Privacy Policy
This Privacy Policy explains how Synqc ("we", "us") collects, uses, and protects information about the people who use our service ("you"). It covers data collected directly from our customers — not the personal data that customers' own contacts provide through HubSpot (which is governed by our Data Processing Agreement).
1. Who We Are
Synqc operates the conversion-tracking service available at app.synqc.io. We are the data controller for personal data collected from our own customers.
Contact: legal@synqc.io
2. Data We Collect and Why
| Data | When collected | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Full name, company name, email address | Registration | Create and manage your account; send login links | Performance of contract (Art. 6(1)(b)) |
| OAuth tokens (HubSpot, Meta) | Account setup | Access APIs on your behalf to deliver the service | Performance of contract (Art. 6(1)(b)) |
| Session identifiers (cookies) | Login | Keep you logged in securely | Performance of contract (Art. 6(1)(b)) |
| Event delivery status (timestamps, error codes) | Ongoing service | Show you activity in the dashboard; alert you to delivery failures | Performance of contract (Art. 6(1)(b)) |
| IP address | Every request | Rate limiting and bot/abuse prevention; not stored beyond the request | Legitimate interest (Art. 6(1)(f)) |
| Error reports (stack traces, request metadata) | When errors occur | Diagnose bugs and maintain service reliability; PII scrubbed before transmission | Legitimate interest (Art. 6(1)(f)) |
3. How We Store Your Data
Account data (name, company, email hash, OAuth tokens, configuration) is stored in Cloudflare KV namespaces hosted primarily in the United States. Your email address is stored in hashed form (SHA-256) as the primary account key; the plaintext email is retained in your registration record only to support login and communication.
Session cookies are short-lived (30 minutes idle, 8 hours absolute maximum) and are flagged HttpOnly, Secure, and SameSite=Strict.
4. Data Retention
| Data type | Retention period |
|---|---|
| Account registration record | Duration of subscription + 30 days after deletion request |
| OAuth tokens (HubSpot, Meta) | Until revoked or account deleted |
| Session data | 30 minutes idle / 8 hours absolute; deleted on logout |
| Last event delivery status | 60 days (success) / 14 days (error) |
| Audit log entries | 13 months, anonymised (no PII, only hashed subject identifiers) |
| IP addresses | Not stored (used only for in-request rate limiting) |
5. Third Parties We Share Data With
| Third party | Country | What is shared |
|---|---|---|
| Cloudflare, Inc. | United States | All stored data (infrastructure provider) |
| Resend, Inc. | United States | Your email address (to send login links and notifications) |
| Sentry, Inc. | United States | Error reports with PII scrubbed |
| Meta Platforms, Inc. | United States | Hashed contact data from your HubSpot CRM (conversion signals; see DPA) |
We do not sell your personal data. We do not share your data with advertisers or data brokers.
6. International Transfers
All third-party providers listed above are based in the United States. Transfers of personal data to the United States are made under the Standard Contractual Clauses (EU Commission Decision 2021/914). By using Synqc, you acknowledge these transfers.
7. Your Rights
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your account and all associated data.
- Restriction: ask us to limit how we process your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, the right to opt out of its sale (we do not sell personal information), and the right to non-discrimination for exercising these rights. You may submit a request via the opt-out or data deletion flows in your account, or by contacting us at legal@synqc.io.
To exercise any of these rights, contact us at legal@synqc.io. We will respond within 30 days.
8. Cookies
We use only essential cookies necessary to operate the service. No tracking or advertising cookies are set.
| Cookie | Purpose | Duration |
|---|---|---|
| __Host-sid | Authenticated session identifier | 8 hours |
| __Host-setup | Temporary session during account setup | 15 minutes |
| __Host-csrf | Cross-site request forgery protection on forms | 30 minutes |
9. Children
Synqc is intended for use by businesses and is not directed at individuals under 18. We do not knowingly collect personal data from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the dashboard. The date at the top of this page reflects the most recent update.
11. Contact and Complaints
For privacy inquiries: legal@synqc.io
If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.