Privacy Policy
Last updated: February 2026
Synaptical (“we,” “us,” or “our”) is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR), applicable Spanish data protection law (LOPDGDD), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
Data Controller
Synaptical Ventures SL
NIF: B123456X
Address: Pg. de Gràcia, 17, 9th Floor, Eixample, 08007 Barcelona, Spain
Email: hello@synaptical.co
What Data We Collect
We collect personal data in the following situations:
1. Contact and enquiry forms
When you get in touch with us, we collect:
- Name
- Email address
- Company name
- Message content
2. AI Readiness Assessment
When you complete our assessment, we collect:
- Name and email address
- Company name and size
- Industry/sector
- Current AI usage
- Business challenges and priorities
- Responses to assessment questions
3. Service engagement
When you become a client, we additionally collect:
- Billing information
- Company registration details
- Project-related business data as defined in our service agreement
4. Website analytics
We use Vercel Web Analytics to collect anonymised usage data. This service does not use cookies and does not collect personally identifiable information. Data collected is exclusively aggregated and includes:
- Pages visited
- Referral source
- Device type and browser
- Approximate geographic location (country/city level)
It is not possible to identify or track individual visitors through this data.
5. Calendar scheduling
When you book a call, Google Calendar processes your name, email, and selected time slot.
6. Meeting feedback questionnaires
After a meeting with Synaptical, you may receive a personalised feedback questionnaire via email. When you complete it, we collect:
- Email address (provided by the meeting organiser)
- Responses to feedback questions (multiple choice selections)
- Session rating (0 to 10 scale)
- Free-text comments you choose to provide
- How you heard about Synaptical (optional)
Feedback questionnaires are accessed through a unique, time-limited URL that expires 24 hours after sending. No account or password is required. Your responses are shared only with Alejandro at Synaptical and are not processed by AI systems.
Legal Basis for Processing
We process your data under the following GDPR Article 6 legal bases:
| Data | Legal Basis |
|---|---|
| Contact form submissions | Consent (Article 6(1)(a)) |
| Assessment form data | Consent (Article 6(1)(a)) |
| Client project data | Performance of a contract (Article 6(1)(b)) |
| Analytics data | Legitimate interest (Article 6(1)(f)) |
| Business communications | Legitimate interest (Article 6(1)(f)) |
| Meeting feedback responses | Consent (Article 6(1)(a)) |
Where processing is based on consent, you can withdraw that consent at any time by contacting us at hello@synaptical.co.
How We Use Your Data
We use your data to:
- Respond to your enquiries
- Generate your personalised AI Readiness Assessment brief
- Deliver our consulting services
- Send you information about our services (only with your consent)
- Analyse website traffic and improve our site
- Schedule and manage meetings
We do not sell, rent, or share your personal data with third parties for marketing purposes.
AI Processing and Agentic AI Systems
In line with the AEPD's guidance on agentic AI and data protection (February 2026) and the transparency obligations of the EU AI Act, we provide the following information about how AI processes your data.
How AI is used in our services
When you complete our AI Readiness Assessment, your responses are processed by AI agent systems to generate a personalised analysis brief. These AI agents:
- Analyse your responses against our 8-dimension value framework
- Identify potential AI use cases for your organisation
- Generate a personalised document delivered via a unique, time-limited URL
This process uses agentic AI systems, meaning multiple specialised AI components work together to complete the analysis. A human reviews the configuration and design of these systems, though the individual assessment output is generated by AI.
AI service providers
To process assessment data, we use the following AI model providers:
| Provider | Models | Location | Data Training Policy |
|---|---|---|---|
| Anthropic | Claude (Opus, Sonnet, Haiku) | United States | Data submitted via API is not used for model training |
| Gemini (all available models) | United States | Data submitted via API is not used for model training when using paid API services | |
| OpenAI | GPT (all available models) | United States | Data submitted via API is not used for model training |
All AI providers are engaged as data processors. Contractual safeguards are in place including Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework certification for international transfers.
What data is sent to AI providers
Only the following data is transmitted to AI systems for processing:
- Your assessment responses (business information you provide)
- Your company name and sector (for contextualised analysis)
Your name, email address, and other directly identifying personal data are not sent to AI model providers. Assessment responses are transmitted via secure API connections and are not stored by AI providers beyond the duration of the processing request.
AI agent memory and data retention
Our AI agent systems use short-term memory only for the duration of each assessment processing task. No long-term memory or persistent user profiles are created within the AI systems. Once your assessment brief is generated, no data about you is retained within the AI agent architecture.
Assessment results are stored in our own database (Railway, Netherlands) and are subject to the retention periods described in this policy.
Data minimisation in AI processing
In accordance with GDPR Article 5(1)(c) and the AEPD's guidance on data minimisation in agentic AI systems, we design our AI processing to use only the minimum data necessary. AI agents do not access data beyond what you submit in the assessment form and do not access broader organisational data, external databases, or third-party services to enrich your profile.
No automated decision-making with legal effects
In accordance with GDPR Article 22 and the AEPD's guidance on automated decisions in agentic AI systems, we confirm that:
- The AI Readiness Assessment does not produce decisions that have legal effects on you or similarly significantly affect you
- The assessment output is informational guidance, not a binding recommendation, evaluation, or decision about you as an individual
- No profiling is carried out that would produce legal or similarly significant effects
- You have the right to request human review of your assessment results at any time by contacting us at hello@synaptical.co
Third-Party Processors
We use the following third-party services to process your data:
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel | Website hosting and analytics | United States | EU-US Data Privacy Framework certification, SCCs |
| Railway | Database hosting (PostgreSQL) | Netherlands (EU) | Data within EU, no international transfer required |
| Resend | Transactional email delivery | United States | EU Standard Contractual Clauses (SCCs) |
| Google Calendar | Meeting scheduling | United States | EU-US Data Privacy Framework certification, SCCs |
| Anthropic | AI processing (Claude models) | United States | SCCs, API data not used for training |
| AI processing (Gemini models) | United States | EU-US Data Privacy Framework certification, SCCs | |
| OpenAI | AI processing (GPT models) | United States | SCCs, API data not used for training |
US-based processors maintain appropriate safeguards for international data transfers, including Standard Contractual Clauses and/or EU-US Data Privacy Framework certification as required by Chapter V of the GDPR.
International Data Transfers
Your personal data is processed within the EU (Railway, Netherlands) and transferred to the United States (Vercel, Resend, Google, Anthropic, OpenAI) with the following safeguards:
- EU-US Data Privacy Framework: Vercel, Google, and OpenAI are certified under the DPF
- Standard Contractual Clauses: all US-based processors have SCCs in place
- AI processing data is minimised before transfer (no directly identifying data sent to AI providers)
Data Retention
We retain your data for the following periods:
- Contact form enquiries: 12 months from last contact, then deleted
- Assessment data: 12 months from completion, then deleted
- Assessment results (generated briefs): 12 months from generation, then deleted
- Client project data: Duration of engagement plus 5 years (Spanish commercial law requirement)
- Analytics data: Permanently anonymised, no personal data stored
- Meeting feedback responses: 12 months from submission, then deleted
- Email communications: 12 months from last contact
- AI processing logs: No data retained by AI providers beyond the processing request
After these periods, data is securely deleted or anonymised.
Your Rights
Under the GDPR, you have the right to:
- Access your personal data, including any data processed by AI systems, and receive a copy
- Rectification of inaccurate or incomplete data
- Erasure (“right to be forgotten”) of your personal data, including data stored in connection with AI processing
- Restriction of processing in certain circumstances
- Data portability to receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is based on consent
- Human review of any AI-generated assessment results
These rights extend to all personal data processed in connection with our AI systems, including any data held in AI agent working memory or processing logs during the assessment.
To exercise any of these rights, contact us at hello@synaptical.co. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS), secure database access controls, secure API connections to AI providers, and regular security reviews. AI processing is conducted through authenticated API connections with data encrypted in transit.
Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by posting a notice on our website. The “last updated” date at the top of this page indicates when the policy was most recently revised.