Privacy Policy
Last updated: November 2025
1. Introduction
Innersync (“we”, “our”, or “us”) respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service.
2. Data Controller
Controller: Innersync
Contact: privacy@innersync.tech
Data Protection Officer: Available via Settings → Contact Support
3. Data We Collect
3.1 Personal Data
- Account Information: Email address, user ID (provided by OAuth providers)
- Profile Data: Nickname, mood preferences
- Usage Data: Login/logout times, feature usage patterns
3.2 Content Data
- Reflections: Personal thoughts, mantras, goals, challenges
- Habits: Habit definitions, completion logs, streaks
- Visions: Future goals, aspirations, vision blueprints
- AI Interactions: Chat messages, AI responses (stored temporarily for context)
3.3 Technical Data
- Device Information: Browser type, operating system, screen resolution
- Log Data: IP addresses, timestamps, error logs
- Cookies: Session tokens, preferences (see Cookies section)
4. Legal Basis for Processing
We process your data based on:
- Consent: You explicitly agree to our terms when creating an account
- Contract: Processing necessary to provide our service
- Legitimate Interest: Improving service quality and security
- Legal Obligation: Complying with applicable laws
5. Data Usage
We use your data to:
- Provide and maintain the Innersync service
- Power AI-driven insights and recommendations
- Personalize your experience based on usage patterns
- Ensure platform security and prevent abuse
- Send service-related notifications
- Comply with legal obligations
6. Data Sharing
6.1 Third-Party Services
- Supabase: Database and authentication (GDPR compliant, data stays in EU)
- OpenAI: AI processing (data processed according to their privacy policy)
- OAuth Providers: GitHub, Google, Discord (authentication only)
6.2 Data Sales
We do NOT sell your data to third parties or advertisers.
7. Data Retention
- Account Active: Data retained while account is active
- Account Deletion: All data permanently deleted within 30 days
- AI Context: Chat history retained for 7 days for conversation continuity
- Analytics: Aggregated, anonymized data retained indefinitely
8. Your Rights (GDPR Articles 15-21)
8.1 Access
You can export all your data through Settings → Export Data.
8.2 Rectification
Update your data through the application interface.
8.3 Erasure
Delete your account through Settings → Delete Account.
8.4 Portability
Export your data in JSON format for use elsewhere.
8.5 Restriction
Contact us via Settings → Contact Support to limit processing of your data.
8.6 Objection
You may object to processing based on legitimate interest. Contact us via Settings → Contact Support.
9. Cookies
9.1 Essential Cookies
- sb-access-token: Session authentication (HTTP-only, 7 days)
- sb-refresh-token: Session renewal (HTTP-only, 30 days)
- innersync_onboarding_complete: Onboarding status (7 days)
9.2 Analytics Cookies
We may use anonymized analytics to improve our service.
10. Security
- Encryption: All data encrypted in transit (HTTPS) and at rest
- Access Control: Row-level security ensures data isolation
- Authentication: OAuth-based authentication with secure token handling
- Monitoring: Security monitoring and incident response
11. International Data Transfers
Data is primarily stored in the EU through Supabase. AI processing may occur in other jurisdictions. We ensure appropriate safeguards for international transfers.
12. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from minors.
13. Changes to This Policy
We may update this policy. Significant changes will be communicated via the application or email.
14. Contact
Contact: Via Settings page → Contact Support
Email: privacy@innersync.tech
Response Time: Within 30 days for data requests
Supervisory Authority: Dutch Data Protection Authority (AP)
15. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).