Privacy Policy
Last updated: 29 April 2026
SyncFlow ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable laws.
1. Data Controller
The data controller responsible for your personal data is:
SyncFlow
Email:
2. Data We Collect
a) Contact form submissions
When you use our contact form, we collect: name, email address, company name (optional), phone number (optional), selected plan, and your message.
b) User account data
When an account is created for your team, we store: display name, email address, role, timezone preference, and language preference.
c) Event and content data
Data you create within SyncFlow: events, notes, notifications, quotes, and links. This data belongs to your team's workspace.
d) Server-side analytics
We collect anonymous analytics on landing page visits: device type, browser, operating system, language, referring URL, UTM parameters, and a one-way hash of your IP address (rotated monthly, not reversible). We do not use client-side tracking cookies for analytics.
e) Authentication data
We use a server-side PHP session cookie (strictly necessary) to keep you logged in. This cookie contains no personal data and expires when you close your browser or log out.
3. Legal Basis for Processing
We process your data under the following legal bases (GDPR Art. 6):
- Contract performance — to provide the SyncFlow service to your team (account data, event data).
- Legitimate interest — to improve our service and understand usage patterns (anonymous analytics).
- Consent — when you voluntarily submit the contact form.
4. How We Use Your Data
- To provide and maintain the SyncFlow dashboard service.
- To respond to your contact form inquiries.
- To send calendar invitations and notifications you or your team configured.
- To monitor service performance and fix issues.
- To comply with legal obligations.
We do not use your data for advertising, profiling, or automated decision-making.
5. Data Sharing
We do not sell, rent, or trade your personal data. We may share data with:
- Email service provider — to send transactional emails (calendar invites, notifications, contact form replies). Only the recipient's email address and message content are shared.
- Google Analytics 4 — anonymous, server-side page view events. No personal data is sent; only a hashed, rotating identifier.
- Hosting provider — our server infrastructure provider processes data as a sub-processor under our instructions.
6. Data Retention
- Contact submissions — retained until manually deleted by an administrator, or upon your request.
- Account and event data — retained for the duration of your subscription. Deleted after account termination, once a 30-day grace period has passed.
- Analytics data — IP hashes rotate monthly. Aggregate page view records are retained indefinitely but contain no personal data.
- Session cookies — expire at the end of the browser session or on logout.
7. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request we limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, contact us at . We will respond within 30 days.
8. Cookies
SyncFlow uses only strictly necessary cookies:
- PHPSESSID — session cookie for authentication. No tracking, no personal data stored. Expires on browser close.
We do not use advertising cookies, tracking cookies, or any third-party cookie-based analytics. No cookie consent banner is required because we only use strictly necessary cookies (Art. 5(3) of the ePrivacy Directive).
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- HTTPS encryption for all data in transit.
- Passwords hashed using bcrypt (never stored in plain text).
- Session regeneration on login to prevent fixation attacks.
- IP addresses hashed with a monthly rotating salt (not reversible).
- Role-based access control within the application.
10. International Transfers
Your data is processed and stored within the European Economic Area (EEA). If any sub-processor operates outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
11. Children's Privacy
SyncFlow is not directed at individuals under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the latest revision. Continued use of SyncFlow after changes constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions or data requests: