// PRIVACY_POLICY
Last updated: March 2026. This policy applies to all users of Syphio (syphio.io).
// CRITICAL GUARANTEE
Your submitted code is NEVER used to train, fine-tune, or improve Syphio's AI models. This is a legal commitment, not just a policy.
1. Who We Are
Syphio is a software-as-a-service platform operated from France. We provide AI-powered Shopify code auditing and repair services.
Contact: contact@syphio.io — Response within 72 hours for GDPR requests.
2. Data We Collect
Account data: Email address, name (optional), authentication tokens. Required to provide the service.
Code submissions: Liquid, JS, CSS, JSON code you submit for analysis. Processed in-memory. Not persisted for training purposes.
Session data: Thread history, repair results. Stored in your account for your reference. Deleted on account deletion.
Billing data: Managed entirely by Stripe. Syphio does not store credit card numbers or payment details.
Usage data: Synapse consumption, feature usage. Used for billing and product improvement.
Technical data: IP addresses (for rate limiting), browser type, error logs. Retained for 30 days maximum.
3. Code Submitted for Analysis
Code you submit to Syphio is processed exclusively to provide the audit and repair service. It is:
✓ Never stored permanently outside your thread history
✓ Never used to train or fine-tune AI models
✓ Never shared with third parties
✓ Never logged to analytics or monitoring tools
✓ Accessible only by you via your authenticated account
4. Data Storage & Residency
Primary database: Supabase (PostgreSQL), hosted in EU-WEST-3 (Paris, France).
Backups: Encrypted, stored in the European Union.
Edge processing: Vercel Edge Network — some request processing occurs at edge nodes globally, but persistent data stays in EU.
Billing: Stripe — US-based, but covered by Stripe's DPA and Standard Contractual Clauses for EU data transfers.
5. Legal Basis for Processing (GDPR)
Contract performance: Processing your code to provide the audit service you requested.
Legitimate interest: Security monitoring, fraud prevention, service improvement.
Legal obligation: Tax records, invoicing, compliance requirements.
Consent: Marketing communications — opt-in only, withdrawable at any time.
6. Your Rights (GDPR)
As an EU resident, you have the following rights regarding your personal data:
→ Right of access — request a copy of all data we hold about you
→ Right to rectification — correct inaccurate personal data
→ Right to erasure — delete your account and all associated data
→ Right to data portability — export your data in machine-readable format
→ Right to object — opt out of marketing communications at any time
→ Right to restrict processing — limit how we process your data
To exercise any right, email contact@syphio.io. We respond within 30 days.
7. Cookies
Syphio uses strictly necessary cookies only:
supabase-auth-token: Authentication session (Session)
stripe-mid: Stripe fraud prevention (1 year)
We do not use tracking cookies, advertising cookies, or third-party analytics cookies without explicit consent.
8. Third-Party Processors
Supabase: Database & authentication — EU-WEST-3
Stripe: Payment processing — US (DPA + SCC)
Vercel: Hosting & edge network — EU primary
Anthropic / OpenAI: AI model inference — US (DPA)
9. Data Retention
→ Account data: retained while your account is active + 30 days after deletion
→ Thread history: retained while your account is active — deleted on account deletion
→ Technical logs: 30 days maximum
→ Billing records: 10 years (legal obligation)
10. Contact & DPA
For privacy requests: contact@syphio.io
For Data Processing Agreements (enterprise): contact@syphio.io
Supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL), France — www.cnil.fr