Early access opens soon — special launch offer.

Privacy Policy

How we collect, use, share, and protect personal information.

Last updated: April 20, 2026

This Privacy Policy describes how Syncek SL ("Syncek", "we", "us", "our") collects, uses, shares, and protects personal information in connection with the Syncek customer relationship management platform and the syncek.com website (together, the "Service"). It is issued under Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 of Personal Data Protection and Digital Rights (LOPDGDD), and Spanish Law 34/2002 on Information Society Services (LSSI-CE). By using the Service you acknowledge that your information will be handled as described here.

1. Who we are

Syncek SL is a sociedad limitada incorporated under the laws of Spain, with registered office in Valencia, Spain. We are the controller (responsable del tratamiento) of personal information we collect about account holders and website visitors. When our customers use the Service to store information about their own customers, leads, and contacts, Syncek acts as a processor (encargado del tratamiento) on their behalf; the customer remains the controller of that information, and the relationship is governed by our Data Processing Addendum (DPA).

The supervisory authority for Syncek in Spain is the Agencia Española de Protección de Datos (AEPD, www.aepd.es). We are not currently required to appoint a Data Protection Officer under Art. 37 GDPR; you may reach our privacy team at legal@syncek.com.

2. Information we collect

We collect the following categories of information:

  • Account information you provide when you sign up or subscribe — name, email address, password (stored hashed), workspace name, role, and company size.
  • Billing information needed to charge your subscription — billing name, address, VAT/fiscal identifier (NIF/NIF-IVA) where applicable, and the last four digits of the payment card together with the card brand. Full card details are collected and stored by Stripe, our payment processor; Syncek never sees or stores the full card number.
  • Customer Data you upload to the Service to operate your business — the contacts, companies, deals, notes, activities, files, and custom fields you create or import. Customer Data is your property; we process it on your instructions to provide the Service (see Section 5).
  • Usage and device information automatically collected as you interact with the Service — IP address, device and browser identifiers, approximate location derived from IP, pages viewed, features used, referring URLs, and timestamps. We use this information to operate and improve the Service and to detect abuse.
  • Communications you exchange with us — support tickets, emails, and survey responses, including any information you voluntarily include.
  • Cookies and similar technologies as described in our Cookie Policy.

We do not collect special categories of personal data (Art. 9 GDPR) in the ordinary operation of the Service, and we do not use your personal information to make automated decisions with legal or similarly significant effects on you (Art. 22 GDPR).

3. How we use information

We use the information we collect to:

  • Provide, maintain, secure, and improve the Service, including customer support.
  • Process subscriptions, invoices, refunds, and related billing activities, and send transactional notices (invoices, renewal reminders, security alerts, service updates).
  • Communicate with you about your account, product changes, and — with your consent where required — product news and educational content. You can unsubscribe from marketing messages at any time.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service or applicable law.
  • Comply with legal obligations, respond to lawful requests, and enforce our rights.
  • Produce aggregated or de-identified analytics that do not identify any individual, for research and product development.

4. Legal bases for processing

Under the GDPR, we process personal information on the following legal bases:

  • Performance of the contract (Art. 6(1)(b) GDPR) — to provide the Service you subscribed to, process payments, and deliver related communications.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to operate, secure, and improve the Service, prevent fraud and abuse, and keep customers informed of material product changes. We balance these interests against your rights and freedoms and will not rely on this basis where it is overridden by them.
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, and other legal requirements (e.g., retention of invoices under Spanish tax law).
  • Consent (Art. 6(1)(a) GDPR; Art. 22 LSSI-CE for electronic marketing and Art. 22.2 LSSI-CE for non-essential cookies) — for optional analytics cookies and marketing email to prospects. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Customer Data: our role as processor

When you upload contacts, companies, deals, and other records about individuals into your Syncek workspace, those individuals are data subjects and you are the controller of their information. You are responsible for providing notice to and, where required, obtaining the consent of those individuals, for defining a lawful basis under Art. 6 GDPR, and for responding to their requests to exercise data-subject rights. If a data subject contacts us about Customer Data, we will refer them to the relevant Syncek customer.

Our processing of Customer Data is governed by our Data Processing Addendum (DPA), which satisfies Art. 28 GDPR and incorporates the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and — for transfers to UK recipients — the UK International Data Transfer Addendum (IDTA). The DPA is accepted by you as part of the Terms of Service on a click-through basis; an executed PDF copy is available on request.

6. How we share information

We do not sell personal information and we do not share it for cross-context behavioral advertising. We disclose information only as follows:

  • Sub-processors that operate the Service on our behalf — cloud hosting, object storage and CDN, email delivery, payment processing, and web analytics. The current list is published on our Sub-processors page. Each sub-processor is bound by contract to confidentiality and to process personal information only on documented instructions.
  • Other workspace members. If you are invited to a workspace, the workspace owner and administrators can see your account information, workspace activity, and the Customer Data you contribute.
  • Business transfers. If Syncek is involved in a merger, acquisition, financing, reorganization, insolvency, or sale of assets, information may be transferred as part of that transaction, subject to customary confidentiality commitments.
  • Legal and safety. When we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a valid legal request, enforce our agreements, protect the rights, property, or safety of Syncek, our users, or the public, or investigate fraud or security issues.
  • With your consent or at your direction.

We will notify customers of material changes to the sub-processor list at least thirty (30) days in advance, giving reasonable objection rights as set out in the DPA.

7. Where your data is stored and international transfers

Primary data residency. Customer Data and account information are stored in data-center regions within the European Union. Backups are kept in the same regional scope.

International transfers. Some of our sub-processors operate outside the EU/EEA — in particular, Stripe (payment processing, United States), Resend (transactional email, United States), Cloudflare (object storage and CDN, global network), and Google LLC (Google Analytics 4, web analytics on the marketing site only, United States). Google Analytics is consent-gated: storage of advertising and analytics cookies is denied by default under Google Consent Mode v2, and we only record a cookieless, redacted measurement ping until you accept analytics in the cookie banner (legal basis: Art. 6(1)(a) GDPR, consent). Data retention is set to 14 months and Google Signals is disabled. When personal information is transferred to these recipients, we rely on the following safeguards under Chapter V GDPR:

  • EU-US Data Privacy Framework (DPF) adequacy for certified U.S. recipients (Commission Implementing Decision of 10 July 2023), where the recipient is self-certified;
  • EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) for recipients that are not DPF-certified;
  • UK International Data Transfer Addendum (IDTA) for onward transfers to UK recipients; and
  • Supplementary measures — TLS in transit, encryption at rest, strict access controls, and transfer-impact assessments where required.

8. How long we keep information

Retention is defined by category:

  • Account information — for as long as your account is active and up to twelve (12) months after closure, to handle disputes and enforce our agreements.
  • Customer Data — until you delete it or close your account. After deletion, Customer Data is removed from production systems promptly and from routine backups within thirty (30) days.
  • Billing and tax records — retained for the period required by Spanish and EU tax law (typically six to ten years; invoices under Art. 30 of the General Taxation Law are kept for six years).
  • Security and audit logs — typically ninety (90) days to twelve (12) months, depending on the log type.
  • Support communications — up to three (3) years after the last interaction.
  • Marketing preferences and unsubscribe records — retained for as long as needed to honor your choice.
  • Aggregated or anonymized data that cannot reasonably be linked to you may be retained indefinitely.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information — including TLS 1.2+ in transit, encryption at rest, least-privilege access controls, audit logging, automated vulnerability and dependency scanners, encryption of sensitive customer data such as API credentials and integration secrets using a key-management service, regular backups, and a formal incident-response process. For a detailed overview, see our Security page.

Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD (or other competent supervisory authority) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to you, we will also notify you within forty-eight (48) hours of confirmation (Art. 34 GDPR), except where we apply the exemptions set out in Art. 34(3) GDPR. No security program is perfect; we aim to keep you informed honestly when incidents occur.

10. Your privacy rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you and receive a portable copy (Arts. 15 and 20 GDPR).
  • Rectify information that is inaccurate or incomplete (Art. 16 GDPR).
  • Erase your personal information ("right to be forgotten", Art. 17 GDPR).
  • Restrict or object to certain processing — including direct marketing (Arts. 18 and 21 GDPR).
  • Withdraw consent where processing is based on consent (Art. 7(3) GDPR).
  • Not be subject to automated decision-making with legal or similarly significant effects (Art. 22 GDPR). Syncek does not engage in this kind of decision-making.
  • Lodge a complaint with the AEPD (www.aepd.es) if you reside in Spain, with your local data protection authority if you reside elsewhere in the EEA, with the Information Commissioner's Office (ICO, ico.org.uk) for UK residents, or with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for Swiss residents.

To exercise any of these rights, email legal@syncek.com. We will respond within the timeframes required by applicable law (one month under Art. 12(3) GDPR, extendable by two further months for complex requests). We may need to verify your identity before acting on a request. We do not discriminate against you for exercising your rights.

10.1 UK Representative

Syncek does not currently target the United Kingdom and has not yet appointed a UK Representative under Art. 27 UK GDPR. UK residents may contact us directly at legal@syncek.com; we will appoint a UK Representative if and when our UK user base materializes and update this Policy accordingly.

10.2 Additional rights for U.S. state residents (California and others)

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive privacy law, you have rights of access, correction, deletion, portability, and opt-out of targeted advertising or sale of personal information. Syncek does not sell personal information and does not share it for cross-context behavioral advertising or targeted advertising. You may designate an authorized agent to act on your behalf. California residents may request the categories and specific pieces of personal information we have collected about them in the past twelve months; the categories collected and the retention periods for each are described in Section 2 and Section 8 above. You will not receive discriminatory treatment for exercising any of these rights.

11. Children's privacy

The Service is not directed to children. Under Art. 8 GDPR and Art. 7 LOPDGDD, we do not knowingly collect personal information from anyone under the age of fourteen (14) in Spain or under the applicable age of consent in other EU member states (ranging from 13 to 16). For U.S. users, we do not knowingly collect personal information from anyone under thirteen (13) as prohibited by COPPA. If you believe a child has provided us personal information, contact us at legal@syncek.com and we will delete it.

12. Do Not Track and Global Privacy Control

We honor Global Privacy Control (GPC) signals sent by your browser as a valid request to opt out of sale or sharing under applicable U.S. state privacy laws. Because we do not sell or share personal information for cross-context behavioral advertising, a GPC signal does not change how we handle your information in practice, but we record it as a valid preference. We do not respond to legacy "Do Not Track" signals, which lack a common industry standard.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by applicable law, notify you in advance by email or through the Service. Your continued use of the Service after an update takes effect constitutes acceptance of the updated Policy.

14. Language

This Policy is published in English and Spanish for convenience. In the event of any discrepancy, inconsistency, or conflict between the two versions, the English version prevails, except where mandatory Spanish data- protection law requires otherwise for Spanish-resident data subjects.

15. Contact us

For questions about this Policy, to exercise your rights, or to request an executed copy of our DPA, contact us at legal@syncek.com. Registered-office, NIF, and Registro Mercantil information is published on our Legal Notice (Aviso Legal).