Privacy Policy

Effective date: 1 May 2026

Last updated: 17 May 2026

Version: 1.1

This Privacy Policy describes how JM&Co SRL, a Belgian limited liability company operating under the trade name "Sylatris" (hereinafter "we", "us", "our", or "Sylatris"), processes personal data in connection with the Sylatris service (the "Service") accessible at sylatris.com and related domains.

This Policy is published in compliance with the EU General Data Protection Regulation 2016/679 ("GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

1. Data Controller

The data controller responsible for the processing of personal data described in this Policy is:

JM&Co SRL
Chaussée de Gand 461/7, 1080 Brussels
Belgium
Company number: BE 0738.851.374 (BCE/KBO)
VAT number: BE 0738.851.374

Contact for privacy matters: privacy@sylatris.com
General contact: contact@sylatris.com

For the purposes of GDPR Article 27, JM&Co SRL is established within the European Union and does not require the appointment of an EU representative.

2. Scope

This Policy applies to:

(a) Visitors to our public websites at sylatris.com, www.sylatris.com, and any subdomains thereof;

(b) Persons who join our waitlist or subscribe to communications from us;

(c) Authenticated users of the Service ("Users") and the businesses they represent ("Customer Organizations");

(d) Senders of email correspondence to addresses operated by us, including @receipts.sylatris.com and @sylatris.com.

3. Categories of Personal Data Processed

We process the following categories of personal data:

3.1 Account and Authentication Data

  • Email address (used as primary identifier and for passwordless authentication via magic links)
  • Authentication metadata (login timestamps, session tokens, IP addresses of authentication events)
  • Selected user interface language

Source: Provided directly by you when you create an account or sign in.

3.2 Customer Organization Data

When you create or join a Customer Organization on the Service:

  • Business name and trade name
  • Country of registration
  • Value Added Tax (VAT) identification number, where provided
  • Default operating language and currency
  • Membership role (owner, administrator, member)

Source: Provided directly by you during onboarding or by an administrator of your Customer Organization.

3.3 Business Document Content

The Service is designed to extract structured data from business documents you submit. Such documents — including but not limited to receipts, invoices, purchase orders, and statements — may contain:

  • Vendor or counterparty names, addresses, and identification numbers
  • Transaction amounts, currencies, dates, and tax breakdowns
  • Line item descriptions, quantities, and unit prices
  • Bank account or payment reference numbers
  • Names, email addresses, or other personal data of natural persons appearing on the document
  • Other information present in the document image or file

Source: Submitted by you via web upload, email forwarding to your designated inbound address, or future integrations.

3.4 Communication and Conversational Data

When you interact with the Sylatris AI assistant or the email-forwarding feature:

  • Messages exchanged with the assistant
  • AI-generated responses and tool execution records
  • Email metadata of inbound forwards (sender address, subject, timestamps, attachment count, message identifier)
  • Email content (raw and parsed) when received at addresses operated by us

Source: Generated by your interaction with the Service.

3.5 Technical and Usage Data

  • IP address and approximate geographic location derived therefrom
  • Browser type, operating system, device identifiers
  • Pages visited, features used, timestamps of access
  • Performance and error telemetry

Source: Automatically collected when you use the Service.

3.6 Allowed Senders Allowlist

Email addresses you authorize to forward documents to your Customer Organization's inbound address.

Source: Provided by you or other administrators of your Customer Organization.

4. Purposes of Processing and Legal Bases

We process personal data for the following purposes, on the legal bases identified below:

| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| To create and authenticate user accounts and provide access to the Service | Performance of a contract (Art. 6(1)(b)) |
| To extract structured data from documents you submit, generate AI responses, and provide the core functionality of the Service | Performance of a contract (Art. 6(1)(b)) |
| To send transactional communications relating to your account, including authentication links, security notices, and service announcements | Performance of a contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| To prevent fraud, abuse, and unauthorized access; to maintain audit logs of inbound email activity | Legitimate interest in operating a secure service (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| To comply with applicable legal, regulatory, accounting, and tax obligations | Legal obligation (Art. 6(1)(c)) |
| To send marketing or promotional communications to subscribers who have opted in | Consent (Art. 6(1)(a)) |
| To improve and develop the Service, including aggregated analysis of usage patterns (without re-identifying individual users) | Legitimate interest (Art. 6(1)(f)) |
| To establish, exercise, or defend legal claims | Legitimate interest (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |

5. Recipients of Personal Data

We share personal data only with the following categories of recipients, each acting as a processor on our behalf under a written data processing agreement compliant with GDPR Article 28:

5.1 Sub-processors

| Sub-processor | Function | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Frankfurt, Germany (EU) | N/A — EU storage |
| Anthropic, PBC | AI document extraction and assistant capabilities | United States | Standard Contractual Clauses (SCCs), Module 2 |
| ActiveCampaign, LLC (Postmark) | Inbound and transactional email processing | United States | Standard Contractual Clauses (SCCs), Module 2 |
| Resend, Inc. | Outbound transactional email delivery | Various | Standard Contractual Clauses (SCCs), Module 2 |
| Vercel, Inc. | Application hosting and content delivery | Global edge network with EU presence | Standard Contractual Clauses (SCCs), Module 2 |
| Cloudflare, Inc. | Domain name resolution and DDoS protection | Global edge network | Standard Contractual Clauses (SCCs), Module 2 |
| Stripe Payments Europe Limited | Payment processing (where applicable) | Ireland (EU) and United States | EU storage; SCCs for any US transfer |

We maintain a current list of sub-processors at sylatris.com/privacy/sub-processors. We provide reasonable notice of any new or replacement sub-processors and offer Customer Organizations the right to object on legitimate grounds.

5.2 Other Recipients

(a) Members of your Customer Organization. Personal data and business documents you submit may be visible to other members of your Customer Organization in accordance with their assigned roles.

(b) Professional advisers. Where strictly necessary, we may share personal data with our legal counsel, auditors, accountants, or other professional advisers, each subject to confidentiality obligations.

(c) Regulatory and law enforcement authorities. We may disclose personal data where required by Belgian or applicable EU law, by valid order of a competent court, or where necessary to protect our rights, property, or safety, or those of our Users or third parties.

(d) Successor entities. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.

We do not sell, rent, or trade personal data to third parties.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area, such transfers are protected by appropriate safeguards as required by GDPR Chapter V, including:

(a) Standard Contractual Clauses adopted by the European Commission pursuant to Decision 2021/914;

(b) Where applicable, supplementary technical and organizational measures including encryption in transit (TLS) and at rest, access controls, and audit logging;

(c) Where applicable, adequacy decisions issued by the European Commission for specific countries.

A copy of the SCCs and information about our supplementary measures is available on request from privacy@sylatris.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, except where a longer retention period is required by law:

| Data Category | Retention Period |
|---|---|
| Account and authentication data | Duration of account + 24 months after closure |
| Business documents and extracted data | Duration of account + seven (7) years after closure, as required by Belgian and French accounting record retention law (see Terms of Service Section 16.5). Data is accessible through graduated grace periods after cancellation and securely deleted after the retention period expires. |
| Conversation and AI assistant logs | 12 months from creation |
| Inbound email audit logs | 12 months from creation |
| Technical and usage data | 12 months from creation |
| Marketing consent records | Duration of consent + 3 years after withdrawal (for proof of consent) |
| Records relating to legal claims, complaints, or regulatory inquiries | Duration of the matter + applicable limitation period (10 years for contractual claims under Belgian law) |

Upon expiry of the applicable retention period, we securely delete or anonymize the personal data.

8. Your Rights

You have the following rights with respect to personal data we hold about you, exercisable in accordance with GDPR Articles 12–22:

(a) Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and, if so, a copy thereof;

(b) Right to rectification (Art. 16) — to obtain correction of inaccurate or incomplete personal data;

(c) Right to erasure (Art. 17) — to obtain deletion of personal data, subject to applicable exceptions;

(d) Right to restriction of processing (Art. 18) — to limit how we process your personal data in defined circumstances;

(e) Right to data portability (Art. 20) — to receive personal data you provided in a structured, commonly used, machine-readable format and to transmit it to another controller;

(f) Right to object (Art. 21) — to object to processing based on our legitimate interests, including profiling;

(g) Right to withdraw consent (Art. 7(3)) — where processing is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal;

(h) Right not to be subject to automated decision-making (Art. 22) — to not be subject to a decision based solely on automated processing that produces legal effects or significantly affects you. The Service uses AI to assist with document data extraction; we do not use such processing to make decisions about you that produce legal effects.

To exercise these rights, contact privacy@sylatris.com. We will respond within one (1) month of receipt of your request, extendable by a further two (2) months in cases of complexity.

We may request information necessary to verify your identity before processing your request.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) at:

Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Website: www.autoriteprotectiondonnees.be

Or with the supervisory authority of the EU member state where you reside.

9. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

(a) Encryption of personal data in transit (TLS 1.2 or higher) and at rest;

(b) Role-based access controls and the principle of least privilege;

(c) Multi-tenant data isolation enforced at the database level (row-level security);

(d) Authentication of inbound email webhooks via shared secret;

(e) Audit logging of inbound email processing and administrative actions;

(f) Regular security review of our codebase and dependencies;

(g) Restriction of inbound email processing to senders explicitly authorized by each Customer Organization;

(h) Use of unguessable identifiers in email forwarding addresses to prevent enumeration attacks;

(i) Secure password-free authentication via single-use email links.

No method of electronic transmission or storage is fully secure. We undertake to notify the Belgian Data Protection Authority and affected data subjects of any personal data breach in accordance with GDPR Articles 33 and 34.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that personal data of a child has been collected, we will take steps to delete it.

11. Cookies and Similar Technologies

The Service uses cookies and similar technologies as described in our Cookie Notice, available at sylatris.com/cookies. By default, only strictly necessary cookies are set. Other cookies are set only with your prior consent.

12. Automated Decision-Making and Profiling

The Service uses AI models (provided by Anthropic, PBC) to extract structured information from business documents and to generate responses to your queries. This processing:

(a) Is performed at your request and to provide the core functionality of the Service;

(b) Does not produce legal effects concerning you or significantly affect you (the AI does not make autonomous decisions; it presents extracted information for your review);

(c) Does not constitute "automated decision-making" within the meaning of GDPR Article 22.

You retain full control over how to use the information extracted or generated by the AI. We do not use AI-generated outputs to make decisions about you, your eligibility for the Service, or any other matter producing legal or similarly significant effects.

13. Changes to This Policy

We may update this Policy from time to time. The current version, with the effective date, will always be available at sylatris.com/privacy. Material changes will be notified to authenticated users by email at least thirty (30) days in advance. Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes.

14. Contact

For questions about this Policy, to exercise your rights, or to report a concern:

Email: privacy@sylatris.com
Postal address: JM&Co SRL, Chaussée de Gand 461/7, 1080 Brussels, Belgium


This Privacy Policy is governed by Belgian law. The Belgian and English versions are equally authoritative; in case of inconsistency, the Belgian-French version shall prevail for users in the French Community of Belgium and Belgian-Dutch shall prevail for users in the Flemish Community.

Translations into French and Dutch will be made available before public launch.
