Privacy Policy
Last updated: March 18, 2026
1. Introduction
Welcome to SyncUp. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service. SyncUp is a synchronized video watching platform that allows users to watch content together in real time.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws in the European Union.
2. Data Controller
SyncUp operates as the data controller for the personal data collected through this service. Our service is hosted within the European Union.
3. Data We Collect
We collect minimal personal data to provide our service:
- Display name: A name you choose to identify yourself to other users in watch rooms. This is required to use the service.
- Email address: Required if you choose to create a registered account. Used for account authentication, recovery, and essential service communications.
- Profile picture (optional): If you upload a profile picture, we store it securely. We automatically remove metadata (EXIF data) from uploaded images for your privacy.
- Usage data: We collect information about your watch sessions (rooms joined, videos watched, session duration) to provide service features and improve our platform.
- Session security data: When you sign in, we automatically record your IP address and browser user agent string. This data is stored as part of your authentication session for security purposes (detecting unauthorized access) and is deleted when your session expires.
You can use SyncUp without creating an account. Anonymous users have full access to watch party features but cannot recover their session if they lose access.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract performance: Processing your email and display name is necessary to provide you with our service.
- Legitimate interests: We may process data for security purposes and to improve our service.
- Consent: Where required, we will obtain your consent before processing data for specific purposes such as marketing communications.
5. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Provide the synchronized video watching service
- Send essential service-related communications
- Maintain the security of our platform
- Improve and develop our service
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with our service:
- Account data: Retained while your account is active. Deleted immediately when you delete your account.
- Session data: Authentication sessions expire after 30 days of inactivity and are then automatically deleted.
- Usage data: Watch session history is retained for up to 2 years to provide you with viewing statistics, then automatically deleted.
- Profile pictures: Deleted immediately when you remove them or delete your account.
If you delete your account, all your personal data is deleted immediately, except where we are required to retain it for legal purposes or to protect our legitimate interests (such as defending against legal claims).
7. Third-Party Services
We use the following third-party services to operate our platform. These services may process your data according to their own privacy policies:
- Google Analytics: We use Google Analytics to understand how visitors use our service. This data is collected only if you consent to analytics cookies. Google Analytics collects anonymized usage data such as pages visited and session duration. See Google's Privacy Policy.
- Brevo (email service): We use Brevo to process contact form submissions. When you contact us, your name, email, and message are processed through Brevo. See Brevo's Privacy Policy.
- LiveKit: Used for real-time voice communication in watch rooms. Audio streams are processed during active voice sessions only and are not recorded or stored. See LiveKit's Privacy Policy.
- DiceBear: Used to generate default avatar images. Only your display name is used to generate a unique avatar. See DiceBear's Privacy Policy.
- YouTube / Google: Videos are embedded using YouTube's player. YouTube may set cookies when you interact with embedded videos. See Google's Privacy Policy.
- Twitch / Amazon: Twitch streams are embedded using Twitch's player. Twitch may collect viewing data when you watch embedded streams. See Twitch's Privacy Policy.
- Klipy: Used for GIF search functionality in chat. Search queries are sent to Klipy's API. See Klipy's Privacy Policy.
- S3-compatible storage: Profile pictures you upload are stored on an S3-compatible storage service hosted in the EU.
We do not sell your personal data to third parties. All third-party processors we use are compliant with GDPR and process data only as necessary to provide their services to us.
8. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access: You can request a copy of all personal data we hold about you. Contact us via our contact form and we will provide your data within 30 days.
- Right to rectification: You can update your display name and email address directly in your account settings. For other corrections, please contact us.
- Right to erasure: You can delete your account at any time through your account settings. This will permanently delete all your personal data. Alternatively, contact us and we will delete your data within 30 days.
- Right to restrict processing: You can request that we limit how we use your data while we address any concerns you have. Contact us to make this request.
- Right to data portability: You can request a copy of your data in a structured, machine-readable format (JSON). Contact us via our contact form and we will provide your data export within 30 days.
- Right to object: You can object to processing based on legitimate interests. Contact us to raise an objection and we will review your request.
- Right to withdraw consent: Where we process data based on your consent (such as analytics cookies), you can withdraw consent at any time by clearing your browser cookies and selecting "Reject All" on the cookie consent banner.
We will respond to all data rights requests within 30 days. If your request is complex, we may extend this by up to 60 additional days, but we will inform you of any extension and the reasons for it.
If you believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection authority.
9. Cookies
We use cookies to provide and improve our service. We categorize cookies as follows:
- Essential cookies: Required for authentication and basic functionality. These cannot be disabled.
- Analytics cookies: Help us understand how you use our service. Only set with your consent.
When you first visit our site, you will see a cookie consent banner where you can accept or reject non-essential cookies. To change your preferences later, clear your browser cookies for our site and the consent banner will appear again on your next visit.
For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. International Data Transfers
Our service is hosted within the European Union. Some of our third-party service providers (such as Google) may process data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other legally recognized transfer mechanisms
You can contact us if you would like more information about the specific safeguards applied to the transfer of your personal data.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/HTTPS
- Secure password hashing using industry-standard algorithms
- Regular security reviews and updates
- Access controls limiting who can access personal data
- Automatic removal of metadata from uploaded images
12. Children's Privacy
Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately so we can take appropriate action to delete that information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us through our contact form.
When contacting us about your data rights, please include enough information to help us verify your identity and locate your data (such as the email address associated with your account).
We aim to respond to all enquiries within 30 days.