Privacy Policy

Last updated: March 24, 2026

SyncMaster ("we", "us", or "our") operates the SyncMaster calendar synchronization service available at syncmaster.pl. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service.

1. Data Controller

The data controller responsible for your personal data is SyncMaster, reachable at contact@syncmaster.pl.

2. Data We Collect

We collect the following personal data when you use SyncMaster:

• Account data: email address and hashed password when you register
• Property data: property names, iCal URLs you provide for synchronization
• Booking data: booking information fetched from iCal feeds (guest count, dates)
• Technical data: IP address (for rate limiting, stored in memory only, not persisted), session tokens
• Notification data: email or ntfy topic you configure for alerts

3. How We Use Your Data

• To provide calendar synchronization and conflict detection between booking platforms
• To send you booking alerts and conflict notifications you configure
• To authenticate your account securely via session tokens
• To protect our service from abuse (rate limiting, session cleanup)

4. Legal Basis (GDPR)

We process your data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the service you signed up for
• Legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, abuse protection
• Consent (Art. 6(1)(a) GDPR): for optional notification channels and cookies

5. Cookies and Local Storage

We use strictly necessary local storage to keep you logged in (session token). We do not use tracking cookies or third-party advertising cookies. If you consent, we may use analytics or chat support cookies as disclosed in our cookie banner.

6. Data Sharing

We do not sell your personal data. We may share data with:

• Infrastructure providers: our server is hosted on Hetzner (EU datacenter). Your data stays within the EU.
• Email delivery: if you configure SMTP or Resend email notifications, messages are sent via those providers

7. Data Retention

We retain your data for as long as your account is active. Inactive accounts and all associated data are deleted after 12 months of inactivity. You may delete your account at any time by contacting us. Sessions expire after 7 days of inactivity.

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Delete your data ("right to be forgotten", Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Lodge a complaint with your supervisory authority

To exercise these rights, contact us at contact@syncmaster.pl.

9. Security

We protect your data using industry-standard measures: passwords are hashed using scrypt with unique salts, all data is transmitted over HTTPS (TLS 1.2+), and session tokens are cryptographically random. We perform regular database backups.

10. iCal URLs and Third-Party Platforms

Your iCal URLs point to Airbnb, Booking.com, VRBO, Tripadvisor, and Google Calendar servers. We fetch calendar data from these URLs on your behalf. We do not share your iCal URLs with third parties. These platforms have their own privacy policies.

11. Children's Privacy

SyncMaster is not directed at children under 16. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy. We will notify you by updating the "Last updated" date above. Continued use of the service constitutes acceptance of the updated policy.

13. Contact

Questions? Contact us at contact@syncmaster.pl.