GDPR


- GDPR Privacy Policy
- GDPR Data Processing Addendum


Specific Information for EU users – GDPR requirements

This part of our Privacy Policy especially sets out the additional information required by the GDPR for our EU users on how we collect and process your personal information when you visit our Website or use our products and services specified above.

Storage Location

We store your personal information on our servers which are located in Canada. Canada provides an adequate level of data protection as required by Art 45 (1) GDPR.

Controller

The controller according to Art. 4 (7) GDPR is
Sync.com Inc.
105-155 Gordon Baker Road
Toronto, ON M2H 3N5
You can contact us as follows:
Email: datacontroller@sync.com

Privacy Officer (Data Protection Officer)

Sync has designated a Privacy Officer (Data Protection Officer) who you may contact via email at privacyofficer@sync.com.

Purposes and legal basis for the processing of your personal information

According to Art. 13 (1) (c) and Art. 14 (1) (c) GDPR, we have to inform you about the purposes of the processing for which your personal information is being collected and used as well as the legal basis for such processing.

We will process your personal information only with your knowledge and consent (Art. 6 (1) (a) GDPR), except where permitted or required by the law or defined in this Privacy Policy. Where we process your personal information on the legal basis of your consent, you have the right to withdraw your consent at any time. Such withdrawal of your consent will not affect the lawfulness of our processing of your personal information before such withdrawal.

Moreover, we process your personal information to:

  • Provide you with the products or services you have requested (Legal basis: Art. 6 (1) (b) GDPR);
  • Process your payment, including recurring payments as you request (Legal basis: Art. 6 (1) (b) GDPR);
  • Communicate with you about the products or services you have requested (Legal basis: Art. 6 (1) (b) GDPR);
  • Ensure that you are properly registered to use our products and services and to receive any associated technical support (Legal basis: Art. 6 (1) (b) GDPR); and
  • Inform you of any important product revisions or updates (Legal basis: Art. 6 (1) (b) GDPR).

Where we process your personal information on the basis of Art. 6 (1) (b) GDPR, you are contractually required to provide us with your data and we are not able to provide our services without such data. If we process your personal information on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) and in case you want to learn more about our balancing of interests, please contact our Privacy Office at privacyofficer@sync.com.

Visiting our Website

When visiting our Website, we collect and store the IP address assigned to your computer in order to provide you with the contents of our Website requested by you (e.g. texts, images and product information). The legal basis insofar is Art. 6 (1) (b) GDPR. We furthermore collect that information for the detection and defense of misuse which is justified by our legitimate interest according Art. 6 (1) (f) GDPR and is being conducted in order to ensure the proper functioning of our Website. Furthermore, we collect and process information about the browser type you use as well as date and time of access and use of our Website based on Art. 6 (1) (f) GDPR to optimize our Website and our services which also is our legitimate interest in the meaning of Art. 6 (1) (f) GDPR. This information is stored in log files and is not linked to personal information gathered elsewhere on the Website. You are contractually required to provide us with such information and we are not able to provide our services to you without such data.

Using our Services

When you create an account, Sync’s account creation process requires that you provide personal information and other contact information. Such personal information may include your e-mail address, first name, last name, and personal and/or business billing information. Access to your personal information is restricted to us, and in the case of a Business Pro plan, the account administrator. Your e-mail address and display name may also be visible to the people you share with, or accept a share invitation from. Your personal information will be processed by us for verification purposes and to provide our services to you on the legal basis of Art. 6 (1) (b) GDPR. You are contractually required to provide us with such information and we are not able to provide our services to you without such data.

When you use our Sync services your personal information and other information you provide is encrypted in transit using SSL/TLS encryption. Sync's desktop, mobile and web applications (“Sync Apps”) apply an additional layer of client side encryption automatically, during transit and at rest, which we define as end-to-end encryption.

Sync never collects or stores your file, file meta data, encryption keys or passwords (your “Encrypted Data”) in an unencrypted format, unless you request us to do so. The Encrypted Data you upload to Sync is always end-to-end encrypted, and stored in such a way that we cannot access it in a readable format, or share it with third-parties. Sync's applications and features allow you, and only you (or in the case of the Business Pro plan, you and the administrator) to control who can decrypt your Encrypted Data, for example when sharing with other people, when enabling in-app sharing with other apps, when enabling account or password recovery, or in the case of a Business Pro plan administrator, when provisioning an account.

We make every effort to ensure that we cannot access or decrypt your Encrypted Data, regardless of which features you may have enabled or use.

During the use of our service, you may also submit non-Encrypted Data, including your email address. We make every attempt to ensure that the transmission and storage of non-Encrypted Data is secure, and that access to this data is highly restricted. If you have any questions about the security of your Encrypted Data or non-Encrypted Data you can contact us at help@sync.com

Further purposes/marketing communications

Sync may also use your personal information for purposes such as:

  • Letting you know about new or upgraded Sync products and services; and
  • Inviting you to participate in customer surveys or other opinion-gathering devices.

We will ask you for your prior consent before contacting you accordingly and the legal basis for such processing of your personal information is your consent (Art. 6 (1) (a) GDPR). Where you are able to subscribe to periodic information updates (e.g. our newsletters), we are using the double-opt-in method (confirmation of your email address by confirmation email before the first marketing communication is sent) in order to verify consent. You may withdraw your consent at any time with future effect which will not affect the processing of your personal information being undertaken until the withdrawal by

  • using the unsubscribe link in the email we have sent you, or
  • changing your media preferences in your control panel, or
  • contacting us at help@sync.com.

Transfer of personal information

We use service providers or other third parties to help us provide our products or services to you. Such service providers may have access to your personal information. Regardless of where these service providers or other third parties are located, we require that they also comply with the GDPR and the applicable data protection laws. We use the following categories of service providers or other third parties:

We share your personal information with service providers for billing purposes and payment processing (Paypal, U.S., Bitpay, U.S., Zuora Inc., U.S.), for sales and technical support (Helpscout, U.S., Slack Technologies Inc., U.S., ZenDesk Inc., U.S.), for transactional email communications (SendGrid,U.S., MailJet, U.S.), for data analytics (Mixpanel, U.S.), and for marketing communications (MailChimp, U.S.). These third parties are prohibited from using your personal information for any purposes other than as stipulated in this Privacy Policy.

Additional use of personal information

Should your personal information be processed for other purposes than those outlined in this Privacy Policy or other purposes than the ones your personal information has been originally been collected for, we will provide you with information on that other purpose and any other relevant information as referred to in this Privacy Policy.

Cookies

Our Website uses cookies. Cookies are small text files that are placed on your computer by the websites that you visit. These text files are used to help identify when you return to a website. Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your computer, when you have gone offline, while session cookies are deleted, as soon as you close your web browser. You are free to decline these cookies by configuring the appropriate web browser settings; however, doing so may negatively impact your experience using our website.

We use cookies which are strictly necessary to provide you with the services requested by you. The legal basis for such use of cookies is Art. 6 (1) (b) GDPR. Moreover, we are using marketing and advertising cookies and the legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest in processing your personal information in this context is to optimize the services of our Website, to customize the user experience and to offer you advertising tailored to your interests.

We also use cookies to collect information on your usage of our Website for monitoring and debugging purposes to help us improve our product and services. Information collected includes IP address, anonymized errors logs, and the type of web browser and platform you use. We never collect encryption keys, passwords or unencrypted file data, unless you request us to do so. The legal basis for this are our legitimate interests (Art. 6 (1) (f) GDPR) in keeping our Website error-free and to optimize our Website.

The use of cookies by third-party service providers are not covered by this Privacy Policy.

Data retention

We delete or anonymize your personal information as soon as it is no longer required for the purposes we have collected your personal information as outlined in this Privacy Policy, unless further processing or storage of your personal information is necessary in order to comply with a respective legal obligation.

We will retain your Encrypted Data for as long as your account is active. You can cancel your account at any time, which will permanently delete your Encrypted Data. In addition, when sharing, you control the deletion of data shared with other users.

Moreover, we will retain your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

If you want to learn more about our data retention concept, please contact our Privacy Office at privacyofficer@sync.com.

Information about your rights

You have the following rights:

  • Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether or not your personal information is being processed, and, where that is the case, to request access to the personal information and information such as the purposes of the processing or the categories of personal information concerned.
  • Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal information.
  • Right to erasure (Art. 17 GDPR): You have the right to request erasure of personal information without undue delay under certain circumstances, e.g. if your personal information is no longer necessary for the purposes for which it was collected or if you withdraw consent on which processing is based according to Art. 6 (1) (a) GDPR and where there is no other legal ground for processing.
  • Right to restriction of processing (Art. 18 GDPR): You have the right to request us to restrict the processing of your personal information under certain circumstances, e.g. if you think that the personal information we process about you is incorrect or unlawful.
  • Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal information under certain circumstances, in particular if we process your personal information on the legal basis of legitimate interest (Art. 6 (1) (f) GDPR) or if we use your personal information for marketing purposes.
  • Right to data portability (Art. 20 GDPR): Under certain circumstances, you have the right to receive your personal information you have provided us with, in a structured, commonly used and machine-readable format and you have the right to transmit that information to another controller without hindrance or ask us to do so.
  • You can assert your abovementioned rights by contacting our Privacy Office at privacyofficer@sync.com.

Automated individual decision-making

We don’t use your personal information for automated decision-making, including profiling.

Right to lodge a complaint before the data protection authority

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement if you consider that our processing of your information relating to you infringes the GDPR. Please contact our Privacy Office at privacyofficer@sync.com and we will provide you with detailed information as regards the contact details of the respective supervisory authority.


This file was last modified on July 6, 2023.

Copyright © 2024 Sync.com, Inc.
Terms of service · Privacy policy · GDPR