Synup

Synup is operated by Cardinalis Advisory, an Ontario sole proprietorship, a company incorporated and headquartered in North York, Ontario, Canada. This Privacy Policy describes how we collect, use, disclose, retain, and otherwise process personal information in connection with the Synup website, mobile application, business tools, support channels, and related services.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. This Policy should be read together with our Terms of Service and our Cookie Policy.

Synupserves users in multiple jurisdictions. Depending on your country of residence, additional rights and disclosures may apply under applicable law, including the General Data Protection Regulation ("GDPR") and UK GDPR for users in the European Economic Area ("EEA") and United Kingdom, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Québec's Act Respecting the Protection of Personal Information in the Private Sector (commonly referred to as "Law 25") for Canadian residents, and other applicable privacy legislation. Jurisdiction-specific rights are set out in Section 15.

1. Information We Collect

We collect personal information that is reasonably necessary to operate, secure, and improve the Service. The categories of personal information we collect depend on how you use Synup and may include:

Identity and account information: Telegram user identifiers, Google account identifiers, email addresses used for business or administrative access, display names, account status, and related sign-in credentials or method identifiers.
Profile and content information: Date of birth, gender, profile descriptions, photographs, interests, preferences, reviews, and other information you voluntarily submit through profile or content features.
Location information: Approximate or precise geographic coordinates, city, country, timezone, and place-search queries submitted when you use location-based features.
Communications and interaction data: Private messages, public group communications, support requests and responses, user reports, reviews, reservation details, and business-related communications conducted through the Service.
Business information: Business profile content, event details, reservation records, and public contact information that a business chooses to publish through business features.
Financial and transactional information: Billing records, invoice metadata, subscription details, payment-related identifiers, and transaction records generated in connection with paid features. Full payment card numbers are handled exclusively by our payment processor and are not stored by us.
Technical and usage information: Session records, IP addresses, browser and device identifiers and signals, user-agent strings, anti-abuse challenge results, access logs, and operational diagnostics.
Safety, moderation, and compliance records: Reports submitted by or concerning users, restriction and enforcement records, investigation notes, and associated audit records maintained for platform safety, fraud prevention, and legal compliance purposes.

The provision of certain personal information is voluntary. Where information is optional, you may decline to provide it, but doing so may limit your access to certain features. Please refrain from submitting sensitive personal information in free-text fields, chats, listings, or support requests unless strictly necessary.

2. Special Category Personal Information

Certain personal information we may collect — such as information that reveals or may reveal gender or health status — may constitute "special category" or "sensitive" personal information under applicable law, including Article 9 of the GDPR. We do not require you to provide special category information; however, you may voluntarily include such details in your profile. Where you provide such information, we process it on the basis of your explicit consent (which you may withdraw at any time through your account settings) or, where permitted by applicable law, to establish, exercise, or defend legal claims. You may update or remove such information at any time.

3. How We Collect Information

Directly from you, when you register an account, complete your profile, upload content, make a purchase, use a Service feature, or contact our support team.
From third-party service providers involved in authentication (Telegram, Google), payment processing (Stripe), mapping (Google), and related operational services, to the extent those providers share information with us in connection with your use of the Service.
Automatically through your use of the Service, including through session management, security logging, device and browser signals, and operational monitoring.
From other users or businesses, when they interact with you through product features such as messages, reviews, reservations, reports, or business workflows.

4. Purposes and Legal Bases for Processing

We process personal information for the purposes set out below. Where applicable law requires a legal basis for processing, we rely on the basis indicated for each purpose:

Providing and operating the Service— including account creation and authentication, profile and discovery features, messaging, business tools, event and reservation features, and payment processing. Legal basis: performance of a contract with you, or steps taken at your request prior to entering into a contract.
Platform security, fraud prevention, and moderation— including abuse detection, account restrictions, fraud review, and safety enforcement. Legal basis: our legitimate interests in protecting the integrity and security of the Service and the safety of our users.
Support and account administration— including responding to support requests, account inquiries, and operational communications. Legal basis: performance of a contract and our legitimate interests in administering the Service.
Service improvement and diagnostics— including troubleshooting, operational monitoring, and service-level analysis. Legal basis: our legitimate interests in maintaining and improving the Service.
Legal, regulatory, and compliance obligations— including retention of billing, tax, and financial records and responding to lawful requests from governmental or regulatory authorities. Legal basis: compliance with a legal obligation.
Optional and marketing communications— where we seek to send promotional content or use non-essential technologies. Legal basis: your consent, which you may withdraw at any time without affecting the lawfulness of prior processing.

5. Information Visible to Others

Certain information you submit through the Service is intended to be visible to other users, businesses, or members of the public as a function of the features you use. This may include profile details, business profile content, event and bazaar listings, reviews, public group messages, and other material you choose to publish.

You are solely responsible for the personal information you elect to make available through public or semi-public features. We recommend that you not publish personal information you do not wish to have accessed, copied, or used by others.

6. Location Information

Where you elect to use location-based features, we process geographic coordinates and associated city, country, and timezone data to support nearby discovery, business search, events, and related functionality. Device-level location permissions are managed through your device and browser settings. You may revoke location access at any time through those settings, subject to the consequential effect on location-dependent features.

We use Google Maps, Places, and Geocoding APIs in connection with certain location features. Your use of those features is also subject to Google's Privacy Policy.

7. Cookies and Similar Technologies

We currently use strictly necessary cookies and similar technologies for authentication, session management, security, and core Service operation. We do not currently operate non-essential analytics cookies or third-party advertising technologies.

For detailed information about the specific technologies we use, their purposes, and your management options, please see our Cookie Policy.

8. Disclosure of Personal Information

We do not sell personal information, and we do not share personal information with third parties for their own independent marketing purposes. We may disclose personal information in the following circumstances:

Service providers and sub-processors: We share personal information with vendors and contractors that provide services on our behalf, including hosting, infrastructure, database storage, payment processing, mapping, authentication, email delivery, and abuse prevention. These providers are contractually authorized to use personal information only as necessary to perform services for us and are subject to appropriate confidentiality and data protection obligations.
In-product disclosures: Certain personal information is disclosed to other users, businesses, or participants as an inherent function of the Service features you use (for example, when you send a message, submit a review, or publish a listing).
Authorized personnel: We may share personal information with our employees and contractors on a need-to-know basis for support, safety, moderation, billing, security, fraud review, or legal compliance purposes, subject to confidentiality obligations.
Legal and compliance disclosures: We may disclose personal information when required or permitted by applicable law, regulation, or legal process, or in response to a lawful request from a governmental or regulatory authority. We may also disclose personal information where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Cardinalis Advisory, an Ontario sole proprietorship, our users, or others.
Corporate transactions: Personal information may be disclosed or transferred in connection with, or during negotiations of, a merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction, subject to appropriate confidentiality commitments and, where required, regulatory approval.

9. Service Providers and Sub-processors

Our current service providers and sub-processors, as of the date above, include the following. This list may be updated as our provider relationships change.

Neon, Vercel, Railway, and Supabase— infrastructure, hosting, database, and storage services.
Stripe— payment processing and subscription billing.
Telegram and Google— authentication and account-access services.
Google Maps Platform— mapping, geocoding, and location search services.
Zoho Mail— operational, support, and privacy-related email communications.
Cloudflare Turnstile— bot detection and abuse prevention on public-facing interfaces.

10. International Transfers

Synup is a global service, and personal information may be transferred to, processed in, or accessed from countries outside your country of residence, including Canada, the United States, and other jurisdictions where our service providers or authorized personnel operate. Those jurisdictions may have data protection laws that differ from those applicable in your country.

Where personal information originating from the EEA, the United Kingdom, or Switzerland is transferred to a country that has not received a relevant adequacy decision, we rely on appropriate safeguards to protect that information. These safeguards may include the European Commission's Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Agreement ("IDTA") or Addendum to SCCs, or other transfer mechanisms recognized under applicable law.

You may request further information about the specific safeguards applicable to transfers of your personal information by contacting us at the address provided in Section 18.

11. Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. Our general retention practices are as follows:

Upon account deletion, we apply a 30-day grace period during which the account may be recoverable at your request. Following expiry of the grace period, applicable live account data is permanently deleted.
Certain support, safety, fraud, moderation, billing, and legal records may be retained for longer periods as necessary for the purposes for which they were collected. In some cases, identifying information may be pseudonymized rather than fully deleted where complete deletion is not technically feasible or where retention is required by law.
Billing and financial records are retained for such periods as are required or permitted to comply with applicable tax, accounting, audit, and legal dispute obligations.

12. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, loss, and destruction. These measures include logical access controls, session security mechanisms, contractual data-security obligations with our service providers, and internal moderation and security workflows. No information security system is impenetrable, and we cannot guarantee the absolute security of personal information transmitted to or stored through the Service.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will take appropriate action in accordance with applicable law. This includes notifying the relevant supervisory authority within legally required timeframes (for example, within 72 hours under GDPR Article 33 where applicable) and notifying affected individuals where required under GDPR Article 34, PIPEDA, or other applicable law.

14. Automated Decision-Making and Profiling

We do not subject users to solely automated decisions that produce legal or similarly significant effects within the meaning of GDPR Article 22. We may use automated processes for platform security, fraud detection, abuse prevention, and moderation triage. Significant enforcement decisions affecting accounts are reviewed by our operations team before being made final where reasonably practicable.

15. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights in respect of your personal information. To exercise any of these rights, please contact our Privacy Officer, Cardinalis Advisory at privacy@synup.app. We will acknowledge receipt of verified requests promptly and provide a substantive response within the timeframe required by applicable law (and in any event within 30 days for GDPR-covered requests, subject to any permitted extension).

Right of access: You may request confirmation of whether we process personal information about you and, if so, a copy of that information together with supplementary details about the processing.
Right to rectification: You may request correction of inaccurate or incomplete personal information we hold about you.
Right to erasure: In certain circumstances you may request deletion of your personal information, for example where it is no longer necessary for the purposes for which it was collected or where you have withdrawn your consent.
Right to restriction of processing: In certain circumstances you may request that we restrict processing of your personal information while a request or objection is being assessed.
Right to data portability: Where processing is based on your consent or a contract and carried out by automated means, you may request that we provide your personal information in a structured, commonly used, and machine-readable format, and that we transmit it to another controller where technically feasible.
Right to object: You may object to processing based on our legitimate interests, including profiling for those purposes, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint with a supervisory authority:You have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction. EEA residents may contact the supervisory authority in their Member State of habitual residence, place of work, or place of the alleged infringement. UK residents may contact the Information Commissioner's Office (ico.org.uk). Canadian residents may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Québec residents, the Commission d'accès à l'information (cai.gouv.qc.ca).

We may require verification of your identity before fulfilling any rights request. Certain rights are subject to statutory limitations and exceptions, and we may retain records where required or permitted by law notwithstanding a request for erasure or restriction.

16. Age Restrictions

The Service is directed exclusively to individuals who are at least 18 years of age. We do not knowingly collect personal information from minors. If we determine or are credibly informed that personal information has been collected from a person who does not meet our age eligibility requirements, we will take appropriate steps to delete or restrict that account and associated data without undue delay.

17. Changes to This Policy

We may amend this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this Policy and provide reasonable advance notice through the Service or by other appropriate means, which may include in-application notice or email notification. Where required by applicable law, we will seek renewed consent before implementing changes that affect consent-based processing.

18. Contact and Privacy Requests

For general support inquiries, please contact us at support@synup.app.

For privacy-related requests, data subject rights exercises, complaints, or data protection inquiries, please contact our Privacy Officer, Cardinalis Advisory at privacy@synup.app.