Privacy Policy

Last updated: 31 May 2026 · Version 3.0

1. Data Controller

SYNDICATES ("we", "us", "our") is the data controller for the personal data processed through the Syndicates platform.

CVR number: [CVR number to be added]
Registered address: [Address to be added], Denmark
Email: privacy@syndicates.cc
DPO Contact: dpo@syndicates.cc

This Privacy Policy is issued in compliance with the EU General Data Protection Regulation ("EU GDPR" or "GDPR") and the Danish Data Protection Act.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account and Profile Data

  • Full name
  • Email address
  • Password (hashed using bcrypt; we never store plaintext passwords)
  • Avatar image (optional)
  • Referral code and referrer information

2.2 Authentication and Security Data

  • Two-factor authentication (TOTP) secrets (encrypted with AES-256-GCM)
  • Failed login attempt counts and account lockout timestamps
  • JWT refresh token hashes
  • Token revocation records

2.3 Payment Data

  • Stripe Customer ID
  • Stripe Subscription ID and Price ID
  • Invoice amounts, statuses, and Stripe invoice/payment intent IDs
  • Subscription status, plan type, start/end dates

We do not store full payment card numbers, CVV codes, or bank account details. All payment processing is handled securely by Stripe.

2.4 Discord Integration Data

  • Discord User ID
  • Discord username
  • Discord OAuth refresh token (encrypted with AES-256-GCM)

2.5 Course Progress Data

  • Lesson completion status
  • Watch time / watched seconds per lesson
  • Video playback-start and stream-access timestamps for paid content
  • Last updated timestamps

2.6 Support and Communication Data

  • Support message content
  • Sender name and avatar (duplicated at time of sending)
  • TradingView username claims (for indicator access)

2.7 Activity and Log Data

  • IP addresses (anonymized by stripping the last octet for IPv4 and last 80 bits for IPv6 before storage in activity logs)
  • Raw IP addresses in affiliate click records (referral tracking)
  • Action types (signup, login, payment, admin actions, etc.)
  • Timestamps and details of activities

2.8 Affiliate Data

  • Referral code clicks (referral code, IP address, timestamp)
  • Conversion tracking (which referred users became subscribers)

2.9 Cookies and Local Storage

  • Authentication cookies (httpOnly, secure, SameSite=Strict)
  • Consent cookie (GDPR banner acceptance)
  • Referral cookie (affiliate tracking)
  • Timezone preference (localStorage)
  • News data cache (sessionStorage)

3. Legal Bases for Processing (GDPR Article 6)

We process your personal data only where we have a valid legal basis:

  • Contractual necessity (Art. 6(1)(b)): Processing necessary to provide our Services under our Terms of Service, including account creation, authentication, course access, subscription management, and customer support.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, including tax/accounting obligations, fraud prevention, and responding to lawful requests from public authorities.
  • Legitimate interests (Art. 6(1)(f)): Processing for our legitimate interests, including security (rate limiting, account lockout, activity logging), service improvement, and affiliate tracking, provided your interests and fundamental rights do not override those interests.
  • Consent (Art. 6(1)(a)): Processing based on your explicit consent, including cookie placement (non-essential), Discord integration, and marketing communications where applicable. You may withdraw consent at any time.

4. How We Use Your Data

  • To provide, maintain, and improve our Services;
  • To authenticate users and secure accounts (including 2FA);
  • To process payments and manage subscriptions via Stripe;
  • To track course progress and grant access to content;
  • To manage Discord server roles and community access;
  • To process TradingView indicator claims;
  • To provide customer support through in-app messaging;
  • To detect and prevent fraud, abuse, and security incidents;
  • To comply with legal and regulatory obligations;
  • To enforce our Terms of Service and Acceptable Use Policy;
  • To operate our affiliate/referral program.

5. Data Sharing and Subprocessors

We do not sell your personal data. We share data only with trusted third parties (subprocessors) who assist us in operating our Services:

Subprocessor | Purpose | Location
Stripe, Inc. | Payment processing, subscription billing, invoicing | United States
Discord, Inc. | OAuth identity, community access, role management | United States
Vercel, Inc. | Hosting and infrastructure (if deployed on Vercel) | United States / EU
Google LLC | Font delivery (Inter font via next/font/google) | United States

All subprocessors are bound by data processing agreements that comply with EU GDPR requirements. We maintain a current list of subprocessors and will notify you of any material changes.

6. International Data Transfers

We are based in Denmark. Some of our subprocessors (Stripe, Discord, Vercel, Google) operate in the United States. When we transfer your personal data outside the European Economic Area, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by Technical and Organizational Measures (TOMs) and, where required, Transfer Impact Assessments (TIAs);
  • Relying on the subprocessors' participation in the EU-U.S. Data Privacy Framework where applicable (e.g., Stripe, Google);
  • Ensuring that the jurisdiction of transfer provides an adequate level of protection as determined by the Danish Data Protection Agency (Datatilsynet) or the European Commission, or implementing additional safeguards.

You may request a copy of the applicable safeguards by contacting our DPO.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

  • Account data: Retained for the duration of your account plus up to 6 years after closure (to comply with Danish bookkeeping and tax legislation).
  • Payment and invoice data: Retained for 6 years in accordance with Danish tax legislation.
  • Activity logs: Retained for 2 years for security and fraud prevention, then anonymized or deleted.
  • Refresh tokens and revocations: Automatically deleted upon expiration (up to 8 hours for refresh tokens; 1 hour for revocations).
  • Rate limit data: Automatically deleted when the reset time expires.
  • Support messages: Retained for 2 years after the last message to enable continuity of support.
  • Affiliate click data: Retained for 1 year, then deleted or anonymized.

We review retention periods annually and securely delete or anonymize data when it is no longer needed.

8. Your GDPR Rights

As a data subject under the EU GDPR, you have the following rights:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you, including details of processing purposes, categories of data, recipients, and retention periods.
  • Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure / "Right to be Forgotten" (Art. 17): You may request deletion of your personal data where there is no overriding legal basis for continued processing. Note that we may retain certain data where required by law (e.g., tax records).
  • Right to restrict processing (Art. 18): You may request that we limit processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format, and transmit it to another controller.
  • Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77): You have the right to complain to a supervisory authority, in particular in Denmark or the EU member state of your habitual residence, place of work, or place of the alleged infringement. In Denmark, the supervisory authority is the Danish Data Protection Agency (Datatilsynet).

To exercise any of these rights, please contact us at privacy@syndicates.cc. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Passwords are hashed with bcrypt (12 rounds). Sensitive data (TOTP secrets, Discord tokens) is encrypted with AES-256-GCM. All cookies are httpOnly and secure in production.
  • Access controls: Role-based access (free / paid / admin). JWT tokens expire every 15 minutes. Refresh token rotation.
  • Network security: HTTPS enforced in production. HSTS headers. Content Security Policy (CSP). Rate limiting per IP and per user.
  • Account security: Optional 2FA/TOTP. Account lockout after 5 failed attempts. Token revocation on logout.
  • IP anonymization: Last octet/80 bits stripped from IPs before logging.

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Danish Data Protection Agency (Datatilsynet) within 72 hours of becoming aware of the breach;
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
  • Document the breach, its effects, and remedial actions taken.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and secure our Services. For detailed information, please see our Cookie Policy.

12. Children's Privacy

Our Services are not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@syndicates.cc, and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Services at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the Policy was last revised.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Data Protection Officer
SYNDICATES
Email: dpo@syndicates.cc
Address: [Address to be added], Denmark