1. Who We Are
22 Apps, Inc., a British Columbia company doing business as SyncSuite, operates the marketing site at syncsuite.co and the platform at app.syncsuite.co (the "Platform"). Where the Platform serves customer-facing sites, those are reached at the customer's chosen domain (for example, yourdomain.com) or at a system-generated subdomain under *.syncsuitecloud.com.
For the marketing website and for our Platform customers' account information, SyncSuite acts as a data controller. For personal data that flows through our customers' Workspaces about their end-users, SyncSuite acts as a data processor; that processing is governed by our Data Processing Addendum.
Privacy contact / DPO: Matthew McGregor, [email protected].
2. Categories of Data Subjects
- Marketing-site visitors - anyone visiting syncsuite.co.
- Account holders - Free, Pro, and Agency Customers who sign up for the Platform.
- Agency end-clients - Sub-Account holders provisioned by an Agency Customer.
- Customers' own customers - contacts, leads, and recipients managed inside our Customers' Workspaces (we are processor for this data).
3. Data We Collect
3.1 Account information
Name, email address, business name, phone number, password hash, time zone, and similar registration details. For Agency Customers we also collect Whitelabel branding (logo, colors, custom domain).
3.2 Billing information
Stripe handles cards and bank details directly; we receive only token references, the last four digits, expiration, country, billing email, and transaction metadata. Wallet balance, included AI credit, and itemized usage history are stored by us.
3.3 Usage and telemetry
Authentication events, IP address, browser, operating system, device fingerprints, feature usage, error and audit logs, and aggregated performance metrics. We use this to operate, secure, and improve the Service.
3.4 Customer Data inside your Workspace
Whatever you (or AI acting on your behalf) put in your Workspace - CRM contacts, deals, calendar entries, inbox messages, files, source code, AI prompts, AI outputs, custom fields, automation logs, and the like. You own this data.
3.5 OAuth tokens for connected social platforms
If you connect external accounts, we store the OAuth refresh and access tokens necessary to operate the connection. Currently supported: Instagram, TikTok, X / Twitter, LinkedIn, Facebook, YouTube, Pinterest, Reddit, Bluesky, Telegram, Discord, Google Business, and WhatsApp. Tokens are encrypted at rest with AES-256-GCM.
3.6 Communications data
SMS / MMS message content, call recordings (where you enable them), opt-in records, A2P 10DLC consent metadata, sender ID registrations, transactional and marketing email content, and delivery receipts.
3.7 Support correspondence
Tickets, chat transcripts, and any attachments you send when you contact [email protected].
4. Lawful Bases for Processing (GDPR)
- Contract (Article 6(1)(b)) - to provide the Service you signed up for.
- Legitimate interests (Article 6(1)(f)) - to secure the Platform, prevent fraud and abuse, operate analytics, and develop the product. We balance these interests against your rights.
- Consent (Article 6(1)(a)) - for non-essential analytics cookies, marketing emails to prospects, and any sensitive processing where consent is the appropriate basis.
- Legal obligation (Article 6(1)(c)) - tax, accounting, and lawful-disclosure obligations.
5. How We Use Data
- To provision, operate, and secure your Workspace and Sub-Accounts.
- To process subscription and usage billing, including AI token metering and Wallet replenishment.
- To route SMS, voice, and email through our communication sub-processors at your direction.
- To run AI inference on your prompts via third-party AI model providers and return results to your Workspace.
- To investigate abuse, debug issues, and protect Customers and the Platform.
- To send service announcements, security notices, and (with consent or where permitted) product updates.
- To comply with law, respond to lawful requests, and enforce our agreements.
We do not sell personal data. We do not share personal data with third parties for their own marketing.
6. AI Processing
When you use AI features, your prompts and the resulting outputs are sent to one or more third-party AI model providers, processed transiently to generate a response, and returned to your Workspace. SyncSuite does not train AI models on Customer Data, and the third-party AI model providers we use are contracted not to train their foundation models on data routed through our Platform. AI usage is metered per token; current per-token rates for each available model are published in the Platform.
6.1 Automated decision-making (GDPR Article 22)
SyncSuite itself does not use Customer Personal Data to make decisions that produce legal or similarly significant effects on Data Subjects without human involvement. Inside your Workspace, however, AI Agents act on your instructions and may take actions on your contacts, leads, customers, employees, or other Data Subjects on your behalf - for example, drafting and sending an email, creating or updating a CRM record, scheduling a follow-up, or triggering an automation. Because the Customer (you) configures and directs the AI, the Customer is the controller of any such automated processing under Article 22 and equivalent laws.
If an AI Agent in your Workspace will produce a decision with legal or similarly significant effect on a Data Subject (for example, automated approval / denial of an application, eligibility scoring, or termination of a service relationship), you must (a) ensure that processing is permitted under Article 22 or the equivalent local law, (b) provide the Data Subject with meaningful information about the logic involved and the significance and consequences of the processing, and (c) provide a route for the Data Subject to obtain human review, contest the decision, or express their point of view. SyncSuite provides Workspace logs, conversation history, and audit trails to help you fulfill these obligations; you are responsible for designing your AI workflows accordingly.
If you believe an AI Agent has produced an automated decision that affects you and you wish to exercise rights of access, human review, or contestation, please contact the Customer (controller) whose Workspace produced the decision; we will assist that Customer on request as described in our DPA.
7. Data Residency
Customer Data is hosted in Germany on Hetzner Cloud's Falkenstein facilities. Daily code backups and continuous database backups (Pro / Agency) are written to Cloudflare R2 object storage in private buckets. Cloudflare also provides our global CDN, edge cache, and custom-domain proxy; metadata for these services may be processed at edge locations close to your visitors.
8. Sub-Processors
To run the Service we share data with the following sub-processors:
- Stripe - payment processing (including Stripe Connect on Pro and Agency).
- Twilio - SMS / MMS (A2P 10DLC), voice calling, and brand/campaign registration.
- Twilio SendGrid - transactional and Customer-initiated email delivery.
- Zernio - multi-platform social-media integrations (OAuth, posting, comments, DMs, analytics, ads) across the 13 connected platforms.
- Third-party AI model providers for AI inference (we do not pin a single vendor publicly because the Platform routes through a model abstraction layer; current providers are listed in the DPA Annex 2).
- Cloudflare - CDN, edge cache, R2 object storage, and custom-domain proxy.
- Hetzner Cloud - compute hosting (Germany).
We update this list when sub-processors change. Where reasonably practical we will give advance notice (typically at least 14 days), but for urgent vendor migrations or security responses we may make a change immediately and update the list shortly afterward. The DPA contains the most current list with details suitable for due diligence.
9. Mobile Messaging & SMS Privacy
If you (as a Customer) opt in to SMS for account or billing alerts, we use your number only for that purpose. Mobile information (including phone number, opt-in records, and consent) is not shared with third parties or affiliates for their marketing or promotional purposes. A2P 10DLC opt-in / opt-out data and consent records are kept solely to support deliverability, compliance, and your operations.
Carrier-mandated disclosures for SMS we send to you: Reply STOP to opt out at any time. Reply HELP for help. Message and data rates may apply. Message frequency varies. Wireless carriers are not liable for delayed or undelivered messages. Some messages (security alerts, abuse notices, account-status notices) are essential to operating the Service and cannot be opted out of while your account is active.
When you use SyncSuite to send SMS to your own contacts, you are the legal sender. You are responsible for collecting and honoring consent in line with TCPA, CAN-SPAM, CASL, A2P 10DLC carrier rules, and similar laws, and for displaying the equivalent STOP / HELP / message-rates / frequency / carrier-liability disclosures to your recipients, as further described in our Terms of Service Section 12.
10. Cookies, Analytics & Advertising Pixels
On the marketing site we set cookies and similar technologies (pixels, web beacons, local storage) in the following categories:
- Essential cookies - required for basic site operation (security, load-balancing, language preference, and remembering your privacy choice itself). Always on.
- Cloudflare Web Analytics - we use Cloudflare Web Analytics, a privacy-friendly, cookieless page-view counter that does not set cookies, does not track across sites, and does not build user profiles. Cloudflare auto-excludes visitors located in the European Economic Area, the United Kingdom, and Switzerland. Because no cookies are set and (for EU/UK/Swiss visitors) no data is collected at all, we do not present a separate consent prompt for analytics; this is consistent with how cookieless first-party analytics is treated under GDPR and ePrivacy guidance.
- Advertising / retargeting pixels - used to measure ad performance and to show you relevant SyncSuite ads on third-party platforms. We currently use the Meta (Facebook / Instagram) Pixel, the Google Ads tag, and the LinkedIn Insight Tag. These are off by default and only load if you turn them on through the privacy preferences modal in the footer.
- Personalization cookies - small first-party cookies that remember UI choices (region, currency display, dismissed messages). Off by default.
These advertising pixels enable what U.S. state privacy laws call "sharing" of personal information for cross-context behavioral advertising (and what the GDPR treats as a separate processing purpose requiring consent). Disclosed identifiers are typically limited to your IP address, browser/device fingerprint, hashed email (if you submit a form), and pages visited. We do not exchange this information for money, and we do not allow these networks to use the information for their own independent purposes.
10.1 Your right to opt out / "Do Not Sell or Share My Personal Information"
California, Colorado, Connecticut, Texas, Oregon, and other U.S. state privacy laws give you the right to opt out of "sale" or "sharing" of your personal information for cross-context behavioral advertising. You can opt out at any time by:
- Clicking the "Do Not Sell or Share My Personal Information" link in the footer of syncsuite.co, which sets an opt-out preference cookie and stops the advertising pixels for that browser.
- Sending us a verifiable request at [email protected] with the subject line "Privacy Request - Do Not Sell or Share".
- Authorizing an agent under California law to submit the request on your behalf.
We honor the Global Privacy Control (GPC) signal as a valid opt-out for users browsing from California and other jurisdictions where GPC is recognized as such. We do not currently respond to legacy "Do Not Track" (DNT) browser headers because there is no industry-standard interpretation; GPC supersedes DNT for opt-out purposes.
On the authenticated Platform (app.syncsuite.co) we do not run third-party advertising pixels. Authenticated-Platform cookies are first-party only and are used for session management, security, and operating the Service.
You can also clear or block cookies from your browser at any time, install the standard opt-out browser extensions published by the IAB and individual ad networks, and use your operating-system "limit ad tracking" / "Ask App Not to Track" controls. The authenticated Platform requires session cookies to function.
11. Retention
- Workspace data: retained while your subscription is active. After cancellation or termination, we retain your data for 30 days so you can export or migrate, then delete.
- Backups: daily code backups and continuous database backups age out on schedules described in the DPA; backups containing your data are also purged after the 30-day window.
- Billing & tax records: retained for the period required by Canadian and applicable foreign tax law (typically up to 7 years).
- Support correspondence: retained up to 3 years to maintain context across requests.
- AI prompts and outputs: not retained by SyncSuite beyond what is needed to deliver the response, render conversation history in your Workspace, and perform abuse investigation when triggered. Conversation history you save inside your Workspace is part of your Customer Data and follows the Workspace retention rules above.
- Marketing-site analytics: retained in aggregate for up to 26 months.
12. Security
- TLS 1.2+ in transit everywhere (Let's Encrypt and Cloudflare-issued certificates).
- Sensitive in-database fields - Stripe Connect OAuth tokens, third-party API keys, account secrets - encrypted at rest with AES-256-GCM using a per-environment master key.
- Backup files protected by private-bucket access control on Cloudflare R2.
- Tenant isolation via Kubernetes namespaces; gVisor sandboxing for Free-tier static workloads.
- Principle-of-least-privilege access to production infrastructure, with audit logging.
- Continuous database backups (Pro / Agency) via CloudNativePG to private R2.
SyncSuite does not currently hold SOC 2 or ISO 27001 certification. We can provide our security questionnaire on request.
13. Your Rights
13.1 GDPR / UK GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to processing; receive your data in a portable format; and withdraw consent. You also have the right to lodge a complaint with your local supervisory authority.
13.2 PIPEDA / PIPA / Quebec Law 25 (Canada)
Canadian residents have the right to access, correct, and challenge the accuracy of personal information we hold about them, and to ask about our handling practices under PIPEDA and B.C.'s Personal Information Protection Act (PIPA).
Quebec residents have additional rights under An Act respecting the protection of personal information in the private sector (commonly known as Quebec Law 25 / Bill 64): the right to be informed when a decision is based exclusively on automated processing and to request human review of that decision; the right to data portability for automatically-collected personal information; the right to de-indexation (cessation of dissemination) where dissemination causes serious injury and outweighs public interest; and the right to be informed of the categories of personnel and sub-processors with access to your personal information. To exercise these rights, contact our Privacy Officer at [email protected]. Our Privacy Officer for Quebec Law 25 purposes is Matthew McGregor.
13.3 U.S. State Privacy Laws (CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, and others)
Residents of U.S. states with comprehensive privacy laws have the right to know what categories of personal information we collect, the sources, the purposes, and the categories of recipients; the right to access and obtain a copy; the right to correct inaccurate information; the right to delete; the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising; and the right not to be discriminated against for exercising these rights. We do not "sell" personal information as defined by these laws and we do not "share" personal information for cross-context behavioral advertising. California users may also designate an authorized agent to exercise rights on their behalf.
13.4 How to make a request (DSAR)
Email [email protected] with the subject line "Privacy Request". We will verify your identity (typically by confirming control of the account email) and respond within the timeframe required by applicable law (45 days under U.S. state laws and CCPA, 30 days under GDPR, with one extension where the law allows). Authorized agents may submit requests on a Data Subject's behalf with appropriate written authorization.
13.5 Right to appeal
If we deny your privacy request in whole or in part, you have the right to appeal that decision. To appeal, reply to our denial email or send a new email to [email protected] with the subject line "Privacy Request Appeal" within 60 days of our response. We will review the appeal independently and respond within 60 days (or sooner where required by law). If your appeal is denied, you may contact your state attorney general (for U.S. state privacy laws), your supervisory authority (for GDPR / UK GDPR), or the Office of the Privacy Commissioner of Canada (for PIPEDA).
13.6 Marketing email opt-out
Every marketing email we send includes an "Unsubscribe" link in the footer. Clicking it removes you from our marketing lists. You can also email [email protected] with "Unsubscribe" in the subject. Service-related emails (account, billing, security, abuse) cannot be opted out of while your account is active because they are necessary to operate the Service.
13.7 Breach notification
For Customer Personal Data we process as Processor on a Customer's behalf, SyncSuite will notify the affected Customer (the Controller) without undue delay and within 72 hours of becoming aware of a Personal Data Breach, as further described in DPA Section 12. For Personal Data we hold as Controller (for example, marketing-site visitor or account-holder data), we will notify affected individuals and regulators where required by applicable law and within applicable statutory deadlines.
If you are an end-user of an Agency Sub-Account or of one of our Customers' own customer lists, please contact that Customer first; they are the controller of that data. We will assist them in responding.
14. International Transfers
Customer Data is hosted in Germany. If you access the Platform from outside Germany, your data is transferred internationally to Germany for processing. For transfers from the EEA / UK / Switzerland to jurisdictions without an adequacy decision (for example, when our sub-processors operate from the United States), we rely on Standard Contractual Clauses (SCCs) and any necessary supplementary measures, as described in the DPA.
15. Children
The Platform is for users 18 years of age and older. We do not knowingly collect personal data from children under 13 (or under 16 in jurisdictions where that is the higher age of digital consent). If you believe a child has given us personal data, contact us and we will delete it.
16. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last modified" date at the top of this page reflects the latest revision. Material changes will be communicated by in-platform notice or email.
17. Contact
Privacy Officer: Matthew McGregor - [email protected].