
Privacy Policy

Last updated: 31 March 2026

This Privacy Policy explains how [Company Name], a company registered in Norway (organization number: [org number]), with its registered address at [address] ("we", "us", "our", or "Syntho"), collects, uses, stores, and protects your personal data when you use the Syntho platform and related services (the "Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and all other applicable data protection legislation.

Because our Service processes health data, which is classified as special category data under GDPR Article 9, we apply enhanced safeguards to protect this information. Please read this policy carefully to understand how we handle your data.

1. Data Controller

The data controller responsible for your personal data is:

[Company Name]

Address: [address]

Organization number: [org number]

Email: privacy@syntho.no

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that such processing complies with applicable law.

3. What Data We Collect

We collect the following categories of personal data:

3.1 Account Data

  • Full name
  • Email address
  • Password (stored in hashed form only)
  • Account creation date

3.2 Health Data (Special Category)

This is special category data under GDPR Article 9 and receives enhanced protection.

  • Health questionnaire responses (medical history, medications, conditions, goals)
  • Blood test results and biomarker values
  • Health profile data (age, sex, body composition metrics)
  • AI-generated peptide protocol data and recommendations
  • Protocol monitoring and renewal data

3.3 Payment Data

  • Transaction records (amount, date, status)
  • Payment method type (we do not store full card details; these are handled by our payment processor Revolut)
  • Billing information

3.4 Usage & Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited, features used, and time spent
  • Referral source
  • Error logs and performance data

3.5 Communication Data

  • Support enquiries and correspondence
  • Chat interactions with the AI assistant within the platform
  • Email communication preferences

4. How We Use Your Data

We use your personal data for the following purposes:

Purpose | Legal Basis
Generating your personalized peptide protocol | Contract + Explicit consent (health data)
Managing your account and authentication | Contract
Processing payments | Contract
Providing customer support | Contract / Legitimate interest
Improving and developing the Service | Legitimate interest
Ensuring platform security and preventing fraud | Legitimate interest
Sending service-related communications | Contract
Sending marketing communications (if opted in) | Consent
Complying with legal and regulatory obligations | Legal obligation

5. AI Processing Disclosure

Your data is processed by artificial intelligence systems.

A core part of our Service involves using AI to analyze your health data and generate personalized peptide protocols. We believe in full transparency about how this works.

5.1 What AI Systems We Use

We use Anthropic's Claude AI (via the Anthropic API) as part of our protocol generation and AI assistant features. Anthropic is a US-based AI safety company.

5.2 What Data Is Sent to the AI

When generating your protocol or when you interact with the AI assistant, the following data may be sent to Anthropic's API:

  • Your health questionnaire responses (anonymized where possible)
  • Blood test results and biomarker values
  • Health profile data (age, sex, relevant medical history)
  • Your stated health and fitness goals
  • Questions or messages you send to the AI assistant

5.3 AI Data Handling

  • Anthropic processes data in accordance with their data processing agreement and privacy policy.
  • Under our agreement with Anthropic, data sent via the API is not used to train their AI models.
  • We do not send your name, email, or other directly identifying information to the AI where it is not necessary for the service function.
  • AI-generated outputs are stored on our servers and associated with your account.

5.4 Automated Decision-Making

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Our protocol generation uses a combination of AI and rules-based systems. The generated protocols are informational only and do not produce legal effects. However, if you believe an automated decision has significantly affected you, you have the right to request human review by contacting us.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to any third party. We share your data only with the following categories of recipients, and only to the extent necessary:

Recipient | Purpose | Data Shared
Anthropic (AI) | Protocol generation, AI assistant | Health data, biomarkers, questionnaire responses
Revolut (Payments) | Payment processing | Transaction amount, payment method details
Supabase (Infrastructure) | Database hosting, authentication | Account data, health data (encrypted), usage data
Vercel (Hosting) | Application hosting, CDN | Technical/usage data, IP addresses

All third-party processors are bound by data processing agreements (DPAs) that require them to handle your data in compliance with GDPR and applicable law. We may also share data if required by law, court order, or governmental request.

7. International Data Transfers

Some of our third-party service providers are located outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Anthropic (USA): Data transferred to the United States for AI processing. Transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and supplementary technical measures including encryption in transit.
  • Supabase (USA): Database infrastructure with EU-region hosting options. Where data is processed in the US, transfers are protected by SCCs.
  • Vercel (USA): Application hosting with edge locations in the EU. Transfers protected by SCCs.

We regularly review the data protection practices of our third-party providers and the legal frameworks governing international transfers to ensure ongoing compliance. You may request a copy of the relevant safeguards by contacting us.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Data Category | Retention Period
Account data | Duration of account + 30 days after deletion request
Health data & biomarkers | Duration of account; deleted within 30 days of account deletion or consent withdrawal
Generated protocols | Duration of account; deleted with account
Payment records | 5 years (Norwegian Bookkeeping Act / Bokføringsloven)
Usage & analytics data | 26 months (anonymized after this period)
Support correspondence | 2 years after last interaction

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., payment records for tax purposes). AI-processed data that has already been sent to Anthropic's API is subject to Anthropic's data retention policies, though under our agreement it is not retained for model training.

9. Your Rights

Under the GDPR and Norwegian data protection law, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data, and if so, to access that data along with information about the processing.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten") where, among other grounds, the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where processing is based on consent or contract.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent (Article 7)

Where processing is based on consent (including for health data), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe your data protection rights have been violated.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@syntho.no. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If your request is complex or we receive a large number of requests, we may extend the response period by an additional 60 days, in which case we will inform you.

Norwegian Data Protection Authority (Datatilsynet)

If you are not satisfied with our response, you may lodge a complaint with Datatilsynet:

Datatilsynet

Postboks 458 Sentrum, 0105 Oslo

Website: www.datatilsynet.no

10. Health Data

Health data collected through Syntho is used exclusively for wellness protocol generation. Syntho does not maintain medical records and is not a healthcare provider. Given the sensitive nature of health data, we apply additional safeguards:

10.1 Explicit Consent

Before you submit any health information, we present a clear and specific consent request explaining what health data will be collected, how it will be processed, who will have access to it, and how long it will be retained. You must actively opt in before any health data processing begins. This consent is recorded and can be withdrawn at any time.

10.2 Enhanced Security Measures

  • All health data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Access to health data is restricted on a need-to-know basis and subject to strict access controls
  • Health data is logically separated from other personal data in our database architecture
  • We maintain audit logs of all access to health data
  • Regular security assessments and penetration testing are conducted

10.3 Consent Withdrawal

If you withdraw consent for health data processing, we will cease processing your health data and delete it within 30 days. This means your existing protocols will no longer be maintained or renewed, and we will be unable to generate new protocols for you. Withdrawal does not affect the lawfulness of any processing carried out before consent was withdrawn.

11. Cookies & Analytics

Syntho uses cookies, localStorage, and similar client-side technologies. Under Norwegian ekomloven § 2-7b and the EU ePrivacy Directive, any non-essential storage or tracking requires your prior, freely given, granular consent. A consent banner is shown on your first visit; you can revisit your choice at any time from the site footer “Cookie settings” link.

11.1 Strictly necessary (no consent required)

Required for the service to function. Cannot be disabled.

  • Supabase authentication — session cookies (“sb-*”) used to keep you signed in. First-party. Session lifetime.
  • Consent state — “syntho.cookie-consent.v1” localStorage entry recording your consent choice. Without it we would re-prompt on every page load. First-party. Persists until you clear it or we publish a new consent-policy version.
  • Cart and checkout state — localStorage entries holding the items you have added before checkout. First-party.

Legal basis: GDPR Article 6(1)(b) performance of a contract, and the ekomloven exemption for strictly necessary storage.

11.2 Analytics (consent required)

Used to understand which content helps users and to catch errors in production. No health-questionnaire or biomarker data is ever shared with analytics providers.

The Google tag is present in the page markup so its presence can be verified, but operates in Google Consent Mode v2 with all non-essential categories set to denied by default. No measurement events, cookies, or identifiers are transmitted until you grant consent; when you opt out, the tag stops collecting immediately.

  • Google Analytics 4 (measurement ID G-WW30NLDLEF) — page views, device category, coarse geographic region, referrer, and routing within the site. IP addresses are anonymised before storage. Cookies set: _ga, _ga_*. Retention: 14 months. Processor: Google LLC (United States). Transfer mechanism: EU-US Data Privacy Framework. Google privacy policy.
  • Vercel Analytics — page-view metrics tied to the site infrastructure. Vercel describes its analytics as cookieless and aggregated, but client-side fingerprints are still personal data under Norwegian interpretation, so we gate it on the same consent toggle. Processor: Vercel Inc. (United States). Retention: 12 months.

Legal basis: GDPR Article 6(1)(a) consent. Withdraw anytime from the footer “Cookie settings” link.

11.3 Marketing (reserved, not currently in use)

Syntho does not run advertising, retargeting, or share data with ad networks. The “Marketing” toggle in the consent banner is a forward-compatible placeholder; turning it on does nothing today.

11.4 Changing or withdrawing consent

You have the right to withdraw consent at any time and as easily as you gave it (GDPR Article 7(3)). Three ways:

  • Click Cookie settings in the footer of any page; the preferences dialog opens and saves your new choice immediately.
  • Clear site data in your browser; the next visit will re-prompt.
  • Email privacy@syntho.no if the site mechanisms do not work for you.

Withdrawing consent does not delete data already processed; to request erasure of existing analytics data, see Section 9 (“Your Rights”).

12. Children & Age Restriction

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you believe that a minor has provided us with personal data, please contact us immediately at privacy@syntho.no.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data at rest and in transit
  • Secure authentication mechanisms including hashed passwords
  • Role-based access controls limiting data access to authorized personnel
  • Regular security audits and vulnerability assessments
  • Incident response procedures for potential data breaches
  • Employee training on data protection and security best practices

While we strive to protect your data, no method of electronic transmission or storage is completely secure. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority (Datatilsynet) as required by GDPR Article 33 and Article 34, without undue delay.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email or through a prominent notice on the platform
  • Where changes affect health data processing or require renewed consent, we will request your explicit consent before the changes take effect

We encourage you to review this Privacy Policy periodically.

15. Contact & Data Protection

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

General Privacy Enquiries

Email: privacy@syntho.no

[Company Name]

Address: [address]

Organization number: [org number]

Data Protection Enquiries

For matters specifically relating to your data protection rights under the GDPR, including subject access requests, erasure requests, and complaints, please email: privacy@syntho.no

We aim to respond to all data protection enquiries within 30 days.