SyncroTask ("we", "us", or "our") operates syncrotask.com and the SyncroTask application (the "Service"). This Privacy Policy explains how we collect, use, and protect information from users of our Service.

Our Service is intended for businesses and commercial entities. By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Who This Applies To

This Privacy Policy covers three types of users:

• Business Users — the company or individual who creates a SyncroTask account and manages a workspace.
• Authorized Users — employees or team members invited by a Business User to use the Service.
• Visitors — anyone who browses our website without creating an account.

2. Information We Collect

Information You Provide Directly

• Account information — name, email address, country, and password when you register.
• Workspace data — timesheets, leave requests, vacation days, projects, activities, clients, and team structures you create within the Service.
• Billing information — subscription and payment details processed securely through Paddle. We do not store your full payment card details.
• Communications — messages you send to our support team.

Information Collected Automatically

• Usage data — pages visited, features used, time and date of access.
• Device and browser data — IP address, browser type and version, operating system.
• Cookies — session and security cookies necessary for the Service to function. See our Cookie Policy for details.

3. How We Use Your Information

• To provide, operate, and maintain the Service.
• To manage your account and subscription.
• To process payments through Paddle.
• To send service-related communications (account confirmations, password resets, workspace invitations, subscription updates) via Resend.
• To display public holiday information in your preferred language, using the nager.date API and DeepL translation service.
• To provide customer support.
• To detect and prevent fraud, abuse, and security incidents.
• To maintain automated encrypted backups of Service data via Cloudflare R2 for disaster recovery purposes.
• To improve and develop the Service based on usage patterns.
• To comply with legal obligations.

4. Data Sharing and Third-Party Services

We do not sell your personal data. When third-party services are involved, we distinguish clearly between two categories:

A. Data Processors Acting on Our Behalf

These providers process data strictly under our instruction, for the sole purpose of delivering the Service. They do not use your data for their own purposes and are bound by data processing agreements and applicable law.

• Resend — our transactional email provider, used to deliver account confirmations, password resets, workspace invitations, and other service notifications. We transmit your email address and notification content to Resend solely for delivery purposes. SyncroTask does not have access to Resend's internal delivery infrastructure or logs beyond what is exposed through our own account dashboard. See Resend's Privacy Policy.
• Cloudflare R2 — encrypted cloud object storage used to retain automated database backups for disaster recovery purposes. Backups are stored under strict access controls. SyncroTask controls access to backup files; no backup data is accessible to Cloudflare for any purpose other than storage infrastructure operation. See Cloudflare's Privacy Policy.

B. Independent Third-Party Data Controllers

These are services where your browser or our server establishes a direct connection to a third-party platform. SyncroTask does not control, access, or have the ability to modify, delete, or retrieve any data these services collect on their own infrastructure. Each of these providers acts as an independent data controller under their own privacy policy. We have no technical or legal authority over how they store or process the data they collect.

• Paddle — our payment processor and Merchant of Record. When you subscribe, you transact directly with Paddle, who collects and processes all payment and billing data independently. We do not store your payment card details and have no access to the raw payment data held by Paddle. See Paddle's Privacy Policy.
• Cloudflare Turnstile — a bot-protection widget embedded on our registration and login pages. When the widget loads, your browser sends signals (including IP address and browser characteristics) directly to Cloudflare's servers. SyncroTask receives only a pass/fail token result; we do not receive, store, or have any access to the underlying data Cloudflare collects for bot detection. See Cloudflare's Privacy Policy.
• Google Fonts — our public marketing website (landing page only) loads font files served from Google's servers. This causes your browser to send a direct request to Google, which may include your IP address. This connection is established between your browser and Google — SyncroTask does not receive, process, or have any visibility into that request or any data Google may collect from it. This does not apply within the authenticated application. See Google's Privacy Policy.
• DeepL — a machine translation service used solely to localise public holiday names into your preferred language. Only non-personal holiday name text is transmitted. SyncroTask does not share any account data or personal information with DeepL, and has no access to or control over DeepL's processing infrastructure. See DeepL's Privacy Policy.
• nager.date — a public open-source API used to retrieve official public holiday data by country and year. Only a country code and year value are transmitted; no personal data is involved. SyncroTask has no relationship with or control over nager.date's infrastructure.

C. Legal Disclosure

• Legal authorities — we may disclose personal data when required by law, valid court order, or to protect the rights, property, or safety of SyncroTask, our users, or the public.

Business Users control the data of their Authorized Users within their workspace. Authorized User data is processed on behalf of the Business User.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data on the following legal bases:

• Contract performance — to deliver the Service you signed up for.
• Legitimate interests — to improve the Service, ensure security, and prevent fraud.
• Legal obligation — to comply with applicable laws and regulations.
• Consent — where you have explicitly agreed (e.g. marketing communications).

6. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right of rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data, subject to legal retention requirements.
• Right to restriction — request that we limit how we process your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@syncrotask.com.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we remove your data within a reasonable period, except where retention is required by law or for legitimate business purposes such as resolving disputes or enforcing agreements.

Business Users may request deletion of their workspace data at any time by contacting support.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

Your data may be processed in countries outside your own, including countries that may not have the same data protection laws. Where required, we rely on appropriate safeguards (such as standard contractual clauses) to ensure your data is protected in accordance with this policy.

10. Children's Privacy

Our Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the Service before the change takes effect. The "last updated" date at the top of this page will always reflect the most recent revision.

12. Contact Us

SyncroTask is operated by:

• Legal entity: TEODORESCU GABRIEL ILIE PFA
• CUI: 43538616
• EUID: ROONRC.F8/16/2021
• Email: contact@syncrotask.com