Privacy Policy

• Google account data — your name, email address, and profile picture, obtained via Google OAuth when you sign in.
• Google Calendar events — event titles, descriptions, start and end times, fetched via the Google Calendar API to populate your board.
• Photos you upload — images you attach to events, stored on Hetzner Object Storage in Germany.
• Transactional emails — your email address is used to send a welcome email when you register and a confirmation email when you delete your account.
• Server logs — IP addresses, request timestamps, and HTTP status codes, retained for a maximum of 30 days for security and debugging purposes.
• Rate limiting — IP addresses (for unauthenticated routes) or user IDs (for authenticated routes) are held in server memory to enforce request limits. This data is not persisted to disk and is cleared on server restart.

• Google account profile (name, email, profile picture) — used solely to identify your account and display your name within the app.
• Google Calendar events (read-only) — event titles, descriptions, start and end times are fetched and stored to populate your personal kanban board.

This data is used exclusively to provide the core functionality of Synqboard. Specifically:

• — Google data is not used for advertising, profiling, or any purpose unrelated to the service.
• — Google data is not transferred, sold, or disclosed to third parties except as necessary to operate the service (infrastructure listed in section 11).
• — We do not allow any person to read your Google Calendar data unless you have explicitly granted access or it is required for security or legal compliance.
• — Access is limited to the minimum scopes required: openid, email, profile, and calendar.readonly.

Synqboard's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

• — sell, rent, or share your data with third parties
• — use your data for advertising or profiling
• — store the content of your calendar events beyond what is needed to display them

• Account and calendar data — stored in a PostgreSQL database on Hetzner Cloud (Germany).
• Photos you upload — stored in Hetzner Object Storage (Germany).
• Google OAuth tokens — encrypted at rest using AES-256-GCM before being stored in the database. Used solely to sync your calendar on your behalf and never shared.
• Session data — stored in a secure, HTTP-only cookie on your device.
• Server logs — retained for a maximum of 30 days, then deleted.

All data associated with your account is permanently deleted when you delete your account via Settings → Danger Zone.

• Encryption in transit — all connections between your browser and our servers use TLS (HTTPS). Unencrypted HTTP requests are redirected to HTTPS.
• Encryption at rest — Google OAuth access tokens and refresh tokens are encrypted using AES-256-GCM with a server-side key before being stored in the database. The encryption key is stored as an environment variable and is never exposed to clients.
• Access control — all API endpoints require authentication. Every database query is scoped to the authenticated user, ensuring users can only access their own data.
• Rate limiting — API requests are rate-limited per user to prevent abuse and protect service availability.
• Minimal data storage — we only store the data necessary to provide the service. Google Calendar events are synced read-only, and we do not store data beyond what is displayed in the app.
• Secure session management — sessions are stored in secure, HTTP-only cookies that are not accessible to client-side JavaScript.
• Infrastructure — all servers and storage are hosted exclusively in Germany (Hetzner Cloud) within the EU. No data is transferred outside the EU.
• Account deletion — when you delete your account, all associated data (profile, calendar events, uploaded files, tokens) is permanently and immediately removed from the database and cloud storage.

• Google LLC — OAuth authentication and Calendar API. Governed by Google's Privacy Policy and the Google API Services User Data Policy.
• Cloudflare, Inc. — analytics service (Cloudflare Web Analytics).
• Hetzner Online GmbH — server and object storage infrastructure, Germany. A Data Processing Agreement is in place.
• Mailgun Technologies (EU) — transactional email delivery. Used to send welcome and account deletion confirmation emails. Email data is processed within the EU. Governed by Mailgun's Privacy Policy.