Table of Contents
- Introduction and Legal Framework
- Data Controller
- Personal Data Collected
- Processing Purposes
- Legal Basis for Processing
- Cookies and Similar Technologies
- Third-party Services and Data Transfers
- Data Storage and Security
- Data Retention Period
- Your Rights (GDPR)
- International Data Transfers
- Processing of Minors' Data
- Automated Decisions and Profiling
- Security Breaches
- Policy Changes
- Contact and Complaints
1. Introduction & Legal Framework
1.1. StartSync.app ("the Platform", "the Service") is a SaaS platform for managing conferences and events. Protecting your personal data is a fundamental priority.
1.2. This policy applies to all Platform users, regardless of country of residence, and complies with:
- EU Regulation 2016/679 (GDPR)
- ePrivacy Directive 2002/58/EC (for cookies)
- Law no. 190/2018 (GDPR implementation measures in Romania)
2. Data Controller
2.1. The controller of your personal data is the entity operating the StartSync.app platform, headquartered in Romania.
2.2. Controller contact details:
- Email: contact@startsync.app
- Privacy email: contact@startsync.app
3. Personal Data Collected
We collect the following categories of personal data:
3.1. Data provided directly by you
| Category | Details | Mandatory |
|---|---|---|
| Account | Username, email address, password (hashed), display name | Yes |
| OAuth authentication | OAuth identifier (Google/Apple), email address, avatar URL | Yes (if you choose OAuth) |
| Billing — Individuals | Name, address, city, county/state, postal code, country, phone | Yes (on paid subscription) |
| Billing — Legal entities | Company name, CUI/VAT Code, Reg. No., registered address, country, phone | Yes (for legal entities) |
| Payments | Information processed through Paddle (we do not store card data) | Yes (on paid subscription) |
| Content | Presentations (PowerPoint, PDF, HTML), event/room configurations | No |
3.2. Data collected automatically
| Category | Details | Purpose |
|---|---|---|
| Server logs | IP address, browser type, operating system, access date/time | Security, debugging |
| Cookies | Session token (JWT), preferences | Authentication, functionality |
| Usage | Actions in Platform, pages visited, features used | Service improvement |
3.3. Data from third parties
- Google OAuth: Name, email address and profile photo (with your consent)
- Apple Sign-In: Apple identifier and email address (may be private relay)
- Paddle: Payment confirmation, subscription status, Paddle client ID
- VIES (European Commission): VAT code validation and associated company data
4. Purposes of Processing
We process your personal data for the following purposes:
| Purpose | Description | Legal basis |
|---|---|---|
| Service provision | Account creation and management, event configuration, presentation display, timer and display features | Contract performance |
| Billing | Payment processing, invoice issuance, subscription management, VAT verification | Contract performance, legal obligation |
| Security | Account protection, fraud detection, prevention of unauthorized access | Legitimate interest |
| Communication | Account and service notifications, technical support, security alerts | Contract performance, legitimate interest |
| Improvement | Usage analysis, error debugging, new feature development | Legitimate interest |
| Live Translation | Real-time language translation processing via third-party cloud AI services. Audio data is processed in real time and is not stored by us after the session ends. Translated text is retained only for the duration of the active session. | Contract performance, explicit consent (by activating the feature) |
| Legal compliance | Compliance with tax and accounting obligations, response to authority requests | Legal obligation |
5. Legal Basis for Processing
We use the following legal bases pursuant to Art. 6 GDPR:
- Art. 6(1)(a) — Consent: For non-essential cookies, marketing communications (if any), OAuth authentication
- Art. 6(1)(b) — Contract performance: For providing the Service, account management, payment processing, support
- Art. 6(1)(c) — Legal obligation: For invoicing and accounting records, responding to authority requests, tax compliance
- Art. 6(1)(f) — Legitimate interest: For security, fraud prevention, Service improvement, usage analysis
5.2. In the case of consent-based processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of prior processing.
6. Cookies & Similar Technologies
6.1. What are cookies?
Cookies are small text files stored on your device when you visit the Platform.
6.2. Cookies used
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| token | Essential | User authentication and session (JWT) | 7 days |
| oauth_state | Essential | Security in the OAuth authentication flow | Session |
6.3. Third-party cookies
Third-party services may set their own cookies:
- Paddle: Cookies for secure payment processing and fraud prevention
- Google (OAuth): Cookies for authentication, if you choose "Continue with Google"
- Apple (OAuth): Cookies for authentication, if you choose "Continue with Apple"
6.4. Managing cookies
You can manage or delete cookies from your browser settings. Note that disabling essential cookies may affect Platform functionality (e.g., you may not be able to stay logged in).
7. Third-Party Services & Data Transfers
We share data with the following third-party service providers, strictly as necessary:
| Provider | Purpose | Shared data | Location |
|---|---|---|---|
| Paddle.com Market Ltd. | Payment processing, subscriptions | Email, billing data, Paddle customer ID | USA (Standard Contractual Clauses) |
| Google LLC | OAuth authentication | OAuth token, email, name, avatar | USA (Standard Contractual Clauses) |
| Google Cloud Platform (Google LLC) | Live Translation processing (cloud AI services) | Audio and text data processed in real time. No data is retained by the Operator after the session ends. | USA / EU (Standard Contractual Clauses, Google Cloud DPA) |
| Apple Inc. | OAuth authentication | OAuth token, email | USA (Standard Contractual Clauses) |
| VIES / European Commission | VAT code verification | VAT code, country | EU |
| Railway Corp. | Platform Hosting (application servers) | All data processed on servers | EU / USA (Standard Contractual Clauses) |
| Cloudflare, Inc. (R2 Storage) | Primary file storage and database backup | Presentation files, encrypted database | EU (auto) – Standard Contractual Clauses |
| Backblaze, Inc. (B2 Storage) | Secondary file backup | Database backup copies | EU (Amsterdam) – Standard Contractual Clauses |
7.2. We do not sell, rent or share your personal data with third parties for marketing purposes.
7.3. We may disclose personal data when required by law, court order or competent authority.
8. Data Storage & Security
8.1. Data is stored on secure servers. We implement the following measures:
- Encryption in transit: All connections are protected via TLS/HTTPS
- Hashed passwords: Passwords are stored using secure hashing algorithms (bcrypt) and cannot be recovered in plain text
- JWT tokens: Sessions are managed through JSON Web Tokens with automatic expiry
- httpOnly cookie: The authentication token is stored in an httpOnly cookie, inaccessible to client-side JavaScript
- CSRF Protection: Protection measures against cross-site attacks
- Rate limiting: Protection against brute-force attacks on authentication
- Periodic backup: Regular database backup copies
- Limited access: Data access is restricted based on the "need to know" principle
8.2. No system is 100% secure. Despite our efforts, we cannot guarantee the absolute security of data transmitted over the internet.
8.3. Confidentiality of Presentations and Uploaded Files
8.3.1. Presentations and files uploaded by the User to the Platform are stored in the Operator's cloud infrastructure, using Cloudflare R2 (primary storage) and Backblaze B2 (secondary backup). The database is stored and automatically backed up in both locations. These files may contain personal data (speaker names and affiliations, medical data, research data, etc.).
8.3.2. File content is treated as confidential information within the meaning of Art. 28 GDPR and EU Directive 2016/943 on trade secrets.
8.3.3. The right to upload, manage and delete presentations belongs exclusively to the Beneficiary (account holder). The Operator does not intervene with these files except under the conditions set out in Terms and Conditions, section 10.
8.3.4. Storage space allocated per user is limited according to the subscription plan (Free: 300 MB, Pro: 20 GB, Enterprise: 100 GB). Full details in Terms and Conditions, section 10b.
9. Data Retention Period
| Data category | Retention period | Reason |
|---|---|---|
| Account data | For the duration of the account + 30 days after deletion | Service provision, grace period |
| Billing data | 10 years from the invoice date | Legal accounting and tax obligations |
| Presentations/Files | For the duration of the account + 30 days after event deletion | Service provision |
| Server logs | 90 days | Security, debugging |
| Expired trial data | 30 days after expiration | Grace period for reactivation |
| Audit data | 3 years | Security, compliance |
| Live Translation data | Duration of active session only (deleted immediately when session ends) | Real-time processing; no persistent storage required. Audio streams are not recorded. |
9.2. Upon expiry of the retention period, data is deleted or irreversibly anonymized.
10. Your Rights (GDPR)
Under GDPR, you have the following rights:
| Right | Description | GDPR basis |
|---|---|---|
| Access | The right to obtain confirmation of processing and a copy of your data | Art. 15 |
| Rectification | The right to correct inaccurate or incomplete data | Art. 16 |
| Deletion ("Right to be forgotten") | The right to request deletion of your data | Art. 17 |
| Restriction | The right to request restricted processing under certain conditions | Art. 18 |
| Portability | The right to receive data in a structured, commonly used format | Art. 20 |
| Objection | The right to object to processing based on legitimate interest | Art. 21 |
| Consent withdrawal | The right to withdraw consent at any time | Art. 7(3) |
| Complaint | The right to file a complaint with the supervisory authority | Art. 77 |
10.2. To exercise your rights, send a request to contact@startsync.app. We will respond within a maximum of 30 days (extendable by 60 days for complex requests, with notification).
10.3. Certain rights may be limited in specific cases (e.g., legal obligations to retain billing data).
10.4. Supervisory authority: In Romania, the competent authority is ANSPDCP (National Supervisory Authority for Personal Data Processing) — www.dataprotection.ro
11. International Data Transfers
11.1. Certain third-party services (Paddle, Google, Google Cloud Platform, Apple) may transfer data outside the European Economic Area (EEA), primarily to the USA.
11.2. These transfers are protected by:
- Standard Contractual Clauses (SCC) approved by the European Commission
- EU-US Data Privacy Framework (for certified providers)
- Additional security measures as per EDPB recommendations
11.3. You may request details about the safeguards applied by contacting us at contact@startsync.app.
12. Processing of Minors' Data
12.1. The Service is not intended for persons under 16 years.
12.2. We do not knowingly collect personal data from minors under 16 years without parental/legal guardian consent.
12.3. If you discover that a minor under 16 has provided personal data without parental consent, please contact us immediately for deletion.
13. Automated Decisions & Profiling
13.1. We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you.
13.2. The automatic verification of the VAT code through VIES is a technical validation check and does not constitute profiling or automated decision-making within the meaning of Art. 22 GDPR.
14. Security Breaches
14.1. In the event of a security breach affecting your personal data:
- We will notify ANSPDCP within 72 hours from discovery (as per Art. 33 GDPR)
- We will notify you directly, without undue delay, if the breach poses a high risk to your rights and freedoms (in accordance with Art. 34 GDPR)
- We will immediately take remedial and impact mitigation measures
15. Policy Changes
15.1. We reserve the right to update this Privacy Policy.
15.2. Changes will be communicated by:
- Publication of the updated version on this page (with the last updated date in the header)
- Email to the address associated with the account, for substantial changes
- In-Platform notification
15.3. Substantial changes will be notified at least 30 days before taking effect.
15.4. Continued use of the Service after the changes take effect constitutes acceptance of the new Policy.
16. Contact & Complaints
For any question or request regarding personal data protection:
- Email (data protection): contact@startsync.app
- Email (general support): contact@startsync.app
We commit to responding to any personal data request within a maximum of 30 calendar days.
If you are not satisfied with our response, you have the right to file a complaint with:
- ANSPDCP — National Supervisory Authority for Personal Data Processing
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, 010336, Romania
- Website: www.dataprotection.ro