Data Processing Agreement
Last updated: 31 May 2026 · Version 3.0
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SYNDICATES("Processor", "we", "us", "our") and the User ("Data Subject" or "you"). It sets out the terms governing the processing of personal data in compliance with the EU General Data Protection Regulation ("EU GDPR" or "GDPR") and the Danish Data Protection Act.
This DPA applies where we process personal data on your behalf or where we act as a controller and use subprocessors to assist in providing our Services.
2. Definitions
Capitalized terms not otherwise defined herein shall have the meanings given in the EU GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" shall have the same meanings as in the EU GDPR.
3. Roles of the Parties
In relation to the personal data you provide when using our Services:
- Controller: SYNDICATES is the data controller for the personal data processed in connection with the operation of the Syndicates platform.
- Processor: We engage subprocessors (listed in Section 7) to process personal data on our behalf under our instructions.
4. Details of Processing
| Subject matter | Provision of the Syndicates subscription-based trading education platform and related services. |
| Duration | For the duration of the user's account plus any retention period required by applicable law. |
| Nature and purpose | Collection, storage, organization, structuring, adaptation, retrieval, use, disclosure by transmission, alignment, restriction, erasure, and destruction of personal data for the purposes of authentication, service delivery, payment processing, customer support, security, and legal compliance. |
| Types of personal data | Identity data (name, email), contact data, authentication data (password hashes, 2FA secrets), financial data (Stripe IDs, subscription status), technical data (IP addresses, cookies), usage data (course progress, support messages), and community data (Discord ID, TradingView username). |
| Categories of data subjects | Registered users, subscribers, affiliates, and individuals who contact support. |
5. Processor Obligations
We shall:
- Process personal data only on documented instructions from you (as controller), including with regard to transfers of personal data to third countries, unless required to do so by Danish or EU law;
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Privacy Policy;
- Not engage another processor (subprocessor) without your prior specific or general written authorization. We have your general authorization for the subprocessors listed in Section 7. We will inform you of any intended changes concerning the addition or replacement of subprocessors, giving you the opportunity to object;
- Assist you, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests for exercising data subject rights;
- Assist you in ensuring compliance with obligations pursuant to Articles 32 to 36 of the EU GDPR (security of processing, data breach notification, DPIAs, and prior consultation);
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the EU GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you;
- Notify you without undue delay after becoming aware of a personal data breach.
6. Subprocessors
We use the following subprocessors to provide our Services. All subprocessors are bound by data processing agreements that comply with EU GDPR Article 28:
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, invoicing | United States | EU-U.S. Data Privacy Framework + SCCs |
| Discord, Inc. | OAuth identity, community platform, role management | United States | SCCs + supplementary measures |
| Vercel, Inc. | Hosting and CDN (if applicable) | United States / EU | SCCs + DPF (where applicable) |
| Google LLC | Font delivery (Inter via next/font/google) | United States | EU-U.S. Data Privacy Framework |
We will notify you at least 30 days in advance of adding any new subprocessor that processes your personal data, giving you the right to object on reasonable grounds.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place in accordance with EU GDPR Chapter V, including Standard Contractual Clauses approved by the European Commission or the Danish Data Protection Agency (Datatilsynet) and, where applicable, reliance on the EU-U.S. Data Privacy Framework.
Upon request, we will provide you with a copy of the relevant safeguards.
8. Data Subject Rights
We will assist you in responding to data subject requests to exercise their rights under EU GDPR Articles 15–22. This includes providing necessary information and taking appropriate technical measures to facilitate access, rectification, erasure, restriction, portability, and objection.
9. Data Breach Notification
We will notify you without undue delay and in any case within 24 hours of becoming aware of any personal data breach. Such notification will include, to the extent possible: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
10. Audit Rights
You have the right to audit our compliance with this DPA. Audits may be conducted no more than once per calendar year (unless mandated by a supervisory authority or triggered by a breach), with reasonable prior notice, and at your expense. We will cooperate and provide access to relevant documentation and personnel.
11. Return and Deletion of Data
Upon termination of your account or upon your written request, we will, at your choice, return or delete all personal data processed on your behalf, except where we are required by applicable law to retain copies. We will certify the deletion in writing upon request.
12. Changes to This DPA
We may update this DPA to reflect changes in our processing activities or legal requirements. Material changes will be notified at least 30 days in advance.
13. Contact
For questions about this Data Processing Agreement, please contact:
Data Protection Officer
SYNDICATES
Email: [email protected]
Address: [Adresse tilføjes], Danmark