Synora

Legal

Privacy Policy

Last updated: May 13, 2026

This Privacy Policy explains how Synora Systems OÜ (“Synora”, “we”, “our”) collects, uses, stores and protects your personal data when you use the Synora application at app.synora.org and the marketing website at www.synora.org (together, the “Service”).

We are committed to processing your data lawfully, transparently and only to the extent strictly required to deliver the Service.

Privacy at a glance

  • Synora reads your Google Tasks and writes events to your Google Calendar to automatically schedule your to-dos.
  • We never sell your data, never use it for advertising, and never share it with third parties beyond the sub-processors listed in Section 7.
  • You can revoke Synora's access and permanently delete your account directly from inside the application at any time.
  • Synora's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. Data Controller

The party responsible for processing your personal data is:

Synora Systems OÜ
Sepapaja tn 6
15551 Tallinn, Estonia
Email: marcel@synora.org

3. Google User Data

When you sign in with Google, Synora requests access to specific data on your Google account. The exact scopes are:

(a) https://www.googleapis.com/auth/calendar.events

Used to create, read, update and delete calendar events that Synora schedules from your tasks. Synora only modifies events it has created itself; existing events you or other apps have created are never altered or deleted.

(b) https://www.googleapis.com/auth/tasks

Used to read your Google Tasks (title, due date, completion status) and to mark tasks as completed when their scheduled calendar event has passed. Synora does not create or delete tasks on your behalf.

(c) openid, userinfo.email, userinfo.profile

Standard identity scopes used to sign you in and to display your name/email inside the app.

We do not request, access or read your Gmail, Drive, Contacts, Photos or any other Google data.

Limited Use Disclosure

Synora's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data exclusively to deliver Synora's core scheduling functionality.
  • We do not transfer Google user data to third parties except as required to provide the Service through the sub-processors listed in Section 7, or as required by law.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data, except (i) with your explicit consent for specific support cases, (ii) as required for security purposes such as investigating abuse, or (iii) to comply with applicable law.

4. Account Data

When you create an account, we store the following information in our secured Firebase database (Google Cloud, region: europe-west3, Frankfurt):

  • Your Google account UID, email address and display name
  • An encrypted Google OAuth refresh token (used to schedule tasks in the background, including outside active browser sessions)
  • Your IANA time zone (e.g. Europe/Berlin)
  • Your application settings (e.g. auto-sync enabled/disabled)
  • A working copy of due-dated Google Tasks and the calendar events Synora has created for them, used to reconcile changes between Tasks and Calendar
  • Your subscription status (trial, active, expired, canceled) and the identifier of your Stripe customer record

5. Payment Data

If you subscribe to Synora Pro, payments are processed by Stripe Payments Europe, Limited (Ireland), our payment processor. Stripe handles all sensitive payment information directly; Synora never sees or stores your full credit card number, CVC, or bank details.

What we receive from Stripe and store on our side:

  • Your Stripe customer ID
  • Your Stripe subscription ID and its current status
  • Trial start and end dates
  • Anonymized payment events (e.g. “subscription renewed”, “payment failed”)

Stripe's processing of your payment data is governed by Stripe's own privacy policy: https://stripe.com/privacy

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

6. AI Processing

To calculate optimal scheduling, buffer times and slot suggestions, Synora uses Google's Gemini AI API (“Gemini for Google Cloud”, operated by Google Ireland Limited).

What we send to Gemini:

  • The titles and due dates of your tasks under consideration
  • The start/end times of your existing calendar events (titles are redacted in the prompt where possible)
  • Your time zone and active hours configuration

What we do NOT send to Gemini:

  • Your email address, name or other directly identifying information beyond what is required for scheduling
  • The content of events created by third parties (e.g. meeting notes, attachments)
  • Any data outside the calendar.events and tasks scopes

Google has confirmed that data sent to the Gemini API is not used to train Google's foundation models. See: https://cloud.google.com/gemini/docs/discover/data-governance

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

7. Sub-processors

We use the following carefully selected sub-processors to operate the Service. All transfers are governed by appropriate safeguards (EU Standard Contractual Clauses where applicable).

  • Google Ireland Limited (Firebase Authentication, Firestore database, Cloud Functions, Firebase Hosting, Firebase Cloud Messaging, Gemini API) — Primary processing region: europe-west3, Frankfurt, Germany
  • Stripe Payments Europe, Limited (Payment processing) — Primary processing region: European Union
  • Vercel Inc. (Marketing website hosting at www.synora.org) — Global edge network; primary processing in the United States and European Union
  • Plausible Insights OÜ (Cookieless website analytics on www.synora.org) — European Union

8. Data Retention

  • Account data (Section 4): retained as long as your account is active and you have not requested deletion.
  • Working copy of tasks and scheduled events: retained only as long as needed to keep Google Tasks and Google Calendar in sync. Events older than 90 days are routinely pruned from our database.
  • Payment data (Section 5): retained for the duration of your subscription and for up to 10 years thereafter, where required by Estonian and EU accounting law (legal basis: Art. 6(1)(c) GDPR).
  • Server log files (Section 11): up to 30 days.

9. Account Deletion and Revocation of Access

You may delete your Synora account at any time. There are two ways:

(a) Inside the application

Sign in at app.synora.org, scroll to “Danger zone”, click “Delete my account” and confirm by typing DELETE. This triggers, within a few seconds:

  • Revocation of Synora's OAuth grant on your Google account (we call Google's revoke endpoint directly).
  • Permanent deletion of all your data from our Firestore database, including settings, tokens, task mappings and audit history.
  • Deletion of your authentication record from Firebase Auth.

(b) Via your Google account

You may revoke Synora's access at any time, independently of our application, at: https://myaccount.google.com/permissions

Revoking access via Google does not automatically delete your data in our database. To delete your data, please also use option (a) or contact us at marcel@synora.org.

If you cancel your paid subscription, your account remains active but auto-sync is disabled. Your data is retained for 30 days after cancellation in case you decide to resubscribe; after 30 days the working copy of tasks and events is purged.

10. Your Rights under the GDPR

If you reside in the European Economic Area, the United Kingdom or Switzerland, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time, where processing is based on consent (Art. 7(3) GDPR)

To exercise any of these rights, contact us at marcel@synora.org.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Synora Systems OÜ is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://www.aki.ee). You may also lodge a complaint with the supervisory authority in your EU member state of residence.

11. Website Data (Marketing Site at www.synora.org)

The marketing website is hosted by Vercel Inc. Their servers automatically collect standard server log files when you visit the site, including:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the request
  • IP address (truncated where technically feasible)

This data is processed on the basis of our legitimate interest in delivering a secure and performant website (Art. 6(1)(f) GDPR). It is stored separately from the application data and is automatically deleted within 30 days.

We use Plausible Analytics (Plausible Insights OÜ, EU-hosted) on www.synora.org to measure aggregated, cookieless website traffic and funnel performance (e.g. page views and CTA clicks). Plausible does not use cookies, does not collect personal profiles, and does not track visitors across websites. IP addresses are not stored. This processing is based on our legitimate interest in understanding how visitors use our marketing site and improving conversion (Art. 6(1)(f) GDPR). For more information, see Plausible's privacy policy and data processing agreement.

We do not use advertising trackers or behavioral profiling tools on www.synora.org.

12. Cookies

The marketing website (www.synora.org) does not set non-essential cookies. Plausible Analytics operates without cookies. Vercel may set strictly necessary technical cookies required to deliver the site securely.

The application (app.synora.org) uses cookies and local storage strictly required to keep you signed in and to remember your time zone and session. No advertising or third-party analytics cookies are set.

13. International Data Transfers

Synora's infrastructure is hosted in the European Union (Frankfurt, Germany). Some sub-processors (notably Google and Stripe) are part of international corporate groups and may, in narrow operational circumstances (e.g. support, security investigations), transfer data outside the EEA.

All such transfers are protected by appropriate safeguards under Art. 46 GDPR, including the EU Standard Contractual Clauses or the EU-US Data Privacy Framework where the receiving entity is certified.

14. SSL/TLS Encryption

All communication between your browser and our servers is encrypted using industry-standard TLS. You can verify this by the lock icon in your browser's address bar.

15. Changes to this Policy

We may update this Privacy Policy to reflect changes to our practices or legal obligations. The “Last updated” date at the top of the policy indicates the date of the most recent change. For material changes that affect your rights, we will notify active subscribers by email at least 14 days before the changes take effect.

16. Contact

For any questions about this Privacy Policy or about how your data is processed, please contact:

Synora Systems OÜ
Email: marcel@synora.org
Mail: Sepapaja tn 6, 15551 Tallinn, Estonia

← Back to home