Data Processing Addendum
Last updated: June 24, 2026
1. Parties and Roles
This DPA is between you (the "Customer") and the operator of Saynovo, Austin Tanner, a sole proprietor located in Paraguay, doing business as Saynovo, a product of SyntroAI ("Saynovo", "we", "us", "our"). The named entity and governing law in this DPA are pending final founder and legal sign-off and may be updated before signature.
For personal data that you submit, import, or generate through the Service - including business details, Google Business Profile data you connect, edit prompts, generated site content, and data submitted by visitors to your published site - you act as the controller (or, where you process it for another party, as a processor) and Saynovo acts as the processor (or sub-processor). For account and billing data we collect to operate the Service and bill you, Saynovo acts as an independent controller as described in the Privacy Policy.
2. Subject Matter and Duration
The subject matter of the processing is the provision of the Saynovo service: generating, editing, hosting, and publishing a website from the data you provide and the Google Business Profile you connect. Processing continues for the term of your subscription and ends when your data is deleted in accordance with Section 7 and the Privacy Policy.
3. Nature and Purpose of Processing
We process personal data only on your documented instructions, which include:
- generating a website from your business details and connected Google Business Profile;
- applying the changes you request when you talk to your site in the editor;
- publishing and hosting your site on your own custom domain, and provisioning SSL;
- sending the minimum content needed to our AI provider to generate the site and edits;
- providing support, security, abuse prevention, and troubleshooting;
- storing and deleting data as described in this DPA and the Privacy Policy.
We will not process the personal data for any other purpose, and we will inform you if we believe an instruction infringes applicable data protection law.
4. Categories of Data and Data Subjects
The personal data processed may include: business contact details, Google Business Profile information (name, address, phone, hours, categories, description, reviews, photos), the text of your edit prompts, generated site content, and information submitted by visitors to your published site (for example through a contact or quote form). The data subjects may include you, your staff, your customers, and visitors to your published site.
5. Security Measures
We implement appropriate technical and organizational measures to protect personal data, taking into account the state of the art and the risks of the processing, including:
- Encryption in transit - TLS for traffic to the Service and SSL on every published site;
- Encryption at rest - personal data and stored secrets are encrypted at rest, and credentials and tokens are kept out of plaintext storage;
- Tenant isolation - each customer's data is logically isolated and access is scoped per organization, so one customer cannot read or modify another's data;
- Access control - least-privilege access for staff, signed sign-in links instead of stored passwords, and audit logging of sensitive actions;
- Rate limiting and abuse controls - spend ceilings and rate limits that protect data and availability;
- Resilience - routine backups and recovery procedures for the Service.
6. Sub-processors
You authorize Saynovo to engage sub-processors to provide the Service. Our current sub-processors and the purpose of each are published and kept current at Sub-processors. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give reasonable notice before adding or replacing a sub-processor so that you can object on reasonable data protection grounds; if we cannot resolve your objection, you may terminate the affected part of the Service.
7. Data Subject Rights and Deletion
Taking into account the nature of the processing, we will assist you, by appropriate technical and organizational measures and insofar as possible, in responding to requests from data subjects to exercise their rights (access, correction, deletion, restriction, objection, and portability). If we receive such a request directly, we will refer it to you and assist you in responding.
You can delete your data yourself at any time using the self-service "Delete my account and all data" action, and you can purge Google Business Profile data using the "Disconnect Google Business Profile" action, both described in Privacy Policy Section 9. On termination of the Service, and at your choice, we will delete or return the personal data we process on your behalf and delete existing copies, except where retention is required by law (such as billing records) or as part of routine backups that are purged on their normal rolling cycle.
8. Confidentiality and Personnel
We ensure that personnel authorized to process the personal data are bound by appropriate confidentiality obligations and are granted access only on a need-to-know basis to operate and support the Service.
9. Personal Data Breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting the personal data we process on your behalf, and will provide information reasonably available to us to help you meet your own notification obligations.
10. International Transfers
Personal data may be processed in the United States and other countries where we and our sub-processors operate. Where a transfer of personal data subject to the GDPR or UK GDPR takes place, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference.
11. Audit and Cooperation
On reasonable written request, and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA and will cooperate with audits, including by providing existing reports and documentation, in a manner that does not compromise the security or privacy of other customers.
12. Governing Law and Order of Precedence
This DPA is governed by the same law as the Terms of Service. The governing law is pending final founder and legal sign-off and will be confirmed before this DPA is offered for signature. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls. All other terms of the Terms of Service remain in full effect.
13. Contact
For questions about this DPA, or to request a signed copy, email [email protected].