Data controller: SyndicSage, operated by Christopher Ndi — hello@syndicsage.com — syndicsage.com — Belgium.
This policy applies to the SyndicSage platform and website. It complies with the EU General Data Protection Regulation (GDPR) and Belgian data protection law.
1. What data we collect
Account data
When you create an account, we collect your email address, name, and phone number (optional). If you sign in via Google, Microsoft, or Apple, we receive your name and email from that provider — we never see your password.
Building and management data
Information you enter about the buildings you manage: building name, address, VME number, insurance policy details, financial records, co-owner and renter information, maintenance records, meeting minutes, votes, and documents you upload.
Usage data
We log actions taken within the platform (audit log) for security and legal accountability. This includes what was created, edited, or deleted, by whom, and when. We do not sell or share this data.
Technical data
IP address (hashed, not stored in plain text), browser type, and session information — collected automatically to secure your account and detect abuse.
2. Why we process your data
| Purpose | Legal basis |
|---|---|
| Providing the SyndicSage service | Contract performance (Art. 6(1)(b) GDPR) |
| Sending login codes and notifications | Contract performance (Art. 6(1)(b) GDPR) |
| Audit logging for legal accountability | Legal obligation (Art. 6(1)(c) GDPR) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Improving the platform | Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with Belgian VME law | Legal obligation (Art. 6(1)(c) GDPR) |
3. Data processors (sub-processors)
We use the following trusted third-party services to operate the platform. All are GDPR-compliant and process data exclusively in the EU, except Anthropic (covered by a Data Processing Agreement).
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland / Frankfurt) |
| Vercel | Web application hosting | EU (Frankfurt) |
| Railway | API server hosting | EU (West) |
| Resend | Transactional email (login codes, notifications) | EU |
| Anthropic | AI Sage assistant (document analysis, Q&A) | US — DPA in place. No raw personal data sent. |
4. Data retention
- Financial records (charges, payments): 7 years — required by Belgian accounting law
- Personal data of active users: Duration of the syndic contract + 30-day grace period
- Audit logs: 5 years — required for legal accountability; anonymised on account deletion
- Uploaded documents: Until deleted by the syndic, or on account deletion
- Login codes (OTP): Expire after 10 minutes
5. Your rights under GDPR
As a data subject, you have the following rights. To exercise any of them, contact us at hello@syndicsage.com. We respond within 30 days.
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (subject to legal retention requirements)
- Right to data portability — receive your data in a machine-readable format (JSON)
- Right to object — object to processing based on legitimate interest
- Right to restrict processing — request that we limit how we use your data
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time
You also have the right to lodge a complaint with the Belgian Data Protection Authority: dataprotectionauthority.be
6. Data security
We take security seriously. Measures in place include:
- All data encrypted in transit (TLS) and at rest
- Row-level security on all database tables — users can only access their own organisation's data
- IP addresses stored as one-way hashes — never in plain text
- No passwords stored — authentication uses one-time codes and OAuth only
- All file uploads scanned for malware before being made accessible
- Audit log of all data access and changes, immutable and server-side only
7. Cookies
SyndicSage uses only strictly necessary cookies to maintain your session. We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required as we only use essential cookies.
8. Children's data
SyndicSage is a professional platform intended for adults. We do not knowingly collect data from anyone under the age of 18.
9. Changes to this policy
We may update this policy when we add new features or processors. Significant changes will be communicated by email. The "last updated" date at the top of this page always reflects the current version.
10. Contact
For any privacy-related question, data request, or complaint:
- Email: hello@syndicsage.com
- Website: syndicsage.com