This Privacy Policy explains how DUMA DIGITAL SOLUTIONS S.R.L. (Romania) (“we”, “us”, “our”) collects, uses, and shares information when you use SYNCDATE at syncdate.app (the “Service”).
If you have questions, contact us at info@syncdate.app or support@syncdate.app.
1. Information We Collect
We collect only what we need to operate the Service.
- Account and identity: When you sign in with a supported calendar provider (such as Google or Microsoft), we receive your account ID, email address, name, and profile image from that provider.
- OAuth credentials: We store OAuth access and refresh tokens (encrypted) from your connected provider(s) to access your calendars on your behalf.
- Calendar data: We store calendar identifiers, names, colors, and connection metadata (e.g., sync tokens, webhook channel IDs, status, timestamps).
- Event data (processed for syncing): We access and process event details required to sync: title/summary, description, start/end time, recurrence rules, reminders, and visibility. We do not store full event content in our database, but we do store event identifiers and sync metadata (e.g., source/target event IDs and timestamps). Operational logs may include limited event metadata (such as event summary and recurrence) for troubleshooting.
- Usage analytics: We use Google Analytics (GA4) to measure page views and basic usage events. This may set cookies and collect device/usage data (e.g., IP address, browser type, pages viewed), subject to Google’s policies. See Section 2 for details on cookies.
- Location data (IP-based): We use your approximate country, derived from your IP address via our CDN provider (Cloudflare), to determine which currency to display for pricing (EUR or USD). We do not store this location data.
- Billing data: If you purchase a paid plan, we store Stripe customer and subscription identifiers, plan and billing status. Payment card details are handled by Stripe and are not stored by us.
- Operational monitoring: We collect server-side performance metrics (response times, error rates) and, when enabled, distributed traces of sync operations for debugging. These contain technical metadata (operation names, durations, error codes) but not personal content.
- Support communications: If you contact us, we collect the information you provide (e.g., email content).
2. Cookies and Similar Technologies
We use cookies to operate and analyze the Service.
Strictly necessary cookies (no consent required)
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Keeps you signed in (encrypted JWT session) | Session |
| next-auth.csrf-token | Protects against cross-site request forgery | Session |
| next-auth.callback-url | Remembers where to redirect after OAuth sign-in | Session |
Analytics cookies (require consent in EEA/UK)
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Google Analytics — distinguishes unique visitors | 2 years |
| _ga_<ID> | Google Analytics — maintains session state | 2 years |
Analytics cookies are only set when Google Analytics is active. If you are in the EEA/UK, we will ask for your consent before loading analytics cookies. You can withdraw consent at any time via your browser settings or by contacting us.
3. How We Use Information
- Provide, operate, and maintain the Service (including syncing calendars and events).
- Authenticate users and secure accounts.
- Process payments and manage subscriptions.
- Monitor performance, troubleshoot, and improve reliability.
- Comply with legal obligations and enforce our terms.
We do not sell your data and we do not use Google or Microsoft user data for advertising.
4. Legal Bases (EEA/UK)
If you are in the EEA/UK, we process your data under the following legal bases:
- Contract: to provide the Service you request.
- Legitimate interests: to secure, debug, and improve the Service.
- Consent: for analytics cookies and similar tracking technologies (see Section 2).
- Legal obligation: to comply with applicable laws.
5. Sharing of Information
We share information only as needed to run the Service:
- Calendar providers (Google, Microsoft): to access and sync your calendar data via their APIs.
- Stripe: to process payments and manage subscriptions.
- Cloudflare: for DNS, DDoS protection, CDN, and web application firewall. Cloudflare processes all web traffic to the Service (including IP addresses and request metadata).
- Hetzner (Germany): for server hosting and infrastructure.
- Google Analytics: for anonymized usage analytics (when active).
- Legal: if required by law or to protect our rights and users.
- Business transfers: if we are involved in a merger, acquisition, or sale of assets.
We do not sell your personal data.
6. International Transfers
Some service providers (e.g., Google, Microsoft, Stripe, Cloudflare) may process data outside Romania/EEA. We rely on appropriate safeguards (such as standard contractual clauses or adequacy decisions) where required. Hetzner processes data within the EU (Germany).
7. Data Retention
We keep data only as long as needed for the Service and legal purposes. Examples:
- Account and connection data are retained while your account is active.
- Sync logs are retained for a limited period (typically up to 90 days by default).
- Orphaned sync mappings are pruned on a rolling basis (typically up to 30 days by default).
You can delete your account at any time from the dashboard or by contacting us (see Section 9).
8. Security
We use reasonable technical and organizational measures to protect data, including encryption of OAuth tokens at rest (AES-256-GCM). No method of transmission or storage is 100% secure.
9. Your Rights
Depending on your location, you may have the right to access, correct, delete, or export your data, and to object or restrict certain processing.
To exercise these rights, contact us at info@syncdate.app. You can also delete your account directly from the Service. You may lodge a complaint with your local data protection authority.
10. Children
SYNCDATE is intended for adults and is not directed to children. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. We will update the effective date above and, if changes are material, provide reasonable notice.
12. Google API Services User Data Policy
SYNCDATE’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
13. Microsoft API Terms
SYNCDATE’s use of information received from Microsoft APIs (including Microsoft Graph) complies with the Microsoft API Terms of Use and applicable data handling requirements.
14. Contact
DUMA DIGITAL SOLUTIONS S.R.L. (Romania)
Email: info@syncdate.app (general) or support@syncdate.app (support)