Privacy policy

Last updated: May 2026

The Romanian-language version will be available soon.

We try to keep this readable. SynChain is operated by DoroLabs-Core S.R.L., a small Romanian company. This page explains what data we collect, why, who we share it with, and what you can do about it. If anything below is unclear, write to hello@synchain.eu and a human will read the message.

1. Who we are

SynChain is a product operated by DoroLabs-Core S.R.L., a limited liability company registered in Romania.

  • Legal name: DOROLABS-CORE S.R.L.
  • Trading as: SynChain
  • CUI: 53958730
  • Reg. Com.: J2026010438000
  • Registered address: Str. Alexandru Ioan Cuza, Nr. 120, Poiana Mare, Jud. Dolj, România
  • Contact for data protection matters: hello@synchain.eu

DoroLabs-Core S.R.L. is the data controller for personal data processed via SynChain (account holders, billing contacts, contact-form submitters), except for tenant business data uploaded by customers, where DoroLabs-Core S.R.L. acts as data processor and the customer organisation is the controller. A separate Data Processing Agreement (DPA) governs that relationship and is available on request.

2. What data we collect

We collect three honest buckets of data:

When you sign up and use SynChain

  • Your corporate email address (used as account identifier).
  • Your full name and company name.
  • Your IP address (logged in security and audit logs).
  • Session cookie identifiers (so we can keep you signed in).
  • Billing contact details when we issue an invoice (name, company, VAT ID, address).

When you use the product

  • KPI values, cascade content, assessment transcripts, custom KPI proposals.
  • CSV uploads.
  • Free-text inputs you provide to our AI agents (problems, context, strategy text).

This is tenant business data. We process it on behalf of the customer organisation under the DPA. Personal data inside that business data (your employees' names, email addresses, performance figures) is governed by your organisation's own privacy policy.

When you contact us

  • Email content, your name, and any attachments you send.

3. Why we collect it

Each category of processing rests on a legal basis under Article 6(1) of the GDPR:

  • Contract performance (Art. 6(1)(b)) — running your account, delivering the service, billing.
  • Legal obligation (Art. 6(1)(c)) — issuing and retaining invoices under Romanian tax law (Codul Fiscal art. 25 requires 10-year retention of accounting records).
  • Legitimate interest (Art. 6(1)(f)) — security logging, abuse prevention, and product error monitoring (via Sentry, error events only).
  • Consent (Art. 6(1)(a)) — only used for optional analytics cookies (see §7). We do not currently send marketing emails. If we change that, we will ask first.

4. Who we share it with

We use a short list of named subprocessors. Each is bound by a written agreement including Standard Contractual Clauses (SCCs) where the transfer leaves the EEA:

  • Anthropic, PBC (United States) — LLM inference for our cascade and diagnostic agents. SCCs in place via Anthropic's commercial DPA. Anthropic does not train its models on customer inputs sent through the commercial API.
  • Voyage AI (United States) — text embeddings for KPI retrieval and tenant memory. SCCs in place.
  • Resend (United States) — transactional email delivery (welcome, invoice, payment confirmation, password reset). SCCs in place.
  • Sentry GmbH (Germany, EU region) — application error tracking. No data transfer outside the EU. Error events only — tracing and session replay are disabled.
  • Hetzner Online GmbH (Germany / Finland) — VPS hosting, host Postgres database, application runtime. No data transfer outside the EU.
  • Cloudflare, Inc. (United States HQ, EU-routable) — DNS, TLS termination at the edge, inbound email routing. SCCs in place via Cloudflare's DPA.
  • Google Ireland Limited (Ireland; onward transfer to Google LLC in the United States under SCCs) — Google Analytics 4 and Google Consent Mode, loaded only after you accept analytics cookies. IP anonymisation is enabled.

We will not share your data with any other party except where compelled by a court order, a tax authority, or another legal obligation we cannot refuse. If that ever happens we will tell you, unless the order itself forbids it.

5. AI-generated content and automated decisions

SynChain uses Anthropic Claude to generate recommendations: KPI suggestions, problem reframings, strategy options, and initiative proposals. These are decision-support outputs intended to help your team think. The human user remains the decision-maker at every step.

We do not make fully automated decisions that produce legal or similarly significant effects on you, within the meaning of Article 22 GDPR. The inputs to the LLM may include the free-text and KPI data described in §2. Anthropic does not train on data sent through the commercial API used by SynChain — see Anthropic's commercial terms.

6. Your rights under GDPR

You have the following rights over your personal data:

  • Access — ask us what data we hold about you.
  • Rectification — ask us to correct anything that's wrong.
  • Erasure — ask us to delete your data (subject to legal retention obligations like invoice law).
  • Restriction — ask us to stop processing while a dispute is resolved.
  • Portability — ask us to give you a copy in a portable, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, with no penalty, for any processing that depends on your consent.

Email hello@synchain.eu to exercise any of these. We will respond within 30 days. Account holders can also export and delete their own data directly from Settings → Reset account.

If you believe we are not handling your data correctly, you have the right to complain to the Romanian data protection authority, ANSPDCP.

7. Cookies & tracking

SynChain uses two categories of cookies. Honestly described:

Strictly necessary (always on)

  • authjs.session-token (or __Secure-authjs.session-token in production) — keeps you signed in. Set by Auth.js, our authentication library.
  • A CSRF token cookie — protects form submissions against cross-site request forgery.
  • sae-theme — remembers your light/dark theme choice.
  • sae-cookie-consent and sae-cookie-analytics — record your consent choice (set after you interact with the banner described below).

Analytics (only with your consent)

The marketing surface (this site, including the homepage, pricing, and how-it-works pages) uses Google Analytics 4 with Google Consent Mode v2 to understand how visitors find and use the public pages. Analytics cookies and the gtag.js script are only loaded after you explicitly accept analytics via our cookie banner. If you reject, no analytics data is collected and the gtag.js script is never downloaded. IP addresses are anonymised. You can change your choice at any time from the “Cookie settings” link in the footer.

The application surface (everything behind sign-in) loads no analytics scripts at all — only error monitoring via Sentry, which is described in §4.

8. How long we keep it

  • Contact form / inbound inquiry emails: 24 months.
  • Account data while your tenant is active: for the lifetime of the engagement.
  • Account and tenant data after you delete your account (via Settings → Reset account): a 30-day soft-delete window, then permanent purge.
  • Invoices and billing records: 10 years (Romanian Codul Fiscal art. 25).
  • Application error logs (Sentry): 90 days, then auto-purged.
  • VPS access logs (nginx, Hetzner): 14 days, then auto-rotated.
  • LLM call audit logs (used for cost reconciliation): 24 months.

9. Contact us about this policy

Questions, complaints, or rights requests go to hello@synchain.eu. A human will read the message.
