SYNERGIK PRIVACY POLICY

1. Introduction and scope

1.1. Purpose of this Privacy Policy

This Privacy Policy explains how Synergik collects, uses, discloses, stores, protects and otherwise processes personal data in connection with the Website, Synergik accounts, workspaces, dashboards, subdomains, Synergik Platforms, Products, Services, Deliverables, communications, payments, professional services, provider services and related activities.

This Privacy Policy is intended to provide transparent information to Website visitors, Clients, account users, authorised users, founders, shareholders, directors, managers, beneficial owners, representatives, personnel, service providers and other natural persons whose personal data may be processed through or in connection with Synergik.

1.2. Synergik as an ecosystem

Synergik is the brand used for an online business, legal, regulatory, compliance and technology services ecosystem. The Website at synergik.io operates as a common entry point and brand gateway. Certain services may be accessed through separate subdomains, workspaces, dashboards or platform environments.

Synergik may include, without limitation, company incorporation workflows, licensing and regulatory workflows, legal and advisory services, compliance services, vISO-related services, pentesting-related services, training services, payment-related and card-related provider access, document-generation services, document-review workflows, automated processing and third-party provider integrations.

Use Cases

Please take a moment to understand which use case(s) set out in this Privacy Policy apply to you:

Website Visitor

You are a “Website Visitor” by definition when you visit our website and any other eventual subdomains associated with our principal domain. When you are a Website Visitor, we use statistical information about your navigation for our own purposes, primarily to improve the use of our website and to provide you with more relevant content.

User

You become a “User” if you contact us in order to benefit from our services. If you are a User, our primary purpose in using your personal data is to provide the services to you. We retain your personal information for a limited time and for limited purposes, such as to make it easier for you to re-join our service in the future or to send you offers for services that we think you may be interested in.

1.3. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed in connection with:

  • the Website and all Synergik subdomains;
  • account creation, login, authentication and account administration;
  • workspaces, dashboards, matter files, service files and user permissions;
  • company incorporation, licensing, compliance, advisory and professional-service workflows;
  • uploaded documents, evidence files, questionnaires, forms and communications;
  • generated documents, reports, summaries, classifications and other outputs;
  • billing, payments, invoicing, accounting and tax records;
  • support, complaints, legal notices and service communications;
  • provider onboarding, KYC, KYB, AML, sanctions, fraud, risk and security checks;
  • cookies, analytics, security logs, audit logs and platform activity logs;
  • AI-assisted, automated and document-processing functionality made available through Synergik.

1.4. When another privacy notice may also apply

Platform-Specific Terms, provider terms, professional engagement terms, regulated-provider terms or separate privacy notices may apply to particular Products or Services. Where a third-party provider, Professional Service Provider or regulated provider acts as an independent controller, that provider is responsible for its own privacy notices and data protection compliance.

1.5. If you do not agree

If you do not agree with this Privacy Policy, you should not create a Synergik account, access a Synergik Platform, upload Client Content, request Products or Services, submit information, accept a Service Order, or otherwise use the Synergik ecosystem.

2. Controller identity and contact details

2.1. Controller

Unless otherwise stated in this Privacy Policy, the controller for the processing of personal data described in this Privacy Policy is Carstoiu Remus Cosmin Legal Office, registered in Romania under no. 20879657, with registered office in Sibiu, Romania.

Synergik is a brand used by the Legal Office. References to Synergik, we, us or our should be read as references to the controller identified above, except where the context identifies another Synergik Party, provider or Professional Service Provider as responsible for a specific processing activity.

2.2. Data protection contact

Data protection requests and questions may be sent to: office@synergik.io.

2.3. Data Protection Officer

Synergik has not appointed a Data Protection Officer as at the effective date of this Privacy Policy, unless a separate notice on the Website states otherwise. If Synergik appoints a Data Protection Officer, the contact details will be published on the Website or otherwise made available through the account or Terms Register.

2.4. Legal Advisor

Where legal services are provided, Carstoiu Remus Cosmin Legal Office, or another lawyer, law firm, legal professional or legal office identified in the applicable engagement, may process personal data in its capacity as a legal professional and, depending on the matter, may act as an independent controller. Legal services may also be subject to professional secrecy, legal confidentiality, conflict-check obligations and legal file-retention rules.

3. Relationship with other Synergik documents

3.1. Documents that may apply

This Privacy Policy should be read together with the Synergik Terms and Conditions, Platform-Specific Terms, the Cookie Policy, the Data Processing Addendum where applicable, the Acceptable Use Policy, the AI and Automation Policy, Service Orders, quotations, professional engagement terms, regulated-provider terms and third-party provider terms.

3.2. Master account model

The Client may accept the Synergik Terms and incorporated documents at account creation. This Privacy Policy forms part of the information made available in connection with that account-level acceptance model and applies to the processing of personal data connected with the Synergik ecosystem.

3.3. Processing under a Data Processing Addendum

Where Synergik processes personal data as processor on behalf of a Client, the Data Processing Addendum applies to that processing. In the event of conflict between this Privacy Policy and the Data Processing Addendum in relation to processor activities, the Data Processing Addendum prevails for those processor activities.

3.4. Provider terms

Where a provider processes personal data as an independent controller, its own privacy notice and terms may apply. Synergik is not responsible for the independent privacy practices of such providers, except to the extent required by applicable law or expressly agreed in writing.

4. Who this Privacy Policy applies to

4.1. Website visitors

This Privacy Policy applies to persons who visit the Website or any Synergik subdomain, including persons who browse public pages, submit inquiries, access public forms, review service descriptions, use contact forms, interact with cookie banners, or otherwise communicate with Synergik before creating an account.

4.2. Clients and account users

This Privacy Policy applies to Clients, Account Owners, workspace administrators, authorised users, invited users, billing contacts, legal contacts, technical contacts, support contacts and other persons who access or use the Synergik account, workspaces or platforms.

4.3. Persons connected with a Client

This Privacy Policy may apply to persons whose personal data is provided by or on behalf of a Client, including founders, shareholders, beneficial owners, directors, managers, officers, employees, consultants, contractors, representatives, advisers, customers, counterparties, signatories, contact persons and persons named in uploaded documents.

4.4. Provider and professional-service contacts

This Privacy Policy may apply to persons acting for third-party providers, Professional Service Providers, regulated providers, corporate service providers, payment providers, card issuers, banks, consultants, trainers, technical providers and other service providers connected with Synergik.

4.5. California and other non-EEA individuals

Where local privacy laws apply to a person outside the European Economic Area, including certain California or United States residents, additional rights or disclosures may apply to the extent required by applicable law. Section 23 and Annex 1 contain the principal transparency information that applies generally, subject to local law.

5. Our role under data protection law

5.1. Controller activities

Synergik generally acts as controller where it determines the purposes and means of processing personal data for its own operations. This includes account registration, authentication, billing, support, service administration, marketing, security, compliance, fraud prevention, legal records, platform administration and enforcement of the Terms.

5.2. Processor activities

Synergik may act as processor where it processes personal data on behalf of a Client and in accordance with the Client’s documented instructions. This may include processing of Client Content, uploaded documents, workspace data, evidence files, forms, questionnaires and project materials submitted by a business Client for the purpose of receiving Products or Services.

5.3. Legal Advisor and Professional Service Providers

Legal Advisors and Professional Service Providers may act as independent controllers where they determine the purposes and means of processing required for professional services, legal engagements, conflict checks, file management, professional obligations, insurance, compliance, legal claims and record retention.

5.4. Independent providers

Third-party providers and regulated providers may act as independent controllers. This may apply to payment institutions, electronic money institutions, banks, card issuers, incorporation providers, corporate services providers, identity verification providers, KYC/KYB providers, AML/sanctions screening providers, public registries, regulators, authorities, accountants, auditors, notaries, translators and other providers.

5.5. Joint controller situations

In limited circumstances, Synergik and another party may jointly determine the purposes and means of processing. Where joint controllership applies and applicable law requires a joint-controller arrangement, Synergik and the other controller will determine their respective responsibilities and make the essence of the arrangement available where required.

5.6. Client responsibility where Synergik acts as processor

Where Synergik acts as processor, the Client remains responsible for determining the lawful basis, providing notices, responding to data subject requests where applicable, ensuring the accuracy and relevance of personal data, and ensuring that personal data provided to Synergik may lawfully be processed for the requested Products or Services.

6. Categories of data subjects

6.1. Data subjects whose data may be processed

Personal data processed through Synergik may relate to:

  • Website visitors and persons submitting inquiries;
  • Clients, Account Owners, authorised users and invited users;
  • natural persons creating a business account before incorporation;
  • founders, promoters, shareholders, beneficial owners and controlling persons;
  • directors, managers, officers, authorised representatives and signatories;
  • employees, consultants, contractors and advisers of a Client;
  • customer, supplier, counterparty or partner contacts named in Client Content;
  • lawyers, compliance consultants, trainers, technical providers and other Professional Service Providers;
  • payment, card, banking, incorporation, KYC/KYB and regulated-provider personnel;
  • persons named in uploaded documents, contracts, corporate records, policies, compliance files, evidence or submissions.

6.2. No unnecessary personal data

The Client should provide only personal data that is relevant and necessary for the applicable Product, Service, account, workspace, provider process or professional engagement.

7. Categories of personal data processed

7.1. Account and identity data

We may process name, email address, phone number, username, user ID, password hash, authentication information, role, permissions, account status, workspace membership, invitation records and account activity records.

7.2. Business and corporate data

We may process business name, company name, registration number, registered office, head office, tax details, VAT number, group structure, ownership and control information, shareholder information, UBO information, director and manager information, constitutional documents, corporate certificates and business-contact information.

7.3. Legal, regulatory and compliance data

We may process matter information, legal instructions, regulatory status, licence information, business model, policies, procedures, governance information, risk-management information, compliance files, regulatory submissions, due diligence information, evidence files, correspondence and professional-service records.

7.4. KYC, KYB, AML, sanctions and fraud data

Where required, we may process identity documents, company documents, beneficial ownership information, source-of-funds information, source-of-wealth information, adverse media information, sanctions screening results, AML risk information, fraud-risk indicators, provider due diligence and related verification data.

7.5. Uploaded documents and Client Content

We may process documents, files, forms, questionnaires, policies, agreements, reports, certificates, IDs, corporate records, business plans, white papers, token documentation, technical documentation, compliance materials, evidence files, screenshots, emails and other Client Content uploaded or submitted through Synergik.

7.6. Automated processing data

We may process prompts, instructions, generated documents, automated reports, extracted facts, classifications, summaries, missing-item lists, risk flags, workflow outputs, AI-assisted responses, document-processing metadata, review status and related audit logs.

7.7. Billing and transaction data

We may process billing contact details, invoicing details, transaction references, payment status, invoice records, tax records, payment method metadata, crypto payment transaction hashes, stablecoin payment information, card payment status and payment processor information. Synergik does not intentionally store full payment card numbers where a payment processor processes the transaction.

7.8. Technical, usage and security data

We may process IP address, device information, browser type, operating system, referral source, date and time of access, pages visited, platform actions, session data, log-in records, audit logs, error logs, security logs, cookie identifiers, authentication logs and support diagnostics.

7.9. Communications data

We may process messages, emails, support tickets, complaint records, meeting notes, call records where recorded with notice, legal notices, service communications, provider communications and metadata associated with communications.

8. Sources of personal data

8.1. Data provided directly

We collect personal data directly from you when you visit the Website, create an account, complete a form, submit an inquiry, upload documents, answer questions, configure a workspace, accept a Service Order, communicate with us, make a payment, request support or use a Synergik Platform.

8.2. Data provided by Clients or authorised users

We may receive personal data about other individuals from Clients, Account Owners, authorised users, workspace administrators, representatives, lawyers, consultants, corporate service providers or other persons acting on behalf of a Client.

8.3. Data from providers and public sources

We may receive personal data from Professional Service Providers, regulated providers, incorporation providers, identity verification providers, payment providers, card issuers, banks, public registries, regulators, authorities, sanctions lists, adverse media sources, corporate registers and other lawful sources relevant to the requested Products or Services.

8.4. Data collected automatically

We may collect technical, usage, cookie, security, audit and log data automatically when you access the Website, account, workspace or Synergik Platform.

9. Purposes and lawful bases of processing

9.1. General

We process personal data only where we have a lawful basis under applicable data protection law. Depending on the processing activity, the lawful basis may be performance of a contract, steps taken before entering into a contract, compliance with legal obligations, legitimate interests, consent, protection of vital interests, or another lawful basis recognised by applicable law.

9.2. Contractual necessity

We process personal data where necessary to create and administer accounts, provide access to workspaces, provide Products and Services, perform quotations and Service Orders, deliver legal or advisory services, generate or review documents, provide support, process billing and administer the contractual relationship.

9.3. Legal obligation

We process personal data where necessary to comply with legal, tax, accounting, professional, data protection, regulatory, AML, sanctions, fraud-prevention, security, court, authority, reporting, record-retention or other legal obligations.

9.4. Legitimate interests

We process personal data where necessary for legitimate interests pursued by Synergik or a third party, provided such interests are not overridden by the rights and freedoms of the relevant individual. Legitimate interests may include service administration, platform security, fraud prevention, business operations, support, product improvement, enforcement of rights, defence of claims, provider coordination, professional administration and limited business communications.

9.5. Consent

We may rely on consent for certain processing activities, including non-essential cookies, certain marketing communications, optional disclosures, specific international transfers where no other safeguard applies, or other cases where consent is the appropriate lawful basis. Consent may be withdrawn at any time, without affecting processing carried out before withdrawal.

9.6. Processing table

Annex 1 contains a processing activities table describing the main processing activities, data categories, purposes, lawful bases, recipients and retention approach.

10. Account, workspace and platform processing

10.1. Account creation

We process personal data to create, verify, activate and administer Synergik accounts, including account owner information, authentication information, role information, acceptance records, version records, security logs and workspace association.

10.2. Workspaces and user permissions

We process personal data to create and maintain workspaces, assign roles, manage access permissions, invite users, remove users, track activity, maintain audit logs and restrict access where required.

10.3. Account owner and administrator visibility

Account Owners and workspace administrators may be able to view information about authorised users, workspace activity, documents, service files, billing records, permissions and other account information, depending on the functionality made available and the permissions granted.

10.4. Audit logs

We may record and retain audit logs concerning user access, acceptance, uploads, downloads, changes, submissions, approvals, payments, support requests, provider actions, generated outputs and other material account or workspace activity.

10.5. Account transfer following incorporation

Where a natural person creates an account before incorporation of a company, we may process information required to associate, transfer or update the account, workspace, billing record, provider process or Service Order after incorporation, subject to verification and acceptance by Synergik.

11. Legal and advisory services processing

11.1. Legal and advisory matters

Where legal, consulting, advisory, document-drafting, regulatory, compliance or related professional services are provided, we may process personal data contained in instructions, documents, correspondence, matter files, evidence, drafts, deliverables, invoices, conflict checks and professional records.

11.2. Professional secrecy and legal confidentiality

Personal data processed in connection with legal services may be subject to professional secrecy, legal confidentiality, lawyer-client confidentiality, conflict rules, professional independence requirements and legal file-retention obligations.

11.3. Conflict checks

We may process identity, corporate, matter, counterparty and relationship information for conflict checks, independence checks, professional compliance and risk management.

11.4. Legal file retention

Legal and advisory records may be retained for periods required or permitted by law, professional rules, insurance, accounting, tax, dispute-resolution and legal-claims purposes.

12. Company incorporation processing

12.1. Incorporation workflows

Where company incorporation or corporate services are requested or accessed, personal data may be processed for company formation, corporate structuring, registry filings, registered office arrangements, corporate administration, verification, provider onboarding and related services.

12.2. Persons whose data may be processed

Incorporation processing may include data relating to founders, shareholders, beneficial owners, directors, managers, officers, company secretaries, authorised representatives, registered office contacts and service-provider contacts.

12.3. Providers and authorities

Personal data may be shared with incorporation providers, corporate service providers, public registries, notaries, tax authorities, banks, identity verification providers, KYC/KYB providers and other persons necessary for the incorporation or corporate services process.

13. Licensing, compliance and regulatory processing

13.1. Licensing and regulatory workflows

Where licensing, regulatory, compliance or similar services are requested or accessed, personal data may be processed to assess business status, ownership, control, governance, personnel, policies, procedures, evidence, regulatory perimeter, compliance readiness, provider requirements and documentation requirements.

13.2. Types of information

Processing may include applicant entity information, director and manager information, shareholder and UBO data, key function information, staff profiles, fit-and-proper information, CVs, qualifications, compliance documents, technical documents, risk documents and correspondence with advisers or providers.

13.3. Regulatory and authority use

Where expressly instructed or required for a Product or Service, personal data may be prepared for submission or disclosure to competent authorities, regulators, public registries, banks, providers, advisers or other recipients involved in the relevant matter.

13.4. No unnecessary regulatory data

The Client should not provide data that is not relevant to the applicable licensing, compliance or regulatory workflow. Synergik may request removal, correction or limitation of excessive or irrelevant data.

14. Payment, card and provider onboarding processing

14.1. Payment processing

We process billing and transaction data to issue invoices, collect payments, reconcile payments, manage subscriptions, administer refunds, handle chargebacks, keep accounting records and comply with tax and legal obligations.

14.2. Payment providers

Payment transactions may be processed by third-party payment processors, banks, crypto payment processors or other payment-service providers. Such providers may act as independent controllers or processors depending on their role and terms.

14.3. Card, banking and regulated-provider onboarding

Where the Client requests access to payment processing, card issuing, banking or other regulated-provider services, personal data may be shared with the relevant regulated provider for onboarding, KYC, KYB, AML, sanctions, fraud, risk, transaction monitoring, account administration and service delivery.

14.4. Provider decisions

Regulated providers may independently approve, reject, suspend, monitor or terminate services. Their processing of personal data may be governed by their own privacy notices and legal obligations.

15. AI, automation and document-processing disclosures

15.1. Use of automated systems

Synergik may use automated systems, AI-assisted tools, document-processing tools, extraction tools, classification tools, workflow automation and document-generation systems in connection with Products and Services.

15.2. Purposes

Automated processing may be used for onboarding, document extraction, document classification, evidence organisation, requirement mapping, gap identification, missing-item detection, report generation, document drafting, workflow routing, status tracking, risk flagging, support assistance, quality control, security monitoring and service administration.

15.3. Data processed through automation

Automated systems may process Client Input, uploaded documents, prompts, instructions, forms, questionnaires, extracted text, generated documents, classifications, summaries, reports, audit logs, metadata and review status.

15.4. Human review and legal effect

Automated outputs are support tools and may require Client review, Human Review or professional review. Synergik does not make decisions based solely on automated processing that produce legal or similarly significant effects concerning individuals, unless separately disclosed, legally permitted and subject to applicable safeguards.

15.5. AI and technology providers

Synergik may use third-party technology, cloud, document-processing or AI providers to provide automated functionality. Where such providers process personal data on behalf of Synergik, contractual restrictions and data protection safeguards will apply. Synergik does not permit third-party providers to use Client Content for training general public models unless this is expressly disclosed and a lawful basis applies.

15.6. Client responsibility

The Client is responsible for ensuring that personal data submitted into automated workflows may lawfully be processed and is relevant, accurate and necessary for the requested Product or Service.

16. Cookies and tracking technologies

16.1. General

Synergik may use cookies, local storage, pixels, tags, analytics tools, security tools and similar technologies in connection with the Website and Synergik Platforms.

16.2. Categories of cookies

Cookies may include strictly necessary cookies, authentication cookies, security cookies, preference cookies, analytics cookies and marketing cookies, where enabled.

16.3. Consent

Strictly necessary cookies may be used without consent where required to provide the Website or platform. Non-essential cookies, including analytics and marketing cookies where required by law, will be used only where a valid consent or another lawful basis applies.

16.4. Cookie settings

Users may manage cookies through the cookie banner, cookie settings tool, browser settings or other mechanisms made available by Synergik. Blocking cookies may affect certain Website or platform functions.

16.5. Cookie table

Annex 3 contains a summary cookie table. The actual cookies, providers and durations may be updated through the Website or cookie settings tool.

17. Marketing and communications

17.1. Service communications

Synergik may send account, operational, security, legal, billing, support, service, provider, platform and administrative communications where necessary for the operation of the Synergik ecosystem, performance of Products and Services, legal compliance or protection of rights.

17.2. Marketing communications

Synergik may send marketing communications where permitted by applicable law. This may include information about Synergik services, updates, events, offers, platform developments or related professional services.

17.3. Consent and opt-out

Where consent is required for marketing, Synergik will request consent. Where marketing is based on legitimate interests or a soft opt-in permitted by law, users may opt out at any time. Opting out of marketing does not affect service, legal, billing, security or account communications.

17.4. Retargeting and advertising

Where Synergik uses advertising or retargeting technologies, such processing will be disclosed through the cookie banner, Cookie Policy or relevant notice, and consent will be obtained where required.

18. Sharing personal data with Synergik Parties and providers

18.1. General

We may disclose personal data where reasonably necessary for the purposes described in this Privacy Policy, the Terms, Platform-Specific Terms, Service Orders, professional engagements, provider terms or applicable law.

18.2. Categories of recipients

Personal data may be shared with Synergik Parties, internal users, Legal Advisors, Professional Service Providers, regulated providers, third-party providers, cloud and hosting providers, support providers, payment processors, identity verification providers, KYC/KYB providers, AML and sanctions providers, incorporation providers, corporate services providers, banks, card issuers, payment institutions, auditors, accountants, tax advisers, public authorities, courts, regulators and other recipients required for the relevant Product or Service.

18.3. Disclosures required by law

We may disclose personal data where required or permitted by applicable law, court order, regulator request, public authority request, professional rule, provider obligation, security requirement, dispute-resolution need or enforcement of legal rights.

18.4. Client authorised disclosures

We may disclose personal data to persons authorised by the Client, including Account Owners, authorised users, advisers, lawyers, providers, group companies, shareholders, directors, managers or other persons invited or instructed by the Client.

19. Sub-processors and provider categories

19.1. Sub-processors

Where Synergik acts as processor, Synergik may engage sub-processors in accordance with the Data Processing Addendum. Sub-processors may provide hosting, cloud infrastructure, authentication, communications, document processing, storage, analytics, security, support, payment administration, workflow automation and related services.

19.2. Material provider categories

Annex 2 contains categories of providers and sub-processors that may be involved in the Synergik ecosystem. Synergik may maintain a more detailed provider or sub-processor list through the Terms Register, Website or account dashboard.

19.3. Changes

Synergik may add, replace or remove providers and sub-processors where reasonably necessary for service delivery, security, compliance, provider availability, business development or legal reasons, subject to applicable law and the Data Processing Addendum where applicable.

20. International transfers

20.1. General

Personal data may be transferred to, accessed from, stored in or otherwise processed in countries outside the European Economic Area, including where providers, Professional Service Providers, regulated providers, cloud infrastructure, support personnel or technical systems are located outside the EEA.

20.2. Transfer safeguards

Where required, Synergik will use appropriate transfer safeguards, which may include adequacy decisions, Standard Contractual Clauses, transfer impact assessments, supplementary measures, contractual commitments, provider due diligence or another lawful transfer mechanism.

20.3. Article 49 derogations

For exceptional or occasional transfers where no other transfer mechanism is available, Synergik may rely on derogations permitted by applicable data protection law, including explicit consent, performance of a contract, important reasons of public interest, legal claims or other permitted derogations.

20.4. Provider transfers

Independent providers may conduct their own international transfers under their own privacy notices, terms and legal obligations.

21. Data security

21.1. Security measures

Synergik implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful processing.

21.2. Measures may include

access controls and role-based permissions;

authentication controls;

audit logs and activity records;

secure storage and transmission where appropriate;

segregation or logical separation of workspace data;

backup and recovery controls;

provider due diligence;

confidentiality obligations for personnel and providers;

security monitoring and incident response procedures;

least-privilege access principles;

internal restrictions on access to Client files and professional materials.

21.3. Client responsibility

The Client is responsible for protecting its own devices, systems, networks, credentials, authorised users, email accounts and internal access arrangements. The Client must promptly notify Synergik of suspected credential compromise, unauthorised access or security incidents affecting the account or workspace.

21.4. No absolute security guarantee

No system can be guaranteed to be completely secure. Synergik does not warrant that the Website, account, workspace or Synergik Platforms will be free from all security risks, defects, attacks or interruptions.

22. Data retention

22.1. General retention principle

Synergik retains personal data for as long as reasonably necessary for the purposes for which it was collected, including account administration, service delivery, legal, regulatory, professional, accounting, tax, audit, security, dispute-resolution, insurance, provider, compliance and enforcement purposes.

22.2. Retention criteria

Retention periods may depend on the type of data, account status, Product or Service, legal obligations, professional file-retention obligations, provider obligations, limitation periods, accounting and tax rules, security requirements, regulatory requirements and the need to establish, exercise or defend legal claims.

22.3. Retention schedule

Annex 4 contains an indicative retention schedule. Specific retention periods may be adjusted where required by law, professional rules, provider requirements, litigation, investigations, audits, security incidents, disputes or legitimate business needs.

22.4. Deletion, anonymisation and archival

When personal data is no longer required, Synergik may delete, anonymise, archive or restrict access to it in accordance with applicable law, professional obligations, the Terms and internal retention rules.

23. Data subject rights

23.1. Rights under GDPR and similar laws

Subject to applicable law and legal conditions, individuals may have the right to be informed, access personal data, request rectification, request erasure, request restriction of processing, object to processing, request data portability, withdraw consent where processing is based on consent, and not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

Synergik would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

  • The right to be informed – You have the right to be informed about the personal data we collect from you, and how we process it.
  • The right to access – You have the right to request copies of your personal data from Synergik. We may charge you a small fee for this service.
  • The right to rectification – You have the right to request that Synergik correct any information you believe is inaccurate. You also have the right to request that Synergik complete any information you believe is incomplete.
  • The right to erasure – You have the right to request that Synergik erase your personal data, under certain conditions.
  • The right to restrict processing – You have the right to request that Synergik restrict the processing of your personal data, under certain conditions.
  • The right to object to processing – You have the right to object to Synergik’s processing of your personal data, under certain conditions.
  • The right to data portability – You have the right to request that Synergik transfer the data that we have collected to another company, or directly to you, under certain conditions.

23.2. How to exercise rights

Requests may be sent to office@synergik.io. Synergik may require information necessary to verify identity, locate the data and assess the request.

23.3. Response period

Synergik will respond to data subject requests within the period required by applicable law. Under GDPR, this is generally one month from receipt of the request, subject to lawful extension where the request is complex or multiple requests are made.

23.4. Requests where Synergik acts as processor

Where Synergik processes personal data as processor on behalf of a Client, Synergik may refer the request to the Client or handle it in accordance with the Data Processing Addendum.

23.5. Limitations

Data subject rights may be limited where necessary or permitted for legal obligations, professional secrecy, legal confidentiality, legal claims, security, fraud prevention, protection of third-party rights, provider obligations, public interest, regulatory obligations, court orders, tax and accounting obligations or other lawful reasons.

23.6. California and US privacy rights

Where California privacy law applies to Synergik and to the relevant individual, California residents may have rights to know, access, correct, delete, opt out of sale or sharing of personal information, limit use of sensitive personal information where applicable, and not be discriminated against for exercising privacy rights. Synergik does not sell personal data in the ordinary sense of exchanging it for money. If Synergik engages in any activity that qualifies as sale or sharing under applicable California law, Synergik will provide the required notice and opt-out mechanism.

23.7. Authorised agents

Where applicable law permits an authorised agent to act for an individual, Synergik may require proof of authorisation and verification of identity before acting on the request.

24. Complaints and supervisory authority

24.1. Contact Synergik first

Individuals are encouraged to contact Synergik at office@synergik.io if they have questions or concerns about the processing of personal data.

24.2. Supervisory authority

Individuals located in Romania or whose data protection rights are affected by processing under Romanian jurisdiction may contact the Romanian National Supervisory Authority for Personal Data Processing, known as ANSPDCP.

24.3. ANSPDCP contact details

ANSPDCP can be contacted at 28-30 G-ral Gheorghe Magheru Blvd., District 1, 010336, Bucharest, Romania. General email: anspdcp@dataprotection.ro. Website: www.dataprotection.ro.

24.4. Other supervisory authorities

Where another supervisory authority is competent under applicable law, the individual may lodge a complaint with that authority.

25. Client responsibility for third-party personal data

25.1. Data provided about others

The Client may provide personal data about other persons where necessary for the requested Product or Service, including data about directors, managers, shareholders, beneficial owners, founders, employees, consultants, representatives, advisers, customers, counterparties and providers.

25.2. Client obligations

Before providing such personal data, the Client must ensure that it has a lawful basis, has provided required notices, has obtained required consents where consent is relied upon, has authority to disclose the data, and does not provide excessive or irrelevant data.

25.3. Assistance

The Client shall cooperate with Synergik in relation to data subject requests, corrections, deletion requests, provider requirements, regulator requests or other privacy matters involving personal data supplied by or on behalf of the Client.

26. Professional secrecy, legal confidentiality and file retention

26.1. Legal services

Where personal data is processed in connection with legal services, the processing may be subject to professional secrecy, legal confidentiality, conflict rules, professional independence duties and legal file-retention requirements.

26.2. Restrictions on disclosure and deletion

Synergik or the Legal Advisor may be unable to disclose, delete, return or restrict certain information where doing so would breach professional obligations, legal file-retention rules, court duties, regulatory obligations, conflict-check requirements, insurance obligations or the need to establish, exercise or defend legal claims.

26.3. Confidential client files

Access to legal and advisory files may be restricted to the Legal Advisor, authorised personnel and persons necessary for the agreed professional service, subject to confidentiality and professional obligations.

27. Children and minors

27.1. Business-use platform

Synergik is intended for business, professional, commercial, incorporation, licensing, compliance, advisory and related purposes. It is not intended for children.

27.2. No intentional collection from children

Synergik does not knowingly collect personal data from children for the purpose of providing direct services to them. If Synergik becomes aware that a child has created an account or provided personal data without appropriate authority, Synergik may delete or restrict the data and account, subject to applicable law.

27.3. Minors named in documents

Where personal data concerning minors appears in Client Content, the Client is responsible for ensuring that such data may lawfully be provided and processed.

28. Changes to this Privacy Policy

28.1. Updates

Synergik may update this Privacy Policy from time to time to reflect changes in law, platform functionality, Products, Services, provider arrangements, professional obligations, security practices, data processing activities or business operations.

28.2. Notice

Updated versions may be made available through the Website, account dashboard, Terms Register, email notice, platform notice, cookie banner or other reasonable means.

28.3. Continued use

Continued use of the Website, account, workspace, Synergik Platform, Product or Service after the updated Privacy Policy becomes effective may be treated as acknowledgement of the updated Policy, subject to mandatory law and any consent requirements applicable to specific processing activities.

29. Contact details

29.1. Privacy requests

Privacy requests, questions or complaints may be sent to: office@synergik.io.

29.2. Controller address

Carstoiu Remus Cosmin Legal Office, registered in Romania under no. 20879657, with registered office in Sibiu, Romania.

29.3. Response

Synergik will assess privacy requests in accordance with applicable law, this Privacy Policy, the Data Processing Addendum where applicable, professional obligations and provider obligations.

Annex 1. Processing activities table

This table summarises the main processing activities. It is not exhaustive and should be read together with the main body of this Privacy Policy.

Processing activity | Personal data | Purpose | Lawful basis | Recipients | Retention approach
Website browsing | IP address, device, browser, pages, cookies | Provide Website, security, analytics where enabled | Legitimate interests, consent for non-essential cookies | Hosting, analytics, security providers | Cookie duration or short operational retention
Account creation and login | Name, email, credentials, role, acceptance records | Create account, authenticate users, administer access | Contract, legitimate interests | Hosting, authentication, support providers | Account life plus legal retention period
Workspace administration | User roles, permissions, activity, documents, audit logs | Manage workspaces, permissions, service files and audit trail | Contract, legitimate interests | Synergik users, authorised Client users, providers as needed | Account/workspace life plus legal retention period
Legal and advisory services | Instructions, documents, communications, matter files, personal data in files | Provide legal, consulting, advisory and document services | Contract, legal obligation, legitimate interests | Legal Advisor, lawyers, consultants, authorities where required | Professional file-retention period and claims period
Company incorporation | Founder, shareholder, UBO, director, corporate and identity data | Company formation, provider onboarding, registry processes | Contract, legal obligation, legitimate interests | Incorporation providers, registries, notaries, KYC/KYB providers | Service period plus legal, provider and claims retention
Licensing and compliance workflows | Corporate, governance, ownership, personnel, compliance, regulatory and evidence data | Licensing support, compliance assessment, document preparation, provider coordination | Contract, legal obligation, legitimate interests | Professional providers, regulators, authorities, service providers where required | Matter life plus legal, professional and regulatory retention
KYC, KYB, AML and sanctions | Identity, ownership, source of funds, sanctions, adverse media, risk data | Verification, compliance, fraud prevention, provider onboarding | Legal obligation, legitimate interests | Screening providers, regulated providers, authorities where required | As required by law/provider rules and claims retention
Payments and invoicing | Billing details, invoices, payment status, transaction references, tax data | Collect fees, issue invoices, process refunds, accounting and tax compliance | Contract, legal obligation, legitimate interests | Payment processors, banks, accountants, tax advisers | Accounting/tax period and claims retention
AI and automated processing | Prompts, documents, extracted data, classifications, generated outputs, logs | Document processing, drafting, summarisation, gap analysis, workflow support | Contract, legitimate interests, legal obligation where applicable | Technology, cloud, AI/document-processing providers | Service life plus audit/legal retention
Support and complaints | Communications, tickets, account details, issue information | Respond to requests, resolve issues, handle complaints | Contract, legitimate interests, legal obligation | Support providers, relevant Synergik users, providers as needed | Issue life plus claims and legal retention
Marketing | Contact details, preferences, engagement data | Send permitted marketing and updates | Consent or legitimate interests depending on channel and law | Email, CRM, analytics providers | Until opt-out or inactivity period
Security and fraud prevention | Logs, IP, device, activity, risk indicators, incident records | Protect systems, investigate abuse, prevent fraud and unlawful use | Legitimate interests, legal obligation | Security providers, hosting providers, authorities where required | Security retention period, longer if incident or claim

Annex 2. Provider and sub-processor categories

Provider category | Role in the Synergik ecosystem | Likely data protection role
Hosting and infrastructure providers | Host application, databases, storage, backups and platform infrastructure | Processor or sub-processor
Authentication and security providers | Authentication, access control, monitoring, incident response and security tooling | Processor or independent controller depending on service
Document-processing and automation providers | OCR, extraction, document processing, automated output generation and workflow support | Processor or sub-processor where used by Synergik
AI and technology providers | Support automated workflows, classification, summarisation and document generation | Processor or sub-processor unless otherwise disclosed
Email, communications and support providers | Email delivery, support tickets, notifications and service communications | Processor or sub-processor
Analytics and cookie providers | Website analytics, performance, diagnostics and, where enabled, marketing analytics | Processor, independent controller or joint controller depending on tool
Payment processors and banks | Payment processing, reconciliation, refunds, chargebacks and anti-fraud controls | Independent controller or processor depending on provider
KYC, KYB, AML, sanctions and fraud providers | Identity verification, business verification, screening and risk checks | Independent controller or processor depending on provider
Incorporation and corporate service providers | Company formation, registered office, corporate administration and filings | Independent controller or processor depending on provider
Professional Service Providers | Legal, compliance, technical, training, vISO, pentesting and advisory services | Independent controller or processor depending on engagement
Regulated providers | Payment, card, banking, financial-sector or regulated provider services | Independent controller
Public authorities and registries | Regulatory, public authority, registry, court or official filings and communications | Independent authority/controller

Synergik may maintain a more detailed provider or sub-processor list through the Terms Register, Website, account dashboard or other appropriate notice mechanism. Provider names may change over time due to availability, security, commercial, legal or operational reasons.

Annex 3. Cookie table

Cookie category | Purpose | Legal basis | Typical retention
Strictly necessary cookies | Enable core Website and platform functions, login, session management, security and load balancing | Contract, legitimate interests, strictly necessary exemption where applicable | Session or short duration unless required longer for security
Authentication cookies | Keep users signed in and authenticate account access | Contract, legitimate interests | Session or account/session duration
Security cookies | Detect abuse, protect accounts, prevent fraud and secure the Website or platform | Legitimate interests, legal obligation where applicable | Short to medium security retention
Preference cookies | Remember language, region, interface or consent choices | Consent or legitimate interests depending on jurisdiction and cookie | As specified in cookie settings
Analytics cookies | Measure use, errors, performance and service improvement | Consent where required, legitimate interests where permitted | As specified in cookie settings
Marketing cookies | Advertising, retargeting and campaign measurement where enabled | Consent where required | As specified in cookie settings

The actual cookies, provider names, durations and consent settings may be made available through the cookie banner or cookie settings tool. Users may manage non-essential cookies through the tools made available by Synergik and through browser settings.

Annex 4. Retention schedule

Data category | Retention approach
Account registration and user data | For the account life, then for a reasonable legal and claims retention period
Acceptance records, audit logs and version records | For as long as necessary to evidence contractual acceptance, security, compliance and legal claims
Workspace and matter data | For the service life, then for legal, professional, regulatory and claims retention periods
Legal and advisory files | For the period required or permitted by professional rules, legal claims, insurance, tax and accounting obligations
Billing, invoice and tax records | For the period required by accounting, tax and audit laws
KYC, KYB, AML, sanctions and fraud records | For the period required by law, provider rules and financial-crime compliance obligations
Uploaded Client Content | For the service life and applicable retention period, unless deletion is requested and lawful
Generated documents and reports | For the service life and legal, professional, audit, claims and evidence retention periods
Support tickets and complaints | For the life of the issue and a reasonable claims and quality-control period
Security logs and incident records | For the period necessary for security, investigations, prevention and legal claims
Marketing data | Until opt-out, withdrawal of consent, inactivity expiry or deletion under applicable law
Cookie data | For the duration specified in the cookie table or cookie settings tool
Provider records | According to provider terms, legal obligations and Synergik’s own retention needs

Retention may be extended where necessary for legal claims, disputes, audits, investigations, security incidents, professional obligations, regulatory requirements, provider obligations, court orders, public authority requests or other lawful reasons.