Privacy Policy

Effective date: April 26, 2026

This Privacy Policy explains how DUMA DIGITAL SOLUTIONS S.R.L. (Romania) (“we”, “us”, “our”) collects, uses, and shares information when you use SYNCDATE at syncdate.app (the “Service”).

If you have questions, contact us at info@syncdate.app or support@syncdate.app.

1. Information We Collect

We collect only what we need to operate the Service.

  • Account and identity: When you sign in with a supported calendar provider (such as Google or Microsoft), we receive your account ID, email address, name, and profile image from that provider.
  • OAuth credentials: We store OAuth access and refresh tokens (encrypted) from your connected provider(s) to access your calendars on your behalf.
  • Calendar data: We store calendar identifiers, names, colors, and connection metadata (e.g., sync tokens, webhook channel IDs, status, timestamps).
  • Event data (processed for syncing): We access and process event details required to sync: title/summary, description, start/end time, recurrence rules, reminders, and visibility. We do not store full event content in our database, but we do store event identifiers and sync metadata (e.g., source/target event IDs and timestamps). Operational logs may include limited event metadata (such as event summary and recurrence) for troubleshooting.
  • Connected agents and AI access logs: When you authorize an AI client (such as Anthropic Claude, OpenAI ChatGPT, or another agent that supports the Model Context Protocol, “MCP”) to connect to your account, we store the OAuth client registration (client name, client identifier, redirect URI), a hashed copy of the long-lived refresh token we issue to that client (we do not retain the short-lived access tokens themselves), and an audit log of tool calls made by that client (tool name, timestamp, outcome). You can view and revoke connected agents at any time from the Connected Agents page in your dashboard.
  • Usage analytics: We use Google Analytics (GA4) to measure page views and basic usage events. This may set cookies and collect device/usage data (e.g., IP address, browser type, pages viewed), subject to Google’s policies. See Section 2 for details on cookies.
  • Session recording and heatmaps: We use Contentsquare (ContentSquare SAS, France) to record anonymized user sessions, generate heatmaps, and analyze in-app behavior. This may set cookies and collect interaction data (e.g., clicks, scrolls, mouse movements, page URLs, viewport size). Session recordings do not capture passwords or payment fields. See Section 2 for details on cookies.
  • Location data (IP-based): We use your approximate country, derived from your IP address via our CDN provider (Cloudflare), to determine which currency to display for pricing (EUR or USD). We do not store this location data.
  • Billing data: If you purchase a paid plan, we store Stripe customer and subscription identifiers, plan and billing status. Payment card details are handled by Stripe and are not stored by us.
  • Operational monitoring: We collect server-side performance metrics (response times, error rates) and, when enabled, distributed traces of sync operations for debugging. These contain technical metadata (operation names, durations, error codes) but not personal content.
  • Support communications: If you contact us, we collect the information you provide (e.g., email content).

2. Cookies and Similar Technologies

We use cookies to operate and analyze the Service.

Strictly necessary cookies (no consent required)

Cookie | Purpose | Duration
next-auth.session-token | Keeps you signed in (encrypted JWT session) | Session
next-auth.csrf-token | Protects against cross-site request forgery | Session
next-auth.callback-url | Remembers where to redirect after OAuth sign-in | Session

Analytics cookies (require consent in EEA/UK)

Cookie | Purpose | Duration
_ga | Google Analytics — distinguishes unique visitors | 2 years
_ga_<ID> | Google Analytics — maintains session state | 2 years
_cs_id | Contentsquare — persistent visitor identifier | 13 months
_cs_s | Contentsquare — current session identifier | 30 minutes
_cs_vars | Contentsquare — custom dimension data | Session
_cs_ex | Contentsquare — experiment assignment | Session

Analytics cookies are only set when analytics is active. If you are in the EEA/UK, we will ask for your consent before loading analytics cookies. You can withdraw consent at any time via your browser settings or by contacting us.

3. How We Use Information

  • Provide, operate, and maintain the Service (including syncing calendars and events, and serving authorized AI clients via the MCP endpoint).
  • Authenticate users and secure accounts.
  • Process payments and manage subscriptions.
  • Maintain audit logs of MCP tool calls for security, abuse prevention, and troubleshooting.
  • Monitor performance, troubleshoot, and improve reliability.
  • Include service attribution in synced events (a brief text line identifying SYNCDATE in the event description of events we create in your target calendars; contains no personal data; removable on paid plans).
  • Comply with legal obligations and enforce our terms.

We do not sell your data and we do not use Google or Microsoft user data for advertising.

If you are in the EEA/UK, we process your data under the following legal bases:

  • Contract: to provide the Service you request, including processing requests from AI clients you have authorized.
  • Legitimate interests: to secure, debug, and improve the Service.
  • Consent: for analytics cookies and similar tracking technologies (see Section 2), and for each AI client you authorize via the Connected Agents flow.
  • Legal obligation: to comply with applicable laws.

5. Sharing of Information

We share information only as needed to run the Service:

  • Calendar providers (Google, Microsoft, CalDAV providers such as iCloud, Fastmail, Nextcloud): to access and sync your calendar data via their APIs.
  • Stripe: to process payments and manage subscriptions.
  • Cloudflare: for DNS, DDoS protection, CDN, and web application firewall. Cloudflare processes all web traffic to the Service (including IP addresses and request metadata).
  • Hetzner (Germany): for server hosting and infrastructure.
  • Google Analytics: for anonymized usage analytics (when active).
  • Contentsquare (ContentSquare SAS, France): for session recording, heatmaps, and behavioral analytics.
  • AI clients connected via MCP: If you authorize a third-party AI client (such as Anthropic Claude, OpenAI ChatGPT, or any other MCP-compatible agent) to connect to SYNCDATE, that AI client — and the AI provider operating it — will receive calendar and event data you instruct it to access, and will be able to create, update, or delete events on your behalf within the scope of the access you grant. The AI provider operates under its own terms and privacy policy, which we do not control. You can revoke any connected agent at any time from the Connected Agents page in your dashboard.
  • Legal: if required by law or to protect our rights and users.
  • Business transfers: if we are involved in a merger, acquisition, or sale of assets.

We do not sell your personal data, and we do not transfer your data to AI providers except in response to your authenticated requests through the Connected Agents flow.

6. International Transfers

Some service providers (e.g., Google, Microsoft, Stripe, Cloudflare, and AI providers you may connect via MCP) may process data outside Romania/EEA. We rely on appropriate safeguards (such as standard contractual clauses or adequacy decisions) where required. Hetzner processes data within the EU (Germany).

7. Data Retention

We keep data only as long as needed for the Service and legal purposes. Examples:

  • Account and connection data are retained while your account is active.
  • Sync logs are retained for a limited period (typically up to 90 days by default).
  • Orphaned sync mappings are pruned on a rolling basis (typically up to 30 days by default).
  • Connected agent registrations are retained until you revoke them or delete your account; MCP tool-call audit logs are retained for a limited period (typically up to 90 days by default).

You can delete your account at any time from the dashboard or by contacting us (see Section 9).

8. Security

We use reasonable technical and organizational measures to protect data, including encryption of OAuth tokens at rest (AES-256-GCM). No method of transmission or storage is 100% secure.

9. Your Rights

Depending on your location, you may have the right to access, correct, delete, or export your data, and to object or restrict certain processing.

To exercise these rights, contact us at info@syncdate.app. You can also delete your account directly from the Service. You may lodge a complaint with your local data protection authority.

10. Children

SYNCDATE is intended for adults and is not directed to children. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. We will update the effective date above and, if changes are material, provide reasonable notice.

12. Google API Services User Data Policy

SYNCDATE’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you authorize an AI client via the Connected Agents flow, the transfer of Google calendar data to that AI client occurs only at your explicit direction (per-client OAuth consent), is limited to the calendar scopes you originally granted to SYNCDATE, and is subject to the AI provider’s own data handling terms. We do not transfer Google user data to AI clients except in response to your authenticated requests through the Connected Agents flow.

13. Microsoft API Terms

SYNCDATE’s use of information received from Microsoft APIs (including Microsoft Graph) complies with the Microsoft API Terms of Use and applicable data handling requirements. The same user-authorized constraints described in Section 12 apply to Microsoft data accessed via AI clients connected through MCP.

14. Contact

DUMA DIGITAL SOLUTIONS S.R.L. (Romania)

Email: info@syncdate.app (general) or support@syncdate.app (support)
