PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA

pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR)

Website: www.synapsia.ai | Contractual relationships

Last updated: May 2026

DATA CONTROLLER

Synapsia S.r.l. Via Francesco Fazi 4/A – 06034 Foligno (PG) Tax Code and VAT No. 03841040540 E-mail: privacy@synapsia.ai | Website: www.synapsia.ai

To exercise the rights referred to in Art. 7 of this Notice: privacy@synapsia.ai

This Notice is provided by Synapsia S.r.l. (hereinafter, “Synapsia” or the “Controller”) to all natural persons whose personal data are processed by Synapsia as an independent Data Controller. The document is divided into two sections, each addressed to a distinct category of data subjects.

SECTION A — Website visitors and persons requesting information

1. Who this section is addressed to

This section applies to anyone who visits the website www.synapsia.ai and/or fills in the contact form available therein, regardless of the existence of a contractual relationship with Synapsia. The Site is informational in nature and constitutes the digital showcase of the services offered by Synapsia. There is no reserved area, e-commerce functionality or user registration.

2. Data processed, purposes and legal bases

2.1 Browsing data

The IT systems and software procedures used to operate the Site acquire, during their normal operation, technical information whose transmission is implicit in the use of Internet communication protocols: IP addresses, browser type, operating system, date and time of the request, pages visited, referring page.

Purpose: technical operation of the Site and IT security. Legal basis: legitimate interest of the Controller (Art. 6, para. 1, letter f), GDPR). Retention: maximum 30 days, unless necessary for the investigation of unlawful acts.

2.2 Data communicated through the contact form

Anyone who fills in the contact form voluntarily provides their name, surname, telephone number, e-mail address and the content of the message. Such data are processed in order to respond to the request received and, where applicable, to manage pre-contractual stages.

Purpose: response to the request; initiation of pre-contractual negotiations. Legal basis: pre-contractual measures at the request of the data subject (Art. 6, para. 1, letter b), alternatively, legitimate interest (letter f) GDPR). Retention: the time necessary to manage the request; if a contract derives from it, the retention period provided for in Section B applies.

The provision of data through the form is optional but necessary in order to receive a response.

2.3 Cookies and tracking tools

The Site uses technical cookies necessary for its operation and, subject to the user’s consent, analytical cookies for traffic measurement purposes (Google Analytics 4). Consent is managed through the Cookiebot platform (Usercentrics). For the complete list of cookies and the management of preferences, please refer to the Cookie Policy available at the bottom of the Site.

3. Processing methods and security

Personal data are processed using IT and telematic tools, according to logic strictly related to the purposes indicated. Synapsia adopts appropriate technical and organizational measures pursuant to Art. 32 GDPR, including: encryption of data in transit (HTTPS), access control, periodic updating of systems.

4. Recipients of the data

The data of visitors and persons requesting information may be made accessible to: authorized internal personnel of Synapsia; the Site hosting provider (Data Processor pursuant to Art. 28 GDPR); the e-mail service provider (Data Processor pursuant to Art. 28 GDPR); Google LLC for statistical analysis services, where consent has been given (Data Processor pursuant to Art. 28 GDPR); judicial or public security authorities, upon request by law. The data are not transferred to third parties for marketing purposes.

SECTION B — Contractual clients

5. Who this section is addressed to

This section applies to natural persons whose personal data are processed by Synapsia in the context of a contractual relationship: owners, legal representatives, shareholders, technical and administrative contacts of companies and entities that have entered into or are negotiating a contract with Synapsia.

Synapsia processes these data as an independent Data Controller, distinct and separate from the role of Data Processor that Synapsia assumes towards the client pursuant to the Data Processing Agreement (DPA) attached to the contract. The personal data of the client’s end users are processed within the scope of the DPA and are not covered by this Notice.

6. Data processed, purposes and legal bases

Purpose of processing	Legal basis and retention
Management of the pre-contractual and contractual relationship: collection and management of the client’s and its contacts’ identification and tax data, negotiation, conclusion and performance of the contract.	Art. 6, para. 1, letter b), GDPR — performance of the contract. Retention: duration of the contract + 10 years (Arts. 2214 et seq. of the Italian Civil Code; Presidential Decree 600/1973).
Invoicing, accounting and tax compliance.	Art. 6, para. 1, letter c), GDPR — legal obligation. Retention: 10 years from the accounting registration.
Research and development activities: management of relationships with clients who participate in or benefit from R&D projects, communications relating to project progress, technical documentation.	Art. 6, para. 1, letter b), GDPR — performance of the contract; alternatively letter f), legitimate interest. Retention: duration of the project + 10 years.
Operational communications in the context of the performance of the contract.	Art. 6, para. 1, letter b), GDPR. Retention: duration of the contract.
Protection of rights in out-of-court and judicial proceedings.	Art. 6, para. 1, letter f), GDPR — legitimate interest. Retention: duration of the proceedings + limitation periods (as a rule 10 years, Art. 2946 of the Italian Civil Code).
Compliance with obligations imposed by judicial, tax or supervisory authorities.	Art. 6, para. 1, letter c), GDPR — legal obligation. Retention: period imposed by the applicable legislation.

Synapsia does not process, as Controller, special categories of data pursuant to Art. 9 GDPR in the context of the contractual relationship with its clients.

7. Types of data processed

In the context of the contractual relationship, Synapsia processes the following categories of personal data relating to the client’s contacts: identification and contact data (name, surname, address, e-mail, telephone, certified e-mail address); tax data (tax code, VAT number, bank details, invoicing data); professional data (position, corporate role, signatures on contracts and documents); communications exchanged in the context of the contractual relationship.

8. Recipients of the data

The data of contractual clients may be communicated or made accessible to: Synapsia internal personnel authorized to process the data; professionals and consultants (accountant, lawyer) bound by confidentiality obligations; credit institutions and financial intermediaries for payment management; the Italian Revenue Agency and other tax authorities in compliance with legal obligations; judicial or public security authorities upon request. The data are not transferred to third parties for commercial or marketing purposes.

9. Transfers to third countries

The personal data of contractual clients are processed within the territory of the European Union. Where, due to operational needs related to providers of work tools, a transfer to third countries becomes necessary, Synapsia ensures that such transfer takes place in compliance with Chapter V of the GDPR (adequacy decision or Standard Contractual Clauses). Further information may be requested by writing to privacy@synapsia.ai.

COMMON PROVISIONS — Applicable to all data subjects

10. Automated decisions

Synapsia does not use automated decision-making systems that produce legal effects or significantly affect data subjects pursuant to Art. 22 GDPR. The only automatic mechanisms present concern the technical operation of the services provided and do not involve evaluations or profiling of data subjects.

Synapsia does not use the personal data of data subjects to train, optimize or improve third-party artificial intelligence models outside of what is expressly provided for by the contract and the relevant client instructions.

11. Personal data breaches

In the event of a personal data breach that may result in a risk to the rights and freedoms of data subjects, Synapsia notifies the event to the Italian Data Protection Authority without undue delay and, where possible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach presents a high risk, the data subjects will be informed directly (Art. 34 GDPR), unless the exemptions provided for by the rule apply.

12. Rights of data subjects

To exercise their rights, data subjects may write to: privacy@synapsia.ai. Synapsia responds within 30 days of receipt (extendable by a further 60 days in the event of particular complexity).

13. Updates to this Notice

This Notice may be updated at any time. Changes are published on this page with an indication of the update date. In the event of substantial changes affecting processing based on consent, Synapsia will collect the consent of the affected users again.