GDPR Compliance | Synthesis AI

Data Controller Information

Synthesis AI acts as the data controller for personal data collected through our services.

Entity	Details
Company Name	MYG Media SRL (operating as Synthesis AI)
Registration Number	RO50059004
Registered Address	Bulevardul GEORGE ENESCU, Nr. 23, Bloc G45, Scara B, Ap. 6, Judet Suceava, Romania
Data Protection Officer	dpo@synthesis-ai.com
Representative in EU	Not required (established in EU - Romania)

Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

Right to Access

Request a copy of your personal data we hold

Right to Rectification

Correct any inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data

Right to Restriction

Limit how we process your data

Right to Portability

Receive your data in a machine-readable format

Right to Object

Object to certain types of processing

How to Exercise Your Rights: You can exercise any of these rights by contacting our Data Protection Officer at dpo@synthesis-ai.com or through your account dashboard.

Legal Basis for Processing

We process your personal data under the following legal bases:

1. Contract Performance

Account creation and management
Service delivery and support
Billing and payment processing
API access and usage tracking

2. Legitimate Interests

Improving our services and AI models
Fraud prevention and security
Analytics and performance monitoring
Direct marketing to existing customers

3. Legal Obligations

Tax and accounting requirements
Compliance with court orders
Anti-money laundering regulations

4. Consent

Marketing communications to non-customers
Optional features and services
Cookies and tracking technologies

Data Processing Activities

Data Category	Purpose	Legal Basis	Retention Period
Account Information	Service provision	Contract	Account lifetime + 1 year
Payment Data	Billing	Contract	7 years (tax requirements)
Usage Data	Service improvement	Legitimate interest	2 years
AI Interactions	Service delivery	Contract	90 days
Support Tickets	Customer service	Contract	3 years
Marketing Preferences	Communications	Consent	Until withdrawn

International Data Transfers

When we transfer your data outside the EEA, we ensure appropriate safeguards:

Transfer Mechanisms

Standard Contractual Clauses (SCCs): EU Commission-approved contracts for data transfers
Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
Binding Corporate Rules: For intra-group transfers

Third-Party Processors

Note: Some of our sub-processors (OpenAI, Anthropic) may process data in the United States. We ensure all transfers are covered by appropriate safeguards.

Technical and Organizational Measures

Data Subject Request Process

We've streamlined the process for exercising your GDPR rights:

Step 1: Submit Request

Contact us via email, dashboard, or web form with your request

Step 2: Identity Verification

We verify your identity to protect your data (within 48 hours)

Step 3: Processing

We process your request and gather relevant data (within 30 days)

Step 4: Response

We provide the requested information or action confirmation

No Fees: We do not charge fees for data subject requests unless they are manifestly unfounded or excessive.

Cookie Policy Summary

We use cookies in compliance with GDPR requirements:

Cookie Categories

Essential Cookies: Required for service functionality (no consent needed)
Performance Cookies: Help us improve our services (consent required)
Marketing Cookies: Used for targeted advertising (explicit consent required)

Cookie Management

You can manage your cookie preferences:

Through our cookie consent banner
In your account settings
Via browser settings
Using our cookie preference center

Third-Party Data Sharing

We share data with third parties only when necessary and with appropriate safeguards:

Category	Purpose	Data Shared	Location
Payment Processor (Stripe)	Payment processing	Payment details	EU/US
AI Providers	AI processing	User queries (anonymized)	US
Cloud Infrastructure	Data storage	All user data	EU
Analytics	Service improvement	Usage data	EU

Data Breach Response Plan

In the unlikely event of a data breach, we follow a strict response protocol:

Our Commitments

Detection: Continuous monitoring for security incidents
Assessment: Immediate evaluation of breach scope and impact
Notification to Authorities: Within 72 hours to relevant supervisory authority
User Notification: Without undue delay if high risk to your rights
Mitigation: Immediate steps to contain and remedy the breach
Documentation: Full breach documentation for compliance

Breach History: We maintain full transparency about any data breaches. To date, we have had zero reportable data breaches.

Contact Our Data Protection Officer

For any GDPR-related queries, concerns, or to exercise your rights:

📧 Email

dpo@synthesis-ai.com

📮 Post

Data Protection Officer
MYG Media SRL
Bulevardul GEORGE ENESCU, Nr. 23
Bloc G45, Scara B, Ap. 6
Judet Suceava, Romania

🌐 Online Form

Submit GDPR Request

Response Time: We aim to respond to all GDPR requests within 72 hours and complete them within 30 days as required by law.

Right to Lodge a Complaint

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

EU Supervisory Authorities

You can find your local authority at: European Data Protection Board Members

Lead Supervisory Authority

Our lead supervisory authority is:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1
București, 010336, Romania
Phone: +40 318 059 211
Email: anspdcp@dataprotection.ro

Policy Updates

This GDPR compliance page was last updated on June 28, 2025.

We regularly review and update our GDPR compliance measures. Any material changes will be communicated through:

Email notifications to registered users
Dashboard notifications
Website announcements

Data Protection

EU Data Residency

72-Hour Breach Notification