1. Data Controller
The data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and Icelandic Act 90/2018 on Data Protection is:
Qualitas Imports ehf. (kennitala 600416-0140)
Klyfjasel 3, 109 Reykjavík, Iceland
Email: privacy@bersyn.com
We have not appointed a Data Protection Officer because we are not required to under GDPR Art. 37. Privacy questions reach the controller directly via the email above.
2. What We Collect
- Account information: Email address, name (if provided), and authentication credentials.
- Product information: The URL and derived product identity (category, capabilities, differentiators) you submit to Bersyn.
- Scan and result data: Queries we run against AI providers on your behalf, the responses those providers return, and the analysis we generate from them.
- Generated content: Patches, drafts, and publishing metadata created in your workspace.
- Usage data: Pages viewed, features used, and error logs, used to operate and improve the service.
- Billing data: Plan, subscription status, and payment identifiers. Card details are handled by our payment processor and are never stored on our systems.
3. How We Use Your Data
- To provide the service — scanning AI models, generating scores, diagnosing gaps, producing patches.
- To send transactional emails (account verification, billing receipts, scan completion notices).
- To operate, debug, secure, and monitor the platform.
- To improve the product. We use aggregated and de-identified signals from customer usage — such as scan patterns, gap categories, patch outcomes, and interaction data — to improve Bersyn's detection accuracy, diagnosis quality, and the content we generate. We do not share raw customer content with third parties for model training, and we do not sell your data.
4. Lawful Basis for Processing
Under GDPR Art. 6 we rely on the following lawful bases:
- Contract (Art. 6(1)(b)) — to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, service reliability, and the aggregated product-improvement use described in section 3.
- Consent (Art. 6(1)(a)) — for non-essential cookies, analytics, and marketing communications. You can withdraw consent at any time via the Cookie Settings link in our footer.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory records we are required to retain.
5. Third-Party Sub-processors
We use the following sub-processors to deliver Bersyn. The full live list, including country of processing, is maintained on our Sub-processors page.
- Supabase — database, authentication, file storage (EU region where available).
- Vercel — application hosting and edge delivery.
- OpenAI, Anthropic, Google, Perplexity — AI providers we query on your behalf for scanning. We do not grant any of them training rights over your submissions, and we use API endpoints that, under each provider's current published terms, do not train on inputs. You are responsible for not submitting personal data of third parties into Bersyn.
- Resend — transactional email delivery.
- LemonSqueezy — subscription billing and tax handling (Merchant of Record).
- Sentry — error monitoring.
6. International Transfers
Some sub-processors (notably the AI providers and Sentry) are established in the United States. When personal data leaves the European Economic Area, transfers rely on the European Commission's Standard Contractual Clauses or, where applicable, adequacy decisions (such as the EU–US Data Privacy Framework). A list of the mechanism used for each sub-processor is available on request at privacy@bersyn.com.
7. Data Storage & Security
Your data is stored in Supabase-managed PostgreSQL databases with row-level security (RLS) enabled so that each user can only read their own data. All data is encrypted in transit (TLS 1.2+) and at rest. OAuth and API tokens are stored encrypted and can be revoked from account settings at any time.
8. Data Retention
- Account and workspace data: retained while your account is active.
- Deleted accounts: personal data permanently deleted within 30 days, except for items we are legally required to keep.
- Billing and accounting records: retained for seven (7) years as required by Icelandic tax and accounting law.
- Server and application logs: retained for up to 90 days for security and reliability.
- Backups: encrypted backups may persist up to 35 days after deletion due to rolling backup windows.
9. Your Rights
If you are in the EU/EEA (including Iceland) you have the right to:
- Access your personal data (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request deletion of your data (Art. 17)
- Restrict or object to processing (Arts. 18, 21)
- Data portability (Art. 20)
- Withdraw consent where processing is based on consent (Art. 7)
- Lodge a complaint with a supervisory authority
To exercise any right, email us at privacy@bersyn.com. We respond within 30 days.
If you are in Iceland you may also lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is.
10. Cookies & Tracking
We use a small number of essential cookies for authentication and session management. These do not require consent. We also use optional analytics and product telemetry — these only load after you grant consent via the cookie banner, and you can change your choice at any time via the Cookie Settings link in our footer.
11. Data Breach Notification
If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Art. 33 and 34.
12. Children
Bersyn is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact privacy@bersyn.com and we will delete it.
13. Changes to This Policy
We may update this policy. Material changes will be announced by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.