SyncDroid

Privacy Policy

Effective: May 2026

This Privacy Policy explains what personal data SyncDroid collects, how we use it, and the choices you have. SyncDroid is operated by Moritz Heschl, an Austrian sole proprietorship, acting as data controller under the EU General Data Protection Regulation (GDPR).

1. Data we collect

Account data

When you sign up, we (via our auth provider) store your email address, a hashed password (or a federated identity from Google, GitHub, or Microsoft), and timestamps for account creation and last sign-in.

Subscription and billing data

When you subscribe, our payment processor stores your billing name, billing address, payment method (tokenised; we never see card numbers), and invoice history. We receive a subscription status, tier, and license key associated with your account.

Operational data

To deliver the Service we process: device fingerprints (a hash of machine identifiers used to bind a license to a device), session metadata (start time, end time, duration, peer IP addresses for connection establishment), and basic diagnostic logs.

What we do not collect

We do not store the contents of remote-control sessions (screen captures, clipboard data, file transfers). All session media is end-to-end encrypted between the host and client desktops via DTLS-SRTP. Our relay servers see only encrypted bytes.

2. Why we process your data (legal bases)

  • Performance of contract (Art. 6(1)(b) GDPR): account management, subscription billing, license enforcement, customer support.
  • Legitimate interest (Art. 6(1)(f) GDPR): security monitoring, abuse prevention, product reliability.
  • Legal obligation (Art. 6(1)(c) GDPR): tax records and invoicing retention.

3. Subprocessors

We use the following processors to deliver the Service. Each is contractually bound by a Data Processing Agreement and either operates inside the EU/EEA or ships data under appropriate transfer safeguards (Standard Contractual Clauses or an adequacy decision).

  • Cloudflare — signaling Worker, edge cache, and DNS.
  • Hetzner — TURN relay servers (EU and US data centres).
  • Lemon Squeezy — payment processing and merchant of record.
  • Clerk — user authentication.
  • MailerSend — transactional email (license keys, invites).
  • Sentry — crash reporting (errors only; no session content).
  • Vercel — hosting for this website.

4. How long we keep data

  • Account data: until you delete your account.
  • Subscription and invoice data: 7 years, as required by Austrian tax law.
  • Session metadata: 90 days, then aggregated and anonymised.
  • Diagnostic logs: 30 days.

5. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • request deletion of your data (subject to legal retention obligations);
  • object to processing or request restriction;
  • receive your data in a portable format;
  • lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde).

To exercise any of these rights, email support@syncdroid.io. We respond within 30 days.

6. International transfers

Some of our subprocessors are based outside the EU/EEA. Where data is transferred to a third country, we rely on Standard Contractual Clauses or an applicable adequacy decision. A copy of the relevant safeguards can be requested at the contact email above.

7. Cookies and tracking

This website does not use third-party tracking cookies. Where we use cookies, it is strictly to remember your session and preferences, and they are essential for the site to function.

8. Security

We use TLS 1.3 for all transport, AES-256 encryption for data at rest where applicable, hashed passwords (handled by Clerk), and DTLS-SRTP end-to-end encryption for session media. We notify affected users of any data breach within 72 hours of discovery, in line with Art. 33 GDPR.

9. Children

The Service is not intended for users under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete the affected data.

10. Changes

Material changes will be announced by email or in-app at least 30 days before taking effect. The current version is always available at this URL.

11. Contact

Data controller: Moritz Heschl (Austria). Email support@syncdroid.io for any privacy-related question.