Syllabi ("Syllabi," "we," "us," or "our") provides an AI-powered learning management platform that helps organizations create, deliver, and track compliance training and professional development content. Our platform is accessible at syllabi-hsek.polsia.app.
When you use Syllabi, we act as the data controller for your personal data — meaning we determine the purposes and means by which your data is processed. For customers who process their own employees' personal data through our platform, Syllabi acts as a data processor. That relationship is governed by our Data Processing Agreement (DPA).
If you have questions about this policy or how we handle your data, see Section 12 (Contact Us).
When you register or join an organization on Syllabi, we collect:
We do not use passwords. Authentication is passwordless via single-use magic links sent to your email.
When your organization generates courses, we store:
Uploaded source documents (PDFs, Word files, PowerPoints) are processed in server memory to generate course content and are discarded immediately after generation — they are never written to disk or stored in our database.
As learners complete courses, we record:
This data is scoped strictly to your organization and is not shared with or visible to other organizations.
Billing is handled by Stripe, Inc. We do not store your full credit card numbers on our servers. We receive and store your subscription status, plan tier, and Stripe customer ID. For details on how Stripe handles your payment data, see stripe.com/privacy.
We collect lightweight, privacy-respecting analytics using a self-hosted tracker (no third-party cookies). This includes:
No cross-site tracking. No advertising profiles built from this data.
For organizations using compliance features, we store signed agreement records (BAA, DPA), compliance settings, and HIPAA-mode configuration. These records include the signing user's name, email, timestamp, and IP address at the time of signing.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Creating and maintaining your account | Contract — necessary to provide the service you signed up for (GDPR Art. 6(1)(b)) |
| Sending authentication magic links | Contract — necessary to authenticate you |
| Storing course content and learner records | Contract — core functionality you signed up for |
| Processing payments | Contract — necessary to fulfill your subscription |
| Audit logging and security events | Legitimate interests — fraud prevention, security incident response (Art. 6(1)(f)) |
| Usage analytics (anonymized/hashed) | Legitimate interests — improving the service (Art. 6(1)(f)) |
| Compliance records (BAA, DPA signatures) | Legal obligation — HIPAA, GDPR compliance requirements (Art. 6(1)(c)) |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
We use your data only to:
We share your data only with the following sub-processors, who are contractually bound to process your data only as directed by us and under appropriate security measures.
| Sub-Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Render, Inc. | Application hosting and compute | All application data (processed in memory) | United States |
| Neon, Inc. | PostgreSQL managed database | All persisted data (encrypted at rest) | United States |
| Anthropic, PBC | AI course generation (Claude models) | Extracted document text, generation prompts | United States |
| OpenAI, LLC | AI course generation (GPT models) | Extracted document text, generation prompts | United States |
| Stripe, Inc. | Payment processing and subscription management | Email, billing name, payment method (tokenized) | United States |
| Postmark (ActiveCampaign, Inc.) | Transactional email delivery (magic links) | Email address, email content | United States |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | IP address, request metadata (in transit) | United States / Global |
| GitHub, Inc. | Source code repository and CI/CD | No personal data | United States |
Both Anthropic's and OpenAI's API terms prohibit using API inputs to train their models. Extracted document text is sent to these APIs only to generate your course content and is not retained by them for training purposes.
We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data (email, name) | Until account deletion + 30 days | 30-day grace period for accidental deletion |
| Course content and learning paths | Until org cancels or deletes content | Org admin can delete at any time |
| Learner completion records | Until org cancels or requests deletion | HIPAA Mode: 6 years minimum |
| Audit logs | 2 years (standard) | HIPAA Mode: 6 years minimum per §164.312(b) |
| Uploaded source documents | Not retained | Processed in-memory only; discarded after generation |
| Payment records | 7 years | Required by financial regulations |
| Signed agreements (BAA/DPA) | Duration of service + 7 years | Required for compliance audit trail |
| Magic link tokens | 15 minutes or until used | Single-use; expire immediately on click |
| Session tokens (JWT) | 7 days | Invalidated on logout |
Under GDPR (Articles 15–22), UK GDPR, and similar privacy laws, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at privacy@syllabi-hsek.polsia.app.
You have the right to request a copy of the personal data we hold about you, including information about how we use it, who we share it with, and how long we retain it.
If any personal data we hold about you is inaccurate or incomplete, you can request that we correct it. You can update your name and email directly in your account settings, or contact us for corrections we cannot make ourselves.
You can request that we delete your personal data. We will honor this request unless we are required to retain data by law (e.g., financial records, HIPAA audit logs) or to fulfill an existing contract. Account deletion removes your personal data and disassociates your activity from your identity.
You can request that we restrict processing of your data while a dispute is under review — for example, if you contest the accuracy of data we hold or object to our processing.
You can request a machine-readable export of your personal data. Organization admins can export learner completion records, audit logs, and course data from the admin panel. For a personal data export, contact us directly.
You can object to processing based on legitimate interests. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Where we rely on your consent to process data (if applicable), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before your withdrawal.
If you believe we have mishandled your data, you have the right to lodge a complaint with your local data protection authority. In the EU, you can find your supervisory authority at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).
Response time: We will respond to rights requests within 30 days of receipt. If your request is complex, we may extend this by up to 60 additional days and will notify you of the extension.
Syllabi is operated from the United States. All of our sub-processors are based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States.
We rely on the following transfer mechanisms to ensure an adequate level of protection:
If you are a business customer in the EEA or UK and require a signed Data Processing Agreement for GDPR compliance, you can execute one electronically on our DPA page.
Syllabi uses localStorage (not cookies) to store your authentication token on the client side. We do not use third-party tracking cookies or advertising pixels.
| Storage Key | Purpose | Expires |
|---|---|---|
| syllabi_token | Stores your JWT authentication token to keep you signed in | 7 days (or when you sign out) |
We run a self-hosted, privacy-first analytics tracker. It records page paths, referrers, and a one-way hashed (SHA-256) version of your IP address. The raw IP is never stored. No cross-site tracking. No cookies set by our analytics.
We do not run retargeting ads. We do not share your browsing behavior with any advertising platform. There are no Facebook Pixel, Google Ads, or similar trackers on any Syllabi page.
Syllabi is designed for use by organizations and their employees. Our service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will delete it promptly.
If you believe we have inadvertently collected data from a minor, contact us at privacy@syllabi-hsek.polsia.app.
We may update this Privacy Policy from time to time. When we do, we will:
Your continued use of Syllabi after a policy update constitutes your acceptance of the revised policy. If a change materially reduces your rights, we will seek fresh consent where required by law.
Previous policy versions are available upon request. Consent records reference the policy version that was in effect at the time of acceptance.
For any privacy-related questions, rights requests, or concerns about how we handle your data:
Email: privacy@syllabi-hsek.polsia.app
Subject line: Privacy Request — [Your Name / Organization]
For GDPR-specific requests (access, erasure, portability), please include your email address and organization name. We will respond within 30 days.
For EU/UK customers requiring a signed DPA, visit our Data Processing Agreement page.