Privacy Policy

How SyncWhen processes personal data. This policy applies to syncwhen.com and all subdomains.

1. Controller (Art. 4 GDPR)

2. What data we process

Server access logs

When you visit syncwhen.com, the web server automatically records the following: your IP address, the request timestamp, the requested URL, the HTTP status code, the referring URL, and your browser user agent. Access logs are rotated daily and the most recent 14 days are kept; older entries are permanently deleted. Logs are used solely for security, debugging and operational purposes (Art. 6(1)(f) GDPR, legitimate interest in service stability and abuse prevention).

Session cookie (strictly necessary)

If you sign in or create a sync, we set a single first-party session cookie to keep you authenticated and to remember your in-progress sync between page loads. This cookie is strictly necessary for the service to function and is exempt from consent requirements under § 25(2) TTDSG / EU ePrivacy Directive Art. 5(3).

Analytics (Umami, self-hosted)

We use a self-hosted instance of Umami Analytics to count page views and basic interactions. Umami is configured to be cookieless and does not store personal identifiers. Aggregated data only (page URL, country derived from IP, browser, device class) is retained for at most 12 months. No data is shared with third parties. Legal basis: Art. 6(1)(f) GDPR, legitimate interest in measuring service usage.

Email magic links

If you choose to sign in, we store the email address you provide and send a one-time magic link to it. Email addresses are used only to identify your account and to send transactional emails (login link, sync notifications). We do not send marketing emails. Legal basis: Art. 6(1)(b) GDPR, performance of a contract.

Google sign-in (OAuth)

As an alternative to magic links you can sign in with Google. If you do, Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) acts as a separate controller for the authentication step and transmits to us your Google account email address, name and profile identifier. We store the email address and identifier to keep you signed in; we do not request or store any other Google account data. Use of Google sign-in is voluntary and triggered only by clicking the corresponding button. Legal basis: Art. 6(1)(a) GDPR (consent given by clicking the sign-in button) plus Art. 6(1)(b) for the resulting account record. Transfer to Google in the USA relies on the EU-U.S. Data Privacy Framework adequacy decision (C(2023) 4745). Google's privacy policy: policies.google.com/privacy.

Error tracking (Sentry / GlitchTip)

To detect and fix software faults we use a self-hosted instance of GlitchTip (a Sentry-compatible open-source error tracker) at errors.alexkay.dev. When the application throws an unhandled exception, the following may be transmitted: stack trace, request URL, HTTP method, browser user agent, IP address and, where applicable, the email of a signed-in user. Error events are retained for 90 days and used solely for debugging. The error tracker runs on the same infrastructure operated by us; no third-party processor is involved. Legal basis: Art. 6(1)(f) GDPR, legitimate interest in service stability and security.

Sync content

Titles, descriptions, time slots, participant names and votes you submit are stored in our database to operate the service. They are visible to anyone with the sync link. You may delete a sync at any time from its admin page; deletion is immediate and permanent.

3. Third parties and international transfers

SyncWhen runs on a VPS server outside the European Union. The operator is based in Vietnam. Personal data may therefore be transferred to and processed in countries outside the EU/EEA. Such transfers are based on Art. 49(1)(b) GDPR (necessary for the performance of a contract requested by the data subject).

All static assets - fonts, JavaScript libraries (Vue.js, ActionCable), stylesheets and analytics scripts - are served from our own infrastructure. No third-party content delivery network receives your IP address as a result of loading this site.

4. Your rights (Art. 15-22 GDPR)

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / "right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time, where processing is based on consent

To exercise any of these rights, email legal@syncwhen.com. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), typically the data-protection authority of your country of residence.

5. Retention

Server access logs: 14 days. Analytics events: 12 months. Error tracking events: 90 days. Sync content: until you delete the sync, or 12 months of inactivity for guest syncs. Account data: until you delete your account from the dashboard (see "Danger zone" at /dashboard); deletion is immediate, irreversible and removes all associated syncs.

6. Security

The service uses HTTPS for all connections, hashed credentials where applicable, and access controls limiting database access to the operator. No security measure is perfect; you use the service at your own risk.

7. Changes

This policy may be updated to reflect changes in the service or applicable law. Material changes will be announced on the site.

Last updated: May 2026