Privacy Policy — Synfliq

1. Introduction

Synfliq BV ("Synfliq", "we", "us") is a private limited company registered in the Netherlands (KvK: 59274778). We operate the Synfliq service at app.synfliq.com — an AI-powered process mapping tool.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service. We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch privacy law.

For questions about this policy or your personal data, contact us at: info@synfliq.com

2. Data we collect

Account data

When you register or request access:

Name
Email address
Password (stored as a one-way cryptographic hash — we cannot read your password)
Account creation date and last login date
Plan type (bundle or BYOK)

Usage data

When you use the service:

Credit balance and transaction history (operations performed, credits used, timestamps)
Access requests and approval status
Session and activity metadata (IP address, browser type) collected by our hosting infrastructure

API keys (BYOK users only)

If you connect your own Anthropic API key:

Your API key is encrypted using AES-256-CBC encryption before storage
It is never stored in plaintext and never logged
It is only decrypted in memory at the moment of an API call and is immediately discarded

Process content

Documents, images, and text you upload for processing are transmitted to the AI provider (Anthropic) to generate diagrams. We do not store your uploaded content on our servers. Content is passed through in-memory only and is not persisted after the API call completes.

3. How we use your data

Purpose	Data used	Legal basis
Providing and operating the service	Account data, usage data	Contract performance (Art. 6(1)(b) GDPR)
Authentication and security	Email, password hash, session tokens	Contract performance; Legitimate interest
Credit accounting and billing	Usage data, transaction history	Contract performance; Legal obligation
Service communications (account updates, policy changes)	Email address	Contract performance; Legitimate interest
Fraud prevention and abuse detection	Account data, usage data	Legitimate interest (Art. 6(1)(f) GDPR)
Compliance with legal obligations	As required	Legal obligation (Art. 6(1)(c) GDPR)

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Third-party processors

We use the following sub-processors to operate the service:

Processor	Role	Location	Data shared
Anthropic	AI processing (Claude API)	United States	Process content you submit; no account data is sent
Railway	Cloud hosting & database	United States	All service data (hosted infrastructure)
GitHub	Database backups (encrypted)	United States	Encrypted database backups only

Each processor is bound by data processing agreements and their own privacy policies. International transfers are covered by Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms under GDPR Chapter V.

Anthropic does not use API inputs for model training by default. See anthropic.com/privacy for details.

5. Data retention

Account data: Retained for the duration of your account. Upon deletion, account data is permanently removed within 30 days.
Transaction history: Retained for 7 years to comply with Dutch tax and accounting law (Belastingdienst requirements).
Database backups: Retained for 30 days, then automatically deleted.
Process content: Not stored — content is processed in-memory only and is not persisted.
API keys (BYOK): Deleted immediately when you remove your key or delete your account.

6. Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Correct inaccurate or incomplete data. You can update your name directly in Account Settings.
Right to erasure (Art. 17): Request deletion of your account and all associated data via Account Settings → Danger zone → Delete account.
Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, contact us at info@synfliq.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

7. Security

We implement appropriate technical and organisational measures to protect your personal data:

All connections to the service use TLS encryption in transit
Passwords are hashed using bcrypt (one-way, salted) — we cannot recover your password
API keys are encrypted at rest using AES-256-CBC with a server-side encryption key
Database access is restricted to application servers on a private network
Database backups are encrypted before transmission and storage
JWT session tokens expire after 30 days

No system is perfectly secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR Art. 33–34.

8. Cookies and local storage

Synfliq does not use tracking cookies or advertising cookies.

The application uses browser localStorage to store your authentication token (JWT) and application preferences. This data remains on your device and is not transmitted to third parties. It is cleared when you sign out or when you clear your browser data.

Our hosting infrastructure (Railway) may log standard HTTP access data (IP address, request path, response status) for operational purposes. These logs are retained in accordance with Railway's own data retention policy.

9. Children

Synfliq is a professional B2B service not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us at info@synfliq.com and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email at least 14 days before the changes take effect.

Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.

11. Contact

Synfliq BV
KvK: 59274778
Netherlands
info@synfliq.com

For privacy-related requests or questions about this policy, please email us directly. We aim to respond within 5 business days.