SinaptiSinapti

Last updated: 2026-06-12 · v2026-06-12

Privacy Policy

At Sinapti we take the protection of your personal data seriously. This policy explains, clearly and in layers, who processes your data, for what purpose, on what legal basis, for how long, with whom it is shared and what rights you have, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).

1. Data controller

The controller responsible for processing the personal data collected through the Sinapti application (https://app.sinapti.com) is:

For any matter relating to the processing of your data or the exercise of your rights, you may contact the email address indicated above.

2. Data Protection Officer (DPO)

No Data Protection Officer has been appointed, as none of the cases requiring one under Article 37 GDPR and Article 34 LOPDGDD apply. Specifically: the controller is not a public authority or body; its core activities do not consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale; and it does not carry out large-scale processing of special categories of data (Art. 9 GDPR) or of data relating to criminal convictions and offences (Art. 10 GDPR).

Nevertheless, you may raise any privacy-related query by writing to privacidad@sinapti.com.

3. Categories of data processed

We process the following categories of personal data:

4. Purposes and legal bases

We process your data for the following purposes, on the legal bases indicated:

PurposeLegal basis (GDPR Art. 6)
Provide the service and manage the accountPerformance of the contract (6.1.b)
Process payments and issue invoicesContract (6.1.b) + legal obligation (6.1.c)
Security, fraud and abuse preventionLegitimate interest (6.1.f)
Service (transactional) communicationsPerformance of the contract (6.1.b)
Analytics and RUMConsent (6.1.a)
Semantic search (embeddings)Consent (6.1.a)
Google Calendar synchronizationConsent (6.1.a) + contract (6.1.b)
Commercial communications / marketingConsent (6.1.a)

Where the legal basis is consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to its withdrawal. Where the basis is legitimate interest, we have assessed that such interest does not override your rights and freedoms; you may object to the processing in accordance with the rights section.

5. Retention periods

We retain your data for the following periods:

6. Recipients and data processors

To provide the service we rely on the following data processors (sub-processors), who access the data solely for the functions indicated and under the relevant processing agreement:

ProcessorFunctionLocationTransfer safeguard
OVHHosting (compute, database, backups, file storage)France (EU)N/A (EU)
StripePayment processingIreland (Stripe Payments Europe) / USAEU-US DPF + SCC
GoogleOAuth login + Google CalendarEU / USA (Google Ireland / Google LLC)EU-US DPF + SCC
[Proveedor SMTP: ___]Transactional email[___][___]
OpenObserveTelemetry / RUMSelf-hosted on OVH (not a third party)N/A (EU)

We do not sell or transfer your personal data to third parties for commercial purposes.

7. International transfers

Some of our processors may process data outside the European Economic Area. In particular, Google LLC and Stripe (USA) may process data in the United States. Such transfers are carried out under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC) approved by the European Commission, which provide adequate safeguards in accordance with Chapter V of the GDPR.

8. Your rights as a data subject

You may exercise the following rights at any time:

To exercise these rights, write to privacidad@sinapti.com, indicating the right you wish to exercise. We may ask you to prove your identity. If you believe that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), through its electronic office at www.aepd.es.

9. Security measures

We apply appropriate technical and organizational measures to protect your data, including: encryption of communications via HTTPS, password storage using bcrypt hashing, encryption at rest of OAuth tokens, per-user access control (each user can only access their own data) and regular encrypted backups.

10. Automated decisions and profiling

We do not carry out automated decisions producing legal effects on the data subject or similarly significantly affecting them. Features such as the tag recommender or semantic search assist the user in organizing their information but do not produce legal or significant effects on them.

11. Minors

The Sinapti service is intended exclusively for persons aged 18 or over. We do not knowingly collect data from minors under that age. If we detect that a minor's data has been provided, we will proceed to delete it.

12. Semantic search (embeddings)

When you enable semantic search, embedding vectors are computed locally on your device from the title and text body of your items, and are then uploaded to our servers to power the search feature. The raw content of items is never sent to a third-party embedding service; the computation is performed entirely in your browser using a locally downloaded model (~25 MB). The embeddings are stored on the server and are deleted when you disable the feature and choose to erase your vectors.

This feature is optional and enabled on a per-device basis (opt-in): you must explicitly enable it on each device from which you wish to use it. There is also a global kill switch that allows the feature to be disabled at the service level.

Because embedding vectors are partially invertible — that is, they could allow partial reconstruction of the source text — we treat them with the same level of sensitivity and protection as the text body of your items. Vectors are never exposed to third parties nor included in API responses.

13. Changes to this policy and versioning

We may update this Privacy Policy to reflect legal, technical or service changes. Each version is identified by its version number and last-updated date, shown in the header of this document. Where changes are substantial, we will inform you by appropriate means. Continued use of the service after an updated version is published implies awareness of it.