PRIVACY STATEMENT

Introduction

Synology holds itself to high standards in handling and processing personal information. The statement outlined below establishes the boundaries of what Synology processes and what you, as our customer and the data subject ("users"), are entitled to. This Privacy Statement applies when you use our features and services ("Services"). Additionally, we have a Cookie Policy for use of our website.

Synology operates around the world and has adopted English as the controlling language of this Privacy Statement. Additional translations are provided for convenience. You may switch to other languages by using the language selection button at the bottom of the webpage.

This Privacy Statement applies to Synology-provided services offered on Synology-owned websites, Synology-branded applications, services provided from physical Synology products ("Synology Devices"), and digital or physical services directly offered by Synology. For specific programs, products, or Services offered by Synology, individual Service-specific privacy policies may supersede and prevail over this Privacy Statement or supplement this Privacy Statement in relevant parts.

Your Personal Data

Personal data refers to identifying information that relates to, describe, is capable of being associated with, or can reasonably be linked directly or indirectly to, an individual or a household. Identification can be by the data alone or in conjunction with any other data in the data controller's possession or likely to come into such possession. Synology collects information only to provide you with the Services and to improve user experiences. To provide you with Synology Devices or Services, including responding to your inquiries, we may ask for your personal information. If you choose not to provide the requested information, we may be unable to deliver the desired Services. Most of Synology's Services are provided under a Synology Account, and if you no longer require the Service or wish to have your data removed, you may delete your Synology Account.

In general, Synology collects personal data from you through your use of our Services. Synology also uses cookies and other technologies to gather information regarding a visitor's browsing preferences. The data we collect and store from you, including in the preceding 12 months, may consist of the following data categories:

• Your e-mail address, which is used as identification for our services and as the primary communication method.
• Your name, address, phone number, and additional contact information are used to provide registration, device shipping, and billing verification services.
• Your commercial information including payment method and financial data (credit card, bank account number, etc.), which is used for payment transactions for a service or product, logistics, and billing data (such as customs ID and tracking number).
• Your IP address, unique device identifiers, referral URL, computer and connection data such as the type of operating system you use, device and software information, browser type, browser language and version, ad data, access times, Internet or other network activity such as weblog information used for fraud prevention, security purposes, for warranty registration, support services, and for transactions.
• Your account name, Internet, or other network activity information such as account login, account activity, transaction data, and any information you provide during a transaction, or other transaction-based content that you generate or connected to your account as a result of your transaction.
• Your chat and service history with us, and any other information you may provide us when you interact with us.

Other information that you provide to us through digital or physical means may be stored on a case-by-case basis depending on the reason it was provided.

Synology does not access (or use) files uploaded by users to their devices.

Learn more from our Services Data Collection Disclosure for specific Services and Cookie Policy for specific information on the data processed and ways they are stored for each Service.

Lawful Bases and Other Usage

The lawful bases for Synology to process your personal data for the various types of processing performed on your personal data are, as applicable, processing based on your consent, as necessary for us to enter into and to perform our contract with you, or in certain circumstances, as necessary for Synology to pursue our "legitimate interests", where our interests are not outweighed by your rights and freedoms.

"Legitimate interest" situations necessitating such actions may include the following: to protect you, us, or others from security threats, to comply with laws we are subjected to, to implement information sharing within Synology's group affiliates, to prevent fraud, misuse of company IT systems, to operate a whistleblowing scheme, for purposes of mergers and acquisitions, and to perform internal investigations and auditing.

Synology will collect, process, and use the personal data supplied by you only for the purposes communicated to you and will not disclose your data to third parties except under the lawful bases set forth above. Synology does not share your personal information with third parties for the purpose of direct marketing. Synology also does not engage in the selling of personal data to any third party.

The purposes for which Synology collects and processes personal data may include, but not limited to:

• Operating our websites to provide you access to and use of our websites and Services;
• Administering your use of our Services, to communicate with you and respond to your requests;
• Managing your Synology Account;
• Customizing your Service experience with us, to improve our Services and products;
• Providing you with our online or offline marketing measures and activities; including but not limited to newsletters, online and live event registrations, and other promotional information and materials;
• Sharing your contact details with our subsidiaries, affiliates, authorized repair and support centers, authorized logistics companies, communications infrastructure, and other entities deemed necessary to carry out providing these Services to you;
• Sharing your contact details with our affiliate offices around the world within our group of companies for the purposes of internal administration and back-office support;
• Ensuring our network security, and to prevent fraud;
• Enforcing or defending our policies or contract with you; and
• Maintaining the integrity and safety of our data technology systems that store and process your personal data.

You are not under any obligation to provide us any of your personal data. However, please note that without certain data from you, we may not able to undertake some or all of our obligations to you under our contract with you, or adequately provide you with our full range of services. If you would like to obtain more detail about this, please contact us following the instructions in the "Contact Information" section below.

Period of Storage

Synology keeps your personal data for no longer than reasonably necessary for the given purpose for which your data is processed. If you will provide us, or have provided us, consent for us to process your data, we will process your data for no longer than your consent is effective. Notwithstanding the above, we may retain your personal data as required by applicable laws and regulations, as necessary to assist with any government and judicial investigations, to initiate or defend legal claims or for the purpose of civil, criminal, or administrative proceedings. If none of the above grounds for us to keep your data apply, we will delete and dispose of your data in a secure manner.

Data Controllers, Contracting Parties, Transfer of Data

We use the term "Designated Areas" to refer to the residential locations that are in the European Union (EU), European Economic Area (EEA), and Switzerland.

If you reside in the Designated Areas, Synology Inc. will be the controller of your personal data, except under limited circumstances where Synology holds marketing events in Germany, France, or the United Kingdom, for which Synology GmbH, Synology France SARL, or Synology UK Ltd will respectively be the controller of your personal data. Other than for such limited circumstances, Synology Inc. will be responsible for collecting and processing data for our Services, which will be covered by the Terms of Service of the relevant Services.

If you reside outside the Designated Areas, Synology Inc. will be the controller of your personal data. Your usage of services provided by Synology will be bound by the Terms of Service of the relevant Services.

Synology's Services include providing data processing, order fulfillment, technical support, device replacement, payment invoicing, processing and collection, event registration, customer services, marketing support, as well as the transfer of data based on users' decisions, around the world. The nature of these Services requires us to be able to transfer your personal data into and out of the European Union (EU) to Synology affiliates including Synology GmbH and Synology Inc., authorized repair and support centers, authorized logistics companies, communications infrastructure, and other entities deemed necessary to carry out providing these Services. We may also transfer your data to third-party service providers whom we subcontract to work on our behalf or for us and therefore may have access to the data only for purposes of performing these tasks on our behalf and under obligations similar to those described in this Privacy Statement, who perform functions such as data processing, auditing, order fulfillment, managing and enhancing customer data, providing customer service, conducting customer research or satisfaction surveys, marketing support, payment processing and invoice collection support, informational systems technical support, to help us provide, analyze, and improve our Services and to assist us in detecting and dealing with data breaches, illegal activities, and fraud. We may also share your personal data with governments and/or government-affiliated institutions, courts, or law enforcement agencies, to comply with our obligations under relevant laws and regulations, enforce or defend our policies or contract with you, respond to claims, or in response to a verified request relating to a government or criminal investigation; provided that, if any law enforcement agency requests your data, we will attempt to redirect the law enforcement agency to request that data directly from you, and in such event, we may provide your basic contact information to the law enforcement agency. We may also provide your data to third parties involved in a legal proceeding if they provide us with a court order or substantially similar legal procedure requiring us to do so. The above parties are the recipients of your personal data.

Synology takes measures to ensure that your personal data is processed as required by this Privacy Statement and applicable laws, including to ensure your personal data is transferred to a residential location that has an adequate level of data protection approved by the European Commission. In circumstances where an adequate level of data protection is not available for the residential location of the data recipient, Synology requires that such recipient adopts European Commission-approved Standard Contractual Clauses with Synology as a legal mechanism for data transfer, to ensure that such data is safeguarded and processed by the recipient strictly within the restrictions and conditions set forth in such Standard Contractual Clauses.

Your Rights to your Personal Data

Synology's services are generally provided on an opt-in basis, with required and collected information differing on a per-service basis. Unless subject to an exemption, you will have the following rights with respect to your personal data:

• The right of access: You may request a copy or specific pieces of your personal data that we have collected at the time.
• The right to request information about the categories of your personal data which we have collected and the categories of sources from whom we have collected such data.
• The right to be informed about the business or commercial purpose for our collection of your personal data.
• The right to request information about the categories of your personal data which we have disclosed to third parties and the categories of third parties to whom we have disclosed your personal data.
• The right of portability: You may request us to transmit your personal data directly to another data controller, where the processing is based on your consent or is necessary for the performance of a contract with you, and in either case, we process the data by automated means. The right to delete data: You can request us and our third-party processors to delete data, subject to applicable laws: You can ask us or our third-party processors to delete data for which we no longer need in order to provide service to you.
• The right to correct or change data: You can modify your contact information through your Synology Account. You can also ask us to change, update, or fix data that are incorrectly presented and unable to be changed by yourself.
• The right to object: You can object to the usage of some or all of your personal data which is based on legitimate interests pursued by Synology.
• The right to restrict the use of data: You can ask us to stop or limit the usage of some or all of your personal data that we no longer need, in order to provide service to you, or have legal rights to retain.
• The right not to be discriminated against by us for exercise any of your above rights.

You may make these requests by submitting a request through your Synology Account or our website. Upon receipt, we will evaluate your request and inform you how we intend to proceed. Under certain circumstances, and according to applicable European Union or European Union state laws and regulations, we may withhold access to your data, or decline to modify, erase, port, or restrict the processing of your data. Synology will respond to your request within thirty days after receiving it. Please be advised that if you exercise the rights to erase data, restrict, or object to our processing, or to withdraw your consent, we may not be able to continue our Services to you if the necessary data is missing for processing.

If you are a resident in the Designated Areas, you have the right to file a complaint with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) or with the competent authority where you reside or in which your data is processed. In case of disagreements relating to Synology’s processing of your personal data, you can submit a request for administrative action to the data protection supervisory authority with the competent authority where you reside or in which your data is processed. Please click here for a list of local data protection authorities in the EEA.

Security

Synology employs multiple methods of data protection in order to minimize the risk of misuse, unauthorized access and disclosure, and loss of access. Some of these safeguards include the use of pseudonymization, data encryption, data hashing, and other technologies and permission control methods. When our employees directly handle or access your personal information, we do so on secured networks and through fine-grained permission control to limit who can access your information. Data you provide to us is encrypted and stored on both third-party storage and on Synology-managed devices, depending on the service.

Synology logs and stores IP addresses of both users to our web services solely for security purposes. This log is archived and then removed at irregular intervals depending on ongoing or existing security threats or investigations. If Synology has overwhelming evidence that certain IP addresses, users, or devices may be purposely damaging or hindering our operations or service quality, we may deny further services and/or report such behavior to relevant authorities.

Synology removes data that is no longer required to provide services based on each service.

Changes to Statement

Synology may make amendments to this document when needed to reflect statement updates, customer feedback, as well as new products or services. We will provide a brief overview of the changes, and if the terms modify the way we process or handle your data or affect your rights, we will notify you through direct message or by posting notices if we are unable to directly reach you. We encourage that you regularly review this Privacy Statement to understand how your data is handled.

Data from Children

Synology's products and services are targeted at professionals and are not designed nor intended to be used by children under 16 years of age. Synology does not typically collect date of birth information as it is not used by Synology. If children under the minimum age of the relevant jurisdiction must use Synology's products and services, explicit parental consent must be provided and verified. If Synology is notified or discovers that data collected is from a child under the minimum age, we will take procedures to delete the information as soon as possible.

Notice to End Users

Certain Synology products or services may be managed or administered to you by organizations or other users. Your use of these managed Synology products or services will be affected by the terms or policies that are provided and dictated by the organization or service provider. Please direct inquiries in these instances to the administrator of the device or service. Synology will not be responsible for the privacy or security practices, including the lawfulness of practices for our customers as they may manage or implement our products and services in a manner that is no longer determined by Synology's policies or agreements.

Contact Information

You can directly contact us through your Synology Account, or by submitting a form available on our website for privacy-related questions or concerns.

If you are a California resident, you may also contact Synology to this toll-free at 1-866-467-8688 (Service Code 951#). If you are unable to resolve the issue, you have options to exercise your rights as detailed in the previous "Your Rights to your Personal Data" section. Synology will respond to your requests within thirty days after receiving it.

You may also contact Synology through the following addresses.

For users residing in the Designated Areas:

Synology GmbH
Attn: Data Protection

Grafenberger Allee 295
40237 Düsseldorf
DEUTSCHLAND

Tel: +49 211 9666 9666

For users residing outside the Designated Areas:

Synology Inc.
Attn: Data Protection

9F, No. 1, Yuan Dong Rd.,
Banqiao, New Taipei 220632
TAIWAN

Tel: +886 2 2955 1814