Synergy SKY Privacy Notice

Legal Information.

Synergy SKY AS has registered address at Klingenberggaten 7B, 0161 Oslo, Norway.

At Synergy SKY AS ("us", "we", or "our"), we care about privacy, security and transparency; these are core tenets in our company’s mission. Toward that, this privacy notice explains what to expect when Synergy SKY collects personal information about you, including:

• how we collect data;
• understanding who controls your data;
• the lawful basis for processing your data;
• understanding Synergy SKY services;
• information sharing and transborder flows;
• security, compliance and certification assurance;
• your data protection rights;
• special information for residents of California, USA;
• data retention;
• our commitment to data protection;
• future changes to this privacy notice; and
• definitions.

How Synergy SKY Collects Data.

One of the purposes of this privacy notice is to explain how we collect and process personal data. The primary ways we collect information are when you:

• (a) visit one of our websites;
• (b) consume our services purchased by your employer or business;
• (c) attend a meeting as participant which is joined by a meeting room consuming our services;
• (d) contact us directly using email, chat, or web forms;
• (e) visit one of our office locations;
• (f) provide us feedback; and
• (g) submit a job application.

We encourage you to read this privacy notice. It has been written to ensure you understand how we collect information, how it is safeguarded, what data is collected, how it is processed, where it is processed, with whom we may share it, and your rights under the law.

Please be informed that our websites and services are not intended for children, which may be defined differently by the data protection laws in your territory; we do not knowingly collect data from children and will immediately delete it if discovered.

Understanding Who Controls Your Data.

When your organisation procures video collaboration and meeting room services from Synergy SKY, we act as a data processor (“Processor”) under the instructions of a data controller. In this instance, all future requests or exercises of your rights must be made to the data controller.

When services are used in the context of US healthcare, a Business Associate Agreement between Synergy SKY and the customer/partner is required per 45 CFR Part 160 & 164. We use appropriate safeguards to prevent the use or disclosure of electronic protected health information (“ePHI”) according to the requirements of the HIPAA Security Rule. Synergy SKY employs administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted via services on behalf of the subscribed HIPAA Covered Entity or Business Associate as defined in 45 CFR 164.103.

When you share information with us directly by visiting our website, Synergy SKY acts as a Data Controller (“Controller”) according to the definitions in Article 4 of Regulation (EU) 2016/679 (“EU GDPR”) or the Data Protection Act of 2018 (“UK GDPR”), collectively referred to as the General Data Protection Regulation (“GDPR”). As a Controller, where we determine the purpose and the means of the processing, we are responsible for controlling and safeguarding your personal data.

Toward that, we have assigned a Privacy Officer to superintend all aspects of this privacy notice, ensuring your questions are answered and your rights are respected. Whenever you have questions, you should contact the Privacy Officer via one of the venues below:

Synergy SKY’s Lawful Basis for Processing Your Data.

Synergy SKY will only process your data according to the allowance permitted by law. In most instances, we will only use your data in the following situations:

• when you provide us with your consent to process your personal data which may be revoked by you at any time and for any reason;
• when it may be necessary for our legitimate interest;
• when we may need to respond to a legal requirement or regulatory action; and
• where we need to fulfill our obligation to provide services when you subscribe to our services.

In the following table, we describe ways your personal information may be used; each of these uses are tied to a legal basis for processing. Further, we have also outlined wherever we have a legitimate interest to process your data where appropriate.

Understanding Synergy SKY Services.

This section applies to users of Synergy SKY services. If you only use the Synergy SKY public website, this section does not apply to you.

Synergy SKY provides video interop as a cloud service including CONNECT, Management Suite and associated support activities (“Services”).

Services are driven by an Internet-based communication platform designed to enable business users to connect to video meetings. The person adding you for the first time to an organisation will provide certain information about you for provisioning, such as your name, company name and work email address in the Management Suite. The meetings are routed from the end point in meeting room through the Synergy SKY Connect services in a seamless manner.

The type of personal data we collect to provide collaboration and meeting room services include:

• Provisioning data: Display Name, Video Address
• Meeting Metadata: Meeting title, Participant names and Call Log details
• Conference Media: Audio streams, Video streams and Content Sharing
• Scheduling Service data: Full Name, Email Address

Information Sharing and Trans border Flows.

Synergy SKY respects your right to privacy and we do not use or share your personal information in any other way beyond what has been written in this privacy notice. For instance, we do not sell your information to anyone, including but not limited to third parties for their own marketing use.

Synergy SKY may share personally identifiable information to third party Corporate Subprocessors who provide or offer other applications on our behalf. This data sharing pertains to CRM data which we hold as ‘Controller’ and is shared in compliance with privacy laws and electronic communication regulations.

As a Data Processor, Synergy SKY is acting under the instructions of the Data Controller and may share your data with the Controller in support of your service. We have a due diligence process with all our vendors and all sub-processors of personal data have a Data Processing Agreement (“DPA“) in place. Those DPAs are scrutinised by our Privacy Officer and must be approved by the senior leadership team.

The list of third parties (“Subprocessors”) that assist Synergy SKY in delivering your service is available here: https://www.synergysky.com/subprocessors

EEA, Swiss and UK Customers

The content below is applicable only for EEA, Swiss and UK Customers. If your organization is based out of other countries, then it does not apply to you.

Whenever we transfer your personal data to third countries, we ensure a similar degree of protection is afforded to it by employing at least one or more of the following safeguards:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy Decisions and United Kingdom: ICO Adequacy.
• Where we use certain service providers, we may use specific contracts approved by the European Commission or UK’s Information Commissioner Office (“ICO”) which give personal data the same protection it has in Europe. Due diligence of the third country’s legal system and provider obligations is carried out, including notification, opportunity to resist production, and obligations to cease processing if compliance is not possible under the clauses.

Synergy SKY will confirm, on the basis of the due diligence carried out, that the standard contract clauses, in conjunction with any other applicable contractual terms for the relationship, are sufficient to address any issues raised as to the protection of personal data in the third country in that context or whether the circumstances require more specific terms.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA, UK or Switzerland.

Security, Compliance and Certification Assurance.

At Synergy SKY, we have a security and compliance team actively working to keep your information protected, auditing the security posture and improving safeguards from unauthorized access, accidental loss, disclosure or destruction. Toward this, we employ physical, technical, and administrative safeguards to protect the personal information we collect and process. Administrative and organisational policies and procedures are documented in the Synergy SKY Information Security Management System (ISMS) where appropriate controls are designed to maintain an adequate level of data confidentiality, integrity and availability.

Synergy SKY is ISO/IEC 27001:2022 certified and is committed to legal compliance with applicable laws including GDPR and HIPAA. For more information, please visit our compliance page.

Your Data Protection Rights.

Many data subjects have data privacy rights afforded them by laws and regulations such as the GDPR and CCPA.

• Right to be informed about the collection and use of your personal data. This includes being provided with clear, transparent, and easily understandable information about how and why we use your data, who we share it with, and how long we retain it. (GDPR Art. 12-14.)
• Right of access / right to know. You may request confirmation whether we process your personal data and obtain access to it. For California residents, you may also request the categories of personal information (PI) collected, sources, purposes, categories of recipients (including sold/shared or disclosed for a business purpose), and the specific pieces of PI we hold. (GDPR Art. 15.)
• Right to correction/rectification. You may request prompt correction of inaccurate personal data and completion of incomplete data; California residents may request correction of inaccurate PI we maintain. (GDPR Art. 16; Cal. Civ. Code § 1798.106.)
• Right to deletion/erasure. You may request deletion of your personal data/PI, subject to statutory exemptions. (GDPR Art. 17; Cal. Civ. Code § 1798.105.)
• Right to restrict processing. You may request that we restrict processing in specified circumstances (e.g., while accuracy is contested or where processing is unlawful and you prefer restriction). (GDPR Art. 18.)
• Right to object to processing (including a separate, absolute right to object to direct marketing). You may object at any time to processing based on our legitimate interests (we will stop unless we demonstrate compelling legitimate grounds overriding your interests/rights). Separately, you have an absolute right to object to direct marketing and related profiling, and we will stop. (GDPR Art. 21(1), 21(2)–(3).)
• Rights related to automated decision-making (ADM). You have the right to receive notice of automated decision-making including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Where such processing occurs, you are entitled to human intervention, to express your view, and to contest the decision. (GDPR Art. 22(1), 22(3).)
• Right to withdraw consent. Where we process data based on your consent, you may withdraw it at any time; withdrawal does not affect prior lawful processing. (GDPR Art. 7(3).)
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. (GDPR Art. 20.)
• Right to lodge a complaint with a supervisory authority. You may lodge a complaint with a data protection authority, including in your habitual residence, place of work, or place of the alleged infringement. (GDPR Art. 77.)
  
  

Additional Rights, including the above, for California Residents

• Right to opt out of the sale or sharing of personal information. If we act as a business for certain data, you may direct us not to sell or share your PI. Where applicable, we provide a “Do Not Sell or Share My Personal Information” link and honor valid requests. (Cal. Civ. Code §§ 1798.120, 1798.135.)
• Right to limit the use and disclosure of Sensitive Personal Information (SPI). You may direct us to limit SPI to uses permitted by law; where applicable, we provide a “Limit the Use of My Sensitive Personal Information” mechanism. (Cal. Civ. Code § 1798.121; 11 CCR § 7027.)
• Right to non-discrimination. We will not deny goods/services, charge different prices/rates, or provide a different level/quality because you exercised your rights. (Cal. Civ. Code § 1798.125.)
• Use of an authorized agent & methods to exercise rights. You may designate an authorized agent to submit requests on your behalf (subject to verification); we provide two or more methods to submit requests (including a toll-free number, unless we operate exclusively online and have a direct relationship, in which case an email address is sufficient). We also honor opt-out preference signals (e.g., Global Privacy Control) as a valid request to opt out of sale/sharing. (Cal. Civ. Code § 1798.130(a)(1); 11 CCR §§ 7063, 7013–7014, 7025.)

How to submit a request.

If your rights apply in your jurisdiction and we act as a controller for your data, you can submit a request by emailing contact@synergysky.com. For California opt-outs of sale/sharing, you may also use the “Do Not Sell or Share My Personal Information” link where applicable, and we honor opt-out preference signals (e.g., Global Privacy Control) without requiring identity verification.

We do not charge a fee to access your data or exercise your rights. We may charge a reasonable fee or refuse a request only when it is manifestly unfounded or excessive (for example, repetitive), and we will explain why.

We may request information needed to verify your identity before acting on a request and will use any additional information only for verification. Under the GDPR, where we have reasonable doubts about identity, we may request additional information; under the CCPA/CPRA, verification is required for “know/correct/delete,” while opt-out of sale/sharing and limit SPI requests do not require a verifiable consumer request. You may designate an authorized agent to act for you (subject to verification requirements).

We respond within the timeframe applicable to your location and request type:

• GDPR: within one month of receipt (extendable by up to two months for complex or numerous requests, with notice).
• California (CCPA/CPRA): within 45 days of receiving a verifiable consumer request (extendable once by 45 days, with notice).

If we decline all or part of a request due to a statutory exception, we will explain the basis and how to escalate or complain to a supervisory authority.

For Synergy SKY services, we generally act as a processor/service provider for our customers. In that capacity, we process personal data on the customer’s instructions, and requests regarding such service data must be directed to the customer (the controller/business). We will support our customers in fulfilling requests as required by our contracts and applicable law.

Special Information for Residents of California, USA.

In relation to Synergy SKY video collaboration and meeting room services, we are Service Provider (and not Business under CCPA) under Section 1798.140(v) of the California Civil Code and hence all the data subject rights related to Synergy SKY services should be directed to the Business who would then engage us.

Data Retention.

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we must keep basic information about our customers (including contact, identity, financial and transaction data) for seven years after ceasing to be a customer for taxation purposes.

In cases where we decide the means and purpose of processing and act as Controller, you can ask us to delete your data and we shall address it in a timely manner, subject to legal and regulatory obligations and keep you informed of it. In other cases where we act as Service Provider or Processor, we will route your requests to the Business or Controller for actioning your request to delete your data. We may anonymise your personal data so that it can no longer be associated with you for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Our Commitment to Data Protection.

Synergy SKY is committed to the highest standards of information security, privacy and transparency. Towards this, Synergy SKY complies with data protection laws around the world where we process information and protect data subject rights. These include:

• EU Regulation 2016/679 (the EU GDPR)
• EU Regulation 2018/1725
• UK Data Protection Act 2018 (DPA 2018, enacting the UK GDPR)
• California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA)
• Swiss Federal Act on Data Protection (FADP)
• UL Data Use and Access Act 2025
• Relevant U.S. state data protection laws

Future Changes to this Privacy Notice.

As our services evolve, this privacy notice may change or other privacy documentation may be written and posted specific to new offerings or to keep pace with data privacy laws. When changes are substantial, we will endeavour to make you aware of any forthcoming changes by attempting to contact you via our user interfaces, portals, or through your partner or reseller. If you have questions or comments on a future privacy notice, you may write us at contact@synergysky.com.

Questions for Synergy SKY.

If you have any remaining questions that are not addressed within this privacy notice, please contact the Privacy Officer at contact@synergysky.com.

Definitions

Personal Data: Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

Data Controller: Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.

Data Processors (or Service Providers): Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.

Data Subject (or User): Data Subject is any living individual who is using our Service and is the subject of Personal Data.

Prior Versions:

• January 10, 2024
• January 29, 2019