Privacy Statement
This Privacy Statement explains how OSYNK AI S.R.L. ("Osynk", "we", "us") collects, uses, shares, and protects personal data when you visit our website, use our products, or otherwise interact with us. The "Last updated" date shown above reflects the most recent revision of this statement.
Our service is sold strictly business-to-business. We act as a data controller for the personal data of visitors to our website and of the administrators and users of customer accounts, and for the data we need to operate, secure, and bill the Service. We act as a data processor, on each customer's documented instructions under an Article 28 data-processing agreement, for the personal data that a customer uploads to the platform or that we collect on the customer's behalf about that customer's own users, employees, and contacts.
1. Who we are
Osynk operates a multi-tenant business platform for revenue and operations teams, including the Anya AI assistant and the Sales Intelligence and ERP & Supply Chain products. The legal entity is OSYNK AI S.R.L., a company organised under the laws of Romania. Our full company registration details (trade register number, CUI, registered office) are published in the footer of this site. If you have questions about this statement or wish to exercise a right under applicable data-protection law, contact us at contact@osynk.ai.
2. Our roles: controller, processor, and joint-controller relationships
Most personal data inside a customer's workspace is data that the customer controls. For that data we are a processor: we process it only on the customer's documented instructions, under an Article 28 data-processing agreement. The customer is the controller and decides the purposes and means of processing.
Where a customer embeds Meta's tracking pixel or our Conversions API integration on the customer's own website or forms, the customer is, for that collection and transmission, a joint controller with Meta. Osynk's role in that arrangement is to act as the customer's processor, operating the pixel and conversion tooling on the customer's documented instructions under our Article 28 data-processing agreement. Osynk does not determine the purposes of that collection and does not decide to deploy a pixel; the customer does. Meta is not a subprocessor of Osynk for this data.
We are a controller for the personal data we need to run our own business: website-visitor data, account administration, security and audit logging, and our own customer relationships.
3. The personal data we process
3.1 Account & identity data
When you create an account or are invited to one, we collect your first name, last name, email address, hashed password, role, language preference, and the tenant(s) you belong to. Customers may also store profile fields about their own employees inside the platform.
3.2 Customer-uploaded content (CRM and business data)
Customers upload business content into the platform: CRM records, contacts, leads, deals, calendar and appointment entries, knowledge-base files, and other documents. Some of that content contains personal data about the customer's own users, employees, and contacts. We process that content strictly on the customer's instructions, as a processor.
3.3 Anya chat data
When a visitor or user interacts with the Anya AI assistant, we process the conversation: the messages exchanged, and the conversational state needed to maintain continuity within a session. Where Anya is embedded on a customer's site, that conversation data belongs to the customer's workspace and is processed on the customer's instructions.
3.4 AI prompts, responses, and uploaded files
When AI features are used, the prompts sent and the responses generated are processed by the AI model provider described in section 5 below. Prompts and the files submitted for AI processing (for example, documents uploaded for extraction or analysis) may contain personal data. How that data is handled by the model provider is set out in section 5.
3.5 Email-connector data
When a customer enables an email or productivity connector (Microsoft 365 or Google), we access the mailbox, calendar, or file scopes the customer explicitly authorises, for as long as the connection remains active, to provide the requested functionality. We store integration tokens encrypted at rest. A connector can be disconnected at any time from account settings, after which we no longer access the connected account.
3.6 Meta event-matching data
On customer sites that enable a Meta Pixel, the data used to match conversion events to Meta accounts may include hashed identifiers (such as a hashed email address or phone number), an external identifier, IP address, user agent, the Meta browser cookies _fbc and _fbp, and event data. This data is processed for the customer's conversion-attribution purposes, as described in section 2 and section 9 below.
3.7 Usage, technical, and audit data
We log information generated by interactions with the Service: IP address, browser type, device and operating-system identifiers, pages visited, features used, request timestamps, error traces, and performance telemetry. We also keep audit logs of administrative actions and data changes. We use this data to operate, secure, and improve the Service, and to investigate abuse.
3.8 Cookies and similar technologies
We use cookies and browser storage as summarised in section 9 below.
4. Why we process personal data
We process personal data for the following purposes and on the following legal bases (GDPR Article 6):
- Providing and securing the Service. Performance of contract (Art. 6(1)(b)) and our legitimate interest in operating a secure platform (Art. 6(1)(f)).
- Processing customer data on a customer's instructions. Performance of our data-processing agreement with that customer (Art. 28); the customer is the controller and sets the legal basis for the underlying processing.
- Account administration and customer communications. Performance of contract and our legitimate interest in maintaining customer relationships.
- Legal and accounting compliance. Compliance with a legal obligation (Art. 6(1)(c)), including the retention of accounting and tax records required by Romanian law.
- Product improvement. Our legitimate interest in understanding usage at an aggregated, de-identified level.
- Marketing to business contacts. Your consent where required (Art. 6(1)(a)), or our legitimate interest in promoting our products to business contacts. You can opt out at any time.
- Legal compliance, dispute resolution, fraud and abuse prevention. Legitimate interest and legal obligation.
5. Artificial intelligence
You are interacting with an AI system. The Anya assistant is an artificial-intelligence system. When you begin a conversation with Anya, you are communicating with an automated AI assistant, not with a human. Conversation data is used to generate responses, maintain the continuity of your session, and provide the assistant features the customer has configured.
AI features are powered by a third-party model provider that processes prompts, conversation context, submitted files, and completions to generate responses. The provider processes this data under contractual confidentiality and data-protection terms, and does not use customer data to train its foundation models. AI outputs may be reviewed by a person before they are acted upon. We do not make automated decisions that produce legal or similarly significant effects on individuals without human review. For example, AI lead-scoring never discards or rejects a person automatically; a human reviews before any consequential action.
AI processing is performed through Amazon Bedrock, with model inference kept within the EU geographic boundary. Prompts are processed inside AWS infrastructure rather than reaching the underlying model vendors, which do not receive customer prompts. The AI provider is Amazon Web Services (Amazon Bedrock), processing within the EU geographic boundary under the AWS GDPR Data Processing Addendum, which incorporates the EU Standard Contractual Clauses.
6. How we share personal data
We do not sell personal data. We share personal data only as described below:
- Within your tenant. Personal data inside a customer tenant is accessible to the users and administrators of that tenant in accordance with the roles and permissions configured by the tenant owner.
- Subprocessors. We use carefully selected vendors to host, secure, and operate the Service. They process personal data on our behalf under written Article 28 contracts that require equivalent protections.
- Legal disclosures. We may disclose personal data when required by law, a binding court order, or other lawful request, or to protect the rights, property, or safety of Osynk, our customers, or others.
- Corporate transactions. If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred subject to standard confidentiality protections and to this statement (or one materially equivalent).
7. International transfers
Our application data, database, file storage, and backups are hosted within the European Union. Some subprocessors (for example, certain AI, email-delivery, and Meta integrations) may process personal data outside the European Economic Area.
Where we transfer personal data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) as the operative transfer mechanism, carried in each recipient's data-processing agreement, and we additionally rely on the EU-US Data Privacy Framework where the recipient is certified under it. We do not rely on the Data Privacy Framework alone. We carry out transfer-impact assessments and apply supplementary measures where required.
For transfers from the United Kingdom, we rely on the UK Extension to the Data Privacy Framework (the UK-US Data Bridge) and the UK International Data Transfer Agreement or Addendum as applicable. For transfers from Switzerland, we rely on the Swiss-US Data Privacy Framework. For flows involving Canada, the European Commission's adequacy decision for Canadian commercial organisations subject to PIPEDA applies. A copy of the relevant transfer mechanism is available on request to contact@osynk.ai.
8. How we record consent for tracking and conversion events
Where a customer collects consent through an Osynk form (for example, a marketing-consent checkbox), ticking the consent block creates a consent record in our consent ledger. Each record consists of a grant plus append-only evidence events that capture what was consented to, when it occurred, the source (for example, a public form), and the submitting browser's IP address and user agent. This ledger is the evidence surface that we and our customers rely on to demonstrate consent (GDPR Article 7(1)).
Conversion events for form submissions are sent to Meta only when a positive consent record exists; absent that record, the event is not sent. In limited cases, an authorised operator of the customer's account may record a consent decision on the customer's behalf (for example, where consent was collected outside Osynk). Such a record must attach the original evidence of consent (a form export, signed-document reference, or screenshot), the data subject's identifier, the date the original consent was given, the operator's identity, and the stated reason. Records lacking this minimum evidentiary standard are flagged, and Osynk reserves the right to suspend Conversions API event-sending for any consent record that does not meet it. The customer, as controller, bears the burden of demonstrating valid consent under Article 7(1) GDPR for any consent imported through this mechanism.
For data reaching Osynk through other channels the customer configures (such as appointment bookings or inbound webhooks from the customer's own systems), the customer is responsible for having collected valid consent before the data reaches Osynk.
9. Cookies and similar technologies
We use a small number of strictly necessary cookies to keep you signed in, remember your tenant context, and protect against cross-site request forgery. We do not run advertising tracking on osynk.ai itself.
When a customer enables a dedicated, per-customer Osynk Meta Pixel on a website or form that customer operates, the Osynk loader can write the Meta cookies _fbc and _fbp, load Meta's fbevents.js, and send a conversion event from both the browser and our servers (the Conversions API) using a shared event_id so that Meta deduplicates the browser and server copies of the event. The matching data sent to Meta uses hashed identifiers. The loader does not automatically fire a PageView, and nothing Meta-related loads until the host page signals consent.
10. How long we keep personal data
We keep personal data only as long as needed for the purposes for which it was collected. Our default retention windows are:
- CRM records and customer content. Until the customer deletes them or the account is closed. Deleted records are soft-deleted first, then purged; files placed in the CRM trash are purged after 30 days.
- Audit logs and change history. 24 months by default.
- Outbound email logs. 365 days by default. Message bodies are never stored; we keep only integrity hashes and metadata.
- Login sessions. Approximately 120 minutes of inactivity.
- Inbound lead and webhook events. 6 months, then pruned.
- Meta event-matching data. Raw identifiers are redacted after 7 days by default; event rows persist without the raw identifiers.
- Public-form temporary uploads. 24 hours if the form is abandoned.
- Backups. 30 days on a rolling basis.
Deleting data in the application marks it deleted immediately and hides it; permanent purges follow on the schedules above. Copies inside encrypted backups persist until backup rotation completes (up to 30 days), after which deleted data is unrecoverable.
Where Romanian accounting and tax law requires us to retain records (such as supporting accounting documents), we keep those records for the period the relevant law prescribes. Separately, where we need to retain records to establish, exercise, or defend a legal claim under Article 17(3)(e) GDPR, we limit that retention to the records reasonably necessary for identified or reasonably anticipated proceedings, and we assess each category individually rather than retaining data on a blanket basis. The detailed account-deletion and statutory-retention position is set out on our Data Deletion page.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect personal data, including encryption of data in transit (HTTPS / TLS), strict tenant isolation at the database level, role-based access controls with least-privilege provisioning, encryption of integration credentials at rest, audit logging of administrative actions, and contractual safeguards with our subprocessors.
No system is perfectly secure. If you believe your account has been compromised, please contact contact@osynk.ai immediately.
12. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or object to our processing of your personal data, and to data portability. Where we rely on your consent, you can withdraw it at any time. You also have the right to lodge a complaint with a supervisory authority. In the European Union, that is the data-protection authority of your member state; in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP).
If you are a user of a customer's workspace, the customer is the controller of that data. Please direct your request to that customer first; where we receive such a request, we will relay it to the relevant customer. To exercise rights against Osynk directly, or to request deletion, see our Data Deletion page or write to contact@osynk.ai. We respond within the timelines required by applicable law. Under GDPR, this is normally within one month of receipt, which we may extend by up to two further months for complex or numerous requests, notifying you of any such extension and its reasons within the first month.
13. Privacy contact
Our privacy contact receives and routes privacy and data-subject requests. You can reach this contact at contact@osynk.ai. This person does not hold the role of Data Protection Officer under Article 37 GDPR.
Based on our current assessment, Osynk does not meet the criteria under Article 37(1) GDPR that would make appointment of a Data Protection Officer mandatory. We review this assessment periodically as our processing activities evolve.
14. Quebec: person in charge of personal-information protection
Under Quebec's Law 25, Osynk designates a person in charge of the protection of personal information. That role is held by the Administrator, who can be reached at contact@osynk.ai.
15. Canada (PIPEDA)
For individuals in Canada, personal data is processed outside Canada, in Romania and elsewhere in the European Union, by Osynk and its subprocessors. We maintain comparable protection for that data through contractual safeguards with the parties that process it. You may request access to your personal data and may direct a complaint about our handling of it to the privacy contact in section 13; you may also complain to the Office of the Privacy Commissioner of Canada, and Quebec residents may complain to the Commission d'accès à l'information.
16. Children
The Service is intended for business use and is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
17. Changes to this statement
We may update this Privacy Statement from time to time. The "Last updated" date at the top of the page reflects the most recent revision. If we make material changes, we will provide additional notice (for example, by email or an in-app banner) before the changes take effect.
18. Contact
Privacy questions, rights requests, and all other correspondence: contact@osynk.ai. Our full company registration and legal details are published in the site footer.