Privacy Policy
Last updated: 2026-04-22
This Privacy Policy explains what personal data SyntaxPath collects when you visit syntaxpath.com, sign in, or buy something from us, why we collect it, who we share it with, and how you can exercise your rights over it. It is written to satisfy our obligations under the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and the California Consumer Privacy Act (CCPA), and to be understandable to a normal human being.
1. Who we are (the data controller)
The data controller is Marshal Solutions FZ-LLC, a free-zone limited liability company registered at Marshal Solutions FZ-LLC, VUPR0628 Compass building - Al Hulaila, AL Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates. For privacy questions, data-rights requests, or any concerns about how we handle your data, contact support@syntaxpath.com.
2. What we collect, why, and the legal basis
We try to collect as little as possible. The personal data we actually hold falls into the following buckets:
- Account data - email address, display name, and (when you sign in with Google or GitHub) your profile image. We collect this so you have an account that ties together your purchases, repository access, and waitlist memberships. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Authentication data - session tokens, OAuth provider IDs, and the email one-time codes used for passwordless sign-in. We collect this to keep you signed in and to prevent abuse. Legal basis: performance of a contract (Art. 6(1)(b)) and legitimate interest in securing the Service (Art. 6(1)(f)).
- Purchase data - order id, line item, price, currency, and the country reported by the payment processor. We collect this because tax law requires it and because we need to know what you bought. Legal basis: legal obligation (Art. 6(1)(c)) and performance of a contract (Art. 6(1)(b)).
- GitHub username - collected only when you buy a product that includes private repository access. We use it once to send you a collaborator invitation via the GitHub API, and we keep it on the order so we can re-invite you if your access is revoked. Legal basis: performance of a contract (Art. 6(1)(b)).
- Product analytics - pseudonymous page views and funnel events (e.g. which CTAs were clicked, which checkout step you reached) collected via PostHog. This is gated behind your cookie consent (see §3) and is only active if you accept. Legal basis: consent (Art. 6(1)(a)).
- Server logs - IP address, user agent, referrer, and request path, retained briefly for security, abuse detection, and debugging. Legal basis: legitimate interest in operating a secure service (Art. 6(1)(f)).
We do not collect or process: government IDs, passport data, social security or tax-ID numbers, biometric data, location data beyond country-level, or any "special category" data under GDPR Art. 9.
3. Cookies and similar technologies
We use two categories of cookie-like storage:
- Essential - a session cookie set by Better Auth so you stay signed in, plus a small localStorage entry that remembers whether you've answered the cookie banner. These are required for the site to function and are not subject to consent under GDPR Art. 5(3) ePrivacy.
- Analytics (optional) - PostHog cookies that record pseudonymous product analytics. Only loaded if you click Accept all on the cookie banner. If you click Reject non-essential (or dismiss the banner), no analytics cookies are set.
You can change your decision at any time. If you are signed in, open the Preferences section on your Settings page to re-show the banner and revoke or grant consent. You can also email support@syntaxpath.com - or, for the technically inclined, clear the syntaxpath.cookie-consent.v1 entry from your browser's local storage and reload the page.
4. Sub-processors
We use the following third-party services to run the Service. Each has access only to the data needed to perform its function and is contractually bound to handle it under its own published terms and Data Processing Agreement.
- Vercel (United States, with edge nodes worldwide) - hosting and request routing for the website. Sees: IP, request path, user agent.
- Neon (EU region) - managed Postgres database. Sees: everything you store on your account (email, name, purchases, GitHub username).
- Better Auth - open-source authentication library that runs in our own server process (not an external SaaS). Underlying OAuth providers (Google, GitHub) see your email and basic profile when you sign in with them.
- Stripe (United States, EU subsidiaries for EU customers) - card and bank-account payment processing, invoicing, and tax. Sees: payment instrument, billing address, country.
- PayPal (United States / EU) - alternative payment processing. Sees: payment instrument, billing address.
- PostHog (EU region) - product analytics. Only receives data if you accept the analytics cookie (see §3). Sees: pseudonymous page views, funnel events, anonymised IP.
- Loops (United States) - transactional and lifecycle email (login one-time codes, purchase receipts, waitlist announcements). Sees: email address, name, message content.
- GitHub (United States) - repository hosting and the collaborator-invite API used to grant you access to paid repositories. Sees: the GitHub username you provided at checkout.
- Arcjet (United States, edge) - bot detection and rate-limiting for our API endpoints. Sees: IP, user agent, request fingerprint.
We will keep this list current. Material changes (adding a new sub-processor that significantly changes the data flow) will be announced by updating the "Last updated" date above.
5. International transfers
Some of the sub-processors above are based outside the UAE and outside the European Economic Area. Where personal data is transferred to a country without an adequacy decision, the transfer is made under Standard Contractual Clauses (SCCs) or equivalent safeguards published by the receiving processor. Marshal Solutions FZ-LLC, as the data controller, remains responsible for the data regardless of where it is processed.
6. Retention
- Account data - kept for as long as your account is active. Deleted within 30 days of a confirmed account-deletion request.
- Purchase records - kept for 7 years after the purchase to comply with tax and accounting law. Deleting your account does not delete purchase records - we anonymise them (remove name and email) but retain the order id, amount, and tax data.
- Analytics - pseudonymous events kept for 12 months, then automatically pruned.
- Server logs - kept for up to 30 days, then automatically pruned.
- Email logs (handled by Loops) - kept according to Loops' published retention policy.
7. Your rights under GDPR / UK GDPR
If you are in the European Economic Area, the United Kingdom, or a country with comparable data-protection law, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase ("right to be forgotten") your personal data, subject to legal retention obligations (see §6).
- Restrict or object to processing based on legitimate interest.
- Port your data to another service in a structured, machine-readable format.
- Withdraw consent at any time where we relied on it (e.g. analytics).
- Lodge a complaint with your local supervisory authority.
To exercise any of these, email support@syntaxpath.com. We will respond within 30 days. We may need to verify your identity before acting on a request.
8. Notice for California residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect about you, to request its deletion, and to opt out of any "sale" of personal information. We do not sell or rent personal information to third parties for monetary or other valuable consideration. Sharing with sub-processors as described in §4 is for service operation only and is not a sale under CCPA.
To exercise CCPA rights, email support@syntaxpath.com. We will not discriminate against you for exercising any of your rights.
9. Children
The Service is intended for users aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact support@syntaxpath.com and we will delete it.
10. Security
We protect your data with industry-standard practices, including TLS in transit, hashed session tokens, scoped database credentials, least-privilege access for sub-processors, and bot/abuse protection (Arcjet) on sensitive endpoints. We do not store payment card numbers - that data goes directly to Stripe or PayPal. No method of transmission or storage is 100% secure; if there is a breach affecting your data, we will notify you and the relevant supervisory authority as required by law.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be highlighted at the top of this page and, where you have an account, communicated by email or in-product notice. Continued use of the Service after a change means you accept the updated policy.
12. Contact
For privacy questions, data-rights requests, or anything else about how we handle your data, email support@syntaxpath.com. For general or friendly enquiries, hello@syntaxpath.com. Our full Terms of Service and License apply alongside this Privacy Policy.