Privacy Policy.
How Sygil collects, uses, retains, and protects personal data, and what your rights are under the General Data Protection Regulation. Read this in full before submitting any personal data to us through any channel.
Effective 2026-04-07. Data controller: Sygil, operated by Abid Nawaz, India. Representative in the European Union: to be appointed before 2 August 2026.
Who we are and the data controller.
Sygil (Sygil, we, us, our) is a human content review and EU AI Act Article 50(4) compliance documentation service. Sygil is operated by Abid Nawaz, MD, from India, with a reviewer network distributed across India and the European Union.
Data controller: Sygil, operated by Abid Nawaz, India.
EU representative: An EU representative under Article 27 of the GDPR will be appointed before 2 August 2026 (the date Article 50 of the EU AI Act becomes operative). Until that appointment, EU data subjects may contact Sygil directly for data protection requests at the address below.
Contact for data protection requests: founder@sygil.co. The alias privacy@sygil.co is reserved for routing data requests once that alias is provisioned on our mail infrastructure.
What personal data we collect.
Sygil collects the following categories of personal data:
- Inquiry form data. Name, work email address, organization name, role, country, and free-text inquiry content submitted through the scoping call form or any other contact form on our website.
- Scoping call metadata. Calendar booking details (name, email, time zone, scheduled time), meeting notes, and any attachments shared during or before the call.
- Customer content submitted for review. The text content the customer submits for human editorial review under an active engagement. This may include names, quotes, attributions, and other personal data embedded in the content.
- Reviewer notes. Notes recorded by the assigned human reviewer in the course of performing the review work, which may reference the customer organization and the content under review.
- Attestation logs. Per-article attestation entries recording reviewer name, customer identifier, article identifier, timestamp, methodology version, and a verification hash.
- Account and billing data. Where the customer is invoiced, the billing contact name, address, tax identification number, and payment metadata. Payment card details are NOT stored by Sygil and are handled by our payment processor.
- Website analytics. Minimal, functional analytics provided by Vercel. Anonymized request metadata, page views, and referrer information. No third-party tracking cookies, no advertising tags, no remarketing pixels.
Sygil does not collect special category data (health, race, religion, biometrics) unless that data is embedded in customer content submitted for review. Where it is, the customer is responsible for ensuring lawful basis and appropriate safeguards for the inclusion of that data in the submitted content.
Lawful basis for processing.
Sygil processes personal data under the following GDPR lawful bases:
- Performance of a contract (Article 6(1)(b)). Inquiry form data, scoping call metadata, account and billing data, and customer content submitted for review are processed on the basis of pre-contract steps and the performance of the customer engagement.
- Legitimate interest (Article 6(1)(f)). Reviewer notes, internal operational logs, attestation logs retained for compliance evidence, and minimal website analytics are processed on the basis of Sygil's legitimate interest in delivering the service, maintaining audit-grade compliance evidence, and improving the website. The legitimate interest is balanced against data subject rights and is documented in our internal records.
- Legal obligation (Article 6(1)(c)). Tax and accounting records are retained as required by applicable law in the jurisdiction of operation.
- Consent (Article 6(1)(a)). Where consent is required for a specific processing activity (for example, future newsletter sign-ups, if introduced), consent is collected explicitly and may be withdrawn at any time without affecting the lawfulness of past processing.
How we use personal data.
Sygil uses personal data for the following purposes:
- To respond to inquiries and arrange scoping calls.
- To provide the contracted human content review service to customers under an active engagement.
- To produce and maintain compliance documentation including the procedure document, reviewer roster, editorial responsibility designation, attestation logs, and monthly evidence reports.
- To bill customers and maintain account records.
- To respond to regulator inquiries about a customer's content, with the customer notified within 48 hours of receipt unless the regulator instructs otherwise.
- To improve the operational quality of our service and the readability of our website.
- To meet legal, tax, and audit obligations in the jurisdictions in which we operate.
Sygil does NOT use personal data to:
- Train any AI model or machine learning system.
- Sell or rent contact lists to third parties.
- Build advertising profiles.
- Run remarketing campaigns or any third-party tracking.
Who we share personal data with.
Sygil shares personal data only with the following categories of recipient, and only to the extent necessary to deliver the service:
- Reviewer network. The named human reviewers assigned to a customer's roster. Each reviewer is bound by a written reviewer agreement that includes confidentiality obligations.
- Cloud infrastructure providers (sub-processors):
  - Vercel (US, with EU edge presence) hosts the Sygil website and serves static pages.
  - Cloudflare (US, with global edge) provides DNS, registrar, and basic edge protection for Sygil domains.
  - Google Workspace (US, with EU data residency for inbox storage) hosts the founder mailbox and aliases on the primary domain.
  - Zoho Mail (EU data center) hosts mailboxes on the Sygil outbound burner domain.
  - Smartlead (US) orchestrates Sygil outbound email sequences from the burner mailboxes.
  - Cal.com (EU) handles scoping call scheduling.
- The payment processor identified in the customer engagement letter handles payment card and bank transfer flows. Sygil does not store payment card details.
Each sub-processor is engaged under a written agreement that includes data protection terms and, where applicable, GDPR Article 28 processor obligations. Sygil maintains an internal record of sub-processors and updates the list when sub-processors change. Customers under an active engagement are notified of material changes to the sub-processor list.
Sygil does not share personal data with any third party for marketing, advertising, or analytics purposes beyond the minimal Vercel website analytics described above.
International data transfers.
Sygil operates from India with a reviewer network in India and the European Union, and uses sub-processors in the United States and the European Union. Personal data may therefore be transferred between India, the European Union, and the United States in the course of providing the service.
For transfers from the European Union to India and the United States, Sygil relies on the European Commission's Standard Contractual Clauses (SCCs) as the safeguard required under Chapter V of the GDPR. The SCCs are incorporated into the relevant sub-processor agreements and are available on request.
Sygil does not currently rely on adequacy decisions for India. The legal status of cross-border data transfers between the EU and India is monitored as part of our compliance posture and is subject to adjustment as the legal landscape evolves.
Customers with specific data residency requirements may discuss those requirements during the scoping call. Where the customer requires data residency entirely within the European Union, Sygil can route the engagement through EU-resident reviewers and EU-resident sub-processors at additional cost.
How long we retain personal data.
Sygil retains personal data only as long as necessary for the purpose for which it was collected, except where a longer retention period is required by law or by the customer engagement.
- Inquiry form data and scoping call metadata. Retained for 24 months from the date of inquiry, then deleted, unless the inquiry results in an active engagement (in which case the data is retained as engagement records).
- Customer content submitted for review. Deleted 90 days after the engagement ends, unless the customer requests earlier deletion or longer retention in writing.
- Reviewer notes. Retained for the duration of the engagement plus 90 days, then deleted alongside the customer content.
- Attestation logs. Retained for seven years for compliance evidence purposes, in line with the regulatory limitation period for the EU AI Act and the customer's audit needs. Attestation logs contain reviewer identity, timestamps, methodology version, and a verification hash; they do not contain the underlying article text.
- Account and billing records. Retained for the period required by applicable tax and accounting law (typically six to ten years).
- Procedure document and reviewer roster (customer-specific instances). Retained for the duration of the engagement plus seven years, alongside attestation logs.
- Website analytics data. Retained for the period set by Vercel's default retention, which is currently up to 12 months.
When a retention period ends, Sygil deletes the data from primary storage and from routine backups within a reasonable time. Long-term archival backups are handled in line with the sub-processor's deletion procedures.
Your rights under the GDPR.
If you are in the European Union, the European Economic Area, or the United Kingdom, you have the following rights in respect of personal data Sygil holds about you:
- Right of access (Article 15). You can ask Sygil to confirm whether we hold personal data about you and to provide a copy of that data.
- Right to rectification (Article 16). You can ask Sygil to correct inaccurate or incomplete personal data.
- Right to erasure (Article 17). You can ask Sygil to delete personal data we hold about you, subject to exceptions where retention is required by law or for legitimate interest (for example, attestation logs retained for seven years).
- Right to data portability (Article 20). You can ask Sygil to provide personal data you have given us in a structured, commonly used, machine-readable format and to transmit that data to another controller where technically feasible.
- Right to restrict processing (Article 18). You can ask Sygil to restrict the processing of your personal data in defined circumstances.
- Right to object (Article 21). You can object to processing based on legitimate interest, subject to Sygil demonstrating compelling legitimate grounds that override your interest.
- Right to withdraw consent. Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of past processing.
- Right not to be subject to automated decision-making. Sygil does not subject any data subject to automated decision-making, including profiling, that produces legal effects or similarly significant effects.
To exercise any of these rights, write to founder@sygil.co. Sygil responds to verified requests within 30 days, in line with Article 12 of the GDPR.
Cookies and similar technologies.
Sygil uses minimal, functional cookies only. Specifically:
- Session and security cookies set by the hosting layer (Vercel and Cloudflare) for basic functionality such as request routing, attack mitigation, and load balancing.
- Vercel analytics records anonymized request metadata. Vercel analytics is opt-in and does not set tracking cookies on visitors who have not consented.
Sygil does NOT use:
- Third-party advertising cookies.
- Remarketing pixels.
- Cross-site tracking technologies.
- Social media tracking pixels.
If we add any cookie that requires consent under the ePrivacy Directive or its successor, we will deploy a consent banner and update this section before the cookie is set.
How to contact us about your data.
For any question or request related to personal data Sygil holds about you, write to founder@sygil.co.
The alias privacy@sygil.co is reserved for routing data protection requests once the alias is provisioned. Until then, all data protection requests are routed through the founder address above.
When you contact us about a data request, please include enough information for us to identify you and verify your right to make the request. Sygil will respond to verified requests within 30 days as required by Article 12 of the GDPR.
Right to lodge a complaint.
If you believe Sygil has handled your personal data in a way that breaches the GDPR, you have the right to lodge a complaint with the supervisory authority in the EU or EEA member state where you live, where you work, or where the alleged breach took place.
A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
Sygil would prefer the chance to address any concern directly before a complaint is lodged. You can write to us at founder@sygil.co at any time.
Changes to this privacy policy.
Sygil may update this privacy policy from time to time as the service evolves, as sub-processors change, or as legal and regulatory requirements develop.
When material changes are made, Sygil will update the effective date at the top of this page. Customers under an active engagement will be notified of material changes by email. Visitors to the website are responsible for reviewing this page from time to time to stay informed about how Sygil handles personal data.