Sydium · Issue 23 · 2026

The Daily Queue

Privacy Policy

Effective: 2026-06-01 · Version 2.1

This Privacy Policy explains how Parhelion Software SRL ("Sydium", "we", "us") collects, uses, shares, and protects your personal data when you use the Sydium platform at sydium.com and related services. We are committed to plain-language transparency about what we do with your data.

Controller

1. Who is responsible for your data

The data controller for the personal data processed in connection with the Service is:

Parhelion Software SRL
Registered office: România, Galați, str. Vânători nr. 35
Trade register: J17/67/2013
VAT: RO31105708
Privacy contact: privacy@sydium.com

Data Protection Officer: We have not appointed a formal DPO under GDPR Art. 37 because our processing does not require one. For all data protection matters, contact privacy@sydium.com.

EU representative: Not applicable - Parhelion Software SRL is established in Romania and is therefore within the EU.

Data Collection

2. What information we collect

We collect personal data in the categories below. Where you provide data directly, we tell you what is required versus optional in the relevant interface.

  • Account information. Email address, name, password hash (or social-login token from Google), profile picture URL. Provided by you on signup. We also generate technical identifiers (user ID, team ID, session identifiers) automatically.
  • Billing information. Subscription plan, billing interval, payment status, invoice history. Card numbers and bank details are collected and held by our payment processor (Stripe); we receive only a tokenized identifier and metadata.
  • Connected social media accounts. When you connect a social account, we store the credential that lets us act on your behalf (publish, read analytics, read messages): for most platforms this is an OAuth access token, and for Bluesky it is an app-specific password you generate. We never store your main platform password. The data we then read includes: post content you have published, engagement metrics, audience aggregates, and (for inbox features) direct messages and comments on your accounts.
  • Content you create. Drafts, scheduled posts, calendar entries, media files (images, video, audio), AI-generated content, Brand Voice training material, and any text you type into the Service.
  • Brand Voice data. Documents you upload and posts we read from connected accounts in order to train your Brand Voice. We extract style parameters; we do not republish the raw material. See our retention schedule below.
  • Inbox and engagement data. For inbox features, we receive copies of direct messages and comments on connected accounts. These are stored to provide the inbox UI and to compute engagement features.
  • Support communications. Emails, chat messages, and form submissions you send to us, plus our replies.
  • Usage and device data. Pages viewed, features used, performance metrics, IP address (truncated where possible), browser type, operating system, device identifiers. Collected automatically by analytics and error-tracking systems.
  • Cookies and similar storage. See Section 8 below for the full inventory.

Lawful basis

3. Why we process your data, and on what legal basis

Under the GDPR, every processing activity needs a lawful basis. Here is ours, by purpose:

| Purpose | Legal basis |
| --- | --- |
| Provide the Service - serve the application, store and schedule your content, run AI features, publish to connected platforms, deliver analytics | Contract (Art. 6(1)(b)) - performance of our Terms of Service with you |
| Account creation, authentication, password reset, security | Contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) for security and fraud prevention |
| Billing, invoicing, tax | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) - accounting/tax law |
| Transactional emails (verification, password reset, billing notifications, important service updates) | Contract (Art. 6(1)(b)) and legal obligation where applicable |
| Product analytics and session recording (PostHog) | Legitimate interest (Art. 6(1)(f)) for non-EU/UK visitors; consent (Art. 6(1)(a)) for EU/UK visitors via the cookie banner |
| Marketing-site analytics (Google Analytics) | Consent (Art. 6(1)(a)) for EU/UK visitors; legitimate interest with opt-out elsewhere |
| Optional product newsletter or marketing emails | Consent (Art. 6(1)(a)) - opt-in only, withdrawable any time via unsubscribe link |
| Error tracking and performance monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) - keeping the Service reliable and secure |
| Customer support | Contract and legitimate interest |
| Compliance with legal requests, defending legal claims, enforcing our Terms | Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)) |

Usage

4. How we use your information (summary)

  • To provide and maintain the Sydium platform
  • To schedule and publish content to your connected social media accounts on your behalf
  • To generate AI-assisted content (including in your Brand Voice)
  • To compute and display analytics about your social media performance
  • To send important service messages (security, billing, account)
  • To improve features and user experience
  • To detect, prevent, and address security and fraud issues
  • To comply with legal obligations

Sharing

5. Subprocessors and data sharing

We do not sell your personal data. We do not share it for cross-context behavioral advertising. We share data only with the categories of recipients listed below, and only as needed to provide the Service. All subprocessors are bound by written data processing agreements that meet GDPR Art. 28 requirements.

Categories of recipients

  • Social media platforms you connect. We send and receive data through their official APIs (OAuth 2.0) to publish content and read analytics/messages on your behalf.
  • AI providers. OpenAI (text generation and audio transcription for captions), Anthropic (text generation), and fal.ai (image and video generation). We send only the prompts, media, and context needed for the generation; we do not share account or billing data. Current providers do not use business/API customer inputs to train their models by default.
  • Infrastructure providers. Google Cloud / Firebase (database, storage, auth, hosting) and Cloudflare (edge CDN, Workers, object storage, security).
  • Payment processor. Stripe handles subscription billing and tax. We never see your full card or bank details.
  • Transactional email provider. Brevo (EU) sends verification, password reset, billing, and notification emails on our behalf.
  • Observability. Sentry (errors), PostHog (product analytics, session recording, EU instance).
  • Marketing-site analytics. Google Analytics (GA4) for aggregate measurement. It runs only on the public marketing site, is consent-gated for EU/UK visitors, and is not active when you are signed into the app.
  • Professional advisers, authorities, and successors. Our lawyers, accountants, and auditors under confidentiality. Government authorities or courts where required by law. A successor entity in connection with a merger, acquisition, or sale of substantially all of our assets (with continued protection under this Policy).

Below is the current full list of subprocessors. We will update this list before adding a new subprocessor with access to your personal data. You may subscribe to subprocessor updates by emailing privacy@sydium.com.

| Subprocessor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Google Cloud Platform (Firebase) | Authentication, database (Firestore), file storage, push messaging, app hosting | United States | Standard Contractual Clauses |
| Cloudflare, Inc. | Edge CDN, Workers compute, R2 object storage, DNS, WAF / AI Crawl Control | Global edge / United States | Standard Contractual Clauses |
| OpenAI, L.L.C. | Text generation and audio transcription for captions (prompts, media, and outputs only; no account data) | United States | Standard Contractual Clauses + OpenAI DPA |
| Anthropic, PBC | Text generation (prompts and outputs only; no account data) | United States | Standard Contractual Clauses + Anthropic DPA |
| fal.ai (Features and Labels, Inc.) | AI image and video generation | United States | Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | Transactional email (verification, password reset, notifications) | European Union (France) | EU-resident processor |
| Stripe Payments Europe, Ltd. | Subscription billing, invoicing, tax (Stripe Tax) | Ireland (EU) + United States | Standard Contractual Clauses |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | United States | Standard Contractual Clauses |
| PostHog Inc. | Product analytics, session recording (EU-hosted instance) | European Union (Germany) | EU-resident processor |
| Google Analytics (Google Ireland Ltd.) | Aggregate marketing-site analytics (consent-gated for EU/UK visitors) | Ireland (EU) + United States | Standard Contractual Clauses |
| Meta Platforms, Inc. | Publishing to Facebook and Instagram; reading audience analytics via Graph API | United States / Ireland (EU) | Standard Contractual Clauses + Meta DPA |
| Google LLC (YouTube) | Publishing to YouTube; reading analytics via YouTube Data API | United States | Standard Contractual Clauses |
| TikTok Information Technologies UK Ltd. | Publishing to TikTok; reading analytics via Content Posting API | Ireland (EU) + United States | Standard Contractual Clauses + TikTok DPA |
| LinkedIn Ireland Unlimited Company | Publishing to LinkedIn; reading analytics via Marketing Developer Platform | Ireland (EU) + United States | Standard Contractual Clauses |
| X Corp. (Twitter) | Publishing to X; reading analytics via X API | United States | Standard Contractual Clauses |
| Pinterest Europe Ltd. | Publishing to Pinterest; reading analytics via Pinterest API | Ireland (EU) | EU-resident processor |
| Bluesky PBC | Publishing to Bluesky via AT Protocol | United States | Standard Contractual Clauses |
| Mastodon gGmbH (and federated instances) | Publishing to Mastodon instances the user connects | Instance-dependent | Per-instance terms |

International

6. International data transfers

Some of our subprocessors are located outside the European Economic Area, primarily in the United States.

For transfers of personal data to non-EEA countries that have not been deemed adequate by the European Commission, we rely on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the "2021 SCCs"), supplemented where appropriate by additional technical and organizational measures (encryption in transit and at rest, access controls, processor obligations).

We have conducted transfer impact assessments for our main US subprocessors consistent with the EDPB's Recommendations 01/2020 (post-Schrems II). The 2023 EU-US Data Privacy Framework adequacy decision provides an additional safeguard where the subprocessor self-certifies under it.

You may request a copy of the SCCs or our transfer impact assessment summary by emailing privacy@sydium.com.

Security

7. How we protect your data

  • Encryption in transit (TLS 1.2+) on all connections to and from the Service
  • Encryption at rest (AES-256) for data stored in Google Cloud and Cloudflare R2
  • Platform-issued OAuth tokens for social connections (or, for Bluesky, an app-specific password you generate) - we never receive or store your main social media password
  • Signed, short-lived session cookies (JWT, HS256, 14-day sliding TTL) with session-revocation registry
  • Access controls limiting production-data access to staff who need it, with audit logging
  • Routine security monitoring via Sentry and Cloudflare WAF
  • Periodic review of security practices and subprocessors

No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorized use.

Cookies

8. Cookies, similar technologies, and consent

We use cookies and local browser storage for: (a) keeping you signed in (essential); and (b) measuring how the Service is used so we can improve it (analytics, consent-gated for EU/UK).

If you visit our marketing site or app from the EU, EEA, or UK, non-essential cookies and trackers are blocked until you accept them via the consent banner. You can change your decision at any time:

  • On the marketing site (sydium.com): use the "Cookie preferences" link in the footer.
  • In the app: open your account settings and click "Manage preferences" in the Cookie preferences card.

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

We honor browser-level Global Privacy Control (GPC) signals where technically feasible by treating them as a request to reject non-essential cookies.

| Cookie / storage | Purpose | Category | Retention |
| --- | --- | --- | --- |
| __sydium_session | Authenticated session (HS256 JWT) | Essential | 14 days (sliding) |
| __sydium_oauth | OAuth state during Google sign-in flow | Essential | 10 minutes |
| sydium_geo_eu | Records whether visitor is EU/EEA/UK for consent gating | Essential | 1 day |
| sydium_cookie_consent (localStorage) | Stores your consent choices | Essential | Until you clear browser storage or revoke |
| sydium_active_team_id (localStorage) | Remembers the team you were last viewing | Essential | Until you clear browser storage or switch teams |
| ph_phc_*_posthog (localStorage + cookie) | PostHog product analytics and session recording | Analytics | 1 year |
| _ga, _ga_* | Google Analytics (GA4) aggregate measurement | Analytics | 2 years |

For some analytics trackers, additional opt-outs are available on the vendor's side: PostHog opt-out applies automatically when you reject analytics; Google Analytics can be opted out via https://tools.google.com/dlpage/gaoptout/.

Retention

9. How long we keep your data

We keep personal data only as long as needed for the purpose it was collected for, plus any period required by law.

| Data category | Retention |
| --- | --- |
| Account record (email, profile) | While your Account is active. Deleted within 30 days of Account deletion request, except for any backups (purged on the standard backup rotation, max 90 days). |
| Content (drafts, scheduled posts, media, calendar) | While your Account is active. Deleted with the Account, on the same timeline as above. |
| Brand Voice raw training material | While the Brand Voice exists. Deleted within 30 days when you delete the Brand Voice or the Account. Derived style parameters are deleted with the Brand Voice itself. |
| Inbox messages and comments | Retained while the connected social account is linked, up to 12 months. Older messages are aged out automatically. |
| Connected social platform access tokens | Until you disconnect the platform or delete the Account. Revoked on disconnection. |
| Billing records and invoices | 10 years from issuance, as required by Romanian Law 82/1991 (accountancy). |
| Support emails and chat | 3 years from last interaction, unless a dispute requires longer. |
| Session records (active sessions, JTI registry) | Active session: 14 days sliding. Revoked sessions: 90 days for audit. |
| Server access logs (with truncated IPs) | 30 days. |
| Product analytics (PostHog) | Default 1 year (PostHog EU instance retention). |
| Error tracking (Sentry) | 90 days for individual events; aggregate metrics longer. |
| Marketing analytics (GA4) | 14 months (Google Analytics default for our property). |
| Backups | Standard rotation, maximum 90 days. After that, backup copies are overwritten. |

Your rights

10. Your rights

If you are in the EU, EEA, or UK, the GDPR (and UK GDPR) gives you the following rights:

  • Access. A copy of the personal data we hold about you (Art. 15).
  • Rectification. Correction of inaccurate or incomplete data (Art. 16).
  • Erasure. Deletion of your data, subject to limitations (Art. 17).
  • Restriction. Restriction of processing in certain situations (Art. 18).
  • Portability. Receipt of your data in a structured, machine-readable format and the right to transmit it to another controller (Art. 20).
  • Objection. Objection to processing based on legitimate interest, including direct marketing (Art. 21).
  • Withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing (Art. 7(3)).
  • Automated decision-making. Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently make such decisions.
  • Complaint to supervisory authority. Right to lodge a complaint with your local data protection authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), https://www.dataprotection.ro.

If you are a resident of California, the CCPA (as amended by the CPRA) gives you additional rights:

  • Right to know. What personal information we collect, the sources, the purposes, and the categories of recipients.
  • Right to delete. Deletion of personal information collected from you, subject to legal exceptions.
  • Right to correct. Correction of inaccurate personal information.
  • Right to opt-out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising, so no opt-out is required - but if you submit a GPC signal we will treat it as a confirming opt-out.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that trigger this right.
  • Right to non-discrimination. We will not deny, charge different prices for, or provide a different level of service because you exercised your CCPA rights.

To exercise any of these rights, email privacy@sydium.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We do not charge for reasonable requests; we may decline manifestly unfounded or excessive requests, with reasons. We will verify your identity before fulfilling a request (typically by confirming control of the email address on your Account).

Where permitted by law, you may use an authorized agent to make a request on your behalf. We will require proof of authorization.

Children

11. Children

The Service is not directed at, and we do not knowingly collect personal data from, anyone under the age of 16 (or the higher age of digital consent in your country, where applicable). If you believe a child under 16 has provided personal data to us, please contact privacy@sydium.com and we will delete it.

We do not currently use age-verification technology; we rely on self-declaration during signup and may take additional steps if we are alerted to a younger user.

Breach

12. Data breach notification

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in any event in line with our GDPR Art. 34 obligations. The notice will describe the nature of the breach, the categories and approximate number of affected records, the likely consequences, the measures we have taken or propose to take, and a contact point for further information.

Automation

13. Automated decision-making and AI

We use AI to assist you in creating content (text, images, ideas). These AI features generate suggestions; you decide whether to publish, edit, or discard them. We do not use AI to make decisions about you that produce legal effects or similarly significantly affect you (for example, we do not use AI for credit-scoring, fraud auto-blocking with no human review, or content-moderation decisions that terminate your Account).

Updates

14. Changes to this policy

We may update this Privacy Policy from time to time. For material changes (anything that meaningfully affects how we handle your personal data) we will email you at the address on your Account at least 30 days before the change takes effect and show an in-product notice. The "Effective" date at the top of the page always reflects the most recent version.

Contact

15. Contact

For privacy questions, requests, or complaints, contact our privacy team at privacy@sydium.com. For mail:

Parhelion Software SRL - Privacy
Address: România, Galați, str. Vânători nr. 35

History

16. Version history

  • v2.1 - 2026-06-01 - Removed RB2B (B2B visitor de-anonymization) subprocessor and the marketing cookie category; clarified credential storage (Bluesky app passwords); disclosed audio transcription (OpenAI Whisper) and video generation (fal.ai); updated the subprocessor list and cookie disclosures.
  • v2.0 - 2026-05-27 - Substantial rewrite: controller details, full subprocessor list, lawful basis table, retention schedule, cookie table, CCPA section, breach notification, automated decision-making.
  • v1.0 - 2026-03-20 - Initial version.

By using Sydium, you acknowledge that you have read and understood this Privacy Policy.
