1. Who We Are
DeepSynergy ("we", "us", "our") is an AI governance and orchestration consultancy headquartered in Amsterdam, the Netherlands. We are in the process of formal registration with the Dutch Chamber of Commerce (Kamer van Koophandel). For the purposes of EU and international data protection law, DeepSynergy acts as the data controller for all personal data collected through this website (deepsynergy.io).
Contact details for all privacy matters:
- Responsible person: Raden Yusuf Darul Kutni Zahri, CEO & Founder
- Email: yusuf@deepsynergy.io
- Location: Amsterdam, Netherlands
- Website: deepsynergy.io
2. Personal Data We Collect
2.1 Contact Form Data
When you submit a message through our contact form, we collect the following personal data:
- Full name — to address you correctly in our response
- Email address — to send our reply and any follow-up communications
- Company or organisation name (optional) — to contextualise your enquiry
- Subject / service interest — to route and prioritise your message
- Message content — the substance of your enquiry or request
2.2 Automatically Collected Technical Data
We do not operate any analytics service, tracking pixel, or user fingerprinting technology. We do not knowingly collect IP addresses, device identifiers, or behavioural browsing data. Standard HTTP access logs may be generated automatically by our hosting providers (Netlify and Render) as part of normal server operations; these logs are managed under each provider's own data practices (see Section 5).
2.3 Language Preference
We store your selected display language (English, Arabic, Indonesian, or Dutch) in your browser's localStorage under the key ds_lang. This value never leaves your device and is not transmitted to any server. We treat it as a functional preference, not personal data.
3. Legal Basis for Processing
We process personal data only where we have a valid legal basis. The table below maps each processing activity to its legal basis across applicable jurisdictions.
| Processing Activity | Data Involved | Legal Basis | Jurisdiction |
|---|---|---|---|
| Responding to contact form enquiries | Name, email, company, message | Legitimate interests (Art. 6(1)(f) GDPR); pre-contractual steps (Art. 6(1)(b) GDPR) | EU / NL |
| Responding to contact form enquiries | Name, email, company, message | Consent (UU PDP Art. 20); fulfilment of contractual obligations (UU PDP Art. 21) | Indonesia |
| Responding to contact form enquiries | Name, email, company, message | Contractual necessity; legitimate interest (PDPL Art. 4, 5, 7) | KSA / GCC |
| Service delivery to active clients | Communication records | Contract performance (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) | EU / NL |
| Compliance with legal obligations (e.g., accounting records) | Business correspondence | Legal obligation — Dutch Civil Code, Wet op de jaarrekening | EU / NL |
4. How We Use Your Data
We use the personal data you provide solely for the following purposes:
- To respond to your specific contact form submission or enquiry
- To discuss potential service engagements relevant to your stated interest
- To arrange discovery calls, demonstrations, or consultations that you have requested
- To send you information about our services where you have explicitly requested this
- To comply with legal obligations imposed on us under Dutch, EU, or applicable international law
We expressly do not:
- Sell, rent, license, or otherwise transfer your personal data to any third party for their own marketing purposes
- Use your data for automated decision-making or profiling that has legal or similarly significant effects
- Use your data to send unsolicited marketing or newsletters unless you have given separate, explicit consent
- Process your data for any purpose beyond those stated above without first obtaining your explicit consent
5. Third-Party Data Processors
We engage the following sub-processors to operate this website and deliver our services. Each processor is used in a manner consistent with applicable data protection law; where required, data processing agreements or Standard Contractual Clauses (SCCs) are in place.
| Provider | Purpose | Data Shared | Processing Location | Safeguards |
|---|---|---|---|---|
| EmailJS (emailjs.com) | Delivery of contact form submissions to our inbox | Name, email, company, message content | EU / US | SCCs; EmailJS Privacy Policy |
| Netlify (netlify.com) | Website hosting and global CDN delivery | Standard HTTP server request metadata only | EU / US (CDN edge nodes) | DPA available; Netlify Privacy Policy |
| Render (render.com) | API server hosting for protected content delivery | Standard HTTP request metadata; no contact form personal data | EU (Frankfurt, Germany) | SOC 2 Type II; Render Privacy Policy |
We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any advertising or behavioural-analytics platforms.
6. International Data Transfers
Our primary infrastructure is located within the European Union. Where data is processed outside the EU/EEA (for example, via certain CDN edge nodes operated by Netlify), we ensure adequate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) — for transfers to countries without a European Commission adequacy decision
- EU–US Data Privacy Framework — where the recipient organisation is certified under this framework
Indonesia — UU PDP (Law No. 27 of 2022), Article 56
Cross-border transfers of personal data relating to Indonesian data subjects are conducted only where: (a) the destination country provides an equivalent or adequate level of personal data protection; or (b) appropriate contractual safeguards providing equivalent protections have been established in accordance with Indonesian law.
Saudi Arabia & GCC — PDPL, Article 30
Personal data relating to data subjects in the Kingdom of Saudi Arabia and GCC member states is not transferred outside the applicable jurisdiction in a manner that would reduce the level of protection guaranteed by the PDPL. Where cross-border transfer is necessary, it is carried out under contractual mechanisms consistent with PDPL requirements, and only where the relevant authority's conditions are satisfied.
7. Data Retention
We retain personal data for no longer than is necessary to fulfil the purposes set out in this Policy, or as required by applicable legal obligations:
- Contact form submissions (no engagement): deleted within 6 months of our last communication with you
- Contact form submissions (leading to a scoped discussion): retained for up to 24 months from submission
- Active client correspondence and project records: retained for 7 years from the end of the engagement, in accordance with Dutch Civil Code obligations (Burgerlijk Wetboek, Book 2, Art. 394)
- Financial and accounting records: retained for 7 years under Dutch tax and accounting law
Upon a valid erasure request, we will delete your data promptly where no overriding legal retention obligation applies.
8. Your Rights
To exercise any right listed below, contact us at yusuf@deepsynergy.io. We will acknowledge your request within 72 hours and respond in full within 30 days (EU/NL & Global), 14 working days (Indonesia), or within the statutory period applicable to your jurisdiction.
8.1 European Union / Netherlands (GDPR)
Under the General Data Protection Regulation (EU 2016/679), you have the following rights:
- Right of access (Art. 15) — obtain confirmation and a copy of the personal data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") (Art. 17) — request deletion of your data where it is no longer necessary for the purposes for which it was collected
- Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances
- Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller
- Right to object (Art. 21) — object at any time to processing of your data based on our legitimate interests
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right not to be subject to automated decision-making (Art. 22) — we do not carry out automated decision-making or profiling with legal or similarly significant effects
You also have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (AP), Bezuidenhoutseweg 30, 2594 AV Den Haag.
8.2 Indonesia — UU PDP (Law No. 27 of 2022)
Data subjects in Indonesia have the following rights under the Personal Data Protection Law:
- Request information on the identity of the data controller and the purpose, legal basis, and type of personal data used
- Access your personal data and obtain a copy
- Correct or complete inaccurate, incomplete, incorrect, or outdated personal data
- End processing and request deletion of your personal data
- Withdraw consent previously given for any processing activity
- Object to automated processing that produces legal or similarly significant effects for you
- Receive your personal data in a commonly used electronic format (data portability)
- File a complaint with the competent Indonesian regulatory authority (currently the Ministry of Communication and Information Technology — Kominfo)
8.3 Saudi Arabia & Gulf Cooperation Council (PDPL)
Data subjects in the Kingdom of Saudi Arabia and GCC member states have the following rights under the Saudi Personal Data Protection Law (PDPL) and relevant national implementations:
- Be informed of what personal data is collected, the purpose of processing, and how it is used
- Access your personal data held by us at reasonable intervals
- Request correction or completion of inaccurate or incomplete personal data
- Request destruction of your personal data where processing was based solely on your consent and you have withdrawn that consent
- Withdraw consent for processing at any time
- File a complaint with Saudi Arabia's National Data Management Office (NDMO) / Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa
9. Cookies and Local Storage
This website uses no advertising cookies, no analytics cookies, and no cross-site tracking technologies. The only browser-side storage mechanism we use is:
- ds_lang (browser localStorage): stores your display language preference (e.g., "en", "ar", "id", or "nl"). This value is never transmitted to any server and contains no personal data.
For full information on our use of browser storage, please review our Cookie Policy.
10. Children's Privacy
Our website and services are directed at business professionals and enterprises, not individuals. We do not knowingly collect personal data from children below the applicable minimum age:
- EU / Netherlands: 16 years (GDPR Art. 8)
- Indonesia: 17 years (UU PDP)
- Saudi Arabia / GCC: 18 years (PDPL)
If we become aware that we have inadvertently collected personal data from a child below the applicable threshold, we will delete such data promptly. If you believe we have collected a child's data, please contact us immediately at yusuf@deepsynergy.io.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Specific measures include:
- Mandatory HTTPS / TLS 1.2+ encryption for all data transmitted to and from this website
- Encrypted communication channels with all third-party data processors
- Access restrictions — contact form submissions are delivered only to our secure inbox and are not stored on publicly accessible servers
- No persistent storage of contact form content on our web servers beyond the point of delivery
- Regular review of third-party processor security practices and certifications
While we employ commercially reasonable security measures, no method of electronic transmission or storage is perfectly secure. Should you suspect any unauthorised access to your data, please contact us immediately at yusuf@deepsynergy.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational circumstances. When we make material changes, we will update the "Last updated" date at the top of this document.
For significant changes affecting your rights or the way we process your data, we will make reasonable efforts to notify you directly if we hold your contact information and the change is material to our relationship.
Your continued use of this website after any update constitutes acknowledgement of the revised Policy.
13. Contact and Regulatory Complaints
For any question, request, or concern regarding this Privacy Policy or the processing of your personal data, please contact:
- Data Controller: Raden Yusuf Darul Kutni Zahri
- Role: CEO & Founder, DeepSynergy
- Email: yusuf@deepsynergy.io
- Location: Amsterdam, Netherlands
If you are in the EU/Netherlands and are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (AP).
If you are in Indonesia, you may file a complaint with the Ministry of Communication and Information Technology (Kominfo) or other competent authority designated under Law No. 27 of 2022.
If you are in Saudi Arabia or the GCC, you may contact the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.
Related policies: Terms of Service • Cookie Policy