1. Introduction

Syneriz sp. z o.o., with its registered office in Warsaw, Al. Jana Pawła II 22, 00-133 Warsaw, entered into the National Court Register under KRS number 0000730510, NIP 5252750039, REGON 380201801, sets out in this document the rules for the processing of personal data within the service of brand exposure analysis in language models, provided in the Software-as-a-Service model.
This document fulfills the obligations arising from data protection regulations and the Act on the Provision of Electronic Services, and also incorporates the guidelines of the AI Act.

2. Definitions

For the purpose of this Policy:

• Application – a cloud-based analytical system enabling the measurement of brand presence in large language models.
  
  

• Client – the entity that concludes a SaaS service agreement with the Company.
  
  

• Platform – the website providing access to the Application, available at https://chatleak.ai/.
  
  

• Personal Data – information relating to an identified or identifiable natural person.
  
  

• Processing – any operations performed on personal data.
  
  

3. Scope of Application

This Policy covers all data operations related to account registration, sales support, use of the Application, and analysis of content submitted by the Client.

4. Syneriz’s Roles in Data Processing

4.1 Data Controller

Syneriz acts as the Data Controller with respect to:

• account registration data (name, surname, company, position, email, phone),
  
  

• billing data (invoices, tax identification number),
  
  

• technical data (IP address, login metadata, cookies),
  
  

• marketing and communication data.
  
  

4.2 Data Processor

With respect to files, queries, and analysis results submitted by the Client, Syneriz acts solely on the documented instructions of the Client as a Data Processor. Detailed terms are defined in the Data Processing Agreement (section 15 of this Privacy Policy).

5. Categories and Sources of Data

• Administrative data – name, surname, company details, contact information, collected at registration or contract conclusion.
  
  

• Billing data – tax ID number, payment history, accounting records.
  
  

• Operational data – IP address, device identifiers, timestamps, API query paths.
  
  

• Analytical data – content and metadata submitted by the Client for brand exposure analysis.
  
  
  

6. Purposes and Legal Bases

• Processing of administrative and billing data is necessary to perform the contract and fulfill legal obligations.
  
  

• Processing of operational data ensures service security and performance improvement, based on the legitimate interest of the Controller.
  
  

• Processing of analytical data is performed solely to execute the Client’s instructions, in accordance with the Data Processing Agreement and Article 28 GDPR.
  
  
  

7. Automated Decisions and Profiling

The Application does not take legal decisions nor produce legal effects concerning individuals. Reports are statistical, based on aggregated results from LLMs, without individual profiling.

8. Data Recipients

Authorized Syneriz employees and hosting or technical subcontractors have access to data. They are bound by confidentiality and data protection obligations.

9. Data Transfers Outside the EEA

Transfers to third countries are based on standard contractual clauses, privacy impact assessments, and AI Act-required procedures, ensuring adequate data protection safeguards.

10. Data Security

Syneriz applies an information security management system aligned with ISO 27002 guidelines, encrypts data in transit and at rest, enforces multi-level access with two-factor authentication, and maintains GDPR-compliant incident response procedures.

11. Data Retention Period

• Account data are stored for the duration of the contract + 3 years.
  
  

• Accounting records are stored for 5 years, in accordance with Polish law.
  
  

• Client analytical data are deleted within 30 days after contract termination unless the Client issues other instructions.
  
  
  

12. Data Subject Rights

Data subjects have the right of access, rectification, erasure, restriction of processing, data portability, and objection. Where processing is based on consent, the right to withdraw consent applies. Requests should be sent to contact@logisignal.ai.

13. Cookies and Online Identifiers

The Application uses only technical cookies essential for proper user session operation. Analytical tools are locally hosted and anonymize data in line with the guidelines.

14. Privacy by Design and Privacy by Default

Priority is given to data minimization. Default settings restrict the scope of collected information, and integrations with third-party services require explicit user consent.

15. Data Processing Agreement

• The Client entrusts Syneriz with data processing solely for the provision of the service.
  
  

• Syneriz ensures confidentiality, adequate safeguards, and staff training.
  
  

• Upon contract termination, data are deleted.
  
  

16. Liability

Syneriz is liable for damages resulting from improper processing of entrusted data pursuant to Article 82 GDPR. Liability is limited to the equivalent of the last 6 months’ subscription fees, unless damage results from willful misconduct.

17. Policy Changes

This Policy may be amended to ensure compliance with regulations or to extend functionalities. Clients are notified of significant changes 14 days in advance.

18. Contact

For data protection matters, please contact the Data Protection Officer:

contact@logisignal.ai

Complaints may be submitted to the President of the Polish Data Protection Authority.