Privacy Policy

1. Definitions

For the purposes of this Policy, the following terms have the meanings set out below unless the context requires otherwise:

• Personal data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on personal data, including collection, storage, disclosure, and erasure.
• Marketing website — the informational site at syntexa.pl, which is not the product platform.
• Platform — the Syntexa service provided under a B2B agreement with a customer (broker, brokerage, or managing general agent).
• Customer — the entity that has entered into a services agreement with Syntexa.
• User — a person using the Marketing website or, after account creation, the Platform on behalf of a Customer.

2. Data controller

The controller of personal data within the scope of this Policy is Syntexa Sp. z o.o. Registration details are available in public business registers; for data protection correspondence, the e-mail address stated in the introduction is sufficient.

With respect to personal data of brokers’ end customers (e.g. insured persons or employees covered by group programs) that a Customer uploads to the Platform, the Customer remains the controller. Syntexa acts as a processor under Article 28 GDPR pursuant to a data processing agreement, unless the parties agree otherwise in contractual documentation.

3. Scope of this Policy

This Policy applies to:

• use of the Marketing website, including browsing content, navigation, and — where applicable — cookies;
• submission of a product demonstration request via the form on the Marketing website;
• e-mail correspondence with Syntexa regarding commercial inquiries or cooperation;
• use of the Platform after conclusion of a Customer agreement and performance of obligations arising therefrom.

The Marketing website does not require user registration. The Platform is governed by separate commercial terms, terms of use, or onboarding documentation provided to the Customer. In the event of conflict between this Policy and a Platform agreement, the Platform agreement prevails for platform services.

4. Categories of personal data

Depending on how you interact with Syntexa, we may process the following categories of data:

• Identification and contact data — name, work e-mail, company or brokerage name, telephone number (if provided), message content.
• Technical and usage data — IP address, date and time of connection, session identifier, browser and operating system type, referring URL, basic device information necessary to operate the Marketing website and maintain security.
• Inquiry source data — if you access the Marketing website via a link in our B2B communication: campaign or message information to the extent necessary to handle your inquiry and measure the effectiveness of professional outreach.
• Platform user data — login credentials, account identifiers, roles and permissions, data entered when using Platform features, including documents and content submitted by the Customer.
• Data contained in documents — the Platform may contain personal data of third parties (e.g. insured persons); the Customer, as controller, is responsible for the lawfulness of providing such data.

We do not intend to collect special categories of data under Article 9 GDPR through the demonstration form or the Marketing website. Please do not submit such data in form fields or initial correspondence unless necessary and agreed with us.

5. Purposes, legal bases, and retention

We process personal data only for specific, lawful purposes. The main purposes, legal bases, and indicative retention criteria are as follows:

• Responding to demo requests and commercial contact — legal basis: Article 6(1)(b) GDPR (steps prior to contract at the data subject’s request) and Article 6(1)(f) GDPR (legitimate interest in handling inquiries and developing B2B relationships). Retention: until the commercial dialogue ends, claims become time-barred, or an effective objection is raised, within statutory limits.
• Conclusion and performance of the Platform services agreement — legal basis: Article 6(1)(b) GDPR and, where applicable, legal obligation (Article 6(1)(c)). Retention: for the term of the agreement and thereafter as required by law or limitation periods.
• Processing of Customer data as processor — legal basis: Article 28 GDPR and the data processing agreement. Retention: as defined in the processing agreement and retention documentation provided to the Customer.
• Marketing website analytics — legal basis: Article 6(1)(f) GDPR (legitimate interest in aggregated understanding of site use) or consent (Article 6(1)(a)) where required by law or our analytics configuration. Retention: per the relevant tool’s policy or until consent is withdrawn.
• Security, abuse prevention, and claims — legal basis: Article 6(1)(f) GDPR. Retention: as long as necessary to secure evidence and defend claims, subject to limitation rules.
• Compliance with legal obligations — legal basis: Article 6(1)(c) GDPR (e.g. tax and accounting rules). Retention: as required by applicable law.

6. Recipients and categories of processors

Personal data may be disclosed only to authorized recipients and processors acting on our instructions, to the extent necessary for the purposes described in this Policy. We do not sell personal data or share it for unrelated third-party marketing.

• EU-based hosting and IT infrastructure providers;
• e-mail and business communication tool providers;
• customer relationship, support, or website analytics providers — configured in compliance with the GDPR;
• technology providers supporting document processing within the Platform — under processing agreements or as sub-processors per the Customer contract;
• legal, accounting, or advisory service providers — where necessary for the Controller’s affairs;
• public authorities — where required by law.

We provide the detailed sub-processor list for the Platform service to Customers in contractual documentation. Prospective partners may request information on categories of processors by contacting the Controller.

7. Transfers outside the European Economic Area

Data related to the Marketing website and demonstration form is generally stored and processed within the European Union.

For the Platform service, after conclusion of a Customer agreement and with appropriate legal mechanisms (including the European Commission’s standard contractual clauses or other GDPR-recognized safeguards), certain operations may involve technology providers established outside the EEA. Such transfers occur only to the extent necessary to deliver the service, with contractual safeguards and without using Customer data to train those providers’ general models. The Marketing website and demonstration form are not used to submit policy documents to such providers.

8. Rights of data subjects

You have the following rights under the GDPR, subject to conditions and exceptions set out therein:

• Right of access — to obtain confirmation whether we process your data and receive a copy.
• Right to rectification — to request correction of inaccurate or completion of incomplete data.
• Right to erasure — in cases provided for in Article 17 GDPR.
• Right to restriction of processing — in cases provided for in Article 18 GDPR.
• Right to data portability — to receive data in a structured format and transmit it to another controller where processing is based on consent or contract and carried out by automated means.
• Right to object — to processing based on Article 6(1)(f) GDPR on grounds relating to your particular situation.
• Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal, where processing is based on consent.
• Right to lodge a complaint — with a supervisory authority; in Poland, the President of the Personal Data Protection Office (PUODO).

To exercise your rights, contact: kontakt@syntexa.pl. We will respond without undue delay and within the time limits set by the GDPR. We may request additional information to verify your identity. For data processed in the Platform by a broker, direct requests regarding that data to the broker as controller.

9. Voluntary provision of data and consequences of refusal

Providing data in the demonstration form is voluntary but necessary to establish commercial contact and schedule a product presentation. Failure to complete required fields will prevent us from handling your inquiry. Telephone number and message content are optional.

Browsing the Marketing website without submitting the form does not require identifiable personal data, except for technical data automatically generated by your browser.

10. Automated decision-making and profiling

In connection with the Marketing website and demonstration form, we do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. The Platform may include technology-assisted features — details on logic and significance are provided to Customers in contractual documentation where applicable.

11. Cookies and similar technologies

The Marketing website may use cookies and similar technologies for:

• Essential purposes — basic site functionality, security, and remembering choices (e.g. language).
• Analytics — aggregated, statistical measurement of site traffic without behavioral advertising profiling, where we deploy such tools — on legitimate interest or consent as required by law.

After logging into the Platform, session cookies and authentication mechanisms apply as described to service users. Browser settings allow restriction or blocking of cookies; this may affect site functionality.

12. Security of personal data

We implement technical and organizational measures appropriate to the risk of infringement of the rights and freedoms of data subjects, including access control, transmission encryption, credential policies, training, and incident response procedures. A summary for teams evaluating cooperation is available on our Security page.

13. Changes to this Policy

We may update this Policy when laws, services, or processing practices change. The current version is published on this page with the date of the last update. Material changes may be communicated to contracted Customers through additional channels.