Syndik8 Privacy Policy

Effective date: 7 July 2026

Syndik8 (syndik8.app) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it.

1. Data Controller

The data controller for the personal data processed through Syndik8 is Deltatek Defence Ltd (trading as Deltatek Software), a company registered in England and Wales (Company No. 02975256). Registered address: 122 Great Berry Lane, Basildon, Essex, SS16 6BY. You can contact us about data protection matters at support@syndik8.app.

2. Data We Collect

When you use Syndik8, we collect the following personal data:

3. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following lawful bases:

4. How We Use Your Data

We use your personal data to:

We do not use your personal data for automated decision-making or profiling.

Service notifications and email communications

We send notifications about activity in your syndicate. Most are configurable in the app — you can opt out of any type, or switch to a daily, weekly, or monthly email digest.

A small number of notifications are sent regardless of your settings, because they are required to operate the service you have signed up for or to meet legal obligations:

Direct Debit notices are sent under regulatory requirement (the Direct Debit Guarantee scheme). The others are sent under contractual necessity (the syndicate management service you have signed up for). They stop when you leave the syndicate or close your account.

Email is always sent for every always-on notification listed above; you cannot turn the email channel off while you are an active member. For Direct Debit notices, push is also always sent. For the other always-on notifications (payment account changes, syndicate deadlines, billing-accuracy alerts), you may turn the push channel off in your notification preferences if you prefer to receive them only by email.

5. Data Storage and Security

Your data is stored securely using Supabase, a cloud database provider. Data is stored on servers in the European Economic Area (EEA). We implement industry-standard security measures including encryption in transit (TLS) and at rest.

We retain your personal data for as long as your account is active. When you ask to delete your account, we hold the request for 30 days, during which you can cancel it, and then delete your personal data, except where we are legally required to retain it (for example, financial transaction records may be retained for up to 7 years for tax purposes).

Separately from deletion that you request, we remove data that has been left unused. A free syndicate with no activity for around six months is deleted together with its data; we email the members a warning ahead of the date and again as it approaches, any activity resets the period, and syndicates on a paid subscription are exempt while the subscription is active. If you leave your last syndicate and do not join or create another, we delete your account around two months later, again after email warnings, unless you join a syndicate before then. These periods are operational settings that we may adjust.

Documents you or your syndicate's administrators upload are stored in a private Supabase Storage bucket alongside your other data, and are served only via short-lived signed URLs issued to authorised users. Personal pilot documents — your pilot medical certificate and pilot licence — are held under owner-only access controls: the document file itself is never visible to any syndicate administrator or to any other user.

To support use without internet access (for example, at airfields or remote locations), Syndik8 may store copies of eligible documents on your device for offline reading: asset and syndicate documents you are entitled to see, and your own pilot medical certificate and pilot licence where you have uploaded them. Local copies are stored within the application's private storage area on your device. Copies of asset and syndicate documents are removed when you remove the document from Syndik8, leave the syndicate, or uninstall the app. Copies of your own pilot documents are removed when you delete the document or its certificate file, and when you uninstall the app; they are not removed when you leave a syndicate, because they belong to you rather than to any syndicate. Local copies are not removed when you sign out; after sign-out they are no longer viewable in the app, but their bytes remain in the app's private storage until deletion or uninstall. Your pilot documents are never copied to any other member's device.

When you delete a document from Syndik8, both the database record and the stored file are removed. When you close your account, your personal pilot documents (medical and licence) are deleted within 30 days; documents you previously uploaded to a syndicate or asset area remain with the syndicate for the benefit of the remaining members.

6. Cookies and Local Storage

On the web application, Syndik8 uses cookies and browser local storage for the following purposes:

We do not currently use third-party advertising or analytics cookies. You can decline cookies on first visit — the service will still function but your preferences may not be saved between sessions.

7. Data Sharing

We do not sell your personal data. We share data only as follows:

8. International Data Transfers

Our primary data storage is within the EEA. However, some of our service providers (such as payment processors) may process data in the United States or other countries. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

9. Your Rights

Under UK data protection law, you have the following rights:

To exercise any of these rights, contact us at support@syndik8.app. We will respond within 30 days.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via an in-app notice. The current version is always available at syndik8.app/privacy.

12. Contact

Syndik8 is a product of Deltatek Software, a trading name of Deltatek Defence Ltd (Company No. 02975256), registered in England and Wales.

For questions or concerns about this Privacy Policy or how we handle your data, please contact us at support@syndik8.app or visit syndik8.app.