Privacy & Compliance Policy
Last Updated: November 2025
1. Scope
This policy explains how Syntri and Craft Intelligence process, store, protect and use client and personal data in compliance with:
UK GDPR
EU GDPR (where applicable)
POPIA (South Africa)
Applicable international privacy standards
2. Data Collected
A. Organisational Data
Company name
Registration details
Billing information
Usage metrics
Uploaded PO/GRN/Invoice data
B. Personal Data
User names
Business email addresses
Login information
Contact details
Job titles
C. Technical Data
IP addresses
Device/browser information
Activity logs
3. How We Use Data
Data is used strictly for:
Providing the Syntri service
Authentication and access control
Improving platform performance
Support & incident response
Security & fraud monitoring
Legal compliance
We do not sell user data.
4. Legal Grounds for Processing
We process data based on:
Contractual necessity
Legitimate business interest
Legal compliance
User consent (cookies & optional analytics)
5. Data Storage & Security
We use:
ISO 27001-certified cloud providers
AES-256 encryption at rest
TLS 1.2+ in transit
Role-based access control
Audit logging
Daily backups
6. Data Retention
Data is retained:
As long as required to operate the Service
As required by contract or law
For 90 days after termination (after which it is deleted)
7. Data Subject Rights
Under GDPR/POPIA, users may request:
Access
Correction
Deletion
Restriction
Objection
Data portability
Requests can be sent to: [email protected]
8. International Transfers
If data moves outside the UK/EU/SA, Standard Contractual Clauses (SCCs), UK Transfer Addendum, or POPIA Section 72 compliance safeguards are applied.