1. Who we are
For the purposes of EU GDPR and UK GDPR, the data controller is SynthEx, an Egyptian Company registered with the General Authority for Investment and Free Zones (GAFI), Cairo, Arab Republic of Egypt. Contact: privacy@synthex.ltd.
For the purposes of CCPA/CPRA, SynthEx is a "business" as defined under California law when we handle personal information of California residents in our own capacity (e.g., website visitors, prospects, employees). When we process client data on behalf of business customers, we act as a "service provider" under CCPA and a "processor" under GDPR.
2. Scope
This policy explains how we handle personal information collected through:
- The synthex.ltd website and any subdomains we operate.
- Direct contact: email, contact forms, Calendly bookings, phone calls.
- The performance of our services for paying clients.
Where we process data on behalf of a client (for example, leads captured by a chatbot we deployed for that client), the client is the data controller and SynthEx is the processor. The terms of that processing are set out in a Data Processing Agreement (DPA) signed with the client.
3. Data we collect
| Category | Examples | Source |
|---|
| Identifiers | Name, business name, work email, business phone, IP address, cookie identifiers. | You provide directly (forms, email, contracts) or via cookies on our site. |
| Commercial info | Services purchased, audit responses, payment records. | You provide; our payment processors and bank confirm. |
| Internet/network activity | Pages visited, time on page, referrer, device type. | Our website analytics (privacy-respecting; see Cookies section). |
| Professional info | Job title, industry, company size. | You provide via forms or LinkedIn outreach. |
| Communications | Email content, meeting notes, recorded discovery calls (with consent). | You provide; we never record without your prior consent. |
| Client data (as processor) | End-user inputs to chatbots, voice transcripts, leads captured. | Generated through services we deliver to our clients. |
We do not knowingly collect special-category data (race, religion, health, sexual orientation, etc.) under GDPR Article 9, nor "sensitive personal information" under CPRA, unless a client engagement requires it and an appropriate legal basis and additional safeguards are in place.
4. Why we use your data
- To deliver services you've engaged us for — including onboarding, building automations, and ongoing support.
- To communicate with you — responding to inquiries, sending project updates, invoicing.
- To run our business — accounting, tax, legal compliance, internal analytics, fraud prevention.
- To improve our services — anonymized, aggregated learnings about which workflows perform best.
- To market our services — to prospects who have opted in or whose business contact information we have lawfully obtained for B2B outreach.
We do not sell your personal information. We do not use your data to train third-party large language models.
5. Legal basis under GDPR
Where GDPR applies, we rely on the following legal bases (Article 6):
- Contract performance — to deliver services you have engaged us for.
- Legitimate interests — to run our business, communicate with prospects, secure our systems, and conduct B2B outreach where the recipient would reasonably expect contact. You may object to this at any time (see Section 10).
- Consent — for non-essential cookies, recorded calls, and marketing emails to individuals. You may withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
6. Who we share data with
We share personal information only with the following categories of recipients, and only as necessary:
- Sub-processors who help us deliver services, in the following categories: conversational AI and chatbot platform providers; voice orchestration, voice synthesis, and speech-to-text services; telecommunications providers; large-language-model API providers; productivity, email, and workspace tools; cloud hosting, CDN, and security providers. Each sub-processor is bound by data-protection terms in our agreements with them.
- Payment processors: Merchant-of-Record providers (for card payments), international payments platforms (for bank settlement), and our business bank (for direct wire transfers). They process payment data under their own privacy policies.
- Professional advisors: our accountants, lawyers, and auditors, under confidentiality obligations.
- Regulators, courts, or law enforcement where legally required.
- Successors in the event of a merger, acquisition, or asset sale; you will be notified of any change in data controller.
A current list of named sub-processors is provided to business clients as an exhibit to the Data Processing Agreement (DPA), and can be requested at privacy@synthex.ltd. We notify active clients in advance of any material changes to the sub-processor list.
7. International transfers
SynthEx is based in Egypt. Many of our sub-processors are based in the United States, the European Union, or the United Kingdom. Where we transfer personal data outside the EEA or the UK, we rely on:
- Adequacy decisions by the European Commission where they exist.
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by Data Transfer Impact Assessments (DTIAs) where required.
- Equivalent safeguards for transfers to other jurisdictions, including contractual data-protection obligations.
A copy of the safeguards applied to any specific transfer can be requested at privacy@synthex.ltd.
8. How long we keep data
| Data type | Retention period |
|---|
| Active client records | Duration of engagement plus 7 years (tax and audit obligations). |
| Prospect records (no engagement) | 24 months from last interaction, then deleted or anonymized. |
| Website analytics | 14 months at the source; aggregated indefinitely. |
| Email correspondence | 5 years. |
| Recorded calls (where consent given) | Until project closes plus 12 months; deleted on request. |
| Payment records | 10 years (Egyptian tax and accounting law). |
| Client end-user data (we process for clients) | Per the client's DPA. Typically deleted within 30 days of engagement termination. |
9. Security
We apply reasonable and proportionate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) for all web traffic and API calls.
- Encryption at rest for client data stored in our managed databases.
- Role-based access controls and least-privilege principles for staff and contractors.
- Multi-factor authentication on all internal accounts and sub-processor consoles.
- Regular access reviews and offboarding procedures for departing staff.
- Documented incident-response procedures (see Section 15).
No method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to industry-standard practices proportionate to the sensitivity of the data we hold.
10. Your rights under GDPR
If GDPR applies to your data, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your personal data where there is no overriding lawful reason to keep it.
- Restriction — ask us to limit how we process your data while a query is resolved.
- Data portability — receive your data in a structured, machine-readable format and transmit it to another controller.
- Object — object to processing based on legitimate interests, including direct marketing. We will stop unless we have compelling legitimate grounds that override your rights.
- Withdraw consent at any time where processing is based on consent.
- Complain to a supervisory authority, including the data-protection authority in your EU/EEA member state of residence.
11. Your rights under CCPA / CPRA
If you are a California resident, you have the right to:
- Know what categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom we share it.
- Delete personal information we have collected about you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising. There is no opt-out required, but you may submit a request and we will confirm.
- Limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond those reasonably necessary to provide the services.
- Non-discrimination. We will not deny services, charge a different price, or provide a different level of quality because you exercised any CCPA right.
You may designate an authorized agent to make a CCPA request on your behalf. We will verify the agent's authority before processing the request.
Do Not Sell or Share My Personal Information
We do not sell or share personal information. If you'd like written confirmation, email
privacy@synthex.ltd with the subject "CCPA Confirmation Request."
12. How to exercise your rights
Send your request to privacy@synthex.ltd with the subject line "Privacy Request — [your right]." We will:
- Acknowledge your request within 5 business days.
- Verify your identity using information already on file (we will not request additional sensitive identifiers solely to verify a request).
- Respond substantively within 30 days (GDPR), or 45 days (CCPA), extendable once by a further 60 days in complex cases, with notice to you.
- Provide the response free of charge, except where requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse.
13. Cookies & tracking
Our website uses a minimal set of cookies and tracking technologies:
- Strictly necessary — for site functionality, security (provided by our CDN/security partner), and form submission. No consent required.
- Analytics — privacy-respecting (no cross-site tracking; IP addresses anonymized). You can opt out by enabling "Do Not Track" in your browser or by emailing us.
We do not use third-party advertising cookies, retargeting pixels, or social-media tracking pixels on synthex.ltd at this time. If we add them in future, we will update this policy and surface a consent banner where required.
14. Children's privacy
Our services are intended for businesses. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided personal information through our site, email privacy@synthex.ltd and we will delete it promptly.
15. Breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:
- Notify the relevant EU supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- For client end-user data we process as a processor, notify the affected client within 24 hours of becoming aware, providing the information they need to meet their own breach-notification obligations.
16. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to active clients at least 30 days in advance and posted here with a revised "Last updated" date.
For privacy questions, requests to exercise your rights, or complaints:
- Email: privacy@synthex.ltd
- Subject line for rights requests: "Privacy Request — [your right]"
- EU/UK representative: if required under GDPR Article 27, we will appoint a representative and update this section. Until then, all requests can be sent to the email above.