Privacy
In plain English
We collect what we need to deliver a repair or alteration — and nothing more. We don't sell your data, we don't profile you for advertising, and you have eight GDPR rights you can exercise by emailing privacy@syom.io.
1. Who's responsible for your data
SYOM ApS is the data controller. One email reaches the right person.
Data controller: SYOM ApS, [address], CVR [xxxxxxx]
Privacy contact: privacy@syom.io
General support: support@syom.io
For complaints, you can also contact the Danish Data Protection Authority (Datatilsynet) — but we'd appreciate the chance to fix things first.
2. What this covers
Everything we do on our platform, app, and embedded surfaces — across Denmark, Sweden, Norway, and Finland.
This Privacy Policy applies to our website, mobile app, embedded booking surfaces on partner brand sites, and any Service you book through them. It aligns with EU GDPR and Nordic privacy rules. Operations are primarily in Denmark, and data is stored in EU-region infrastructure.
3. What we collect
The minimum required to deliver, communicate, improve, and meet our legal duties.
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, email, phone, addresses | You provide it |
| Account | Login credentials, preferences, consent records | You provide it |
| Order & service | Service selections, notes, measurements, garment photos | You provide it |
| Logistics | Pickup/delivery windows, tracking, proof of delivery | Generated during service |
| Transactions | Payment status, tokenised payment method, invoices | Payment provider |
| Technical | Device, IP, browser, cookies, error diagnostics | Automatic |
| Communications | Support tickets, emails, chat messages | You provide / we generate |
| Marketing | Subscriptions, unsubscribes, campaign interactions | Consent-based |
4. Why we process it
Every use of your data has a specific reason — and a specific legal basis in EU law. We show both, side by side, so nothing hides behind jargon.
GDPR Article 6 lists six possible legal grounds for processing personal data. For each thing we do with your data, we name the ground we rely on — and why we picked that one.
| What we do | Why | Legal basis (GDPR Art. 6) |
|---|---|---|
| Set up your account, authenticate you, deliver the service | We can't do the service without it | Contract performance (6(1)(b)) |
| Process payment, issue invoices, keep books | Tax and accounting law require us to | Legal obligation (6(1)(c)) |
| Pickup, delivery, order updates | Part of the service we promised you | Contract performance (6(1)(b)) |
| Quality assurance, customer support | We need to know if a repair held up | Legitimate interests (6(1)(f)) |
| Security, fraud prevention, abuse detection | Protects you and the platform | Legitimate interests (6(1)(f)) |
| Analytics, A/B testing, product improvement | Helps us build a better service | Consent (6(1)(a)) |
| Marketing communications | Only with your opt-in (or limited soft opt-in for existing customers) | Consent / soft opt-in (6(1)(a)/(f)) |
| Legal claims, regulatory compliance | Required by law or to defend our rights | Legal obligation / legitimate interests (6(1)(c)/(f)) |
5. Who we share with
Only the parties who genuinely need the data to deliver the service — never with advertisers, never for sale.
- Tailors — the workshop performing your repair sees what they need to do the work: garment details, notes, photos, return address. They're bound by confidentiality and a Data Processing Agreement.
- Delivery partners — couriers handling pickup and return see address and order ID only.
- Payment providers — handle card processing and fraud screening. They see payment data; we don't.
- Infrastructure providers — hosting, email delivery, error monitoring, analytics. All bound by data processing agreements and EU-region constraints where applicable.
- Partner brands — if you booked through a partner brand's surface, that brand may receive limited information (e.g., that you booked a service for one of their garments). The brand never sees your payment details and only sees what's needed to fulfil the warranty or care commitment they offer you.
- Authorities — when legally required (court order, regulatory request).
6. International transfers
We keep data in the EU/EEA wherever possible. When transfer outside is needed, we use approved legal safeguards.
Our primary infrastructure is hosted in the EU. Some vendors (e.g., specific support tools) may process data outside the EEA. When this happens, we use approved transfer mechanisms — typically Standard Contractual Clauses — and where appropriate, supplementary measures such as encryption.
7. How long we keep it
As short as possible — with legal retention periods (mostly accounting) as the floor.
| Data | Typical retention |
|---|---|
| Active account data | While your account is active + 12 months after closure |
| Order data | 5 years (Danish bookkeeping law) |
| Payment records | 5 years (Danish bookkeeping law) |
| Marketing consent records | Until you opt out |
| Support correspondence | 3 years from last contact |
| Anonymous analytics | Aggregated indefinitely (not linked to you) |
8. Your rights
EU law gives you eight rights. Most can be exercised in one email.
You can ask us to:
- See what data we hold about you — the right of access
- Fix anything that's wrong or out of date — the right to rectification
- Delete your data — the right to erasure (subject to legal retention duties)
- Pause our processing while we sort something out — the right to restriction
- Take your data elsewhere in a portable format — the right to portability
- Object to certain processing (especially marketing) — the right to object
- Withdraw any consent you've given us, at any time
- Complain to your national data protection authority (in Denmark: Datatilsynet)
To exercise any of these rights, email privacy@syom.io. We respond within 30 days — usually much faster. Identity verification may be required for sensitive requests.
9. How we protect your data
The same care we ask our Tailors to bring to garments, we bring to your data — and we show our work.
Your data sits behind the standard tools of premium-tier infrastructure: TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls so only the people who need to see something can, and audit logs so we can answer the question "who touched what, when."
We review our security setup regularly — quarterly internally, annually with external input once we cross the relevant threshold. No system is perfect. If you spot something that looks wrong, email privacy@syom.io and we'll treat it as the priority it is.
10. Children
The service is for 18+. We don't knowingly collect data from minors without parental involvement.
SYOM is intended for users 18 and older. We do not knowingly collect personal data from minors without parental consent. If you believe a child has provided personal data without appropriate consent, contact privacy@syom.io and we'll act promptly.
11. Changes to this Policy
We update this Policy as the service evolves. Material changes are signposted.
We may update this Privacy Policy from time to time. Material changes will be signposted on the platform and notified to account holders where appropriate. The "Last updated" date below tells you when the current version took effect.