Last updated: March 11, 2026
The controller of your personal data is Sylius sp. z o.o., with its registered address at ul. Ostróżki 2/3, 86-005 Białe Błota, Poland, NIP (VAT ID) 7272867768, REGON 524874153, entered into the Register of Entrepreneurs of the National Court Register under KRS number 0001028152. You can contact us regarding privacy matters at [email protected]. If we appoint a Data Protection Officer (DPO) in the future, we will publish the DPO's contact details in this Privacy Policy or within the service.
This Privacy Policy applies to Sylius Connect as an identity provider. When you use Sylius Connect to access another service, that service processes personal data under its own privacy policy and determines its own purposes and legal bases for processing. Sylius Connect's role is to authenticate you and, when you authorize it, to share certain identity claims with a service you choose to access.
We process the personal data you provide directly, including your email address, your first and last name, and your password, which is stored only in hashed form (we do not store or have access to your plaintext password). We also process technical and security data generated automatically when you use the service, such as unique account identifiers, session identifiers, OAuth tokens and related metadata (such as issuance and expiry times), IP address, device and browser information (for example, user agent string), timestamps and security event logs. We also process records of your authorizations, including which services you authorized and what claims or scopes were requested and granted.
We process personal data to create and manage your Sylius Connect account, to authenticate you, and to provide identity and access management functionality, on the basis that such processing is necessary for the performance of a contract with you under Article 6(1)(b) GDPR. We process personal data to send you necessary service communications such as verification messages, security notices and password reset messages, on the basis of contract necessity under Article 6(1)(b) GDPR and, where applicable, our legitimate interests in secure operation under Article 6(1)(f) GDPR. We process technical and security data (including IP addresses and logs) to maintain security, prevent abuse, detect fraud, investigate incidents, and ensure the integrity and availability of the service, on the basis of our legitimate interests under Article 6(1)(f) GDPR. We may process personal data to comply with legal obligations under Article 6(1)(c) GDPR, including responding to lawful requests by public authorities and meeting applicable accounting, tax or compliance retention requirements where relevant. We disclose identity claims to a service you choose to access only when you actively authorize that disclosure as part of the OAuth/OpenID Connect authorization process; depending on the context and what is disclosed, this disclosure is based on your request to perform the contract (Article 6(1)(b) GDPR). In limited cases where the disclosure goes beyond what is necessary for the requested service, your explicit consent under Article 6(1)(a) GDPR may be required separately. You can revoke an authorization at any time. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Where we rely on legitimate interests, our interests include operating a secure and reliable authentication service, preventing unauthorized access, detecting and preventing abuse and fraud, protecting users and the Provider, maintaining service integrity, and improving the service's security posture. We consider and balance these interests against your rights and freedoms, and we apply safeguards such as data minimization, access controls, logging protections, and retention limits.
When you authorize access for a Relying Party Service, Sylius Connect shares only the claims and scopes that you authorize (for example a unique identifier, email address, name and email verification status). The recipient service will act as an independent controller for the personal data it receives and processes for its own purposes. Sylius Connect may also share personal data with service providers acting as processors on our behalf, including cloud hosting and infrastructure providers, transactional email delivery services, application monitoring and logging services, and security service providers, under data processing agreements compliant with Article 28 GDPR. We may disclose personal data to competent public authorities where required by law, court order or binding request, or where necessary to establish, exercise or defend legal claims.
We store and process personal data primarily within the European Economic Area (EEA). Some personal data, such as technical error reports and associated metadata, may be transferred to service providers located outside the EEA (including the United States) for application monitoring and error tracking purposes. Where such transfers occur, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs). We also rely on the EU-U.S. Data Privacy Framework where the relevant service provider is certified under it.
We retain account data such as your email address and name for as long as your account remains active. If you delete your account, we delete or anonymize account data without undue delay and typically within 30 days, unless retention is required by law or necessary for the establishment, exercise or defence of legal claims. OAuth tokens and session identifiers are retained for their validity period and are automatically invalidated or removed upon expiry, and may be retained briefly in logs for security auditing. Security logs and access records, including IP addresses, are retained for a limited period proportionate to security needs, typically up to 12 months, unless a longer retention is necessary to investigate a security incident or to comply with legal obligations.
We implement appropriate technical and organizational measures to protect personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. Measures include secure password hashing, encryption in transit using TLS/HTTPS, access controls and least-privilege principles, token expiry and revocation mechanisms, monitoring and logging, and regular security updates and reviews.
Subject to the conditions and limits set out in the GDPR, you have the right to request access to your personal data, rectification of inaccurate data, erasure of data, restriction of processing, data portability, and to object to processing based on legitimate interests. Where processing is based on consent, you have the right to withdraw consent at any time. To exercise your rights, contact [email protected]. We will respond without undue delay and in any event within one month of receipt of the request, unless the GDPR allows an extension, in which case we will inform you of the extension and the reasons.
Sylius Connect does not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
Sylius Connect uses only strictly necessary cookies or similar storage mechanisms that are required for the authentication service and security features to function, such as maintaining login sessions and providing CSRF protection. These technologies do not require consent under Article 5(3) of the ePrivacy Directive where they are strictly necessary to provide the service you request. If you block these cookies, Sylius Connect may not function correctly.
Sylius Connect is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, you may not create an account. If we become aware that we have collected personal data from a person under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe that a child under 16 has created an account, please contact us at [email protected].
In the event of a personal data breach, we will assess the risk to individuals' rights and freedoms and will notify the competent supervisory authority and, where required, affected individuals in accordance with Articles 33 and 34 GDPR.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, Poland. Information is available via uodo.gov.pl. If you reside in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority.
We may update this Privacy Policy from time to time, for example to reflect changes in the service, legal requirements, or our processing activities. If changes are material, we will notify you in advance, typically at least 30 days before the changes take effect, by email or by a prominent notice in the service, and we will update the "Last updated" date.