Syndik8 Privacy Policy
Effective date: 7 July 2026
Syndik8 (syndik8.app) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it.
1. Data Controller
The data controller for the personal data processed through Syndik8 is Deltatek Defence Ltd (trading as Deltatek Software), a company registered in England and Wales (Company No. 02975256). Registered address: 122 Great Berry Lane, Basildon, Essex, SS16 6BY. You can contact us about data protection matters at [email protected].
2. Data We Collect
When you use Syndik8, we collect the following personal data:
- Account data: your email address, full name, and display name
- Profile preferences: timezone and default syndicate selection
- Booking data: dates, times, and usage logs you create
- Syndicate membership data: which syndicates you belong to and your role
- Financial data: transaction amounts, billing history, and expense records processed through the platform (card details are held by our third-party payment provider, not by us)
- Documents and files: documents that syndicate administrators upload to a syndicate or asset area (for example: insurance certificates, registration documents, aircraft manuals, maintenance records) and, where you choose to record them, your personal pilot documents — a pilot medical (its expiry date, with the certificate file itself optional) and a pilot licence. For every document we also store the metadata you record, including a title, a document type, and (where you choose to record one) an expiry date
- Consent records: where processing requires your explicit consent (specifically, your pilot medical certificate under UK GDPR Article 9(2)(a)), we record the timestamp at which you gave consent and a version tag identifying the wording you agreed to
- Technical data: your IP address, browser type, and device information collected automatically when you access the web application
3. Lawful Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following lawful bases:
- Contract performance: we process your account data, booking data, syndicate membership data, financial data, and any documents uploaded to a syndicate or asset area because it is necessary to provide the Syndik8 service you have signed up for
- Legitimate interests: we process technical data for security monitoring, fraud prevention, and service improvement, where our interests do not override your rights
- Legal obligation: we may process and retain certain data where required by law, for example for tax or accounting purposes
- Explicit consent: where you choose to record a pilot medical (its expiry date, and the certificate itself if you upload it), we process that data under UK GDPR Article 9(2)(a) (explicit consent for special-category data). Your consent is captured on a consent screen before any data is stored, is recorded against your account with a version tag identifying the wording you agreed to, and may be withdrawn at any time by deleting the medical from Settings → My Documents
4. How We Use Your Data
We use your personal data to:
- Provide and maintain the Syndik8 service
- Authenticate your identity and keep your account secure
- Display your profile information to other members of your syndicates
- Enable booking, scheduling, and asset management features
- Process payments and financial transactions through our third-party payment provider
- Store documents you or your syndicate's administrators upload, and notify you ahead of their recorded expiry where you have recorded one
- Make a small amount of metadata about your personal pilot documents (the fact that a document is recorded and, for medicals, the expiry date you recorded) visible to the administrators of the syndicates you belong to, so they can plan around member currency
- Send you transactional emails such as invite notifications and payment receipts
- Improve and develop the service
We do not use your personal data for automated decision-making or profiling.
Service notifications and email communications
We send notifications about activity in your syndicate. Most are configurable in the app — you can opt out of any type, or switch to a daily, weekly, or monthly email digest.
A small number of notifications are sent regardless of your settings, because they are required to operate the service you have signed up for or to meet legal obligations:
- Direct Debit notices — when a collection is scheduled, has failed, or your mandate has been cancelled. The Direct Debit Guarantee scheme requires us to give you advance notice of every collection.
- Payment account changes (administrators only) — when your syndicate's payment account is verified, restricted, has a verification failure, or becomes able to accept payments.
- Syndicate deadlines — when a cash call you owe is due or overdue, or when a vote you can participate in is closing within 24 hours.
- Billing-accuracy alerts — when submitted usage data has a discrepancy that affects how you or another member are billed.
Direct Debit notices are sent under regulatory requirement (the Direct Debit Guarantee scheme). The others are sent under contractual necessity (the syndicate management service you have signed up for). They stop when you leave the syndicate or close your account.
Email is always sent for every always-on notification listed above; you cannot turn the email channel off while you are an active member. For Direct Debit notices, push is also always sent. For the other always-on notifications (payment account changes, syndicate deadlines, billing-accuracy alerts), you may turn the push channel off in your notification preferences if you prefer to receive them only by email.
5. Data Storage and Security
Your data is stored securely using Supabase, a cloud database provider. Data is stored on servers in the European Economic Area (EEA). We implement industry-standard security measures including encryption in transit (TLS) and at rest.
We retain your personal data for as long as your account is active. When you ask to delete your account, we hold the request for 30 days, during which you can cancel it, and then delete your personal data, except where we are legally required to retain it (for example, financial transaction records may be retained for up to 7 years for tax purposes).
Separately from deletion that you request, we remove data that has been left unused. A free syndicate with no activity for around six months is deleted together with its data; we email the members a warning ahead of the date and again as it approaches, any activity resets the period, and syndicates on a paid subscription are exempt while the subscription is active. If you leave your last syndicate and do not join or create another, we delete your account around two months later, again after email warnings, unless you join a syndicate before then. These periods are operational settings that we may adjust.
Documents you or your syndicate's administrators upload are stored in a private Supabase Storage bucket alongside your other data, and are served only via short-lived signed URLs issued to authorised users. Personal pilot documents — your pilot medical certificate and pilot licence — are held under owner-only access controls: the document file itself is never visible to any syndicate administrator or to any other user.
To support use without internet access (for example, at airfields or remote locations), Syndik8 may store copies of eligible documents on your device for offline reading: asset and syndicate documents you are entitled to see, and your own pilot medical certificate and pilot licence where you have uploaded them. Local copies are stored within the application's private storage area on your device. Copies of asset and syndicate documents are removed when you remove the document from Syndik8, leave the syndicate, or uninstall the app. Copies of your own pilot documents are removed when you delete the document or its certificate file, and when you uninstall the app; they are not removed when you leave a syndicate, because they belong to you rather than to any syndicate. Local copies are not removed when you sign out; after sign-out they are no longer viewable in the app, but their bytes remain in the app's private storage until deletion or uninstall. Your pilot documents are never copied to any other member's device.
When you delete a document from Syndik8, both the database record and the stored file are removed. When you close your account, your personal pilot documents (medical and licence) are deleted within 30 days; documents you previously uploaded to a syndicate or asset area remain with the syndicate for the benefit of the remaining members.
6. Cookies and Local Storage
On the web application, Syndik8 uses cookies and browser local storage for the following purposes:
- Session cookies: to keep you signed in between page loads
- Preference storage: to remember your theme and other settings
We do not currently use third-party advertising or analytics cookies. You can decline cookies on first visit — the service will still function but your preferences may not be saved between sessions.
7. Data Sharing
We do not sell your personal data. We share data only as follows:
- With other members of your syndicates: your name, display name, and booking history within that syndicate, in accordance with the syndicate's privacy settings
- With the administrators of your syndicates: if you have uploaded a pilot licence, the fact that you have done so and the date you uploaded it. If you have recorded a pilot medical (with or without uploading the certificate) and given explicit consent under UK GDPR Article 9(2)(a), additionally the expiry date you recorded against it. The licence and medical files themselves are never shared with anyone but you, and other members of the syndicate (non-administrators) see none of this information
- With Supabase (supabase.com): as our database, authentication, and file storage infrastructure provider, processing data on our behalf under a data processing agreement
- With our third-party payment provider: to process payments, the provider receives your name, email address, and payment information. The payment provider acts as an independent data controller for payment data — see the provider's privacy policy for details
- With your syndicate's payment-processor account: if your syndicate uses in-app payments, the syndicate administrator may see your name and transaction amounts through the provider's dashboard
- If required by law or to protect the rights and safety of users
8. International Data Transfers
Our primary data storage is within the EEA. However, some of our service providers (such as payment processors) may process data in the United States or other countries. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
9. Your Rights
Under UK data protection law, you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to restrict processing: ask us to limit how we use your data
- Right to data portability: receive your data in a commonly used, machine-readable format
- Right to object: object to processing of your data where we rely on legitimate interests
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. For your pilot medical certificate (processed under UK GDPR Article 9(2)(a) explicit consent), withdrawal is immediate via Settings → My Documents — deleting the medical removes the certificate file (where one is uploaded), removes the metadata visible to syndicate administrators, and clears the consent record on your account. A future medical will require fresh consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via an in-app notice. The current version is always available at syndik8.app/privacy.
12. Contact
Syndik8 is a product of Deltatek Software, a trading name of Deltatek Defence Ltd (Company No. 02975256), registered in England and Wales.
For questions or concerns about this Privacy Policy or how we handle your data, please contact us at [email protected] or visit syndik8.app.