Privacy Policy

Last updated: 2026-06-05 · Scope: website synapse-app.at, native Synapse apps and the associated server services.

Note: The English version is provided for reader convenience only. Only the German version is legally binding.

Protecting your personal data is important to us. We process your data exclusively on the basis of the statutory provisions (GDPR, Austrian Data Protection Act, TKG 2021). In this declaration we inform you about the most important aspects of data processing within the scope of Synapse.

1. Controller

[First and last name / company name]
[Street and house number]
[Postal code] [City], Austria
Email: support@synapse-app.at

2. What data we process

a) Account data

At registration we collect: email address, username and a password hash (bcrypt — the plain-text password is never stored or logged). Optional: Google account ID when using "Sign in with Google".

b) Notebook content

If you use cloud sync, your notebooks, drawings and embedded media (images, PDFs, audio) are transmitted encrypted to our server and stored there. The content is accessible only to you (bound to your bearer token).

c) Billing data

When you take out a paid subscription, the payment data is processed directly by Stripe Payments Europe, Ltd. (see point 5). We ourselves store only the Stripe customer ID, the plan code, the validity date and the status. Credit card data never reaches our server.

d) Technical data / server logs

On every access, IP address, user agent, timestamp and called URL are stored in the server log for a maximum of 14 days (legal basis: Art. 6(1)(f) GDPR — legitimate interest in IT security and abuse detection). After that the logs are automatically rotated and deleted.

e) AI usage data

When you use AI features (handwriting recognition, math solving, chat), the selected content (image excerpt, text) is transmitted to Google Gemini (see point 5) at the time of the request. We do not store the request itself, only the token count consumed, the model used and the timestamp, which we use to track usage against your daily limit.

3. Purposes and legal bases

  • Performance of contract (Art. 6(1)(b) GDPR): account management, provision of the Synapse app, cloud sync.
  • Legitimate interest (Art. 6(1)(f) GDPR): IT security, abuse detection, server logs.
  • Legal obligation (Art. 6(1)(c) GDPR): retention obligations under UGB / BAO for invoices (7 years).
  • Consent (Art. 6(1)(a) GDPR): where we explicitly request your consent.

4. Retention period

  • Account data: until you delete the account. Invoice-related data is retained for 7 years under UGB/BAO and then deleted.
  • Notebook content: until you delete it, or up to 30 days after account deletion (recovery window).
  • Server logs: automatically rotated after 14 days.
  • AI usage data: daily statistics retained for a maximum of 30 days.

5. Recipients / processors

We share data with the following recipients — exclusively within the framework of the respective data processing agreements (Art. 28 GDPR):

  • IONOS SE, Karlsruhe (DE) — server hosting. Location: Germany (EU).
  • Cloudflare R2 (Cloudflare, Inc., US / EU region) — object storage for notebook snapshots. EU region active.
  • Stripe Payments Europe, Ltd., Dublin (IE) — payment processing. Privacy: stripe.com/at/privacy.
  • Google Ireland Limited (Gemini API) — AI inference for handwriting, math, chat. Privacy: policies.google.com/privacy. Note: content is not used for model training under Google's terms.
  • Let's Encrypt (ISRG, US) — TLS certificates.

6. Transfer to third countries

If data is transferred to third countries outside the EU/EEA (e.g. Google in the US), this is done on the basis of Standard Contractual Clauses of the EU Commission and/or within the framework of the EU-US Data Privacy Framework, which Google and Cloudflare have joined.

7. Cookies and similar technologies

This website uses no tracking cookies. We use only functional browser storage (localStorage) to keep your sign-in session. This data never leaves your browser. On logout it is removed again.

8. Your rights

You have the following rights at any time:

  • Information (Art. 15 GDPR) — which data do we have about you?
  • Rectification (Art. 16 GDPR) — have incorrect data corrected.
  • Erasure (Art. 17 GDPR) — "right to be forgotten". Can be exercised any time in the app under Account → Delete account.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR) — export of all your data as ZIP. Request via support.
  • Objection (Art. 21 GDPR).
  • Complaint to the supervisory authority: Austrian Data Protection Authority (DSB), Barichgasse 40–42, 1030 Vienna.

To exercise your rights, an informal email to support@synapse-app.at is sufficient.

9. Data security

  • All connections are TLS-encrypted (HTTPS, at least TLS 1.2).
  • Passwords are stored exclusively as bcrypt hashes (the plain text never appears in logs or the database).
  • Bearer tokens are stored server-side only as SHA-256 hashes.
  • Daily database backups, 14-day retention, encrypted storage.
  • Server configuration: firewall (ufw), fail2ban against brute force, key-only SSH, regular security updates.

10. Changes to this privacy policy

We reserve the right to adapt this privacy policy if features or the legal situation change. Material changes will be communicated in the app and by email.


Note: This template provides a legally compliant starting point but does not replace individual legal advice.