1. Who we are (the controller)
The data controller for the personal data described in this policy is Soryx Data Protection Ltd (“Soryx”, “we”, “us”), a company established in Ireland with its registered office in Dublin, Ireland. We determine the purposes and means of processing when you use the Soryx service.
Because Soryx is established within the European Union, we are not required to appoint a representative under Article 27 GDPR. Our lead supervisory authority is the Irish Data Protection Commission (DPC).
2. The data we process
We practise data minimisation: we only collect what is needed to find and remove your exposed personal information. The categories below are the maximum we ever hold.
| Category | Examples | Why we hold it |
|---|---|---|
| Identity & contact | Name, email, postal address, phone, date of birth | To search broker databases for matches and to contact you |
| Search inputs (“personas”) | Aliases, past addresses, usernames you choose to monitor | To match records that may not use your legal name |
| Exposure findings | Listings and breach records discovered on data brokers | To show you what is exposed and to request its erasure |
| Account & billing | Subscription tier, payment status, invoices | To operate your account and process payments |
| Technical | IP address, device/browser metadata, security logs | To secure the service and prevent abuse |

We do not use your data to build advertising profiles, and we never sell it. See our AI Policy for our binding “no model training” commitment.
3. Lawful bases for processing (Article 6 GDPR)
We never process personal data without a lawful basis. We rely on the following, matched to each purpose:
| Purpose | Lawful basis |
|---|---|
| Delivering scans, removals, and your dashboard | Art. 6(1)(b) - performance of our contract with you |
| Sending Article 17 erasure requests to data brokers on your behalf | Art. 6(1)(b) - contract, supported by Art. 6(1)(f) where we act in your interest |
| Securing the platform, preventing fraud and abuse | Art. 6(1)(f) - our legitimate interests, balanced against your rights |
| Billing, accounting, and statutory record-keeping | Art. 6(1)(c) - compliance with a legal obligation |
| Optional product emails and analytics cookies | Art. 6(1)(a) - your consent, which you may withdraw at any time |

Where we rely on legitimate interests, we have completed a balancing assessment and will share a summary on request. We do not process special-category data (Article 9) as part of the core service.
4. How we share data
To remove your information from the web, we necessarily transmit relevant identifiers to the specific data brokers holding your records, strictly to assert your right to erasure. We also rely on a short list of vetted subprocessors (hosting, breach intelligence, email delivery, payments).
- The full, current list is published at /legal/subprocessors.
- Every subprocessor is bound by a written data-processing contract meeting Article 28 GDPR.
- We disclose data to authorities only where legally compelled, and will tell you unless prohibited by law.
5. International transfers
Our primary infrastructure is hosted in the EU (AWS eu-west-1, Ireland). Where a subprocessor processes data outside the EEA, we rely on an adequacy decision or on the EU Standard Contractual Clauses (2021/914), with supplementary technical measures such as encryption in transit and at rest. Details per vendor are listed on the Subprocessors page.
6. How long we keep data
- Account and removal records: for the life of your subscription, then deleted within 30 days of account closure.
- Exposure and breach findings: retained while relevant to active monitoring, then purged.
- Billing records: retained for the period required by Irish and EU tax law (typically 6 years).
- Security logs: retained for up to 12 months, then deleted or anonymised.
You can delete your account - and trigger erasure of your data held by Soryx - at any time from your account settings.
7. Your rights
Under the GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection, plus rights regarding automated decisions. We explain how to exercise each one - and our response timelines - on our dedicated GDPR rights page.
Complaints
You may lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or your local supervisory authority. We would, of course, welcome the chance to resolve any concern with you first.
8. Security
We apply encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, and least-privilege access for staff. Access to your identity data is limited to the systems and personnel required to operate removals.
9. Changes to this policy
We may update this policy as the service evolves. Material changes will be notified by email or in-product before they take effect. The “Last updated” date above always reflects the current version.
