This Privacy Policy explains how SynthCrew Ι.Κ.Ε. (“SynthCrew”, “we”, “us”) handles personal data in connection with the Viciora platform (“Viciora”, the “Service”). Viciora is a multi-tenant governance, risk, compliance and IT advisory platform used by service providers, consultants and advisors (our “Customers”) to manage compliance and advisory work for their own clients.
We take this seriously — building a compliance platform means holding ourselves to the standard we help our Customers meet.
1. Who we are
SynthCrew Ι.Κ.Ε. is the company behind Viciora, established in Greece. For any privacy question, or to exercise the rights described below, contact us at hello@viciora.com.
2. The two roles we play
Because Viciora is used by advisors to manage their own clients, it’s important to be clear about who controls what data.
When we act as a data controller. For data about our Customers and their team members — account details, billing information, support requests, and how people use the Service — SynthCrew is the data controller. This Policy governs that data.
When we act as a data processor. When a Customer uploads or generates data about their clients inside their workspace (assessments, evidence, risk registers, contacts, and similar), the Customer is the data controller and SynthCrew acts as a data processor on their behalf. We process that data only on the Customer’s documented instructions, under a Data Processing Agreement (DPA). If you are a client of one of our Customers and have questions about that data, please contact the advisor or firm that manages your engagement.
3. Data we collect
- Account data: name, work email, company, role, and login credentials.
- Usage data: how the Service is accessed and used, including log data, device and browser information, and feature interactions, used to operate and improve the platform.
- Communications: messages you send us, including demo requests and support enquiries.
- Customer workspace data: the compliance, risk, advisory and inventory data Customers manage inside Viciora. We process this as described in Section 2.
4. Why we process data and our legal basis
We process personal data for the following purposes under the GDPR:
- To provide the Service — performance of a contract (Art. 6(1)(b)).
- To secure, maintain and improve the platform — our legitimate interests in running a reliable, secure service (Art. 6(1)(f)).
- To communicate with you about demos, support and service updates — legitimate interests or, where applicable, your consent (Art. 6(1)(a)).
- To meet legal obligations such as tax and accounting requirements (Art. 6(1)(c)).
We never use Customer workspace data to train AI models.
5. Where your data is hosted
Viciora is EU-hosted by default. Personal data is stored in data centres located within the European Union, which matters when our Customers and their clients are regulated. Workspace data is isolated per workspace.
6. Security
We protect data with measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Per-workspace data isolation in our multi-tenant architecture
- Role-based access controls and single sign-on (SSO)
- Full audit logging
- Controls aligned with ISO 27001 and GDPR
No system is perfectly secure, but we work continuously to protect the data entrusted to us.
7. Sub-processors
We use a limited set of vetted sub-processors (for example, EU cloud hosting and infrastructure providers) to deliver the Service. Each is bound by data protection terms consistent with the GDPR. A current list of sub-processors is available on request at hello@viciora.com.
8. International transfers
We aim to keep personal data within the EU. Where any transfer outside the European Economic Area is necessary, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
9. Retention
We keep personal data only as long as needed for the purposes set out above, or as required by law. Customer workspace data is retained according to the Customer’s instructions and our agreement with them, and is deleted or returned on termination as set out in the DPA.
10. Your rights
If you are in the EU, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and the right to data portability. You may also withdraw consent at any time where processing is based on consent.
To exercise these rights for data we control, contact hello@viciora.com. For data held inside a Customer’s workspace, contact the Customer (the controller) directly; we will assist them in responding. You also have the right to lodge a complaint with your local supervisory authority — in Greece, the Hellenic Data Protection Authority (HDPA).
11. Cookies
We use a small number of cookies and similar technologies to operate the site, remember preferences and understand usage. You can manage cookies through your browser settings. Where required, we ask for consent before setting non-essential cookies.
12. Changes to this Policy
We may update this Policy from time to time. We’ll post the revised version here and update the “Last updated” date. Material changes will be communicated where appropriate.
13. Contact
SynthCrew Ι.Κ.Ε.
Email: hello@viciora.com