Privacy Policy

Last updated: 15/01/2026

1. Data controller and contact information

The Data Controller for personal data is Syntro (hereinafter "Syntro", "we", "us" or "our").

Contact for privacy-related matters:

Email: [email protected]

This Privacy Policy ("Policy") describes how we collect, use, store, and protect the personal data of users who use the Syntro platform, in compliance with Regulation (EU) 2016/679 ("GDPR") and Italian data protection legislation (Legislative Decree 196/2003 and subsequent amendments).

2. Personal data collected

Syntro collects and processes the following categories of personal data:

2.1 Registration and profile data

  • Personal information: first name, last name
  • Contact data: email address
  • Access credentials: password (stored only in hashed form using the bcrypt algorithm)
  • User preferences: preferred language, time zone
  • Account type: individual or agency, possible agency name

2.2 Authentication and session data

  • IP Address: for security purposes and session tracking
  • User-Agent: information about browser and operating system used
  • Session cookies: unique session identifier (httpOnly, secure, SameSite cookies)
  • Authentication tokens: temporary tokens for email confirmation and password reset

2.3 Service usage data

  • Created content: posts, titles, notes, social media texts
  • Media files: uploaded images and videos (formats: JPEG, PNG, MP4 up to 10MB)
  • Content scheduling: scheduled publication dates and times
  • Chat messages: communications between user and clients via shareable links
  • Dashboards and projects: names and configurations of created dashboards
  • Notifications: preferences and read status of in-app notifications

2.4 Data from third-party services (Social Media)

When you connect your social media accounts (Instagram Business, Facebook Pages) to Syntro, we collect:

  • OAuth access credentials: access token, refresh token, token expiration date (provided by Facebook/Instagram Graph API)
  • Social profile data: username, account ID, profile picture URL, biography
  • Account statistics: number of followers, following, published posts
  • Metrics and insights: daily analytical data for the last 180 days, including:
    • Instagram: impressions, reach, profile views, engagement (likes, comments, shares, saves), total interactions, profile link clicks
    • Facebook: page impressions (total, unique, organic, paid), engagement, consumptions, views, reactions, video views, new fans, lost fans
  • Connected Facebook page information: page ID, page name, page access token, page profile picture URL

Important note: Syntro does not store your social media account passwords. Access is exclusively through OAuth 2.0 protocol authorized by Facebook/Instagram. Access tokens are used exclusively for the purposes described in this policy.

2.5 Payment data

  • Subscription management: selected subscription plan (Free, Pro, Creator), subscription status
  • Stripe identifiers: Stripe customer ID, Stripe subscription ID
  • Note: payment data (credit cards, bank details) are managed exclusively by Stripe (Payment Card Industry Data Security Standard - PCI DSS compliant) and are never stored on Syntro servers.

2.6 Shareable link data

When you create shareable links to collaborate with external clients (feature available for Pro plan):

  • Unique link token: randomly generated identifier
  • Link name and description: label assigned by the user
  • Expiration date: link validity term
  • Client data (optional): client name, client email
  • Approval messages: comments and feedback on shared content

3. Processing purposes and legal basis

Personal data is processed for the following purposes and on the corresponding legal bases provided by the GDPR:

Purpose (with description) and Legal Basis (GDPR):

  • Registration and account management: user account creation and maintenance, authentication, profile management. Legal basis: Contract performance (Art. 6(1)(b) GDPR)
  • Service provision: social media content creation, scheduling and publishing, insights synchronization, PDF report generation. Legal basis: Contract performance (Art. 6(1)(b) GDPR)
  • Payment and subscription management: payment processing, subscription plan management, billing. Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR)
  • Service communications: sending confirmation emails, service-related notifications, administrative communications. Legal basis: Contract performance (Art. 6(1)(b) GDPR)
  • Security and fraud prevention: session tracking, IP and user-agent logging, rate limiting, preventing unauthorized access. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - Protection of service and user security
  • Service improvement: aggregate analysis of platform usage, feature optimization. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - Improving service quality
  • Legal compliance: data retention for tax, accounting and legal obligations. Legal basis: Legal obligation (Art. 6(1)(c) GDPR)
  • Marketing (if applicable): sending newsletters and promotional communications. Legal basis: Explicit consent (Art. 6(1)(a) GDPR) - Revocable at any time

Consent for social media data: Connecting social media accounts requires explicit user consent through OAuth authorization. Users can revoke this consent by disconnecting the account from the "Connections" section of the platform at any time.

4. Processing methods and security measures

4.1 Processing methods

Personal data is processed using electronic and online tools, in accordance with the principles of fairness, lawfulness, transparency, minimization, accuracy, storage limitation and integrity/confidentiality (Art. 5 GDPR).

4.2 Implemented security measures

  • Sensitive data encryption: Password hashing using bcrypt algorithm, social media access tokens encrypted at rest
  • Secure connections: Mandatory HTTPS/TLS protocol for all communications
  • Secure cookies: httpOnly attributes (XSS protection), secure (HTTPS only), SameSite:Lax (CSRF protection)
  • CSRF protection: Anti-CSRF tokens for all state-changing requests
  • Rate limiting: Login attempt limitation (max 10 in 3 minutes) to prevent brute-force attacks
  • Strong password validation: Minimum 8 characters, with at least 1 uppercase, 1 lowercase, 1 number and 1 special character
  • Session timeout: Inactive session expiration management
  • Access logging: IP and user-agent tracking for anomaly detection
  • SQL Injection prevention: Use of parameterized queries (ActiveRecord ORM)
  • Regular backups: Automatic database backups with encryption
  • Limited access: Only authorized personnel have access to personal data

4.3 Data retention

Personal data is retained for the time strictly necessary for the purposes for which it was collected:

  • Account data: for the duration of registration and up to 90 days after account deletion (for accidental recovery)
  • Session data: until logout or session expiration
  • Social media insights: retained to allow historical analysis, until account deletion or disconnection
  • Content and media: until manual deletion by user or account deletion
  • Billing data: 10 years (tax obligation pursuant to Presidential Decree 600/1973)
  • Security logs: maximum 12 months

5. Data sharing and communication

Syntro does not sell, rent or otherwise transfer users' personal data to third parties for marketing purposes.

Personal data may be communicated exclusively to the following categories of recipients:

5.1 Service providers (Data Processors)

  • Stripe: payment and subscription management (PCI DSS compliant)
  • Hosting services: server and database infrastructure
  • Email services: transactional email and notification delivery
  • Slack: internal notifications for administration (minimized data: only username and registration timestamp)

All service providers operate as data processors based on contractual agreements compliant with Art. 28 GDPR, with confidentiality and security obligations.

5.2 Social media platforms (Co-Controllers)

When you connect your Instagram/Facebook accounts, Syntro accesses data through official APIs of Meta Platforms Inc. (Facebook/Instagram Graph API). Meta remains an independent controller for data on its servers. Syntro acts as an independent controller only for data stored in its own databases.

5.3 Public authorities

Data may be communicated to public authorities (law enforcement, judicial authorities, tax authorities) in compliance with legal obligations or orders from competent authorities.

5.4 Extra-EU transfers

Some service providers (e.g. Meta Platforms Inc., Stripe Inc.) are based in the United States. Data transfers to non-EU countries occur based on:

  • Standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR)
  • Adequate certifications (e.g. Data Privacy Framework for US transfers)
  • Assessment of adequacy of protection guarantees offered by the recipient

6. Data subject rights

In accordance with Arts. 15-22 GDPR, users may exercise the following rights regarding their personal data:

1. Right of access (Art. 15 GDPR)

Obtain confirmation of the existence of personal data and access processed data, including information on purposes, data categories, recipients, retention period.

2. Right to rectification (Art. 16 GDPR)

Correct inaccurate or incomplete personal data. Users can update their profile directly from the "Settings" section.

3. Right to erasure / "Right to be forgotten" (Art. 17 GDPR)

Request deletion of personal data when conditions provided by law are met (e.g. consent withdrawal, data no longer necessary, unlawful processing). Note: some data may be retained for legal obligations (e.g. billing data).

4. Right to restriction of processing (Art. 18 GDPR)

Request suspension of data processing (e.g. in case of contesting data accuracy, pending verification).

5. Right to data portability (Art. 20 GDPR)

Receive personal data provided in a structured, commonly used and machine-readable format (e.g. JSON, CSV), and transmit it to another controller without hindrance.

6. Right to object (Art. 21 GDPR)

Object to data processing based on legitimate interest (e.g. marketing purposes, profiling). In case of objection to direct marketing, processing will cease immediately.

7. Right to withdraw consent (Art. 7(3) GDPR)

Withdraw at any time consent given for specific purposes (e.g. social account connection, newsletter), without affecting the lawfulness of previous processing. Withdrawal can be done by disconnecting the account from the platform or unsubscribing from communications.

8. Right to lodge a complaint with supervisory authority (Art. 77 GDPR)

File a complaint with the Italian Data Protection Authority in case of privacy violations.

How to exercise rights

To exercise one or more of the above rights, users can send a written request to: [email protected]
Syntro will respond to requests within 30 days of receipt (extendable by an additional 60 days in complex cases, with reasoned communication).

Italian Data Protection Authority (Garante)

Piazza Venezia, 11 - 00187 Rome, Italy
Tel: +39 06.696771
Email: [email protected]
PEC: [email protected]
Website: www.garanteprivacy.it

7. Cookies and tracking technologies

7.1 Cookies used

Syntro uses cookies and similar technologies to ensure proper platform functioning and improve user experience. Detailed list below:

Cookie name (type): purpose. Duration. Legal basis:

  • session_id (Technical / Necessary): user authentication, login session maintenance. Duration: permanent (until logout). Legal basis: Contract performance (exempt from consent)
  • locale (Preferences): storage of user's preferred language. Duration: session (browser close). Legal basis: Legitimate interest (UX improvement)
  • instagram_oauth_state (Technical OAuth): CSRF protection during the social media OAuth flow. Duration: session (temporary). Legal basis: Security (exempt from consent)

7.2 Third-party cookies

Syntro may use third-party services that install their own cookies (e.g. Stripe for payment management). Such cookies are governed by the respective providers' privacy policies.

7.3 Cookie management

Users can manage or disable cookies through their browser settings. Please note that disabling technical cookies may compromise proper platform functioning (e.g. inability to log in).

Instructions for cookie management in major browsers:

8. Automated decision-making and profiling

Syntro does not use fully automated decision-making processes pursuant to Art. 22 GDPR, nor does it carry out profiling activities that produce legal or similarly significant effects on users.

The analyses and insights generated by the platform are based on aggregated and statistical data provided by social media APIs and are used exclusively to provide analytical reports to users themselves, without commercial profiling or automated decision-making purposes.

9. Minors

Syntro is not intended for minors under 16 years of age (minimum age to consent to data processing pursuant to Art. 8 GDPR and Art. 2-quinquies Legislative Decree 196/2003).

If we become aware of having collected personal data from minors without the consent of the holder of parental responsibility, we will delete such data immediately. If you believe a minor has provided personal data to Syntro, please contact us immediately at: [email protected]

10. Data breach and notifications

In case of personal data breach that poses a risk to the rights and freedoms of data subjects, Syntro will:

  • Notify the Data Protection Authority of the breach within 72 hours of discovery (Art. 33 GDPR)
  • Promptly communicate the breach to affected users, when it poses a high risk to their rights and freedoms (Art. 34 GDPR)
  • Adopt immediate measures to mitigate risks and prevent further breaches

11. Privacy policy changes

Syntro reserves the right to modify or update this Privacy Policy at any time, to adapt it to:

  • Regulatory changes (GDPR, Italian legislation, Authority guidelines)
  • Platform technological evolution
  • Introduction of new features or services
  • Security and privacy best practices

In case of substantial changes requiring new consent, Syntro will inform users through:

  • In-app notification upon first access after the change
  • Email to registered address
  • Informational banner on the platform

The "Last updated" date at the top of this page indicates the most recent version of the policy. Users are invited to periodically consult this page to stay informed about how Syntro protects personal data.

12. Applicable law and jurisdiction

This Privacy Policy is governed by Italian law and Regulation (EU) 2016/679 (GDPR).

For any dispute relating to the application, interpretation or execution of this policy, the Court of [insert Syntro legal headquarters] shall have exclusive jurisdiction, except for mandatory legal provisions.

13. Contact and requests

For any questions, doubts or requests regarding this Privacy Policy, personal data processing or exercise of GDPR rights, please contact the Data Controller at the following addresses:

Data controller

Syntro

Privacy Email: [email protected]

Support Email: [email protected]

We are committed to responding to all requests within 30 working days of receipt.

Privacy Policy compliant with Regulation (EU) 2016/679 (GDPR) and Legislative Decree 196/2003 (Italian Privacy Code).