC (ePrivacy) and Polish Telecommunications Law - regarding cookies and electronic communications
2. Data Controller
The controller of your personal data within the meaning of Art. 4(7) GDPR is:
Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, KRS: 0001194852
For matters related to personal data protection, you can contact us:
- by email: [email protected] (response within 3 business days)
- by mail: to our registered address with the note "Data Protection"
Data Protection Officer (DPO)
Syntalith is not required to appoint a Data Protection Officer under Art. 37 GDPR, as at the current stage of operations we do not process personal data on a large scale, nor do we systematically process special categories of data as a core activity.
Should the scale of data processing increase (particularly voice/biometric data), Syntalith will reassess the obligation to appoint a DPO and promptly update this Policy.
3. What Personal Data We Process
We process various categories of personal data depending on the nature of your relationship with Syntalith and which product or service you use.
3.1 Business clients and users (B2B)
- Identification data
- First and last name, job title, company name, company tax ID
- Contact data
- Business email address, phone number, company address
- Contractual data
- Billing details, order history, contract parameters
- Access data
- Login, encrypted password, API tokens, authentication logs
- Communication data
- Email correspondence history, meeting notes, sales call records
- Prospective client representatives (B2B prospecting)
- Name, role, business email address and phone number obtained from publicly available sources (company website, KRS/CEIDG registers), used solely for a first business contact, including a request for consent to send information about our services
3.2 End users (AI interactions)
When a user interacts with AI systems of Syntalith and its affiliated brands (AI agents, apps, sprzeda.ai chatbots, odbierze.ai voicebots), we process:
- Text conversation data
- Message content, chat history, session metadata (time, duration)
- Voice conversation data
- Audio recordings, text transcriptions, call metadata
- Behavioral data
- Interaction patterns with AI system, usage frequency, preferences
- Technical data
- IP address, browser/device type, session identifier, language
- Contextual data
- Information provided by B2B client as AI agent operation context
NOTE: Voice data - special category
Voice recordings processed by voicebots of the affiliated brand odbierze.ai may constitute biometric data under Art. 4(14) GDPR if used for identification based on voice characteristics.
If voice identification features are implemented: processing is carried out solely on the basis of explicit user consent (Art. 9(2)(a) GDPR) or another explicitly defined legal basis.
Standard conversation recordings (without biometric identification) are treated as ordinary personal data and processed under Art. 6 GDPR.
3.3 Website visitors
- Technical data
- IP address, browser type, operating system, screen resolution
- Navigation data
- Pages visited, time spent on site, referral source
- Cookie data
- Cookie identifiers, consent preferences, analytics data (Google Analytics 4, Microsoft Clarity), marketing data (LinkedIn, Meta)
- Form data
- Name, email, message content (contact form)
3.4 Data we do NOT collect
Syntalith commits to NOT processing the following categories of data without an explicit legal basis:
- Data revealing racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Genetic or biometric data for identification purposes (without explicit consent)
- Data concerning health or sexual life
- Data of children under 13 years of age (in accordance with Polish data protection law)
3.5 AI training participant data
When B2B client employees participate in AI training conducted by Syntalith, we process:
- Participant identification data
- First and last name, job title, department, employer company name
- Contact data
- Business email address (for sending materials and post-training support)
- Skills assessment data
- Pre-training survey responses (knowledge level, learning goals, AI tools used at work)
- Exercise data
- Hands-on exercise results, prompts written during workshops, AI tool output from practice sessions
- Evaluation data
- Post-training satisfaction surveys, trainer ratings, topic suggestions
- Certificate data
- First and last name, completion date, training program name, certificate number
- Post-training support data
- Email correspondence during 30-day post-training support period
4. Legal Bases for Data Processing
Every personal data processing operation by Syntalith is based on one of the following legal bases under Art. 6 GDPR:
- Contract performance (Art. 6(1)(b))
- Providing AI services under a concluded contract; client account management; invoicing; fulfilling orders for the deployment of automations, apps and AI agents, and of conversational systems under affiliated brands; delivering AI training under a contract with a B2B client; issuing completion certificates.
- Legitimate interest (Art. 6(1)(f))
- IT systems security; detecting API abuse; quality analysis and AI model improvement (without user profiling); direct marketing to B2B clients; initiating first contact with prospective business clients whose business contact details we obtained from publicly available sources (company website, KRS/CEIDG), respecting the right to object and electronic communication law requirements.
- User consent (Art. 6(1)(a))
- Sending newsletters and marketing communications; placing non-essential analytical and marketing cookies; voice biometric identification (if implemented).
- Legal obligation (Art. 6(1)(c))
- Storing accounting documents and invoices (5 years + current year); obligations under tax law and Polish Commercial Companies Code.
- Sensitive data (Art. 9(2)(a))
- Processing biometric data (voice identification) - solely on the basis of explicit, voluntary and specific user consent.
5. Purposes of Personal Data Processing
We process personal data solely for specified, explicit and legitimate purposes in accordance with the purpose limitation principle (Art. 5(1)(b) GDPR):
- AI service delivery
- Running and maintaining automations, apps and AI agents for clients, and conversational systems under affiliated brands (sprzeda.ai, odbierze.ai); processing input data necessary for AI model response generation.
- Customer support
- Responding to inquiries and reports; account management; technical support for deployments.
- AI quality improvement
- Analyzing conversation patterns for AI model training and improvement (solely on anonymized data or with consent).
- Security
- Detecting and preventing AI system abuse; attack protection; audit logs.
- Billing
- Issuing invoices, payment records, refund processing.
- B2B marketing
- Informing business clients about new AI products and features, and first contact with prospective B2B clients, including a request for consent to electronic communication (based on legitimate interest or consent).
- Legal compliance
- Fulfilling obligations under GDPR, AI Act, tax law, Polish Commercial Companies Code.
- AI training delivery
- Organizing and conducting AI workshops; sending training materials; issuing certificates; 30-day post-training support; training quality evaluation.
6. Data Processing in AI Systems - AI Act Requirements
Information pursuant to Art. 50 of EU Regulation 2024/1689 (AI Act): Syntalith creates and deploys artificial intelligence systems. If you use our products (an AI agent, an LLM app, or a conversational system of an affiliated brand), we inform you of the following:
AI Act disclosure - what you need to know as a user
- YOU ARE TALKING TO AI
- All our products (AI agents, apps and automations, and the chatbots and voicebots of our affiliated brands) are artificial intelligence systems. You are not speaking with a human unless explicitly informed otherwise.
- RISK CLASSIFICATION
- Standard conversational systems under our affiliated brands are limited-risk systems under the AI Act. If high-risk systems are deployed (e.g., HR or financial decision support), you will be separately informed.
- AI LIMITATIONS
- AI systems may make errors, generate incorrect information or responses. Do not treat AI outputs as legal, medical or financial advice.
- TRAINING DATA
- Syntalith may use conversation data to improve AI models solely in anonymized form or based on your explicit consent.
- NO AUTOMATED DECISIONS
- Syntalith does not make automated decisions with legal effects on users (Art. 22 GDPR) without prior notification and consent.
6.1 External AI Models (Sub-processors)
To provide AI services, we use external AI models and platforms. User input data (conversation content) may be transferred to the following sub-processors:
- OpenAI, L.L.C. (USA)
- GPT models (text generation, chatbots). HQ: San Francisco, USA. Data transfer: SCC + DPA. Data processed solely in accordance with the API Data Usage Policy.
- Anthropic, PBC (USA)
- Claude models (AI agents, text analysis). HQ: San Francisco, USA. Data transfer: SCC + DPA. Data is not used for model training without consent.
- Google LLC (USA)
- Gemini models and Vertex AI platform (language processing, automation). HQ: Mountain View, USA. Data transfer: SCC + Google Cloud DPA. Certifications: ISO 27001, SOC 2 Type II.
7. Data Retention Periods
We store personal data no longer than necessary to fulfill the purpose for which it was collected (Art. 5(1)(e) GDPR):
- B2B client data (contracts, invoices)
- 5 years from the end of the tax year in which the contract expired (tax and commercial law obligation)
- Conversation history - text chatbot
- Up to 12 months from last interaction, unless the B2B client specified a shorter period in the contract
- Voice recordings - voicebot
- Up to 90 days from recording; then automatic deletion or anonymization
- Voice conversation transcriptions
- Up to 12 months from recording (same as text chatbot history)
- User account data
- Duration of contract + 30 days after termination (data export window)
- Security logs (access, API)
- Up to 12 months from log generation
- Marketing data (newsletter, consents)
- Until consent withdrawal or 3 years from last contact
- Prospective client data (B2B prospecting)
- Until objection or 12 months from first contact without a response; addresses of persons who declined contact stay permanently on an internal exclusion list, solely to honor the objection
- Analytics cookies
- Up to 13 months (Google Analytics 4); up to 12 months (Microsoft Clarity)
- Contact form data
- Up to 12 months from responding to the inquiry
- Training participant data (surveys, exercise results)
- Up to 12 months from training completion; shorter period on B2B client request
- Training certificates
- Up to 5 years from issue date (for verification purposes)
- Post-training support correspondence
- Up to 6 months from end of support period
8. Data Recipients and International Transfers
8.1 Categories of data recipients
Personal data may be shared with the following categories of recipients:
- AI model providers: OpenAI, Anthropic, Google - as sub-processors (see section 6.1)
- Infrastructure providers: hosting and cloud providers - solely under DPA agreements
- SaaS tool providers: CRM systems, helpdesk, email marketing - solely after concluding data processing agreements
- Analytics and marketing providers: Google (Analytics 4), Microsoft (Clarity), LinkedIn, Meta - within the scope described in the cookie policy and according to the consents you grant
- Government authorities: UODO, courts, tax authorities - solely based on legal obligation and to the required extent
- Auditors and advisors: law firms, auditors - bound by professional secrecy
8.2 Transfers outside the European Economic Area (EEA)
Using AI providers (OpenAI, Anthropic, Google) involves transferring data to the United States. For each such transfer, we apply the following safeguards:
- Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) - concluded with all AI providers
- Data Processing Agreements (DPA) with each AI provider, specifying scope and purpose of processing
- Transfer Impact Assessment (TIA) - risk assessment for specific transfers to the USA
- OpenAI and Google hold EU-US Data Privacy Framework (DPF) certification - additional protection mechanism
- Data is processed in European server regions where available (e.g., Google Cloud region europe-west)
9. Your Rights as a Data Subject
Under GDPR, you have the following rights. We fulfill them free of charge within 30 days of receiving your request (Art. 12(3) GDPR). For particularly complex requests, the deadline may be extended by a further 60 days.
- Right of access (Art. 15)
- You may request information about whether we process your data, what data, for what purpose, to whom we disclose it and how long we store it. You have the right to a copy of your processed data.
- Right to rectification (Art. 16)
- You may request correction of inaccurate or completion of incomplete personal data.
- Right to erasure (Art. 17)
- You may request deletion of data if: the processing purpose has ceased; you withdrew consent; data was processed unlawfully. This right does not apply to data we must retain due to legal obligation.
- Right to restriction (Art. 18)
- You may request suspension of data processing in certain situations (e.g., you contest data accuracy or have filed an objection - pending its review).
- Right to object (Art. 21)
- You may object to processing of your data based on legitimate interest (including profiling) or for direct marketing purposes. Objection to marketing is absolute.
- Right to data portability (Art. 20)
- If we process your data based on consent or contract in an automated manner - you may receive it in a structured, machine-readable format (JSON, CSV) or request transfer to another controller.
- Right to lodge a complaint (Art. 77)
- You have the right to lodge a complaint with the President of UODO (uodo.gov.pl) or supervisory authorities in other EU member states if you believe we process your data unlawfully.
- Right not to be subject to automated decisions (Art. 22)
- You have the right not to be subject to decisions made solely by automated means (including profiling) which produce legal effects concerning you or similarly significantly affect you.
How to submit a rights request?
- Email: [email protected] (subject: GDPR - [type of request])
- Mail: to Syntalith sp. z o.o. registered address with the note "Data Protection"
- We will respond within 30 days of receiving a complete request
- We may request identity verification to protect your data from unauthorized access
- Exercising rights is free of charge; in case of manifestly unfounded or excessive requests, we may charge an administrative fee (Art. 12(5) GDPR)
10. Cookies and Tracking Technologies
Our website (www.syntalith.ai) and Syntalith applications use cookies and similar tracking technologies:
- Essential cookies · no consent needed
- Client panel login, user session, security (CSRF token), cookie preference storage. Basis: legitimate interest / technical necessity.
- Analytics cookies · consent required
- Google Analytics 4 and Microsoft Clarity - traffic analysis, visit sources, page popularity, and experience-quality signals (session recordings, heatmaps). They run in consent mode: without analytics consent they set no cookies and send only anonymous aggregate signals; full measurement starts after consent, which you can withdraw in cookie settings.
- Marketing cookies · consent required
- LinkedIn Insight Tag and Meta Pixel - campaign measurement, offer engagement, and conversions. They load only after marketing consent; you can refuse or withdraw consent in the cookie panel.
- Third-party scripts · depends on category consent
- GA4 and Clarity belong to analytics; LinkedIn and Meta belong to marketing. We do not load social plugins or embedded maps/video without a separate implementation and disclosure.
11. Personal Data Security
We apply appropriate technical and organizational measures (Art. 32 GDPR) ensuring a level of security appropriate to the risk:
11.1 Technical measures
- Data encryption in transit: TLS 1.2 or higher for all connections
- Data encryption at rest: AES-256 for stored personal data
- Two-factor authentication (2FA) for administrative system access
- Access control on a "need-to-know" basis - access only for authorized personnel
- Regular security testing and vulnerability scanning of AI systems and infrastructure
- Real-time monitoring and alerting for unauthorized access attempts
- Automated backups with encrypted storage
11.2 Organizational measures
- Employee training in data protection and AI literacy (per AI Act Art. 4)
- Clean desk and screen policy for employees with data access
- Security incident handling procedures (see section 12)
- Regular reviews and internal audits of data protection policy
- Confidentiality agreements (NDA) with employees and contractors having access to personal data
12. Data Breaches - Incident Procedure
Syntalith maintains an internal procedure for responding to personal data breaches in accordance with Art. 33 and 34 GDPR:
Procedure following detection of a data security breach
- STEP 1 - Detection and escalation
- The employee detecting the incident immediately notifies the person responsible for data protection at Syntalith.
- STEP 2 - Risk assessment (within 12 hours)
- Assessment of whether the breach may result in a risk to the rights or freedoms of natural persons.
- STEP 3 - Notification to UODO (within 72 hours)
- If the breach poses a risk - Syntalith reports the incident to the President of UODO via uodo.gov.pl portal (Art. 33 GDPR).
- STEP 4 - Notification of data subjects
- If the breach poses a HIGH risk - we promptly inform directly affected individuals (Art. 34 GDPR).
- STEP 5 - Documentation
- Every breach is documented in the breach register (Art. 33(5) GDPR) regardless of whether it is subject to notification to UODO.
13. Children's Data Protection
In accordance with Art. 8 GDPR and Art. 7a of the Polish Data Protection Act, Syntalith services are intended for persons who have reached 13 years of age.
Persons aged 13-16 may use our services only with parental or legal guardian consent.
If we learn that we have collected data of a child under 13 without verifiable parental consent - we will promptly delete such data.
We ask parents and guardians to contact [email protected] if they suspect their child has shared their data without consent.
14. Changes to the Privacy Policy
Syntalith reserves the right to update this Policy in the following cases:
- Changes in legislation (GDPR, AI Act, UODO, telecommunications law)
- Introduction of new AI products or services processing data in new ways
- Changes in technology providers or sub-processors
- Recommendations from supervisory authorities (UODO, EDPB)
We will notify about significant changes:
- B2B clients: by email to the contact address with 30 days' advance notice
- Website users: by an information banner on www.syntalith.ai
- Everyone: by updating the "Last updated" date in the document header
15. Contact Details and Supervisory Authority
For matters concerning personal data protection, contact us:
- [email protected]
- Address
- Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, Poland
- Website
- www.syntalith.ai
- Supervisory authority for Syntalith:
- President of the Personal Data Protection Office (UODO)
- UODO
- ul. Stawki 2, 00-193 Warsaw
- Phone
- 22 531 03 00
- UODO email
- [email protected]
- UODO website
- www.uodo.gov.pl
This document was prepared in Polish and constitutes the binding version of Syntalith's Privacy Policy. Version 2.1 supersedes all previous versions.
Syntalith.ai · Warsaw, Poland