Privacy & transparency
How we treat your data
We treat data as a relationship, not an asset. Federations are made of consent, given freely, and that consent has to be visible to itself or it isn't real. This page is the visible part.
We keep what we need to stay in honest contact with you. We don't track you across the web, sell your address, or send you anything you didn't ask for. The minute you decide you're done, you can take your data with you and have it removed, without going through anyone.
What follows is the long-form version of that promise, with the legal precision GDPR asks of us. Use the navigation below to jump to a section.
1. Who we are
Syntrociety Federation is the data controller of the information described on this page. You can reach us at:
Syntrociety Federation
Castro Marim · Portugal
contact@syntrociety.org
We don't have an EU representative under Art. 27 because we're established in the EU. For GDPR questions, write to the address above.
2. What we keep
Everything we have on you is visible to you. Open your transparency page (you'll need a magic link from an email we sent, or you can request a fresh one) to see your record verbatim. The categories are:
- Profile: the email address you signed up with, your first and last name if you gave them, your preferred language, and the timestamp of your sign-up and any updates.
- Memberships: which lists or programmes you joined (e.g. Friends, Newsletter), your subscription status (active / paused / unsubscribed), and the frequency you chose.
- Communications: a record of the emails we sent you and what happened to them (delivered, opened, bounced). We keep the subject line and the event type, not the rendered body.
- Tasks:if you're part of a programme that involves human follow-up (e.g. an admin reaching out for a meeting), there may be tasks on your record naming what's been done or is outstanding.
All of the above is exportable as a single JSON file from your transparency page.
3. What we never keep
What's missing is as deliberate as what's there:
- No third-party tracking pixels.Our emails don't carry tracking-pixel images that ping another company's server when you open them. Open / click events come from our mail provider (Resend) and live in our database, not theirs.
- No cross-site behavioural tracking. We don't use Google Analytics, Facebook Pixel, Hotjar, or similar. Our website doesn't care what else you do on the internet.
- No data sales. We never sell, rent, or barter your information with anyone.
- No password storage.The platform uses magic-link sign-in. We never know, hold, or hash your password; there isn't one to leak.
- No profiling for ads.We don't build advertising profiles or feed your data to ad networks. Your address is not for sale and never will be.
4. Why we keep it (lawful basis)
We rely on three lawful bases under Art. 6 GDPR, depending on the data:
- Consent(Art. 6(1)(a)): the dominant basis. Joining a list, requesting an access link, signing up to anything: each act is an explicit, specific, and revocable consent. You can withdraw it at any time and we won't treat that as a problem.
- Contract(Art. 6(1)(b)): when you're part of a programme (e.g. you're a Friend), some processing is necessary to deliver what we agreed to, like sending the seasonal updates that come with the programme.
- Legitimate interest(Art. 6(1)(f)) (narrowly applied). We rely on this for the audit log of administrative actions (so we can investigate mistakes), for fraud / abuse prevention, and for the minimum security telemetry needed to keep the platform running. We don't use this basis for marketing.
5. Your rights
GDPR gives you a set of rights over your data. You can exercise every one of them on the transparency page or by writing to contact@syntrociety.org.
- Right of access (Art. 15). See what we have on you. The transparency page shows you, and the JSON download gives you a portable copy.
- Right to rectification (Art. 16).Have wrong information corrected. For your own profile, email a federation admin; we don't expose admin-side editing of free-form fields to contacts directly so we can review the change for context.
- Right to erasure (Art. 17). Request deletion. The transparency page has a one-click deletion request; the platform applies a 30-day grace period in case the click was a mistake, then a daily cron permanently erases the record.
- Right to restriction (Art. 18). Tell us to stop using your data while a question is pending. In practice this overlaps with pausing your memberships, which you can do from the preferences page.
- Right to data portability (Art. 20). Take your data with you. The JSON export is in a portable, machine-readable format.
- Right to object (Art. 21). Object to processing based on legitimate interest. The one-click unsubscribe link in every email already acts on this for marketing; for non-marketing objections, write to us.
- Right to withdraw consent (Art. 7(3)). Take back any consent you gave. Withdrawing consent has no penalty and doesn't affect the lawfulness of processing we did before you withdrew.
- Right to lodge a complaint (Art. 77). You can lodge a complaint with the Portuguese data protection authority (CNPD) or with the supervisory authority where you live or work. We'd rather you tell us first so we can fix it. But we're not the gatekeeper of that right.
6. How to exercise them
The fastest path is the transparency page → (request a fresh access link, open it from your email, and you'll see view / download / delete affordances in one place. The link is valid for 30 days and we audit-log every send.
If you've lost access to the email entirely, write to contact@syntrociety.org and a federation admin will help. We won't hand a fresh access link to anyone who can't prove they own the mailbox). The human-loop check exists precisely so a leaked address can't become a leaked record.
We respond within 30 days, usually faster. There's no charge for any of these requests except in the rare case of manifestly excessive demands (Art. 12(5)), which we'd explain in writing first.
7. How long we keep it
Different categories have different retention windows:
- Your active record— kept for as long as your relationship with the federation is active. If you unsubscribe from everything, your contact row is kept (with status “unsubscribed”) so we don't accidentally re-mail you. To remove it entirely, use the deletion request.
- Deletion grace period — when you request deletion, the record is marked for purge and kept for 30 days before a daily cron permanently removes it. The grace period exists so you can change your mind.
- Email events (sent / delivered / bounced / opened) — kept alongside the contact row; deleted when the contact is deleted.
- Audit log— administrative actions (campaign sent, role changed, etc.) are kept for 2 years, then a weekly cron archives older rows. The audit log is about the federation's actions, not about you, and survives a contact deletion as a hashed entry that confirms the deletion happened without re-storing your address.
- Backups — Supabase keeps short-term encrypted backups for disaster recovery. Backup copies of deleted records are pruned in line with the backup rotation, typically within 30 days of the live delete.
8. Where the data lives
We use a small set of vetted sub-processors. All of them are bound by GDPR-compliant data-processing agreements and host data in the EU or under the EU Adequacy regime.
- Supabase — primary database. EU region. Encrypted at rest, accessed over TLS, protected by row-level security at the database layer. Your data never leaves this database except to render in the admin UI or your transparency page.
- Vercel— hosting and serverless compute. Code that processes your data runs in Vercel's European edge network. Vercel doesn't retain request bodies; only short-lived logs and metrics that we control via our log drain settings.
- Resend — transactional and publication email. We pass them your address and the rendered email at send time; they store the message metadata for delivery tracking. We process bounce / complaint webhooks back into our suppression list so undeliverable addresses stop receiving sends automatically.
- Upstash Redis— rate-limit counters. Keyed on hashes of your IP / email so the limiter store doesn't retain plaintext addresses.
We don't share your data with any company beyond this list. If we ever add a sub-processor, this section updates first.
10. Security
We work the security boundary as carefully as the privacy boundary:
- Transport encryption. Every request to and from this platform goes over TLS 1.2+.
- Encryption at rest. Supabase encrypts the database and its backups.
- No passwords.Magic-link sign-in for admins, magic-link tokens for contacts. There's no password to phish or leak.
- Token-only access for the contact-side surfaces. Tokens are HMAC-signed, scoped, and expire.
- Audit logs for every administrative action so we can investigate mistakes after the fact.
- Suppression list for hard-bounced and complaint addresses, keeping us off the path of accidentally re-mailing someone.
If you spot a security issue, write to contact@syntrociety.org and we'll respond within 72 hours. We don't run a paid bug-bounty programme but we treat reports as a gift and reply to every one.
11. Children
The platform is not directed at children under 16, and we don't knowingly collect data from them. If you believe a child's data is on the platform, write to us and we'll remove it.
12. Changes to this policy
We update this page when our practices change. The version and date are at the bottom of the page. Material changes are announced to anyone whose contact details we still have, via email — we don't silently change a privacy policy and pretend everyone agreed.
13. Contact
For privacy questions, deletion requests you can't make through the transparency page, or anything else that doesn't fit a button:
Syntrociety Federation
Castro Marim · Portugal
contact@syntrociety.org
For supervisory matters: Comissão Nacional de Protecção de Dados (CNPD), Portugal — cnpd.pt.
Version 2 · last updated 2 May 2026. Request a transparency link to see and act on your record now.