Privacy Policy
Last updated: April 2026
1. Data Controller & Contact Information
Syncra Tech EOOD (“we,” “us,” or “our”), a company organized under the laws of the Republic of Bulgaria, operates the Fraud Intercept platform (the “Service”) and acts as the data controller for personal data processed through it. If you have any questions or concerns about this Privacy Policy or how your data is handled, please contact us:
- Registered Entity: Syncra Tech EOOD, ЕИК 208779057
- Registered Seat: 34, 184-ta Str., Malinova Dolina, Studentski District, Sofia 1756, Bulgaria
- Primary: legal@fraud-intercept.com
- Secondary: fraud.intercept@outlook.com
- Website: https://fraud-intercept.com
2. Personal Data We Collect
We collect different categories of personal data depending on how you interact with the Service:
(a) Account & Registration Data
When you register for an account, we collect information such as your name, company name, email address, and other contact information you provide during the onboarding process.
(b) Technical & Usage Data
We automatically collect technical data when you use the Service, including IP addresses (for security and abuse prevention), device identifiers, browser type and version, session logs, request timestamps, and information about how you interact with the platform. Where feasible, this data is minimized or truncated before storage.
(c) Fraud-related Data
When you use the API and fraud detection features, we process fraud-related data on your behalf. This includes risk scores, fraud flags, behavioral metadata, and other signals submitted through the Service. This data is processed as part of providing the core fraud detection functionality.
(d) Analytics, Error Monitoring, and Cookies
With your consent, we collect usage analytics and performance metrics to understand how the Service is used and to improve it. We also collect error monitoring data (stack traces, error events, performance traces) to detect and fix software bugs. Where you opt in to diagnostic session replay, we record sessions only when an error occurs (trigger-based replay), with all text and media masked by default.
We do not set non-essential cookies until you provide consent via our cookie banner. See our Cookie Policy for the full list of cookie categories and how to manage them.
3. How We Use Your Data
We use the personal data we collect for the following purposes:
- Provide, maintain, and improve the Service
- Detect, investigate, and prevent fraud and other security threats
- Respond to support requests and communicate with you about the Service
- Comply with applicable legal obligations and regulatory requirements
- Analyze platform usage and develop new features
- Send transactional notifications and service-related communications
Our processing is based on the following legal grounds under GDPR: performance of a contract (to provide the Service you have signed up for), legitimate interests (fraud prevention, security monitoring, and platform improvement), and legal compliance (where we are required to process data by law).
4. Sub-processors
To deliver and operate the Service, we engage trusted sub-processors to process personal data on our behalf and under our instructions. All sub-processors are engaged under written data processing agreements that require them to protect your data and process it only as instructed by us.
We use sub-processors in the following categories:
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting and compute infrastructure | Hosting and compute for the Service | EEA (with parent entity in the United States; transfers protected under SCCs and the EU-US Data Privacy Framework) |
| Managed database and authentication backend | Persistent storage and user authentication | EEA (with parent entity in the United States; transfers protected under SCCs and DPF) |
| Transactional email delivery | System-generated email notifications and alerts | EEA (with parent entity in the United States; transfers protected under SCCs and DPF) |
| Device intelligence and fraud signals | Device fingerprinting and risk scoring provided by a third-party device intelligence vendor. The vendor's identity is disclosed to customers under the Data Processing Agreement. | EEA with supplementary transfer measures |
| Large language model inference | AI Assistant responses, accessed via an aggregated API gateway | Processing in EEA; model providers outside the EEA under SCCs and supplementary measures |
| Analytics | Usage analytics (with your consent only) | Global, with transfers to the United States under SCCs and DPF |
| Error monitoring and session replay | Detecting, diagnosing, and resolving software errors; trigger-based session replay with masking (with your consent only) | EEA (with parent entity in the United States; transfers protected under SCCs and DPF) |
Named sub-processor list. We maintain a complete list of named sub-processors, including their legal entity names, registered countries, processing activities, and applicable data transfer safeguards. This list is provided to all customers as part of our Data Processing Agreement (DPA). Any data subject may request the current named sub-processor list by emailing legal@fraud-intercept.com, and we will respond within 30 days.
We notify customers before adding any new sub-processors that will process personal data on their behalf, providing an opportunity to raise objections prior to the new sub-processor becoming active.
5. Security & Safeguards
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. Our security measures include:
- Encryption: Data is encrypted in transit using TLS and at rest using industry-standard encryption protocols
- Access Control: Authenticated access with role-based permissions and separation of duties to limit data exposure
- Logging & Monitoring: Comprehensive audit trails and real-time monitoring for suspicious activity
- Incident Response: Defined procedures to detect, contain, and remediate security incidents promptly
- Regular Testing: Periodic security assessments and system testing to identify and address vulnerabilities
6. Cookies and Similar Technologies
We use cookies and similar technologies on our website and within the Service. Non-essential cookies are not set until you provide your consent via our cookie banner. You can accept, reject, or customize your cookie preferences at any time.
Our Cookie Policy explains the categories of cookies we use, their purposes, their duration, and how to manage them.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Our retention periods vary by data type:
- Account and directly identifying personal data: deleted within 30 days after your account is terminated or upon a valid erasure request, whichever is earlier.
- Anonymized fraud signals and network intelligence: retained for up to 24 months to support the shared intelligence network and model training. This data is anonymized and aggregated such that individuals cannot reasonably be identified.
- Error monitoring events: retained according to our error monitoring provider's defaults (approximately 90 days for error events).
- Session replay recordings: retained for approximately 30 days, with masking applied before storage.
- Audit logs: retained as needed for security, compliance, and accountability purposes, and then deleted.
After the applicable retention period, data is securely deleted or anonymized so that it can no longer be associated with an identifiable individual.
8. Rights Under GDPR & Other Laws
Depending on your location, you may have the following rights in relation to your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that inaccurate or incomplete data be corrected
- Deletion: Request erasure of your personal data in certain circumstances
- Restriction: Request that we restrict processing of your personal data
- Portability: Receive your personal data in a structured, machine-readable format
- Withdraw Consent: Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at legal@fraud-intercept.com. We will respond to your request within the timeframes required by applicable law.
California residents may have additional rights under the CCPA/CPRA, and Canadian residents may have rights under PIPEDA. If these laws apply to you, we will honor your requests in accordance with those frameworks.
8.1. Supervisory Authority and Data Protection Officer
Our lead supervisory authority under GDPR is the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни, KZLD). You have the right to lodge a complaint with KZLD or with your local supervisory authority if you believe your personal data is being processed unlawfully.
We will reassess our obligation to appoint a Data Protection Officer under GDPR Article 37 within 90 days of our official launch. For any privacy-related questions in the meantime, please contact legal@fraud-intercept.com.
9. International Data Transfers
Certain sub-processors are established in, or are subsidiaries of entities established in, the United States. Where personal data is transferred outside the European Economic Area, we rely on one or more of the following safeguards:
- An adequacy decision of the European Commission, including the EU-US Data Privacy Framework where the receiving entity is certified
- Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by a transfer impact assessment and appropriate technical and organizational measures
- Your explicit consent, where no other mechanism applies
You may obtain a copy of the applicable safeguards by contacting legal@fraud-intercept.com.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify affected individuals promptly and without undue delay
- Provide clear information about the nature of the breach, the data involved, and steps taken to address it
- Comply with the 72-hour notification requirement to the relevant supervisory authority under GDPR, where applicable
11. Children's Privacy
The Service is not intended for use by individuals under the age of 13, and we do not knowingly collect personal data from children. If we become aware that personal data has been collected from a child under 13 without appropriate consent, we will take steps to delete that data promptly.
If you believe we may have inadvertently collected data from a child, please contact us at legal@fraud-intercept.com.
12. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top of this page reflects when the most recent changes were made.
For material changes that significantly affect how we process your personal data, we will communicate the update via email or through a prominent notice within the Service prior to the changes taking effect. We encourage you to review this Policy periodically to stay informed about how we protect your data.