Privacy Policy

Personal Data Administrator

I. Definitions

• Administrator / Operator – Daniel Siwek conducting business activity at ul. Wiosenna 2/247, 03-749 Warszawa, NIP: 1132989706.
• Service – the SyncBooster platform available at syncbooster.pl and related applications.
• User – a natural person using the Service.
• Account – an individual User profile created in the Service.
• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
• Personal Data – any information relating to an identified or identifiable natural person.
• Processing – any operation performed on personal data (collection, recording, storage, modification, disclosure, erasure).
• Data Processor – a third party to which the Administrator entrusts the processing of personal data based on a data processing agreement.

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and protect your data when using the SyncBooster social media management platform ("Service").

SyncBooster is a comprehensive AI-powered tool that helps businesses and creators manage their social media presence across multiple platforms, including Facebook, Instagram, LinkedIn, and Google Business Profile.

This Policy applies from the moment you start using the Service or create an Account.

2. Legal Basis for Data Processing

We process your personal data based on the following legal grounds under GDPR (Article 6(1)):

3. What Data We Collect

3.1 Personal Data You Provide

• Account Data: First and last name, email address, password provided during registration
• Profile Data: Profile picture, bio, and other optional information
• Communication: Messages sent through contact forms and support channels
• Billing Data: Company name, tax ID, address for invoicing purposes

3.2 Authentication Data

• Google OAuth: When logging in with Google, we receive your name, email, and profile picture
• Email Verification: We collect and verify email addresses for account security
• Session: Tokens and session information for secure access (processed by SuperTokens)

3.3 Social Media Account Data

• Connected Platforms: Information about accounts (Facebook, Instagram, LinkedIn, Google Business Profile)
• Access Tokens: OAuth tokens and permissions to publish on your behalf
• Metadata: Profile names, follower counts, and other public data

3.4 Content and Posts

• Post Content: Texts, images, videos, and other media uploaded for publication
• Scheduled Content: Posts scheduled for future publication
• Drafts: Saved drafts and content templates
• Files: Images, videos, and documents uploaded to the platform (stored in MinIO)

3.5 Usage Data and Analytics

• Logs: IP addresses, device information, browser type, access time
• Usage Patterns: Platform interactions, features used, time spent
• Performance: Performance metrics and error logs (processed by Sentry)
• API Usage: Interactions with connected platforms

3.6 Data Processed by Artificial Intelligence

• AI Assistant Conversations: Chat content and queries directed to the AI assistant
• Contextual Data: Information about your business, communication style, and target audience provided during the initial interview
• Website Analysis: Data from your public website used to understand your brand
• Generated Content: Posts and content generated by AI based on your data

4. How We Use Data

4.1 Service Delivery

• Account Management: Creating and maintaining user accounts
• Authentication: Identity verification and secure session management
• Social Media Management: Publishing content to connected accounts
• Content Storage: Secure storage of posts, media, and drafts
• Platform Integrations: Connecting and managing social media accounts
• AI Content Generation: Creating personalized social media content using artificial intelligence

4.2 Payments and Invoicing

• Transaction Processing: Processing payments for subscriptions and services
• Invoice Generation: Issuing VAT invoices through iFirma
• Tax Compliance: Storing data required by tax law

4.3 Communication and Support

• Notifications: Sending information about account and services
• Support: Responding to inquiries and providing technical assistance
• Security Alerts: Informing about threats and incidents

4.4 Platform Improvement

• Analytics: Understanding how the platform is used (Google Analytics, Hotjar)
• Error Monitoring: Identifying and resolving technical issues (Sentry)
• AI Monitoring: Tracking AI model quality and performance (Langfuse)
• Optimization: Improving speed and reliability

4.5 Marketing

• Meta Pixel: Conversion tracking and building advertising audiences (consent-only)
• Google Tag Manager: Managing analytics and marketing tags (consent-only)

5. AI Processing and Personalization

SyncBooster uses artificial intelligence to personalize content and improve user experience. This section explains how AI processes your data in compliance with GDPR and the EU AI Act (Regulation 2024/1689).

5.1 AI Service Providers Processing Your Data

To provide AI functionality, your data (including chat content, queries, business information, and conversation context) may be transmitted to the following external providers:

5.2 AI Content Personalization

• Learning Process: AI analyzes your business information, communication style, and target audience through an initial interview
• Website Analysis: AI examines your public website to understand your brand voice and business context
• Content Generation: Based on collected data, AI creates personalized social media posts matching your style
• Continuous Improvement: AI adapts to your feedback and preferences over time

5.3 Legal Basis and Transparency

• Legal Basis: AI processing is necessary for contract performance (Art. 6(1)(b) GDPR)
• No Automated Decisions: AI does not make decisions that significantly affect your rights – it only assists in content creation
• Human Control: You maintain full control over all AI-generated content and can modify or reject any suggestions
• Data Sources: AI uses data you provide directly, data from your website analysis, and social media API data
• No Training on Your Data: Your data is not used to train external AI provider models. Data is processed solely to generate responses to your queries.

5.4 AI Monitoring and Quality (Langfuse)

To ensure quality and monitor AI service performance, we use Langfuse GmbH (Germany/EU). Langfuse records metadata from AI interactions (response times, model type, token counts) to help us optimize service quality. Conversation content may be processed for error diagnostics. This data is stored on EU servers.

6. Data Processors

To properly deliver the Service, the Administrator entrusts the processing of Users' personal data to the following entities, based on data processing agreements pursuant to Article 28 GDPR:

The Administrator enters into a data processing agreement with each processor in accordance with Article 28 GDPR, ensuring an appropriate level of data protection. Processors are obligated to process data exclusively within the scope and purpose determined by the Administrator.

7. International Data Transfers

Due to the use of services from entities headquartered outside the EEA, Users' personal data may be transferred to third countries, particularly the United States. Data transfers are based on the following legal grounds:

• Standard Contractual Clauses (SCC): We use EU Commission-approved clauses (Implementing Decision 2021/914) with all non-EU providers
• EU-US Data Privacy Framework (DPF): Additional protection for transfers to certified US companies based on the European Commission's Implementing Decision of 10 July 2023
• Art. 49(1)(b) GDPR: Transfer necessary for performance of a contract with the data subject

Countries Where We Transfer Data:

You have the right to obtain a copy of data transferred outside the EEA and information about the safeguards applied. Requests should be directed to: privacy@syncbooster.pl.

8. Data Retention Period

We retain personal data for specific periods based on the purpose of processing and legal requirements:

• Account Data: Until account deletion + 30 days (for backup and recovery purposes)
• Access Logs (IP, Browser): 12 months (for security and fraud prevention)
• Analytics Cookies (GA4, Hotjar): Maximum 14 months
• OAuth Tokens: Until account disconnection or revocation
• AI-Generated Content: Until account deletion + 30 days
• AI Interaction Logs (Langfuse): 90 days
• Error Logs (Sentry): 90 days
• Backup Data: Up to 90 days after account deletion
• Communication Data: 3 years (for customer support and legal compliance)
• Invoice and Payment Data: 5 years after the end of the fiscal year (obligation under Polish Accounting Act, Art. 74)
• Marketing Data (Meta Pixel): Maximum 180 days

After the retention period expires, we securely delete or anonymize your personal data, except where we are legally required to retain it longer (e.g., tax regulations, statute of limitations for claims).

9. Data Security

9.1 Technical Safeguards

• Encryption: Data transmission using HTTPS/TLS protocol
• Secure Storage: Encrypted databases and cloud infrastructure
• Access Control: Strict permission and role management
• Audits: Regular security and vulnerability testing
• Secure AI Communication: Connections to AI providers are encrypted (TLS) and authenticated with API keys

9.2 Operational Safeguards

• Training: Data protection practices for the team
• Incident Response: Procedures for handling data breaches (in accordance with Art. 33-34 GDPR)
• Backups: Regular data backups
• Monitoring: Continuous monitoring of threats and unauthorized access (Sentry)

10. Your Rights

10.1 Your GDPR Rights

As a data subject, you have the following rights:

• Right of Access (Art. 15): Right to obtain information about the processing of your data and to receive a copy
• Right to Rectification (Art. 16): Right to correct inaccurate or supplement incomplete data
• Right to Erasure (Art. 17): Right to request deletion of data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Right to request restriction of processing in certain circumstances
• Right to Data Portability (Art. 20): Right to receive your data in a structured, commonly used, machine-readable format
• Right to Object (Art. 21): Right to object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for analytics cookies at any time without affecting the lawfulness of processing before withdrawal
• Right Not to Be Subject to Automated Decision-Making (Art. 22): Right not to be subject to a decision based solely on automated processing, including profiling

10.2 How to Exercise Your Rights

• Account Settings: Access, correct, or delete data through your account dashboard
• Email: Send a request to privacy@syncbooster.pl with subject "Data Rights Request"
• Cookie Management: Use our cookie banner or browser settings
• Response Time: We will respond to your request within 30 days of receipt (Art. 12(3) GDPR)

10.3 Right to Lodge a Complaint

If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with the supervisory authority:

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Service. This section provides detailed information in compliance with the ePrivacy Directive and GDPR.

11.1 Types of Cookies We Use

Essential Cookies (No Consent Required)

• SuperTokens Session Cookies: Required for user authentication and secure login sessions
• Security Cookies: Protect against fraud and ensure platform security
• Functional Cookies: Remember your preferences and settings

Analytics Cookies (Consent Required)

• Google Analytics 4:
  • Purpose: Website traffic analysis and user behavior insights
  • Data: Anonymized IP addresses, page views, session duration
  • Retention: Maximum 14 months
  • Provider: Google LLC (USA) with Standard Contractual Clauses
• Hotjar:
  • Purpose: Heatmaps, session recordings, and UX optimization
  • Data: Mouse movements, clicks, scroll behavior (no personal data)
  • Retention: Maximum 14 months
  • Provider: Hotjar Ltd (Malta/USA) with Standard Contractual Clauses

Marketing Cookies (Consent Required)

• Meta Pixel (Facebook Pixel):
  • Purpose: Conversion tracking, remarketing, building advertising audiences
  • Data: Website actions, pixel identifiers
  • Retention: Maximum 180 days
  • Provider: Meta Platforms Ireland Ltd (Ireland/USA)

11.2 Cookie Consent Management

• Google Consent Mode v2: We implement a compliant consent management mechanism
• Granular Control: You can accept all, reject non-essential, or customize preferences
• Easy Withdrawal: Change your preferences anytime through our cookie banner or browser settings
• No Pre-checked Boxes: All consent is opt-in

11.3 Third-Party Privacy Policies

• Google Analytics: https://policies.google.com/privacy
• Hotjar: https://www.hotjar.com/legal/policies/privacy
• Meta (Facebook): https://www.facebook.com/privacy/policy/
• OpenAI: https://openai.com/policies/privacy-policy
• Anthropic: https://www.anthropic.com/privacy
• Perplexity: https://www.perplexity.ai/privacy
• Sentry: https://sentry.io/privacy/
• Tpay: https://tpay.com/polityka-prywatnosci

12. Children's Privacy

The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from persons under 16. If we discover that we have collected data from a person under that age, we will immediately delete the data and terminate the account.

13. Privacy Policy Changes

The Administrator reserves the right to amend this Privacy Policy in the event of changes in processing practices, technology, or legal requirements. We will notify you of significant changes by:

• Publishing a new version on this page with an updated date
• Sending an email notification to registered users
• Displaying a prominent notice on our website

Continued use of our Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

We will respond to your inquiry within 30 days. For complaints about data protection, you can also contact the Polish data protection authority (UODO) as described in section 10.3.

15. Consent and Final Provisions

By using SyncBooster, you confirm that you have read and understood this Privacy Policy and agree to our data processing practices as described herein.

Important: Consent for analytics cookies (Google Analytics 4, Hotjar) and marketing cookies (Meta Pixel) is voluntary and can be withdrawn at any time without affecting your ability to use the core features of our Service.

This Privacy Policy is governed by Polish law. Matters not regulated herein are subject to the provisions of GDPR, the Polish Act of 10 May 2018 on Personal Data Protection, and the Polish Act of 18 July 2002 on Electronic Services.

If you do not agree with any part of this Privacy Policy, please do not use our Service.