Privacy Policy

1. Who We Are

Synergia360 Ltd ("we", "us", "our") is a company registered in England and Wales (Company No. 13495021). We operate the Synergia360 platform — a multi-tenant SaaS e-commerce analytics and management platform ("the Platform") — and the marketing website at synergia360.app.

For the purposes of UK GDPR and the Data Protection Act 2018, Synergia360 Ltd is the data controller for personal data processed through our website and our Platform when used in its own right. Where we process personal data on behalf of our customers (for example, end-customer data that a merchant uploads), we act as a data processor under a separate Data Processing Agreement — see our DPA.

Our registered address and contact details are at section 13 below. We are registered with the Information Commissioner's Office (ICO).

2. Data We Collect

2.1 Account and registration data

When you create a Synergia360 account or start a free trial, we collect: full name, business email address, company name, telephone number (optional), billing address, VAT number (optional), and password (hashed with bcrypt — we never store plaintext passwords).

2.2 Usage and platform data

As you use the Platform, we automatically record: pages and features accessed, actions taken (such as creating or updating orders and listings), session durations, error events, and feature-flag exposures. This data is used to improve the product and to provide support.

2.3 Technical and device data

We collect IP address, browser type and version, operating system, referring URL, and device identifiers. This data is collected automatically via server logs and analytics tools.

2.4 Communications

If you contact us by email, chat, or our support portal, we retain those communications and any attachments for the purpose of responding and improving our support.

2.5 Payment data

We use Stripe as our payment processor. Card numbers, CVV codes, and full payment instrument details are handled entirely by Stripe and are never stored on our servers. We store only Stripe customer IDs, subscription IDs, and invoice summaries.

2.6 Marketing data

If you sign up for our waitlist or newsletter, or attend a webinar, we collect your name, email address, company name, and any other information you choose to share. You may opt out at any time.

2.7 Merchant data (processor role)

Customers who connect their e-commerce channels (for example, Amazon, Shopify, eBay) through the Platform upload or stream data about their own customers, orders, and inventory. We process that data strictly as a processor under our Data Processing Agreement.

3. How We Use Your Data

4. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

• Contract (Art. 6(1)(b)): Processing is necessary to perform our contract with you or to take steps at your request prior to entering into a contract.
• Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with UK law (for example, HMRC record-keeping requirements).
• Legitimate interests (Art. 6(1)(f)): Processing is necessary for our legitimate business interests (for example, security monitoring and product analytics), provided those interests are not overridden by your rights and freedoms. We document our legitimate-interest assessments (LIAs) internally.
• Consent (Art. 6(1)(a)): Where we rely on consent (for example, optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

5.1 Service providers (processors)

We engage trusted sub-processors to help deliver the Platform. All are bound by data processing agreements and provide appropriate safeguards. Key sub-processors include:

• Microsoft Azure (UK South and West Europe regions) — hosting, compute, storage, and database
• Stripe — payment processing
• Plausible Analytics — privacy-preserving website analytics (no cookies, no personal data stored)
• Azure Communication Services — transactional email
• Flagsmith (self-hosted on our infrastructure) — feature flags

A full and up-to-date list of sub-processors is maintained in our DPA.

5.2 Legal requirements

We may disclose personal data to law enforcement or regulatory bodies if required to do so by law, court order, or other legal process, or where necessary to protect the rights, property, or safety of Synergia360, our customers, or others.

5.3 Business transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

5.4 With your consent

We may share data with third parties for other purposes if you have given explicit consent.

6. International Data Transfers

Our primary infrastructure is hosted in Azure UK South (London). Some sub-processors (for example, Stripe) may process data in the United States or other countries outside the UK. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

• UK adequacy regulations (where applicable);
• UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses.

You may request a copy of the relevant transfer mechanism by contacting us at legal@synergia360.app.

7. Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data in certain circumstances ("right to be forgotten").
• Right to restriction (Art. 18): Request that we restrict processing of your data.
• Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making (Art. 22): Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at legal@synergia360.app. We will respond within one calendar month of receiving your request. We may ask you to verify your identity before acting on a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Cookies

Our website uses a limited number of cookies. We use Plausible Analytics for website analytics — a privacy-preserving tool that collects no personal data and sets no cookies. For full details of all cookies used, including how to opt out, please see our Cookie Policy.

10. Security

We implement technical and organisational measures appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Azure Key Vault for all secrets — no plaintext credentials stored in code or configuration
• Role-based access controls and multi-factor authentication for internal systems
• Regular security assessments and penetration testing
• Audit logging of all material data access and changes
• Incident response procedures aligned with our 72-hour breach notification obligation under UK GDPR Art. 33

Despite these measures, no system is 100% secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay.

11. Children

The Platform and our website are directed at businesses and individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 13. If you believe we have collected data from a child under 13 in error, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and display a prominent notice on the Platform. The "Last updated" date at the top of this page will always reflect the most recent revision. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

13. Contact Us