Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains how Spacebackend LU SàRL (“Spacebackend”, “we”, “us”) collects, uses and protects personal data in connection with the Lynapse™ Studio platform and account application available at https://lynapse.com and https://app.lynapse.com (the “Service”).
This policy covers personal data for which we act as a controller (e.g., account and billing data of our users). Where we process personal data contained in Customer Data on behalf of a customer organization, we act as a processor, and that processing is governed by the agreement (including the Data Processing Agreement) with the customer rather than this policy.
1. Controller and contact
The controller is:
Spacebackend LU SàRL
9 Av. des Hauts-Fourneaux, L-4362 Esch-sur-Alzette, Luxembourg
RCS Luxembourg: B288832
For privacy questions or to exercise your rights, contact: contact@spacebackend.com
2. What personal data we collect
Depending on how you use the Service, we may collect:
Account data: name, work email, password (hashed), organization/employer, job title, and role.
Authentication data: login records, single sign-on identifiers (if used), multi-factor authentication settings.
Billing data: billing contact, billing address, VAT number, and transaction records. Card/payment details are processed by our payment provider — we do not store full card numbers.
Usage data: log data, IP address, device and browser information, feature usage, timestamps, and diagnostics.
Support and communications: messages, support tickets, and correspondence you send us.
Cookies and similar technologies: as described in our Cookie Policy.
Customer Data (ICDs, datasheets, source code, digital models, etc.) is uploaded by customers and may incidentally contain personal data (e.g., engineer names in documents). We process such data as a processor on the customer’s instructions; see the DPA.
3. How and why we use personal data (purposes and legal bases)
Under the GDPR, we rely on the following legal bases:
Provide, operate and maintain the Service and your account — Performance of a contract (6(1)(b)).
Process payments and manage billing — Performance of a contract; legal obligation (6(1)(b), 6(1)(c)).
Authenticate users and secure the Service — Legitimate interests — security (6(1)(f)).
Provide support and respond to enquiries — Performance of a contract; legitimate interests (6(1)(b), 6(1)(f)).
Improve and develop the Service (aggregated/de-identified where possible) — Legitimate interests (6(1)(f)).
Send service and administrative communications — Performance of a contract; legitimate interests (6(1)(b), 6(1)(f)).
Send marketing communications (where applicable) — Consent or legitimate interests, subject to opt-out (6(1)(a)/(f)).
Comply with legal, tax, accounting and export-control obligations — Legal obligation (6(1)(c)).
Establish, exercise or defend legal claims — Legitimate interests (6(1)(f)).
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You can ask us about this balancing test using the contact details above.
4. Cookies and analytics
The Service and our websites use cookies and similar technologies (including Google Tag Manager and analytics tools) for functionality, performance and, where applicable, marketing. Non-essential cookies are only set with your consent where required. For details and to manage preferences, see our Cookie Policy.
5. Sharing and disclosure
We do not sell personal data. We share it only with:
Service providers / processors acting on our behalf — e.g., cloud hosting, payment processing, analytics, email, customer support and security providers — under data processing agreements. A list of subprocessors is available on request.
Professional advisers (lawyers, accountants, auditors) under confidentiality obligations.
Authorities / third parties where required by law, to comply with legal process, or to protect rights, safety and security.
Corporate transactions — in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.
6. International transfers
We are based in the EU (Luxembourg) and prefer to keep data within the EU/EEA. Where personal data is transferred outside the EEA (for example to a subprocessor), we put in place appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where relevant, supplementary measures. You can request a copy of the relevant safeguards using the contact details above.
7. Data retention
We keep personal data only as long as necessary for the purposes described, including to provide the Service, comply with legal, tax and accounting obligations (typically up to 10 years for accounting records in Luxembourg), resolve disputes and enforce agreements. Account data is deleted or anonymized within 90 days after account closure, subject to legal retention requirements. Customer Data retention is governed by the customer agreement/DPA.
8. Your rights
Subject to conditions under the GDPR, you have the right to:
access your personal data;
rectify inaccurate or incomplete data;
erase your data (“right to be forgotten”);
restrict or object to processing (including direct marketing);
data portability;
withdraw consent at any time where processing is based on consent (without affecting prior processing);
not be subject to solely automated decisions with legal or similarly significant effect (none are made through the Service in respect of your account data).
To exercise these rights, contact contact@spacebackend.com. We will respond within the timeframes required by law (generally one month). If you are an end user whose personal data appears in Customer Data, please contact the relevant customer (controller); we will assist them as processor.
Complaints. You may lodge a complaint with your local supervisory authority. In Luxembourg this is the Commission nationale pour la protection des données (CNPD) — https://cnpd.public.lu.
9. Security
We implement technical and organizational measures designed to protect personal data against unauthorized access, loss or misuse, including encryption in transit, access controls, logging and monitoring. For sensitive or controlled projects, an On-Premises deployment is available so that data remains within your own environment. No system is completely secure; we encourage you to use strong credentials and enable multi-factor authentication.
10. Children
The Service is intended for business/professional use and is not directed to individuals under 18. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice where appropriate.
12. Contact
Spacebackend LU SàRL — Privacy
9 Av. des Hauts-Fourneaux, L-4362 Esch-sur-Alzette, Luxembourg
Email: contact@spacebackend.com