Our custody commitment. We never sell, rent, trade, or exchange personal data. We use a small number of service providers who process data solely on our behalf, under contract, for the purposes described here. They may not use it for their own purposes, retain it beyond our instructions, or disclose it further. Personal data exists only within systems we administer or processors under contract; we maintain data maps documenting every location; retention is bounded and deletion propagates to processors and backups on schedule.
1. Who we are
Syntropy Scientific is an Iowa-registered DBA of Macawi LLC (Iowa, USA), the data controller for the personal data described here. Questions or requests: privacy@syntropyscientific.com.
2. What we collect, and why (purpose limitation)
We state the purpose at each point of collection and commit that processing never exceeds it. Collecting, using, or retaining personal data beyond what is reasonably necessary and proportionate to that primary purpose is something we treat as out of bounds.
Partner & client inquiries
When you submit the partner-inquiry form, we collect your name, email, organization, and message to respond to and evaluate a potential working relationship. These reach us as an internal notification; we reply to what warrants a reply.
cyBRRD beta waitlist
When you join the waitlist, we collect your name, email, organization, role, and stated interest to manage cyBRRD beta access and communicate about it. We record your consent and the version of this policy in force when you gave it, so custody is evidenced, not merely asserted.
Telemetry
Our web server (Caddy) keeps minimal access logs — timestamp, IP address, requested path, response status, and user-agent — for security and reliability, retained for 30 days and then deleted. We run no third-party analytics and no advertising trackers at launch. If we later add analytics, it will be a self-hosted, privacy-preserving, minimized tool (Plausible/Umami-class), and this policy will be updated to say so before it goes live.
3. Processors, not data-sharing (controller–processor)
The service providers we use are processors acting on our documented instructions — not third parties we "share" data with. Each is bound by a data-processing agreement (a GDPR Article 28 DPA / the CCPA-CPRA service-provider contract terms) that forbids using your data for their own purposes, retaining it beyond our instructions, or disclosing it further. That contract is the instrument by which we never lose custody.
Subprocessor list
We maintain a vendor register, require DPAs with every processor, review their subprocessor lists, and verify their certifications (e.g. SOC 2, GDPR). Our current processors:
- Vultr (Constant Company, LLC) — infrastructure hosting for this website, United States.
- Google Workspace (Google LLC) — email, files, and collaboration through which inquiries reach us.
- Odoo (Odoo S.A.) — billing and customer/prospect management, upon activation of paid services.
We update this list before adding a processor that handles personal data.
4. No duplication outside the controlled environment
Backups, security telemetry, disaster-recovery replication, and email all technically duplicate data. Our commitment is that personal data exists only within systems we administer or processors under contract. We maintain data maps documenting every location it lives; retention is bounded; and when we delete, deletion propagates to processors and to backups on the defined schedule. No shadow copies, no data exchange, no custody leakage.
5. Retention
We keep personal data only as long as needed for the purpose it was collected for, then delete it:
- Partner & client inquiries — up to 24 months after our last contact, unless a working relationship makes longer retention necessary and proportionate.
- cyBRRD waitlist — until beta onboarding or your withdrawal, whichever comes first.
- Server access logs — 30 days.
Deletion propagates to processors and to backups on their rotation schedule.
6. Your rights, and how to exercise them
- Access — a copy of the personal data we hold about you.
- Correction — fix anything inaccurate.
- Deletion — erase it; we propagate the erasure to processors and backups.
- Opt-out — including honoring Global Privacy Control browser signals, which we treat as a valid opt-out request.
Exercise any of these by emailing privacy@syntropyscientific.com. We verify the request comes from you — typically by confirming control of the email address on record — and respond within 30 days, or sooner where the applicable law requires.
7. Breach notification
If a breach affects your personal data, we will notify affected individuals and the relevant authorities without undue delay — and within 72 hours of becoming aware where notification is required — with a description of what happened, what data was involved, and what we are doing about it.
8. AI & automated decision-making
Given what we build, we are candid about this. No customer personal data is used to train AI models — ours or anyone else's. Where automated processing touches your data (for example, routing or triaging an inquiry), it does not make legally or similarly significant decisions about you without human review, and you may request human review or object.
9. International users
We are based in Iowa, USA, and process personal data in the United States under the commitments above. We do not currently target users in the EU/EEA; where we do process EU personal data, we act as controller under the GDPR's Article 5 principles, contract with processors under Article 28, and rely on Standard Contractual Clauses for transfers.
10. Changes to this policy
We review this notice at least annually and whenever a regulatory or business change requires it. Each version carries a version identifier (this is 2026-07-13), and we record which version was in force when you gave consent.