Last updated: 2026-06-12 · v2026-06-12
Privacy Policy
At Sinapti we take the protection of your personal data seriously. This policy explains, clearly and in layers, who processes your data, for what purpose, on what legal basis, for how long, with whom it is shared and what rights you have, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
1. Data controller
The controller responsible for processing the personal data collected through the Sinapti application (https://app.sinapti.com) is:
- Controller: Fernando Moro (sole trader / self-employed)
- Tax ID (NIF): [NIF: ___]
- Address: [Address: ___]
- Contact and exercise of rights: privacidad@sinapti.com
For any matter relating to the processing of your data or the exercise of your rights, you may contact the email address indicated above.
2. Data Protection Officer (DPO)
No Data Protection Officer has been appointed, as none of the cases requiring one under Article 37 GDPR and Article 34 LOPDGDD apply. Specifically: the controller is not a public authority or body; its core activities do not consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale; and it does not carry out large-scale processing of special categories of data (Art. 9 GDPR) or of data relating to criminal convictions and offences (Art. 10 GDPR).
Nevertheless, you may raise any privacy-related query by writing to privacidad@sinapti.com.
3. Categories of data processed
We process the following categories of personal data:
- Account data: email address, name, password hash (computed using bcrypt) and login provider (Google via OAuth or own credentials).
- User content: items (thoughts, tasks and resources), projects, notes written in the editor (BlockNote), tags and files uploaded by the user.
- Technical and usage data: activity logs, IP address, device identifiers and Real User Monitoring (RUM) telemetry: performance metrics (Web Vitals), errors and session data.
- Cookies and similar technologies: see the Cookie Policy for details of the cookies used and how to manage them.
- Payment data: handled entirely by Stripe. Sinapti does not store card data; it only retains customer and subscription identifiers and the subscription status.
- Google Calendar: synchronized events, only if the user voluntarily enables calendar synchronization.
- Semantic search embeddings: vectors computed on the user's device and stored on our servers (see the dedicated section below).
4. Purposes and legal bases
We process your data for the following purposes, on the legal bases indicated:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service and manage the account | Performance of the contract (6.1.b) |
| Process payments and issue invoices | Contract (6.1.b) + legal obligation (6.1.c) |
| Security, fraud and abuse prevention | Legitimate interest (6.1.f) |
| Service (transactional) communications | Performance of the contract (6.1.b) |
| Analytics and RUM | Consent (6.1.a) |
| Semantic search (embeddings) | Consent (6.1.a) |
| Google Calendar synchronization | Consent (6.1.a) + contract (6.1.b) |
| Commercial communications / marketing | Consent (6.1.a) |
Where the legal basis is consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to its withdrawal. Where the basis is legitimate interest, we have assessed that such interest does not override your rights and freedoms; you may object to the processing in accordance with the rights section.
5. Retention periods
We retain your data for the following periods:
- Account and content: for as long as the account remains active. After cancellation, the data is deleted within 30 days or less, with the purge completed in the next backup cycle (OVH's daily backups are retained for approximately 30 days).
- Grace period: you have 30 days to recover your account before it is permanently deleted.
- Billing data: retained for 4 to 6 years in compliance with commercial and tax obligations, even if the account has been deleted.
- Consent records: retained as proof of compliance for as long as they may be enforceable.
6. Recipients and data processors
To provide the service we rely on the following data processors (sub-processors), who access the data solely for the functions indicated and under the relevant processing agreement:
| Processor | Function | Location | Transfer safeguard |
|---|---|---|---|
| OVH | Hosting (compute, database, backups, file storage) | France (EU) | N/A (EU) |
| Stripe | Payment processing | Ireland (Stripe Payments Europe) / USA | EU-US DPF + SCC |
| Google | OAuth login + Google Calendar | EU / USA (Google Ireland / Google LLC) | EU-US DPF + SCC |
| [SMTP provider: ___] | Transactional email | [___] | [___] |
| OpenObserve | Telemetry / RUM | Self-hosted on OVH (not a third party) | N/A (EU) |
We do not sell or transfer your personal data to third parties for commercial purposes.
7. International transfers
Some of our processors may process data outside the European Economic Area. In particular, Google LLC and Stripe (USA) may process data in the United States. Such transfers are carried out under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC) approved by the European Commission, which provide adequate safeguards in accordance with Chapter V of the GDPR.
8. Your rights as a data subject
You may exercise the following rights at any time:
- Access: find out what data of yours we process.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request the deletion of your data where applicable.
- Restriction: request that processing be restricted in certain cases.
- Portability: receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: revoke the consents granted, without retroactive effect.
- Not to be subject to automated decisions producing legal or significant effects.
To exercise these rights, write to privacidad@sinapti.com, indicating the right you wish to exercise. We may ask you to prove your identity. If you believe that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), through its electronic office at www.aepd.es.
9. Security measures
We apply appropriate technical and organizational measures to protect your data, including: encryption of communications via HTTPS, password storage using bcrypt hashing, encryption at rest of OAuth tokens, per-user access control (each user can only access their own data) and regular encrypted backups.
10. Automated decisions and profiling
We do not carry out automated decisions producing legal effects on the data subject or similarly significantly affecting them. Features such as the tag recommender or semantic search assist the user in organizing their information but do not produce legal or significant effects on them.
11. Minors
The Sinapti service is intended exclusively for persons aged 18 or over. We do not knowingly collect data from minors under that age. If we detect that a minor's data has been provided, we will proceed to delete it.
12. Semantic search (embeddings)
When you enable semantic search, embedding vectors are computed locally on your device from the title and text body of your items, and are then uploaded to our servers to power the search feature. The raw content of items is never sent to a third-party embedding service; the computation is performed entirely in your browser using a locally downloaded model (~25 MB). The embeddings are stored on the server and are deleted when you disable the feature and choose to erase your vectors.
This feature is optional and enabled on a per-device basis (opt-in): you must explicitly enable it on each device from which you wish to use it. There is also a global kill switch that allows the feature to be disabled at the service level.
Because embedding vectors are partially invertible — that is, they could allow partial reconstruction of the source text — we treat them with the same level of sensitivity and protection as the text body of your items. Vectors are never exposed to third parties nor included in API responses.
13. Changes to this policy and versioning
We may update this Privacy Policy to reflect legal, technical or service changes. Each version is identified by its version number and last-updated date, shown in the header of this document. Where changes are substantial, we will inform you by appropriate means. Continued use of the service after an updated version is published implies awareness of it.