cyBRRD enterprise drone airspace defense — beta opens September 2, 2026 Join the waitlist
PRIVACY & DATA CUSTODY

We keep custody of your data. Here is the proof.

Most privacy policies describe what a company is allowed to do with your data. This one describes what we commit to — a custody attestation, in the same spirit as everything Syntropy Scientific builds: provenance you can check, custody that can't be quietly severed. We never sell, rent, trade, or exchange personal data. Full stop.

Version 2026-07-13 · Effective 2026-07-13 · Reviewed at least annually

THE SHORT VERSION
QuestionAnswer
What we collectOnly what you give us at a specific point: partner-inquiry (name, email, organization, message) and cyBRRD waitlist (name, email, organization, role, interest, plus your consent record). Plus minimal server logs (see Telemetry).
WhySolely the purpose stated where you gave it — to reply to your inquiry, or to manage cyBRRD beta access. Nothing more.
Who processes itUs, and a small number of named service providers acting only on our documented instructions under contract. Our subprocessor list is public. We never sell or share for anyone else's purposes.
How longBounded per data category (see Retention); deletion propagates to processors and backups on schedule.
Your rightsAccess, correction, deletion, and opt-out — including honoring Global Privacy Control signals. How to exercise them.
AINo customer personal data is used to train AI models. Our AI disclosure.

Our custody commitment. We never sell, rent, trade, or exchange personal data. We use a small number of service providers who process data solely on our behalf, under contract, for the purposes described here. They may not use it for their own purposes, retain it beyond our instructions, or disclose it further. Personal data exists only within systems we administer or processors under contract; we maintain data maps documenting every location; retention is bounded and deletion propagates to processors and backups on schedule.

1. Who we are

Syntropy Scientific is an Iowa-registered DBA of Macawi LLC (Iowa, USA), the data controller for the personal data described here. Questions or requests: privacy@syntropyscientific.com.

2. What we collect, and why (purpose limitation)

We state the purpose at each point of collection and commit that processing never exceeds it. Collecting, using, or retaining personal data beyond what is reasonably necessary and proportionate to that primary purpose is something we treat as out of bounds.

Partner & client inquiries

When you submit the partner-inquiry form, we collect your name, email, organization, and message to respond to and evaluate a potential working relationship. These reach us as an internal notification; we reply to what warrants a reply.

cyBRRD beta waitlist

When you join the waitlist, we collect your name, email, organization, role, and stated interest to manage cyBRRD beta access and communicate about it. We record your consent and the version of this policy in force when you gave it, so custody is evidenced, not merely asserted.

Telemetry

Our web server (Caddy) keeps minimal access logs — timestamp, IP address, requested path, response status, and user-agent — for security and reliability, retained for 30 days and then deleted. We run no third-party analytics and no advertising trackers at launch. If we later add analytics, it will be a self-hosted, privacy-preserving, minimized tool (Plausible/Umami-class), and this policy will be updated to say so before it goes live.

3. Processors, not data-sharing (controller–processor)

The service providers we use are processors acting on our documented instructions — not third parties we "share" data with. Each is bound by a data-processing agreement (a GDPR Article 28 DPA / the CCPA-CPRA service-provider contract terms) that forbids using your data for their own purposes, retaining it beyond our instructions, or disclosing it further. That contract is the instrument by which we never lose custody.

Subprocessor list

We maintain a vendor register, require DPAs with every processor, review their subprocessor lists, and verify their certifications (e.g. SOC 2, GDPR). Our current processors:

We update this list before adding a processor that handles personal data.

4. No duplication outside the controlled environment

Backups, security telemetry, disaster-recovery replication, and email all technically duplicate data. Our commitment is that personal data exists only within systems we administer or processors under contract. We maintain data maps documenting every location it lives; retention is bounded; and when we delete, deletion propagates to processors and to backups on the defined schedule. No shadow copies, no data exchange, no custody leakage.

5. Retention

We keep personal data only as long as needed for the purpose it was collected for, then delete it:

Deletion propagates to processors and to backups on their rotation schedule.

6. Your rights, and how to exercise them

Exercise any of these by emailing privacy@syntropyscientific.com. We verify the request comes from you — typically by confirming control of the email address on record — and respond within 30 days, or sooner where the applicable law requires.

7. Breach notification

If a breach affects your personal data, we will notify affected individuals and the relevant authorities without undue delay — and within 72 hours of becoming aware where notification is required — with a description of what happened, what data was involved, and what we are doing about it.

8. AI & automated decision-making

Given what we build, we are candid about this. No customer personal data is used to train AI models — ours or anyone else's. Where automated processing touches your data (for example, routing or triaging an inquiry), it does not make legally or similarly significant decisions about you without human review, and you may request human review or object.

9. International users

We are based in Iowa, USA, and process personal data in the United States under the commitments above. We do not currently target users in the EU/EEA; where we do process EU personal data, we act as controller under the GDPR's Article 5 principles, contract with processors under Article 28, and rely on Standard Contractual Clauses for transfers.

10. Changes to this policy

We review this notice at least annually and whenever a regulatory or business change requires it. Each version carries a version identifier (this is 2026-07-13), and we record which version was in force when you gave consent.