Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller responsible for data processing on this website and for the CYNC software is:

2. Overview

We take data protection seriously and treat your personal data confidentially in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and other applicable data protection laws.

3. Data We Collect

3.1 Website Visits

This website is hosted on Cloudflare Pages. When you visit the site, Cloudflare may collect technical data such as your IP address, browser type, and access timestamps for the purpose of content delivery and security. Cloudflare acts as a data processor on our behalf. See the Cloudflare Privacy Policy for details.

We do not use any analytics tools, tracking cookies, or advertising networks on this website.

3.2 License Purchase (Stripe)

When you purchase a license via our checkout, payment is processed by Stripe, Inc. Stripe collects the following data directly:

• Full name
• Email address
• Billing address
• Company / organisation name (required field in checkout)
• Payment details (card number, expiry, CVC)

We do not store your payment card details. Stripe acts as an independent data controller for payment processing. See the Stripe Privacy Policy.

After a successful purchase, we receive from Stripe: your name, email address, billing address, company name, and the purchased license tier (number of users). This data is stored in a Cloudflare D1 database as an order record and is forwarded to our self-hosted automation server for license key generation. The license key is then delivered to the email address you provided during checkout via Gmail (Google SMTP). We do not share this data with any other parties.

3.3 License Activation

When you activate a CYNC license key, the software sends the following data to our activation server (cync-license.it-baer.net):

• A machine fingerprint - a SHA-256 hash derived from Windows registry values (machine GUID and product ID). This is a one-way hash; we cannot derive the original values from it.
• A hash of the license key - never the full key itself.
• The license ID embedded in the key.

This data is stored in a Cloudflare D1 database (SQLite), exclusively for the purpose of enforcing single-machine licensing. When you deactivate a license, the activation record is deleted.

3.4 Free Tier Usage

If you use CYNC under the free tier (up to 10 users), the software sends periodic heartbeat data to our server containing:

• A SHA-256 hash of your tenant ID (not the tenant ID itself)
• A machine fingerprint (same SHA-256 hash as described above)
• The number of enabled target users on your instance

This data is used solely to prevent free-tier stacking (running multiple free instances to bypass the user limit). No personal data or tenant identifiers are stored — only one-way hashes.

3.5 CYNC Software (On-Premises)

The CYNC Windows Service runs entirely on your own infrastructure. It accesses Microsoft Entra ID user profiles and Exchange Online contact folders via the Microsoft Graph API using credentials you configure. This data stays within your Microsoft 365 tenant and your server - we have no access to it.

The only outbound connections the software makes to our servers are for license activation and periodic license verification.

4. Legal Basis for Processing

We process personal data based on the following legal grounds (Art. 6 GDPR):

• Contract performance (Art. 6(1)(b)) - processing necessary to deliver the purchased license and provide support.
• Legitimate interest (Art. 6(1)(f)) - license activation to prevent unauthorised use; website hosting and security.
• Legal obligation (Art. 6(1)(c)) - retention of invoicing data as required by Austrian tax law (BAO).

5. Data Retention

• Activation records: stored only while the license is active; deleted upon deactivation.
• Purchase records (name, email, invoice): retained for 7 years as required by Austrian tax law (§ 132 BAO).
• Website access logs: managed by Cloudflare according to their retention policy (typically up to 72 hours).

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be shared with the following categories of processors in the course of providing the service:

• Stripe, Inc. - payment processing (USA; EU Standard Contractual Clauses apply)
• Cloudflare, Inc. - website hosting, CDN, activation server hosting, order database (USA; EU Standard Contractual Clauses apply)
• Google LLC - transactional email delivery of license keys via Gmail SMTP (USA; EU Standard Contractual Clauses apply)

7. International Data Transfers

Stripe, Cloudflare, and Google are US-based companies. Data transfers to the United States are secured by EU Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical measures (encryption in transit and at rest).

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Access (Art. 15) - request a copy of the data we hold about you.
• Rectification (Art. 16) - request correction of inaccurate data.
• Erasure (Art. 17) - request deletion of your data, subject to legal retention obligations.
• Restriction (Art. 18) - request restricted processing.
• Data portability (Art. 20) - receive your data in a machine-readable format.
• Objection (Art. 21) - object to processing based on legitimate interest.

To exercise any of these rights, contact us at admin@it-baer.net. We will respond within 30 days.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully. The competent authority in Austria is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde) at www.dsb.gv.at.

10. Cookies

This website does not use cookies for tracking or analytics. No cookie consent banner is required. Stripe may set technically necessary cookies during the checkout process, which are subject to Stripe’s own privacy policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “last updated” date.

12. Contact

For questions or requests regarding data protection, contact us at admin@it-baer.net.