Privacy Policy
This Policy explains what data Sycrion processes, why, on what legal basis, with whom we share it, and what rights you have. It is GDPR-aligned and applies to all visitors and customers of the Sycrion Service.
Who we are (data controller)
The Sycrion Service is operated by [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS], company number [REG. NUMBER], VAT [VAT NUMBER] (“Sycrion”, “we”, “us”).
For visitors of our website, registered users and paying customers we act as the data controller. When we process personal data that you submit on behalf of your own end-users or employees (e.g. emails checked against a breach database) we act as data processor under our Data Processing Addendum.
You can contact us at any time about this Policy at privacy@sycrion.com. Our EU representative (if applicable) is [EU REP NAME / ADDRESS].
What we collect and why
We collect only what we need to provide and improve the Service:
- Account data. Name, business email, password hash, role, organisation and time zone. Used to authenticate you and operate your account. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- Billing data. Billing address, VAT number, plan, invoice history. Card details never touch our servers — they are processed directly by our payment provider, currently [PAYMENT PROCESSOR — e.g. Stripe]. Legal basis: performance of contract and legal obligation (tax).
- Scan data. Targets you submit (domains, IPs, subdomains), scan configuration, the raw output of our scanner modules, threat-intelligence matches, AI-generated reports, evidence files and curl reproducers. Legal basis: performance of contract.
- Threat-intelligence personal data. When we match your domain against breach corpora we briefly process exposed emails, hashed passwords and similar artefacts. We never store credentials in plaintext and we never attempt to authenticate using them. Legal basis: legitimate interest in operating a security service (Art. 6(1)(f) GDPR), balanced by minimisation and pseudonymisation.
- Product telemetry. Anonymous page views, feature usage, performance and error logs. We do not use third-party advertising trackers. Legal basis: consent (where required by ePrivacy law) or legitimate interest.
- Communications. Emails you send to support, sales or legal, and our replies. Retained as long as needed to handle your request and for our legal records.
How we use the data
- To operate the Service, run scans, generate reports and send alerts.
- To bill you and meet tax / accounting obligations.
- To detect, prevent and respond to abuse, fraud and security incidents.
- To improve detection logic and reporting quality, using de-identified, aggregated data only.
- To communicate with you about your account, service changes, security advisories and (if you opted in) product updates.
- To comply with legal obligations and respond to lawful requests from authorities.
We do not sell personal data, do not share it for third-party advertising, and do not use your scan outputs to train publicly available AI models.
Sub-processors
To deliver the Service we rely on a small number of carefully selected sub-processors. Each is bound by a written data-processing agreement with confidentiality, security and EU Standard Contractual Clauses where required:
- Hosting & compute. [HOSTING PROVIDER — e.g. Vercel, AWS] — EU regions.
- Database & storage. [DATABASE PROVIDER] — EU regions.
- Payments. [PAYMENT PROCESSOR].
- Email delivery. [EMAIL PROVIDER].
- AI providers. Anthropic (Claude), DeepSeek, OpenRouter, Google (Gemini), Groq, xAI (Grok) — used only to interpret scan output. Prompts are configured to disable training on customer data where the provider offers that option.
- Threat-intelligence feeds. Nuclei community templates, NVD / MITRE CVE database, breach-aggregation feeds.
- Error & uptime monitoring. [MONITORING PROVIDER].
The current sub-processor list is available on request from privacy@sycrion.com. We give at least thirty (30) days’ notice before adding a new sub-processor; you may object on reasonable data-protection grounds.
International transfers
The Service is built in the EU and we keep customer data in the EU/EEA by default. Where a sub-processor processes data outside the EEA we rely on:
- An adequacy decision of the European Commission, or
- The 2021 EU Standard Contractual Clauses, plus supplementary technical measures (encryption in transit and at rest, minimisation, access logging), and where relevant the EU–US Data Privacy Framework certification of the recipient.
How long we keep data
- Account data: while your account is active, plus up to 12 months for re-activation.
- Scan reports & evidence: 24 months by default; you can delete them earlier from the dashboard.
- Billing & tax records: as required by tax law (typically 7–10 years).
- Telemetry logs: 90 days, then aggregated and irreversibly anonymised.
- Support correspondence: 24 months after resolution.
When the retention period ends we delete or irreversibly anonymise the data. Backups are purged on a rolling 35-day cycle.
Your rights
Subject to applicable law (GDPR, UK GDPR, Swiss FADP and equivalents) you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase data (“right to be forgotten”), where the legal basis allows;
- Restrict or object to processing based on legitimate interest;
- Receive your data in a portable format;
- Withdraw consent at any time, without affecting the lawfulness of prior processing;
- Lodge a complaint with your local data-protection authority. Our lead supervisory authority is [LEAD DPA NAME].
To exercise any of these rights, email privacy@sycrion.com. We respond within thirty (30) days. We may ask for proof of identity to prevent unauthorised disclosure.
Security
We protect data with measures appropriate to the risk: TLS 1.2+ in transit, AES-256 at rest, scoped access controls, audited admin actions, hardened cloud infrastructure, secrets management, isolated scan workers, automated dependency scanning and routine penetration testing.
No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify you and the competent authority without undue delay and, where feasible, within 72 hours, in line with Art. 33–34 GDPR.
Cookies & similar technologies
We use only strictly necessary cookies (authentication, CSRF protection, load-balancing) and, with your consent, anonymous analytics cookies that help us understand how the product is used. We do not place advertising cookies or cross-site trackers.
You can manage cookie preferences at any time from the banner displayed on first visit or by clearing them from your browser. Refusing optional cookies will not break the Service.
Automated decision-making & AI
The Service uses automated processing (including large language models) to interpret scan output and produce business-language verdicts. These outputs are decision-support; they do not produce legal effects for individuals and are not used to evaluate credit, employment, insurance or similar high-stakes decisions about natural persons.
You may at any time request a human review of any verdict generated about your assets by emailing privacy@sycrion.com.
Children
The Service is intended for businesses and IT professionals. It is not directed to children under sixteen (16) and we do not knowingly collect their personal data. If you believe a child has provided us data, contact privacy@sycrion.com and we will delete it promptly.
Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email or in-product banner at least thirty (30) days before they take effect. The “Effective” date at the top of this page indicates the latest version. Continued use after the effective date constitutes acceptance.
Contact
Privacy enquiries: privacy@sycrion.com
Security incidents: security@sycrion.com
Postal address: [REGISTERED ADDRESS]