Privacy Policy

Last updated: 30 March 2026

1. Who We Are

SyncBeacon (“we”, “us”, “our”) is a server-side conversion tracking platform operated from the European Union. We act as a Data Processor on behalf of our customers (merchants), who remain the Data Controller of their end-user storefront data.

For questions about this policy, contact us at privacy@syncbeacon.cloud.

2. What Data We Collect

2.1 Merchant Account Data

When you register, we collect:

  • Email address (used for authentication and billing notifications)
  • Company name (optional)
  • Hashed password (bcrypt — we never store plain-text passwords)
  • Selected subscription plan

2.2 Storefront Event Data (Processed on Behalf of Merchants)

When your browser tracker or server-side webhook fires, SyncBeacon ingests:

  • Event type (Purchase, AddToCart, InitiateCheckout, PageView, etc.)
  • Order value, currency, and product identifiers (SKU)
  • Pseudonymous click identifiers (gclid, fbclid, ttclid, etc.)
  • SHA-256 hashed email and phone number — never plain-text PII
  • Consent signals from the end-user’s cookie banner (marketing consent source & status)

We do not collect end-user names, postal addresses, IP addresses, or device fingerprints.

2.3 Payment Data

Payments are processed by Mollie B.V. (PCI DSS Level 1 certified). We never receive or store credit card numbers, IBAN details, or other payment instrument data. We only store your Mollie customer ID and subscription status.

3. How We Use Your Data

  • To provide the SyncBeacon service — forwarding conversion events to your configured ad platforms
  • To display analytics dashboards within your SyncBeacon account
  • To manage your subscription, billing, and support requests
  • To send transactional emails (account verification, password reset, billing receipts)
  • To detect and prevent fraud or abuse of the platform

We do not sell, rent, or share your data with third parties for their marketing purposes.

4. Legal Basis for Processing (GDPR Art. 6)

Purpose | Legal Basis
Service delivery | Contract performance (Art. 6(1)(b))
Billing & invoicing | Contract performance (Art. 6(1)(b))
Security & fraud prevention | Legitimate interest (Art. 6(1)(f))
EU tax compliance | Legal obligation (Art. 6(1)(c))
Marketing emails (future) | Consent (Art. 6(1)(a))

5. Data Retention

Storefront event data is retained according to your subscription plan:

Plan | Retention Period
Essentials | 7 days
Growth | 90 days
Enterprise | 1 year (365 days)

After the retention period, event data is automatically purged by a nightly background job.

Account data (email, company name, subscription records) is retained for the duration of your account and for up to 7 years thereafter for tax and legal compliance.

6. Data Sharing & Sub-Processors

We share data only with the following categories of recipients, all bound by data processing agreements:

Sub-Processor | Purpose | Location
Hetzner Online GmbH | Infrastructure hosting | Germany (EU)
Mollie B.V. | Payment processing | Netherlands (EU)
Ad platforms (Meta, Google, etc.) | Conversion event forwarding (on merchant’s instruction) | Global

7. International Transfers

Our servers are located in Germany (EU). Storefront event data may be transferred to ad platform servers outside the EEA when you configure a destination. These transfers are covered by the ad platforms’ own Standard Contractual Clauses (SCCs).

8. Your Rights (GDPR Art. 15–22)

As a merchant account holder, you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate account information
  • Erasure — request deletion of your account and all associated data
  • Portability — receive your event data in a machine-readable format (JSON)
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interest

You can exercise the first four rights from the GDPR Controls page in your dashboard, or email privacy@syncbeacon.cloud.

9. Security Measures

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed with bcrypt (cost factor 12)
  • Customer PII is SHA-256 hashed before storage
  • API authentication uses short-lived JWTs with refresh token rotation
  • Rate limiting, HMAC webhook signature verification, and nonce-based replay protection
  • Database backups are encrypted at rest

10. Cookies

The SyncBeacon dashboard uses only strictly necessary cookies and localStorage items for authentication (JWT tokens) and UI preferences (theme). We do not use tracking cookies, analytics scripts, or third-party advertising pixels on our own website.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email at least 14 days before they take effect.

12. Contact & Supervisory Authority

Data Protection Contact: privacy@syncbeacon.cloud

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority (e.g., the BfDI in Germany).