GDPR Compliance
Last Updated: December 6, 2024
Sylonow is fully committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This page outlines our commitment to protecting your personal data and explains your rights under GDPR.
1. Our Commitment to GDPR
1.1 Data Protection Principles
We adhere to the following GDPR principles in all our data processing activities:
- Lawfulness, fairness, and transparency in data processing
- Purpose limitation – collecting data only for specified, explicit purposes
- Data minimization – collecting only necessary data
- Accuracy – keeping personal data accurate and up to date
- Storage limitation – retaining data only as long as necessary
- Integrity and confidentiality – ensuring appropriate security
- Accountability – demonstrating compliance with these principles
1.2 Scope of Application
This GDPR compliance notice applies to all users accessing Sylonow services from the European Economic Area (EEA), the United Kingdom, and any other jurisdiction where GDPR or similar data protection regulations apply.
2. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
2.1 Right to Access (Article 15)
You have the right to:
- Obtain confirmation of whether we process your personal data
- Request a copy of your personal data
- Know the purposes of processing
- Know the categories of data being processed
- Know the recipients of your data
- Know the retention period for your data
- Know the source of data if not collected directly from you
2.2 Right to Rectification (Article 16)
You have the right to:
- Correct inaccurate personal data without undue delay
- Complete incomplete personal data
- Update outdated information
2.3 Right to Erasure (Article 17)
Also known as the "right to be forgotten," you can request deletion of your data when:
- Data is no longer necessary for the original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Data must be erased to comply with legal obligations
2.4 Right to Restrict Processing (Article 18)
You can request restriction of processing when:
- You contest the accuracy of your data
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification
2.5 Right to Data Portability (Article 20)
You have the right to:
- Receive your data in a structured, commonly used, machine-readable format
- Transmit your data to another controller without hindrance
- Request direct transmission between controllers where technically feasible
2.6 Right to Object (Article 21)
You have the right to object to:
- Processing based on legitimate interests
- Processing for direct marketing purposes
- Processing for scientific or historical research purposes
- Profiling related to any of the above
2.7 Rights Related to Automated Decision-Making (Article 22)
You have the right to:
- Not be subject to decisions based solely on automated processing
- Obtain human intervention in automated decisions
- Express your point of view regarding automated decisions
- Contest automated decisions
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
3.1 Contract Performance (Article 6(1)(b))
Processing necessary to:
- Provide celebration services you have booked
- Process payments and refunds
- Communicate about your bookings
- Deliver services to your specified location
3.2 Legitimate Interests (Article 6(1)(f))
Processing based on our legitimate business interests:
- Improving our services and user experience
- Fraud prevention and security
- Business analytics and reporting
- Marketing to existing customers (with opt-out option)
3.3 Consent (Article 6(1)(a))
Processing based on your explicit consent:
- Marketing communications to new users
- Non-essential cookies and tracking
- Sharing data with third-party marketing partners
- Processing special categories of data
3.4 Legal Obligation (Article 6(1)(c))
Processing required by law:
- Tax and accounting requirements
- Responding to legal requests from authorities
- Compliance with consumer protection laws
4. Data Protection Officer
4.1 DPO Contact Information
We have appointed a Data Protection Officer to oversee GDPR compliance:
Email: dpo@sylonow.com
Subject Line: GDPR Inquiry
Response Time: Within 30 days (as required by GDPR)
4.2 DPO Responsibilities
Our Data Protection Officer is responsible for:
- Monitoring compliance with GDPR and other data protection laws
- Advising on data protection impact assessments
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects
- Training staff on data protection obligations
5. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in our Privacy Policy:
5.1 Retention Periods
- Booking and transaction data: 7 years (for tax and legal compliance)
- Account information: Until account deletion, plus 3 years
- Marketing preferences: Until consent withdrawal
- Customer support records: 3 years from last interaction
- Analytics data: 2 years (anonymized after 1 year)
- Cookie data: As specified in our Cookie Policy
5.2 Deletion Process
When data reaches the end of its retention period or you request deletion, we will securely delete or anonymize the data within 30 days, unless legal obligations require longer retention.
6. International Data Transfers
6.1 Transfer Mechanisms
For users in the EEA, any transfer of personal data outside the EEA is protected by:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the EU
- Binding Corporate Rules where applicable
- Your explicit consent for specific transfers
6.2 Data Location
Your data may be processed in:
- India (our primary data center location)
- Cloud service providers with servers in various locations
- Third-party service providers as described in our Privacy Policy
7. Data Security Measures
We implement appropriate technical and organizational measures to protect your data:
7.1 Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security assessments and penetration testing
- Intrusion detection and prevention systems
- Secure access controls and authentication
- Regular software updates and patch management
7.2 Organizational Measures
- Data protection training for all employees
- Access controls based on role and necessity
- Confidentiality agreements with staff and contractors
- Regular audits of data processing activities
- Incident response procedures
8. Data Breach Notification
8.1 Our Obligations
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay if the breach poses a high risk
- Document all breaches and remedial actions taken
- Implement measures to prevent future breaches
8.2 Breach Notification Content
Notifications will include:
- Nature of the breach and categories of data affected
- Approximate number of individuals affected
- Contact details of our Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Exercising Your Rights
9.1 How to Submit a Request
To exercise any of your GDPR rights, you can:
- Email our DPO at dpo@sylonow.com
- Use the privacy settings in your account
- Submit a request through our website contact form
- Write to us at our headquarters address
9.2 Verification Process
To protect your data, we may need to verify your identity before processing your request. This may include:
- Confirming your email address
- Asking security questions
- Requesting government-issued ID for sensitive requests
9.3 Response Timeline
We will respond to your request within 30 days. If the request is complex, we may extend this by an additional 60 days, but we will inform you of any extension within the initial 30-day period.
10. Complaints
10.1 Internal Complaints
If you are not satisfied with how we handle your data or respond to your requests, please contact our DPO at dpo@sylonow.com. We take all complaints seriously and will investigate thoroughly.
10.2 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. For users in the EEA, this is typically the data protection authority in your country of residence. Key supervisory authorities include:
- UK: Information Commissioner's Office (ICO)
- Germany: Federal Commissioner for Data Protection
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Ireland: Data Protection Commission
11. Contact Us
For GDPR-related inquiries and to exercise your data protection rights:
Data Protection Officer Email: dpo@sylonow.com
General Privacy Email: privacy@sylonow.com
Response Time: Within 30 days
Company Name: Sylonow
Launch Date: July 2025
Headquarters: Bengaluru, Karnataka, India
Founders: Sangamesh, Srikanth & Gagan
Industry: Celebration & Surprise Services
Business Model: B2C & B2B – Platform-based
Service Areas: Now serving in Bengaluru, and coming soon to other cities across India
12. Updates to This Notice
We may update this GDPR compliance information from time to time. When we make changes:
- We will update the "Last Updated" date at the top of this page
- Significant changes will be communicated via email or through our platform
- Your continued use of our services constitutes acceptance of the updated notice
- We encourage you to review this notice periodically