Privacy Policy

Effective Date: December 7, 2025

1. Definitions

  • "Service" means the Synn Git visualization platform accessible at synn.gossorg.in
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller
  • "You" or "User" means the individual accessing or using the Service

2. Data Controller

Synn operates as the Data Controller for Personal Data collected through the Service. For inquiries regarding data processing, contact us through our GitHub repository.

3. Legal Basis for Processing (GDPR Article 6)

We process your Personal Data based on the following legal bases:

  • Consent (Article 6(1)(a)): You provide explicit consent by using the Service and authorizing GitHub OAuth
  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you requested
  • Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, and service improvement
  • Legal Obligation (Article 6(1)(c)): Compliance with applicable laws and regulations

4. Categories of Personal Data Collected

4.1 Identity Data

  • GitHub username and profile information
  • Email address (from GitHub or Clerk)
  • Name (if provided)

4.2 Technical Data

  • IP address (encrypted at rest)
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • User agent string (encrypted at rest)

4.3 Usage Data

  • Repositories accessed
  • Actions performed (commits viewed, branches accessed)
  • API request logs
  • Session timestamps

4.4 Authentication Data

  • GitHub OAuth access tokens (encrypted at rest)
  • GitHub OAuth refresh tokens (encrypted at rest)
  • Session identifiers

5. Purpose and Lawful Basis for Processing

| Purpose | Legal Basis |
|---|---|
| Service provision and authentication | Contract performance, Consent |
| Security and fraud prevention | Legitimate interests |
| Service improvement and analytics | Legitimate interests |
| Legal compliance | Legal obligation |

6. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Policy:

  • Account Data: Retained while your account is active; deleted within 30 days of account deletion
  • Activity Logs: Retained for 90 days from creation
  • API Request Logs: Retained for 30 days from creation
  • Fingerprint Data: Retained for 30 days after last activity
  • Authentication Tokens: Retained until revoked or account deletion

You may request deletion at any time. We may retain certain data longer if required by law or for legitimate business purposes.

7. Your Rights (GDPR Articles 15-22)

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:

  • Right of Access (Article 15): Request a copy of your Personal Data in a structured, machine-readable format. Exercise via GET /api/gdpr/export
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete Personal Data
  • Right to Erasure (Article 17): Request deletion of your Personal Data ("Right to be Forgotten"). Exercise via DELETE /api/gdpr/delete
  • Right to Restriction of Processing (Article 18): Request limitation of processing under certain circumstances
  • Right to Data Portability (Article 20): Receive your Personal Data in a portable format. Exercise via GET /api/gdpr/export
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time without affecting prior processing
  • Right to Lodge a Complaint (Article 77): File a complaint with your supervisory authority

To exercise these rights, contact us through our GitHub repository. We will respond within 30 days as required by GDPR.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of categories and specific pieces of Personal Data collected
  • Right to Delete: Request deletion of Personal Data (subject to exceptions)
  • Right to Opt-Out: Opt out of the sale of Personal Data (we do not sell Personal Data)
  • Right to Non-Discrimination: Exercise your rights without discrimination

We do not sell Personal Data. To exercise CCPA rights, use the same GDPR endpoints or contact us directly.

9. Data Security

We implement technical and organizational measures to protect Personal Data:

  • RSA/AES-256 hybrid encryption for sensitive data at rest
  • Encrypted database connections (TLS/SSL)
  • Access controls and authentication requirements
  • Regular security assessments
  • Secure token storage with encryption

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) with third-party processors
  • Adequacy decisions where applicable
  • Appropriate safeguards as required by GDPR Chapter V

Third-party services (Clerk, GitHub, Neon DB) may process data in various jurisdictions. Their privacy policies govern such processing.

11. Third-Party Processors

We engage the following Data Processors who process Personal Data on our behalf:

  • GitHub, Inc.: OAuth authentication and repository access (United States)
  • Clerk, Inc.: User authentication and session management (United States)
  • Neon DB (Neon, Inc.): Database hosting and storage (United States/European Union)
  • Vercel, Inc.: Hosting and infrastructure (United States)

Third-Party Liability Disclaimer: We are not responsible for, and expressly disclaim all liability for, any data breaches, security incidents, service outages, or other failures occurring with third-party processors. Such incidents are subject to the terms, policies, and liability limitations of those respective services. We recommend reviewing their privacy policies and terms of service.

12. Cookies and Tracking Technologies

We use the following technologies:

  • Essential Cookies: Required for authentication and session management (cannot be disabled)
  • Device Fingerprinting: For security, fraud prevention, and session validation

We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies.

13. Children's Privacy

The Service is not intended for individuals under 16 years of age (or 13 in jurisdictions where applicable). We do not knowingly collect Personal Data from children. If you believe we have collected data from a child, contact us immediately for deletion.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated by updating the "Effective Date" and, where required by law, by additional notice. Continued use after changes constitutes acceptance of the updated Policy.

15. Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your Personal Data violates GDPR. Contact information for supervisory authorities can be found at edpb.europa.eu.

16. Contact Information

For questions, requests, or complaints regarding this Privacy Policy or our data practices, contact us through our GitHub repository. We will respond within 30 days as required by applicable law.