GDPR Compliance
Last updated: May 2026
1. Overview
This page summarises how Sintora Labs handles personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and complements our full Privacy Policy.
2. Data Controller
For personal data collected through this Website and our commercial communications, we act as the data controller.
For data we process on behalf of clients in the course of a Service Agreement (e.g. data inside an application we build for you), we typically act as a processor and the client is the controller. The roles and obligations are set out in a Data Processing Agreement (DPA) signed alongside the engagement.
3. Legal Bases We Rely On
- Contract performance — to respond to your enquiry, prepare a proposal, and deliver agreed services;
- Legitimate interests — to operate, secure and improve the Website, prevent abuse, and conduct routine business communication;
- Consent — for analytics and marketing cookies, optional newsletters, and third-party tools loaded on demand (e.g. the Calendly scheduler);
- Legal obligation — to comply with tax, accounting, anti-money-laundering and other applicable rules.
4. Your Rights as a Data Subject
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Have inaccurate or incomplete data corrected.
Right to Erasure
Have your data deleted in the circumstances foreseen by law.
Right to Restrict Processing
Limit how we use your data while a request is being resolved.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
Withdraw Consent
Withdraw any consent at any time, without affecting prior lawful processing.
Lodge a Complaint
Complain to your local data-protection authority (see below).
5. Retention
Specific retention periods are listed in our Privacy Policy. We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
6. International Transfers
Some of our service providers are located outside the EEA, primarily in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2 / Module 3), supplementary measures where required, and providers' published transfer-impact mechanisms. The complete sub-processor list is in section 5 of our Privacy Policy.
7. Security and Breach Notification
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, monitoring, regular updates, and staff confidentiality undertakings. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and where the risk is high, we will inform affected individuals without undue delay.
8. Exercising Your Rights
To exercise any of the rights listed above, write to:
Email: privacy@sintoralabs.com
Subject: GDPR Data Subject Request
We will respond within one month. Where requests are particularly complex, we may extend this period by a further two months and will let you know if that is the case.
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your data-protection rights have been infringed.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Web: www.aki.ee
You may also contact the supervisory authority in the EU country of your habitual residence, place of work, or place of the alleged infringement.
10. Updates
We update this notice from time to time to reflect changes in how we operate or in the law. The date at the top of this page reflects the most recent revision.