SyncMyDay
Sign in Sign up

Privacy Policy

Operator: SyncMyDay — Lukas Slehofer, Kurzova 2222/16, 155 00 Prague 5, VAT ID: CZ7912150191

Last updated: 2025-12-20

Scope and Purpose

This Privacy Policy explains how we process personal data in connection with the provision of SyncMyDay. We follow Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll., on Personal Data Processing. This policy is governed by Czech law.

Categories of Data Processed

  • Identification and contact data (e.g., email, name)
  • Account and authentication data (OAuth identifiers, tokens)
  • Billing data if you purchase Pro (handled via Stripe)
  • Technical and usage data (logs, device/browser metadata)
  • Calendar synchronization metadata (start/end times, status). We do not store event titles, descriptions or attendees.
  • Inbound email processing metadata for email calendars
  • Support communications
  • Cookie identifiers where applicable
  • Minimal IP addresses for security and anti‑abuse
  • Payment transaction identifiers via our payment provider
  • Webhook subscription identifiers
  • Encryption keys and key identifiers required for service operation
  • Data strictly necessary to comply with legal obligations
  • Any additional data you voluntarily provide
  • We do not process special categories of personal data intentionally

Google Calendar Data Processing

SyncMyDay's use and transfer of information received from Google Calendar will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed from Google

When you connect your Google Calendar, we request the following permissions:

  • https://www.googleapis.com/auth/calendar — Full access to your calendars, allowing us to read, create, and modify calendar metadata
  • https://www.googleapis.com/auth/calendar.events — Access to calendar events, allowing us to read, create, modify, and delete events
  • Offline access (access_type=offline) — Refresh tokens for maintaining continuous synchronization without repeated logins

We access the following data from your Google Calendar:

  • Calendar metadata (calendar names, IDs, time zones, colors)
  • Event details (titles, descriptions, start/end times, locations, attendees, recurrence rules, reminders, status)
  • Event identifiers and modification timestamps for synchronization tracking
  • Refresh tokens for long-term access (obtained through offline access)

Offline Access and Refresh Tokens

We request offline access to your Google Calendar, which allows us to:

  • Maintain continuous synchronization: Keep your calendars synchronized automatically in the background, even when you're not actively using SyncMyDay
  • Process scheduled sync operations: Run synchronization at scheduled intervals without requiring you to log in repeatedly
  • Ensure reliability: Maintain uninterrupted service without access token expiration interrupting your calendar synchronization

Refresh tokens: When you connect your Google Calendar with offline access, we receive a refresh token that allows us to obtain new access tokens automatically. These refresh tokens:

  • Are stored encrypted separately with additional key encryption in our secure database
  • Are used exclusively to maintain your calendar synchronization
  • Are immediately revoked and deleted when you disconnect your calendar or delete your account
  • Can be revoked by you at any time through your Google Account permissions
  • Remain valid until you revoke access or change your Google account password

We do not use offline access for any purpose other than maintaining your calendar synchronization. We never access your calendar data when synchronization is paused or after you disconnect the calendar.

How We Use Google Calendar Data

We use Google Calendar data exclusively to provide the core calendar synchronization service:

  • Synchronizing events between your Google Calendar and other connected calendars (Microsoft Outlook, CalDAV, or email calendars)
  • Creating, updating, and deleting events across your connected calendars according to your sync rules
  • Maintaining synchronization state to prevent duplicates and ensure bidirectional sync works correctly
  • Displaying your calendars and events in our web interface for configuration and management purposes

We do not use Google Calendar data for any other purposes, including advertising, AI training, or analytics beyond what is strictly necessary for synchronization.

Sharing of Google Calendar Data

We do not sell, rent, or share your Google Calendar data with third parties for their own purposes. Your calendar data is shared only in the following limited circumstances:

  • With other calendar services you connect: When you set up a sync rule, event data is transmitted to the destination calendar service (e.g., Microsoft Outlook, CalDAV server) to create or update synchronized events
  • With technical service providers: We use secure hosting infrastructure to store and process your data. These providers act as data processors under strict contractual obligations and do not have independent access to your calendar content
  • As required by law: We may disclose data if legally required (e.g., court order), but only to the minimum extent necessary

Data sharing between your calendars happens only when you explicitly configure sync rules. You have full control over which calendars sync and which data flows between them.

Storage and Protection of Google Calendar Data

We implement comprehensive security measures to protect your Google Calendar data:

  • Encryption: All data is encrypted in transit using TLS/SSL and at rest in our database using AES-256 encryption
  • Access tokens: Google OAuth tokens are encrypted separately with additional key encryption to prevent unauthorized access
  • Access control: Strict access controls ensure only authorized system components can access your calendar data
  • Principle of least privilege: Our systems request only the minimum necessary permissions and access
  • Regular security updates: We maintain up-to-date security patches and monitoring
  • Secure infrastructure: Data is stored in professionally managed data centers with physical and digital security measures

Your Google Calendar data is stored only for as long as necessary to provide the synchronization service. Synchronized event metadata is stored in our database to track sync state, but event content is not permanently stored beyond what's needed for active synchronization.

Retention and Deletion of Google Calendar Data

You have full control over your Google Calendar data:

  • Disconnect calendar: You can disconnect your Google Calendar at any time from your account settings. When disconnected, we stop accessing your Google Calendar and delete associated OAuth tokens and sync state within 30 days
  • Delete account: Deleting your SyncMyDay account immediately stops all calendar synchronization. All your calendar data, sync rules, and OAuth tokens are permanently deleted within 30 days
  • Revoke access: You can revoke SyncMyDay's access to your Google Calendar at any time through your Google Account permissions page
  • Data retention: We retain Google Calendar data only while your calendar remains connected and active. Event metadata needed for synchronization is kept for the duration of the active sync relationship
  • Legal retention: Some minimal technical logs may be retained for legitimate interests (security, fraud prevention) for up to 90 days, but these do not include calendar event content

Microsoft Outlook/365 Calendar Data Processing

SyncMyDay's use of Microsoft Graph API complies with Microsoft API Terms of Use and respects user data privacy.

Data Accessed from Microsoft

When you connect your Microsoft Outlook or Microsoft 365 Calendar, we request the following permissions:

  • Calendars.Read — Read access to your calendars and events
  • Calendars.ReadWrite — Full access to read, create, modify, and delete calendar events
  • offline_access — Permission to maintain access and refresh tokens for continuous background synchronization

We access the following data from your Microsoft Calendar:

  • Calendar metadata (calendar names, IDs, time zones, colors)
  • Event details (titles, descriptions, start/end times, locations, attendees, recurrence rules, reminders, status, sensitivity)
  • Event identifiers and modification timestamps for synchronization tracking
  • Refresh tokens for long-term access (obtained through offline_access permission)

Offline Access and Refresh Tokens

We request the offline_access permission for your Microsoft Calendar, which enables us to:

  • Continuous background synchronization: Automatically sync your calendars in the background without requiring repeated logins
  • Reliable service delivery: Maintain uninterrupted access to your calendar data for synchronization purposes
  • Scheduled operations: Process sync rules at regular intervals automatically

Refresh tokens: The offline_access permission provides us with a refresh token for long-term access. These tokens:

  • Are encrypted and securely stored in our database with additional security measures
  • Are used solely for calendar synchronization operations
  • Are deleted within 30 days after disconnection or account deletion
  • Can be revoked anytime through Microsoft Account App permissions
  • Remain valid until you revoke access or change your Microsoft account password

Offline access is essential for automatic calendar synchronization and is not used for any other purpose. We only access your calendar when synchronization is active.

How We Use Microsoft Calendar Data

We use Microsoft Calendar data exclusively for calendar synchronization:

  • Synchronizing events between your Microsoft Calendar and other connected calendars (Google, CalDAV, or email calendars)
  • Creating, updating, and deleting events according to your sync rules
  • Maintaining synchronization state to prevent duplicates
  • Displaying your calendars and events in our interface for management

We do not use Microsoft Calendar data for advertising, marketing, AI training, or any purpose beyond calendar synchronization.

Sharing of Microsoft Calendar Data

Your Microsoft Calendar data is shared only when you explicitly configure sync rules to other calendar services you connect. We do not sell or share your data with third parties for their own purposes. Technical service providers have access only under strict data processing agreements.

Storage and Protection of Microsoft Calendar Data

Microsoft OAuth tokens and calendar data are encrypted with AES-256 encryption at rest and TLS/SSL in transit. Access controls ensure only authorized system components can process your data.

Retention and Deletion of Microsoft Calendar Data

You can disconnect your Microsoft Calendar anytime, delete your account, or revoke access through your Microsoft Account App permissions. Upon disconnection or account deletion, all associated data is deleted within 30 days.

Apple iCloud & CalDAV Calendar Data Processing

SyncMyDay supports Apple iCloud calendars and other CalDAV-based calendar services. We respect user privacy in accordance with industry standards and GDPR.

Data Accessed from CalDAV Services

When you connect a CalDAV calendar (including Apple iCloud), you provide server credentials that allow us to access:

  • Calendar metadata (calendar names, IDs, time zones, colors)
  • Event details (titles, descriptions, start/end times, locations, attendees, recurrence rules, alarms, status)
  • Event identifiers (UIDs) and modification timestamps for synchronization

How We Use CalDAV Calendar Data

We use CalDAV calendar data exclusively for synchronization with other calendars you connect. Data is processed only to:

  • Synchronize events bidirectionally between your CalDAV calendar and other services
  • Create, update, and delete events according to your sync rules
  • Track synchronization state to prevent duplicates
  • Display calendars and events in our interface

CalDAV data is never used for advertising, analytics, or any purpose beyond synchronization.

Sharing of CalDAV Calendar Data

CalDAV calendar data is shared only with other calendar services you explicitly connect through sync rules. Your CalDAV credentials and data are not shared with third parties for their own purposes.

Storage and Protection of CalDAV Data

CalDAV credentials (usernames, passwords, app-specific passwords) are encrypted separately with strong encryption. All calendar data is encrypted at rest (AES-256) and in transit (TLS/SSL). We use secure connections to CalDAV servers.

Retention and Deletion of CalDAV Data

You can disconnect your CalDAV calendar or delete your SyncMyDay account anytime. All CalDAV credentials, tokens, and synchronized data are permanently deleted within 30 days. For Apple iCloud, you can also revoke app-specific passwords through your Apple ID account.

Legal Bases for Data Processing

We process your personal data in accordance with GDPR (Regulation (EU) 2016/679) and Czech Act No. 110/2019 Coll., on Personal Data Processing. The legal bases for our data processing activities are:

  • Performance of contract (Article 6(1)(b) GDPR, Section 5(1)(b) of Czech Act No. 110/2019 Coll.): Processing necessary to provide SyncMyDay services, including calendar synchronization, account management, and service delivery
  • Legal obligation (Article 6(1)(c) GDPR, Section 5(1)(c) of Czech Act No. 110/2019 Coll.): Processing required by Czech law, including:
    • Accounting and tax obligations (Act No. 563/1991 Coll., Accounting Act)
    • Record retention requirements (Act No. 235/2004 Coll., VAT Act)
    • Anti-money laundering obligations where applicable
  • Legitimate interests (Article 6(1)(f) GDPR, Section 5(1)(f) of Czech Act No. 110/2019 Coll.): Processing necessary for our legitimate interests or those of third parties, including:
    • Security and fraud prevention
    • Service improvement and technical diagnostics
    • Protection of our legal rights
    • Aggregate analytics for service optimization
    We have conducted a legitimate interest assessment confirming that these interests are not overridden by your rights and freedoms.
  • Consent (Article 6(1)(a) GDPR, Section 5(1)(a) of Czech Act No. 110/2019 Coll.): Where required, we obtain your explicit consent for:
    • Certain cookies (pursuant to Czech Act No. 127/2005 Coll., Electronic Communications Act, Section 89)
    • Marketing communications (if you opt in)
    You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Applicable law: This Privacy Policy and all data processing is governed by Czech law, specifically GDPR as directly applicable EU regulation and Czech Act No. 110/2019 Coll., on Personal Data Processing. Our supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ).

Data Retention Periods

We retain personal data only as long as necessary for the purposes described in this policy:

  • Active account data: Retained for the duration of your active account
  • Calendar connections: OAuth tokens, sync state, and calendar data are deleted within 30 days after you disconnect a calendar or delete your account
  • Technical logs: System logs for security and error tracking are retained for up to 90 days. These logs do not include calendar event content, only technical metadata
  • Billing records: Invoices and payment records are retained for 10 years to comply with Czech accounting and tax law requirements
  • Support communications: Retained for up to 3 years for quality assurance and legal protection purposes
  • Anonymized analytics: Aggregate anonymized usage statistics may be retained indefinitely as they cannot identify individuals

Third-Party Service Providers and Data Processors

We work with carefully selected third-party service providers who process data on our behalf under strict data processing agreements (DPAs). We do not sell your data to third parties. Our processors include:

  • Hosting providers: Infrastructure providers that host our application and databases in secure data centers. They have access to encrypted data at rest but cannot decrypt calendar content without our encryption keys
  • Payment processor (Stripe): Handles payment processing and subscription management. Stripe processes your payment card details directly; we never store full card numbers
  • Email service providers: Transactional email delivery for account notifications, password resets, and support communications
  • Monitoring and error tracking: Services that help us monitor application performance and diagnose technical issues. These receive minimal technical metadata only
  • Calendar service providers: Google, Microsoft, Apple, and CalDAV server operators process your calendar data when you explicitly connect these services for synchronization

All third-party processors:

  • Are bound by data processing agreements ensuring GDPR compliance
  • Process data only on our instructions and for specified purposes
  • Implement appropriate technical and organizational security measures
  • Do not use your data for their own purposes
  • Must notify us of any data breaches

International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). When data is transferred to third countries, we ensure adequate protection through:

  • Adequacy decisions: We prioritize providers in countries recognized by the European Commission as providing adequate data protection (e.g., UK, Switzerland, countries covered by Privacy Shield successor frameworks)
  • Standard Contractual Clauses (SCCs): For transfers to other countries, we use EU-approved Standard Contractual Clauses ensuring the same level of protection as within the EU
  • Additional safeguards: We implement technical measures such as encryption in transit and at rest, access controls, and regular security audits

Our main data processing occurs within the EU. Specific international transfers include:

  • Hosting infrastructure: Primary servers located in the EU; backup systems may be in countries with adequacy decisions
  • Calendar services: When you connect Google, Microsoft, or Apple calendars, your calendar data is synchronized with servers operated by these providers in their respective jurisdictions according to their privacy policies
  • Payment processing: Stripe processes payments globally but maintains GDPR compliance through appropriate safeguards

Your Privacy Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete personal data
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data
  • Right to restriction: Limit how we process your data in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format and transfer it to another service
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent (does not affect prior processing)
  • Right to lodge a complaint: File a complaint with a supervisory authority (in the Czech Republic: ÚOOÚ)
  • Right to information about automated decision-making: We do not make decisions based solely on automated processing that significantly affects you
  • Right to be informed about data breaches: We will notify you if a data breach affects your rights and freedoms

How to Exercise Your Rights

You can exercise your rights through the following methods:

Self-Service Options

  • Delete your account: Go to Account Settings → Delete Account. This will permanently delete all your data within 30 days
  • Disconnect calendars: Go to Calendar Connections → Disconnect. OAuth tokens and sync data will be deleted within 30 days
  • Export your data: Go to Account Settings → Export Data to download your sync rules and configuration
  • Update your information: Edit your profile and account settings directly in the application

Contact Us for Assistance

For other privacy requests or questions, contact us at:

  • Email: support@syncmyday.eu
  • Subject line: "Privacy Request - [Your Request Type]"
  • Include: Your registered email address and a description of your request

We will respond to your request within 30 days as required by GDPR. For complex requests, we may extend this period by an additional 60 days and will inform you of the extension.

Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data:

  • Encryption: AES-256 encryption for data at rest; TLS/SSL for data in transit
  • Access controls: Role-based access restrictions; principle of least privilege
  • Authentication security: Secure password hashing; OAuth 2.0 for calendar connections
  • Infrastructure security: Professionally managed data centers with physical security; regular security updates and patches
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Backup and recovery: Regular encrypted backups with secure retention
  • Incident response: Documented procedures for security incident handling

Contact Information

Data Controller: Lukas Slehofer, Kurzova 2222/16, 155 00 Prague 5, Czech Republic, VAT ID: CZ7912150191

Privacy inquiries: support@syncmyday.eu

General support: support@syncmyday.eu

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you of changes:

  • Material changes: We will notify you via email and/or a prominent notice in the application at least 30 days before the changes take effect
  • Minor changes: We will update the "Last updated" date at the top of this policy
  • Your acceptance: Continued use of SyncMyDay after the effective date constitutes acceptance of the updated policy
  • Review recommended: We encourage you to review this policy periodically

If you do not agree with changes to this policy, you may delete your account before the changes take effect.