Privacy Policy

1. Introduction

Welcome to SyncUp. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service. SyncUp is a synchronized video watching platform that allows users to watch content together in real-time.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws in the European Union.

2. Data Controller

SyncUp is operated by Roan de Graaf as an independent sole proprietor, acting as the data controller for the personal data collected through this service. The service is hosted within the European Union.

The fastest way to reach the data controller about anything in this policy is the contact form. Messages received there are monitored personally and are the appropriate channel for data subject requests.

3. Data We Collect

We collect minimal personal data to provide our service:

• Display name: A name you choose to identify yourself to other users in watch rooms. This is required to use the service.
• Email address: Required if you choose to create a registered account. Used for account authentication, recovery, and essential service communications.
• Profile picture (optional): If you upload a profile picture, we store it securely. We automatically remove metadata (EXIF data) from uploaded images for your privacy.
• Usage data: We collect information about your watch sessions (rooms joined, videos watched, session duration) to provide service features and improve our platform.
• Session security data: When you sign in, we automatically record your IP address and browser user agent string. This data is stored as part of your authentication session for security purposes (detecting unauthorized access) and is deleted when your session expires.

You can use SyncUp without creating an account. Anonymous users have full access to watch party features but cannot recover their session if they lose access.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

• Contract performance: Processing your email and display name is necessary to provide you with our service.
• Legitimate interests: We may process data for security purposes and to improve our service.
• Consent: Where required, we will obtain your consent before processing data for specific purposes such as marketing communications.

5. How We Use Your Data

We use your personal data to:

• Create and manage your account
• Provide the synchronized video watching service
• Send essential service-related communications
• Maintain the security of our platform
• Improve and develop our service

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our service:

• Account data: Retained while your account is active. Deleted immediately when you delete your account.
• Session data: Authentication sessions expire 30 days after they are last used, after which the session token is no longer valid. Session records (including the IP address and user agent captured for security) are deleted when the associated account is deleted.
• Usage data: Watch session history, in-room chat messages, and direct messages are retained for as long as your account is active so you can view your history. All of it is deleted when you delete your account.
• Consent records: Records of your cookie consent choices (whether you accepted or rejected analytics cookies, and the version of this policy in effect at the time) are retained for up to 3 years as required to demonstrate compliance with GDPR.
• Profile pictures: Deleted immediately when you remove them or delete your account.

If you delete your account, all your personal data is deleted immediately, except where we are required to retain it for legal purposes or to protect our legitimate interests (such as defending against legal claims).

7. Third-Party Services

We use the following third-party services to operate our platform. These services may process your data according to their own privacy policies:

• Google Analytics: We use Google Analytics to understand how visitors use our service. This data is collected only if you consent to analytics cookies. Google Analytics collects anonymized usage data such as pages visited and session duration. See Google's Privacy Policy.
• Polar (payments): All subscription and one-time payments are processed by Polar, who acts as the Merchant of Record. Polar processes your payment details, billing address, and purchase history. See Polar's Privacy Policy.
• Brevo (email service): We use Brevo to send all service emails, including email verification messages, password reset messages, and contact form submissions. When you contact us or receive an account email, your email address and message content are processed through Brevo. See Brevo's Privacy Policy.
• LiveKit: Used for real-time voice communication in watch rooms. Audio streams are processed during active voice sessions only and are not recorded or stored. See LiveKit's Privacy Policy.
• DiceBear: Used to generate default avatar images. Only your display name is used to generate a unique avatar. See DiceBear's Privacy Policy.
• YouTube / Google:Videos are embedded using YouTube's player. YouTube may set cookies when you interact with embedded videos. See Google's Privacy Policy.
• Twitch / Amazon:Twitch streams are embedded using Twitch's player. Twitch may collect viewing data when you watch embedded streams. See Twitch's Privacy Policy.
• Klipy:Used for GIF search functionality in chat. Search queries are sent to Klipy's API. See Klipy's Privacy Policy.
• S3-compatible storage: Profile pictures you upload are stored on an S3-compatible storage service hosted in the EU.

We do not sell your personal data to third parties. All third-party processors we use are compliant with GDPR and process data only as necessary to provide their services to us.

8. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Right of access: You can request a copy of all personal data we hold about you. Contact us via our contact form and we will provide your data within 30 days.
• Right to rectification: You can update your display name and email address directly in your account settings. For other corrections, please contact us.
• Right to erasure: You can delete your account at any time through your account settings. This will permanently delete all your personal data. Alternatively, contact us and we will delete your data within 30 days.
• Right to restrict processing: You can request that we limit how we use your data while we address any concerns you have. Contact us to make this request.
• Right to data portability: You can request a copy of your data in a structured, machine-readable format (JSON). Contact us via our contact form and we will provide your data export within 30 days.
• Right to object: You can object to processing based on legitimate interests. Contact us to raise an objection and we will review your request.
• Right to withdraw consent:Where we process data based on your consent (such as analytics cookies), you can withdraw consent at any time by clearing your browser cookies and selecting "Reject All" on the cookie consent banner.

We will respond to all data rights requests within 30 days. If your request is complex, we may extend this by up to 60 additional days, but we will inform you of any extension and the reasons for it.

If you believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection authority.

9. Cookies

We use cookies to provide and improve our service. We categorize cookies as follows:

• Essential cookies: Required for authentication and basic functionality. These cannot be disabled.
• Analytics cookies: Help us understand how you use our service. Only set with your consent.

When you first visit our site, you will see a cookie consent banner where you can accept or reject non-essential cookies. To change your preferences later, clear your browser cookies for our site and the consent banner will appear again on your next visit.

For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

10. International Data Transfers

Our service is hosted within the European Union. Some of our third-party service providers (such as Google) may process data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other legally recognized transfer mechanisms

You can contact us if you would like more information about the specific safeguards applied to the transfer of your personal data.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS
• Secure password hashing using industry-standard algorithms
• Regular security reviews and updates
• Access controls limiting who can access personal data
• Automatic removal of metadata from uploaded images

12. Children's Privacy

SyncUp is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you become aware that a child under 13 has provided us with personal data, please contact us and we will delete it.

If you are based in a European country where the age of digital consent under GDPR Article 8 is higher than 13, you must have permission from a parent or legal guardian to use the service until you reach that age. Parents or guardians can contact us at any time to request deletion of a minor's data.

13. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information. The rights described in section 8 (access, deletion, correction, portability) apply to you and you can exercise them through the same contact form.

We do not sell your personal informationand we do not "share" it for cross-context behavioral advertising as those terms are defined by the CCPA/CPRA. You therefore do not need to submit a "Do Not Sell or Share My Personal Information" request, but you may still contact us if you have any concerns. We do not use sensitive personal information for any purpose that would trigger the right to limit its use.

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.