Privacy Policy

Version 2025-06-17  ·  Synqc

This Privacy Policy explains how Synqc ("we", "us") collects, uses, and protects information about the people who use our service ("you"). It covers data collected directly from our customers — not the personal data that customers' own contacts provide through HubSpot (which is governed by our Data Processing Agreement).

1. Who We Are

Synqc operates the conversion-tracking service available at app.synqc.io. We are the data controller for personal data collected from our own customers.

Contact: legal@synqc.io

2. Data We Collect and Why

DataWhen collectedPurposeLegal basis (GDPR)
Full name, company name, email address Registration Create and manage your account; send login links Performance of contract (Art. 6(1)(b))
OAuth tokens (HubSpot, Meta) Account setup Access APIs on your behalf to deliver the service Performance of contract (Art. 6(1)(b))
Session identifiers (cookies) Login Keep you logged in securely Performance of contract (Art. 6(1)(b))
Event delivery status (timestamps, error codes) Ongoing service Show you activity in the dashboard; alert you to delivery failures Performance of contract (Art. 6(1)(b))
IP address Every request Rate limiting and bot/abuse prevention; not stored beyond the request Legitimate interest (Art. 6(1)(f))
Error reports (stack traces, request metadata) When errors occur Diagnose bugs and maintain service reliability; PII scrubbed before transmission Legitimate interest (Art. 6(1)(f))

3. How We Store Your Data

Account data (name, company, email hash, OAuth tokens, configuration) is stored in Cloudflare KV namespaces hosted primarily in the United States. Your email address is stored in hashed form (SHA-256) as the primary account key; the plaintext email is retained in your registration record only to support login and communication.

Session cookies are short-lived (30 minutes idle, 8 hours absolute maximum) and are flagged HttpOnly, Secure, and SameSite=Strict.

4. Data Retention

Data typeRetention period
Account registration recordDuration of subscription + 30 days after deletion request
OAuth tokens (HubSpot, Meta)Until revoked or account deleted
Session data30 minutes idle / 8 hours absolute; deleted on logout
Last event delivery status60 days (success) / 14 days (error)
Audit log entries13 months, anonymised (no PII, only hashed subject identifiers)
IP addressesNot stored (used only for in-request rate limiting)

5. Third Parties We Share Data With

Third partyCountryWhat is shared
Cloudflare, Inc.United StatesAll stored data (infrastructure provider)
Resend, Inc.United StatesYour email address (to send login links and notifications)
Sentry, Inc.United StatesError reports with PII scrubbed
Meta Platforms, Inc.United StatesHashed contact data from your HubSpot CRM (conversion signals; see DPA)

We do not sell your personal data. We do not share your data with advertisers or data brokers.

6. International Transfers

All third-party providers listed above are based in the United States. Transfers of personal data to the United States are made under the Standard Contractual Clauses (EU Commission Decision 2021/914). By using Synqc, you acknowledge these transfers.

7. Your Rights

If you are located in the European Economic Area, you have the following rights under the GDPR:

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, the right to opt out of its sale (we do not sell personal information), and the right to non-discrimination for exercising these rights. You may submit a request via the opt-out or data deletion flows in your account, or by contacting us at legal@synqc.io.

To exercise any of these rights, contact us at legal@synqc.io. We will respond within 30 days.

8. Cookies

We use only essential cookies necessary to operate the service. No tracking or advertising cookies are set.

CookiePurposeDuration
__Host-sidAuthenticated session identifier8 hours
__Host-setupTemporary session during account setup15 minutes
__Host-csrfCross-site request forgery protection on forms30 minutes

9. Children

Synqc is intended for use by businesses and is not directed at individuals under 18. We do not knowingly collect personal data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the dashboard. The date at the top of this page reflects the most recent update.

11. Contact and Complaints

For privacy inquiries: legal@synqc.io

If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.