This Privacy Policy explains how SYNQ handles your personal data. SYNQ is operated by Sascha Kissling as a sole proprietorship (Einzelunternehmen) under Swiss law: Sascha Kissling Grindelstrasse 59b 8604 Volketswil Switzerland admin@joinsynq.ch For privacy-related inquiries, write to admin@joinsynq.ch. We aim to respond within 14 days. This policy applies to our website at joinsynq.ch and our mobile apps for iOS and Android.

We collect the following categories of personal data: Account information — email address, password hash, display name, profile photo (optional), date of birth. Profile information — bio, languages spoken, interests, activity preferences, home neighborhood (if you choose to set one). Activity data — activities you host, activities you've joined, RSVPs, circles you're a member of. Communication data — chat messages and connection requests (stored for delivery; not used for advertising or mining). Usage data — pages visited, features used, time spent, app version. Device data — IP address, device type, operating system version, locale, timezone. Location data — precise GPS coordinates (only when you grant permission; only while using the app). AI interaction data — text prompts submitted to AI features (for draft generation, content moderation, or image generation). Generated outputs are stored as part of your content.

We use personal data to: • Operate the service (delivering messages, showing activities near you, authentication). • Personalize your experience (suggested activities, smart scheduling). • Safety and moderation (automated content and image screening via AI). • Analytics (understand feature usage in aggregate — never at an individual level for ad targeting). • Fraud prevention and platform security. • Legal compliance (responding to lawful requests, enforcing our Terms of Service). Legal bases under GDPR Art. 6 and Swiss FADP Art. 31: performance of contract (providing the service you signed up for), legitimate interest (safety, fraud prevention, analytics at aggregate level), and consent (AI features, optional location, tracking on iOS via ATT).

SYNQ uses AI features to help you discover activities, draft posts, search, and generate images. These features are powered by Google's Gemini and Imagen APIs. When you use an AI feature, the information you provide (for example, a draft activity description or a search query) is sent to Google's servers for processing. Google processes this data according to their Vertex AI data terms, and we do not allow our data to be used for training Google's models. We transmit only the minimum information necessary — we do not send your connections, your messages to other users, or private profile information to AI services unless you explicitly use a feature that requires it. You can choose not to use AI features at any time; non-AI features of SYNQ work independently of these services.

We share personal data only with the following categories of processors, each under a written data processing agreement and only to the extent necessary for the stated purpose: Google LLC (United States and regional data centers) — Firebase services (authentication, Firestore database, Cloud Functions, Cloud Storage, Cloud Messaging, Analytics for Firebase, App Check, Crashlytics), Vertex AI (Gemini + Imagen 4.0 for AI features), Google Maps (activity locations), Google Sign-In (optional authentication method). Transfer basis: Swiss–U.S. Data Privacy Framework (active since September 2024), EU–U.S. DPF, and Standard Contractual Clauses as fallback. For users in the European Economic Area, the contracting entity is Google Cloud EMEA Limited, Ireland. Meta Platforms, Inc. (United States) — Facebook Login and Facebook SDK app events, for users who sign in with Facebook or when campaign attribution is active and iOS ATT permission has been granted. Limited Data Use is enabled for Swiss and EEA users. Transfer basis: Standard Contractual Clauses and Facebook Data Processing Agreement. Apple Inc. (United States) — Sign in with Apple (for users who choose this method) and SKAdNetwork (privacy-preserving ad attribution). Transfer basis: Standard Contractual Clauses. Stripe, Inc. (United States) and Stripe Payments Europe, Ltd. (Ireland) — subscription billing for paying customers. Transfer basis: Standard Contractual Clauses with EU processor entity. Functional Software, Inc. d/b/a Sentry (United States) — error monitoring and crash reporting. Transfer basis: Standard Contractual Clauses. Resend, Inc. (United States) — transactional email delivery (invitations, password resets, notifications). Transfer basis: Standard Contractual Clauses. We do not sell personal data. We do not share data with third-party advertisers except for the privacy-preserving SKAdNetwork and Facebook attribution events described above, and only on iOS when you have granted App Tracking Transparency permission (default off).

SYNQ's backend services are currently hosted by Google Cloud Platform in us-central1 (Iowa, United States). All user data is stored and processed in this region. Migration to europe-west6 (Zurich, Switzerland) is planned before full public launch. For Swiss users: transfers to the U.S. rely on the Swiss–U.S. Data Privacy Framework (adequacy decision in force since September 2024). For EEA users: transfers to the U.S. rely on the EU–U.S. DPF, with Standard Contractual Clauses as fallback. For UK users: UK Extension to the EU–U.S. DPF, with the UK International Data Transfer Agreement as fallback. Google, Meta, Apple, Stripe, Sentry, and Resend are certified under the relevant Data Privacy Frameworks where applicable, and have signed Standard Contractual Clauses with us as an additional safeguard.

Account data — retained for the life of your account. Deleted or anonymized within 24 hours after you delete your account via Profile → Settings → Delete Account. Chat messages — retained while your account is active. Anonymized on account deletion (your name replaced with "Deleted user"; your connections can still read the conversation history they were part of, but cannot identify you). Activities you hosted — retained for historical record to other attendees. Your name anonymized on deletion. Moderation logs — retained 12 months from creation, for safety audit purposes; then deleted. Server access logs — 30 days. Aggregated analytics (no personal identifiers) — indefinite. Backup copies — may persist for up to 35 days in cloud-provider backups before being overwritten.

Under GDPR (Art. 15-22) and Swiss FADP (Art. 25-28) you have the right to: • Access — request a copy of your personal data (Profile → Settings → Data Export, or email admin@joinsynq.ch). • Rectification — edit directly in your profile, or email. • Erasure — Profile → Settings → Delete Account. Completes within 24 hours. • Restriction — email admin@joinsynq.ch to restrict specific processing activities. • Portability — data export is JSON format, machine-readable. • Objection — opt out of AI features in Settings; opt out of analytics tracking via the iOS ATT prompt (App Settings) or by declining analytics on web. • Withdraw consent — where processing is based on consent (AI features, optional location, ATT tracking), you can withdraw at any time. • Right to complain — Swiss users may contact the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch. EEA users may contact their national data protection authority. UK users may contact the Information Commissioner's Office.

Our website uses the minimum cookies necessary to operate: session tokens for authentication and language preference cookies. We do not set third-party advertising cookies. We do not engage in cross-site tracking on joinsynq.ch. On mobile, the iOS App Tracking Transparency prompt controls whether Facebook SDK events may be transmitted with identifier-for-advertiser data. If you decline, we use only privacy-preserving SKAdNetwork attribution.

You must be at least 16 years old to create an account. This aligns with GDPR Art. 8 (digital consent threshold in most EU member states, including Germany and Ireland) and Swiss FADP capacity-of-judgment doctrine. We do not knowingly collect personal data from anyone under 16. If you learn that a child has created an account, contact admin@joinsynq.ch and we will delete the account within 48 hours of verification.

Precise location is accessed only when you grant explicit permission through your device settings. On iOS, we request "While Using the App" access — never "Always" background access. On Android, we request foreground-only location. Location is used in-session to show activities near you and is not stored on our servers beyond the session unless you explicitly pin a home neighborhood. Location is never shared with advertisers and is never used for ad targeting. You can revoke location permission at any time in your device settings; the app remains functional with a city-level default.

TLS 1.3 for data in transit. AES-256 at rest (Google Cloud default encryption). Authentication managed by Firebase Authentication with Argon2/bcrypt password hashing for email/password accounts, and OAuth 2.0 / OIDC for federated identity providers. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify affected users and the relevant data protection authority within 72 hours of discovery, per GDPR Art. 33–34 and FADP Art. 24.

We may update this Privacy Policy to reflect changes to our practices, technology, or legal requirements. Material changes will be announced via in-app notification and by email to the address on your account. The "Last updated" date at the top of this policy reflects the most recent version. Continued use of SYNQ after the effective date constitutes acceptance of the updated policy.

For any privacy questions, to exercise your rights, or to submit a complaint: Sascha Kissling (operating as SYNQ) Grindelstrasse 59b 8604 Volketswil Switzerland admin@joinsynq.ch We are not required to appoint a Data Protection Officer under Swiss FADP for a controller of our current scope. All privacy matters go to admin@joinsynq.ch.

Pursuant to Article 13 of the EU Digital Services Act (DSA), SYNQ will appoint a designated legal representative in the European Union before public launch in EU markets. Until appointed, EU residents can contact us directly at admin@joinsynq.ch for any DSA-related correspondence. The appointed representative's name and address will be published here once the contract is in place.