Privacy Policy

Introduction

Date of last update: 2025-12-14
Your privacy is important to us. It is HYNC.io's policy to respect your privacy regarding any information we may collect from you across our website https://hync.io, and other sites we own and operate.

ATTENTION: Hync.io is currently in closed beta. This means that the website is not yet fully functional and that the privacy policy is not yet complete. The privacy policy will be updated as soon as the website is fully functional.

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://hync.io, including any other media form, media channel, mobile website, or mobile application related or connected thereto (collectively, the "Site"). Please read this privacy policy carefully.

In this notice the terms "you" and "your" refer to any user of the website, API or other service provided by HYNC.io and the terms "we", "us" and "our" refer to HYNC.io.

Using this Website indicates that you accept these terms regardless of whether or not you choose to register with us. If you do not agree with the terms of this privacy policy, please do not access or use the site or services provided by HYNC.io. This legal notice applies to the entire contents of the website under the domain name hync.io ("Website"), any provided services ("Services") and to any correspondence by e-mail between us and you.

We reserve the right to change this Privacy Policy at any time. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your account, by placing a prominent notice on our site, and/or by updating any privacy information on this page. Your continued use of the Site and/or Services available through this Site after such modifications will constitute your: (a) acknowledgment of the modified Privacy Policy; and (b) agreement to abide and be bound by that Policy.

Contact information of the owner and data controller can be found at the page Legal Notice.

Policy Summary

Policy: Privacy Policy – HYNC.io
Effective date: 14 December 2025
Service: HYNC.io (web app, API, and community features)

This Privacy Policy explains how we collect and process personal data when you use HYNC.io, a fitness and health tracking platform that allows users to record, import, analyze, and optionally share fitness and health information. Because HYNC.io may process highly sensitive information (including health data and, if enabled, intimate/sexual data), please read this policy carefully.

1. Controller (who is responsible)

Data Controller (GDPR “Controller”):
Thomas Bella (natural person, Austria), operating HYNC.io as part of the personal project umbrella “bella.network”.

Under the General Data Protection Regulation (GDPR), the “Controller” is the entity that determines the purposes and means of the processing of personal data. This means that Thomas Bella is responsible for deciding why and how personal data is processed within HYNC.io, for ensuring compliance with applicable data protection laws, and for serving as the primary point of contact for data subjects and supervisory authorities.

Contact (privacy inquiries):
info@hync.io

Important clarification: “bella.network” is a project umbrella label used to group personal websites and projects operated by Thomas Bella. It is not necessarily a separate legal entity. The Controller remains the natural person named above. For further identification details (where legally required), please refer to the Legal Notice.

If you contact us regarding privacy matters (e.g., access requests, deletion requests, objections, or questions about this Privacy Policy), we will process the information you provide to handle your request, verify your identity where necessary, and document the outcome to prevent misuse (e.g., someone attempting to delete or export data without authorization).

2. Scope

This Privacy Policy applies to the processing of personal data in connection with your use of HYNC.io, including its website, web application, APIs, and community/sharing features. It covers both logged-in and public access, including situations where certain content is made publicly available by users.

the HYNC.io website and web application (including public pages and logged-in areas)
HYNC.io APIs and developer/automation interfaces (where provided)
user profiles, public sharing links, community features, and leaderboards (where enabled and configured by users)
notifications and support communications related to HYNC.io (e.g., security emails, password resets, feature notifications)

This policy describes how HYNC.io processes personal data when acting as Controller. It does not govern the data practices of third-party services you connect to HYNC.io (e.g., Strava, Google, Garmin, Fitbit), which operate under their own privacy policies and terms. When you connect such services, they may independently collect and process data about you. This Privacy Policy explains our side of the connection (e.g., what data we receive, store, and use) but cannot replace or override third-party policies.

Public and indexable content: If you choose to publish profile content, activities, or other information as “public”, such content may be accessible without authentication and may be indexed by search engines and other third parties. Once indexed, public content may also be cached, archived, or re-published outside of HYNC.io, which may limit the effectiveness and speed of later removal requests.

3. Key concepts and definitions

For clarity, the following terms are used in this Privacy Policy in the sense of the GDPR and common data protection practice. These definitions are provided as helpful explanations and do not replace statutory definitions.

Personal data: Any information relating to an identified or identifiable natural person. A person is “identifiable” if they can be identified, directly or indirectly, for example by name, email address, account identifiers, IP address, device or browser identifiers, or by combinations of data (e.g., location patterns together with profile information).
Special categories of data: Personal data that is subject to higher protection under Article 9 GDPR. In the context of HYNC.io, this primarily includes health data (physical and mental health metrics, biomarkers, and derived indicators). Where enabled, it may also include data concerning sex life and similarly intimate information. Processing of special category data generally requires explicit consent or another specific legal exception under Article 9 GDPR.
Intimate / adult-only data: Data related to sexual life or similarly intimate topics (e.g., sexual activity entries, erection quality, penis size, and related metrics). Such features are disabled by default and are processed only if you explicitly enable them, provide explicit consent, and confirm you are 18+. This data is treated as highly sensitive and is not intended to be shared publicly.
Processing: Any operation performed on personal data, whether automated or manual, such as collecting, recording, organizing, structuring, storing, adapting, retrieving, consulting, using, disclosing (including making available), aligning, restricting, erasing, or destroying data.

4. What data we process

The categories below describe the types of personal data HYNC.io may process. The exact scope depends on your use of the service, the settings you choose (including privacy controls), and whether you connect external providers. Some data is required for account operation, while other data is optional. In addition, HYNC.io may generate derived values (e.g., calculated indicators) to provide insights and summaries.

4.1 Account and profile data

To create and operate an account, we process certain account identifiers and authentication data. You can add additional profile information to personalize your account and to use community/sharing features.

Required:

Email address (used as your account identifier and for essential service communications such as verification, password resets, security notices, and important account messages)
Password (stored as a secure hash, not in plaintext; we do not store your password in a readable form)

Optional (you choose what to provide):

First name, last name (for profile display and community features, if enabled)
Gender, pronouns, date of birth (may be used for personalization and to improve the accuracy of certain fitness/health estimates and calculations, where applicable)
Time zone, country, city (for correct timestamp display, localization, and optional community features)
Profile photo (for profile display)
“About me” / motivation text (profile content you provide)
Additional profile fields you choose to add or import

Public base profile (default):

Name (or display name, if supported)
Profile photo (if set)
Registration date
“About me” (if provided)

Public visibility and indexing: The public base profile is accessible without logging in and may be indexed by search engines and processed by third parties. This means that your public profile may appear in search results and may be cached or archived outside of HYNC.io. You should therefore avoid including sensitive information in fields that are public by default.

All other profile fields are optional and can be controlled via privacy settings (see Section 7). If you enable publication of additional profile fields, those fields may also become publicly accessible and indexable, depending on your settings.

4.2 Fitness and activity data

HYNC.io is a fitness tracking platform. When you create, import, or share activities, we may process fitness and activity-related data associated with your account. Depending on the connected provider (e.g., Garmin/Strava/Fitbit and similar) and your device, the scope and granularity of data may vary.

Activity data may include in particular:

Activity type (including “Custom” activities and user-defined categories)
Timestamps (start/end time), duration, pauses, and time zones
Performance metrics such as distance, pace/speed, power, cadence, elevation, and steps
Energy metrics such as calories burned and exertion/intensity indicators
Training details such as zones (e.g., HR zones), splits/laps, and workout structure where provided
User content such as notes, descriptions, tags, and attachments you add
Device-provided measurements (provider dependent), e.g., heart rate, body temperature, oxygen saturation, etc.
Additional activity-related data made available by the connected provider or entered by you

Some activity data may be displayed to other users only if you enable sharing features and configure your privacy settings accordingly (see sections on “Public profiles / sharing”).

Search engine indexing of public content: If you make activities or activity details public, such content may be accessible to anyone and may be indexed by search engines and other third parties. As a result, public activities may also appear outside of HYNC.io (e.g., in search results) and may be cached, archived, or re-published by third parties.

4.3 Location data (GPS)

When you record or import activities that include location, HYNC.io may process precise GPS location data, including routes/tracks and related metadata (e.g., start/end points, timestamps, map polylines, pace by segment). Location data can reveal sensitive information about your habits and whereabouts.

You can control the visibility of location information for shared/public activities. Depending on your settings, public viewers may see:

the full route/track
a route with hidden start/end points (privacy zone)
no route data (route completely hidden)

Even if you hide route data publicly, HYNC.io may still process and store location data in your private account area to provide the requested functionality (e.g., maps, statistics), unless you delete the activity or remove location details.

Important: If you publish activities with route/track information (even partially), such information may be indexed by search engines and may be cached or archived outside of HYNC.io. If you do not want this, keep the activity private and/or hide route details before sharing.

4.4 Health and measurement data (special category data)

HYNC.io allows you to store and analyze a wide range of health and measurement information. This can include data that qualifies as health data and/or other special categories of personal data within the meaning of Article 9 GDPR.

Examples (not exhaustive) include:

Vital and cardiovascular metrics: heart rate, resting heart rate, heart rate variability (HRV), blood pressure, body temperature
Body and composition metrics: body weight, height, BMI, body fat %, lean/muscle mass, waist/hip/neck/chest circumference
Respiratory and endurance metrics: VO₂max, oxygen saturation, lung capacity, lactate threshold (where available)
Sleep and recovery: sleep duration/time/quality, recovery indicators (provider dependent)
Mental well-being metrics: mood, stress level, anxiety level, depression level, energy/focus/motivation
Nutrition and intake-related metrics: calories consumed, protein/fiber intake, omega-3 intake, hydration metrics
Performance tests: grip strength, maximum push-ups/pull-ups, plank time, 1RM values (bench/deadlift/squat)
Lab/biomarker entries (if you choose to record them): e.g., blood sugar, CRP, vitamin D, cortisol, testosterone and similar values

Voluntary input: You decide which health/measurement data you provide or import. You can use HYNC.io with minimal data, but certain insights and features are only meaningful if you store relevant health and activity information.

Legal basis: Where required by applicable law, we process health and measurement data only on the basis of your explicit consent (Article 9(2)(a) GDPR). You can withdraw your consent at any time in your settings; however, withdrawing consent may limit or disable related features.

Public visibility: Health and measurement data is private by default and becomes visible to other users only if you explicitly enable publication of specific fields in your privacy settings. If you make any such information public, it may also be indexed by search engines and processed outside of HYNC.io.

4.5 Lifestyle and substance-related inputs

You may optionally track lifestyle-related inputs and similar entries. Depending on type and detail, such data may be sensitive, especially when combined with health metrics.

Such inputs may include in particular:

caffeine/coffee intake (e.g., mg)
alcohol intake/consumption
supplementation entries (e.g., creatine)
medication entries (where used)
drug-related inputs (where available and used)

These inputs are optional and can be deleted by you at any time. Publication to other users only occurs if you explicitly enable sharing of the relevant fields in your privacy settings.

If you publish lifestyle-related inputs, such information may also be indexed by search engines and may be cached or archived by third parties outside of HYNC.io.

4.6 Adult-only / intimate data (only if explicitly enabled)

HYNC.io provides certain optional features for tracking intimate, adult-only data. These features are disabled by default and require (i) explicit activation in your profile/settings and (ii) confirmation that you are 18 years or older. This data may qualify as data concerning sex life and therefore as special category data under Article 9 GDPR.

Examples (not exhaustive) include:

activity entries explicitly labeled as sexual activity
sex drive and related intimate well-being indicators
erection quality
penis size and related measurements
ejaculation amount

Strict visibility rules: Adult-only / intimate data is treated as highly sensitive. It is stored for your private use and is not made available to other users, not displayed on public profiles, not included in leaderboards, and not shared via public links.

Legal basis: Where required, we process adult-only / intimate data only with your explicit consent (Article 9(2)(a) GDPR). You can disable the feature at any time; disabling it stops further collection and you may delete existing entries within your account.

4.7 Public content and search engine indexing

HYNC.io allows you to publish certain information (e.g., base profile data, public activities, and other content you explicitly set to “public”). Public pages and content may be accessible without an account and may be indexed by search engines and other third parties.

Consequences of indexing: Once content is indexed, it may appear in search results and may be cached, archived, or re-published by third parties outside of HYNC.io. Even if you later change visibility settings or delete content, removal from third-party caches or archives may take time and may not be fully enforceable by us.

You can reduce exposure by keeping content private and by using the privacy controls provided by HYNC.io before sharing.

4.8 Derived and inferred metrics

In addition to raw inputs you provide or import, HYNC.io may compute derived metrics and summaries to deliver the service (e.g., BMI, calorie estimates, intensity indicators, trend analyses, personal records, and similar insights). These computations are based on your stored data and the algorithms used by connected providers or by HYNC.io.

You can delete the underlying entries at any time; derived outputs will update accordingly or be removed together with the underlying data.

4.7 Communications data

When you communicate with us (for example via support requests, feedback messages, privacy inquiries, or replies to service emails), we process certain communications data in order to respond to you, provide the requested support, and document the interaction where necessary (e.g., for troubleshooting, abuse prevention, or legal compliance).

Communications data may include, in particular:

Your email address (sender/recipient address, and where applicable display name), which is used to route and associate communications with your account
Message content (the text you send, attachments you provide, and any information you include in the message)
Metadata such as timestamps (sent/received), message IDs, subject lines, and delivery status information (e.g., whether an email was delivered, bounced, deferred, or marked as spam)
Related account identifiers (e.g., user ID, username/display name) and contextual information necessary to resolve your request (for example, which activity or profile you are referring to)

We use communications data to (i) respond to your request, (ii) provide customer support and service-related assistance, (iii) investigate technical issues, and (iv) prevent misuse (e.g., attempts to take over accounts or submit fraudulent requests). If you share sensitive information in a message, we will treat it as confidential; however, we recommend that you avoid sending unnecessary special category data (e.g., health details) via support messages unless it is required to resolve your issue.

Retention: Communications are retained only for as long as necessary to handle your request and to maintain a reasonable audit trail for support and security purposes. You can request deletion of support communications; however, we may need to retain limited records where required to defend against abuse, to comply with legal obligations, or to document the handling of a dispute.

4.8 Technical data, logs, and security signals

To operate HYNC.io securely and reliably, we process certain technical data that is generated automatically when you access the service. This includes server logs, application logs, and security-related signals. Such data is necessary to provide the service, protect against attacks (e.g., brute force attempts), diagnose errors, and maintain availability.

Technical data and security signals may include, in particular:

IP address (including, where applicable, proxy-related information such as forwarded IP headers), which may be processed to prevent abuse, rate-limit requests, and investigate security incidents
Date/time of requests and server-side timestamps, used for debugging and incident analysis
User agent and device/browser information (e.g., browser type/version, operating system), used to optimize compatibility and diagnose client-specific errors
Referrer URL (where applicable), which may indicate which page a request originated from
Requested pages/endpoints, including API routes and parameters relevant for diagnosing issues (we aim to avoid logging sensitive content in URLs; where technically possible, we minimize or mask sensitive parameters)
Authentication and security events such as login attempts, session/token issuance and usage, password reset requests, and suspicious activity indicators
Abuse prevention signals such as rate limiting results, bot detection outcomes (e.g., hCaptcha), request patterns, and indicators of automated misuse

Where feasible, we apply data minimization and purpose limitation. For example, we strive to keep security logs short-lived, and we avoid collecting unnecessary identifiers. Technical data may be processed in our monitoring and logging systems (e.g., for alerting and incident response).

Retention: Raw security and server logs are kept for up to 48 hours and are then deleted or minimized (e.g., anonymized and/or aggregated), where feasible. In exceptional cases (e.g., active abuse, ongoing incident response, or investigation of a security event), specific log fragments may be retained longer to the extent necessary to protect the service and users.

5. Sources of data

HYNC.io processes data from several sources. Some data is entered directly by you, while other data may be imported from connected providers or generated automatically by the system as part of normal operation.

You (manual entry of activities and measurements, profile settings, uploads/attachments, notes, privacy configuration, and user-generated content)
Connected third-party accounts (imports via OAuth and/or APIs, such as activity and health data from providers; and identity/login data where you use single sign-on such as Google)
Your devices (indirectly through integrated providers, for example when wearables or apps transmit recorded metrics to a provider that you have connected to HYNC.io)

You control whether and which third-party services are connected. You can disconnect integrations at any time, which will stop future imports. Data already imported into HYNC.io remains stored in your account until you delete it or delete your account, unless otherwise required by law.

6. Purposes of processing

We process personal data only for specific, explicit purposes. The exact scope depends on how you use HYNC.io, what data you enter or import, and which privacy settings and integrations you enable. Because HYNC.io can involve health data and other special category data, we apply the principles of purpose limitation and data minimization and process data only as needed to deliver the service and protect it from misuse.

Provide the service

We process personal data to operate HYNC.io and to provide you with the core functionality of the platform. This includes, in particular, account creation, authentication, and providing the tools to record, store, analyze, and present your activities and measurements.

Create and maintain your account, including account setup, profile configuration, and account management
Authenticate users and manage sessions, including login, session cookies, tokens, and access control
Store and present your activities and measurements, including dashboards, charts, statistics, and history
Provide personalized views based on your settings (e.g., time zone, units, preferred metrics)
Enable exports and data portability, including downloads of your account data and activity history
Enable account deletion and deletion of entries you choose to remove

Where applicable, HYNC.io may generate derived metrics (e.g., calculated indicators, summaries, trends, estimated calories, intensity scores) based on your stored data. These derived metrics are created to provide insights and do not replace professional medical advice.

Enable integrations

If you connect third-party services (e.g., for importing activities or for single sign-on), we process data to establish, maintain, and operate the connection you requested. Integrations are optional and can be disconnected at any time.

Connect and synchronize data from third-party providers you authorize (imports via OAuth and/or APIs)
Store connection status and technical credentials (e.g., tokens) that are necessary to keep the connection active until you disconnect it; where feasible, we apply safeguards such as encryption, access controls, and minimization of token scope
Map and normalize imported data into HYNC.io’s data model so it can be displayed and analyzed consistently
Maintain continuity of imports until you revoke access or disconnect the integration; after disconnection, future imports stop (but previously imported data remains in your account unless you delete it)

Please note that third-party providers process data under their own policies. HYNC.io controls only the processing within HYNC.io and cannot control what the provider does with your data on their side.

Enable sharing and community features (only as configured)

HYNC.io includes optional social/community features. These features are controlled by your privacy settings. We process personal data to display content to other users or to the public only where you have chosen to publish it or where it is part of the default public base profile. You can change privacy settings at any time.

Public base profile display (see Section 7.1)
Sharing single activities by link (public link visibility depends on your settings)
Leaderboards and community visibility according to privacy settings (e.g., rankings, challenges, comparisons)
Display of user-generated content you choose to publish (e.g., activity titles/notes where enabled)

We strongly recommend that you review privacy settings before publishing activities or profile information. Public content may be accessible without an account and may be indexed by search engines (see Section 7.4).

Send service communications

We process your contact details and related metadata to send communications that are necessary for operating your account and providing the service. Some messages are strictly necessary (e.g., password reset), while others are optional and can be enabled or disabled in your settings.

Account verification (where used) and password reset emails
Security notices (e.g., suspicious logins, important vulnerability or incident-related information)
Transactional notifications where enabled (e.g., friend requests, comments, reactions, sharing events)
Newsletters and summary reports where enabled (e.g., weekly summaries, progress reports)
Service announcements about significant changes (e.g., major feature changes or policy updates)

Where legally required, optional communications are sent only with your consent and you can unsubscribe or disable them at any time.

Maintain safety, stability, and performance

We process technical data to protect HYNC.io and its users, ensure availability, and diagnose issues. This includes security monitoring, abuse prevention, and performance optimization. Given the sensitivity of data stored in HYNC.io, security processing is essential.

Prevent abuse (spam, bots, brute force attempts, scraping, denial-of-service attempts)
Monitor system health and uptime, including alerting and incident response
Detect, analyze, and fix errors, including crash reports and exception monitoring
Investigate suspicious activity and take protective measures (e.g., rate limiting, temporary blocking)
Maintain integrity of accounts and data (e.g., preventing unauthorized access)

We aim to keep technical logs short-lived and to minimize stored identifiers. In exceptional cases (e.g., ongoing attacks), specific log data may be retained longer to the extent necessary to protect the service and users.

Improve the platform (in a privacy-preserving way)

We use aggregated statistics, performance analysis, and feedback to improve HYNC.io. Where feasible, we attempt to use aggregated and/or anonymized data, for example to understand feature usage, detect performance bottlenecks, and prioritize improvements.

Important: “Anonymization” is context-dependent. In particular, the risk of re-identification can increase when datasets are small or when multiple data points can be combined (e.g., location patterns). We therefore apply privacy-preserving measures such as data minimization, aggregation thresholds where appropriate, and avoidance of unnecessary identifiers.

7. Public content and privacy controls

HYNC.io offers privacy controls that allow you to decide which information is private and which information is visible to others. Some content is public by default (the base profile), while other information becomes public only if you explicitly enable it.

7.1 Default public base profile

By default, certain basic profile information is publicly visible and may be accessible without an account:

name/display name
profile photo (if set)
registration date
“About me” (if provided)

We recommend that you avoid including sensitive information in public-by-default fields. You may be able to limit public exposure by removing optional public information and by carefully configuring your privacy controls.

7.2 Optional publication of additional fields

Any additional profile fields and metrics are published only if you explicitly enable them in your privacy settings. This may include, for example, selected fitness statistics, selected health metrics, or other profile attributes. You remain in control of whether such information is visible to other users or to the public. If you later disable publication, the information will no longer be displayed on HYNC.io as public content.

7.3 Public activities, links, and leaderboards

You can choose to publish activities publicly, share them via a link, and participate in leaderboards. Participation and visibility depend on your configuration and may be changed at any time.

Publish activities publicly (viewable without an account where configured)
Share activities via link (anyone with the link may access the content; links may be forwarded)
Participate in leaderboards (ranking and community visibility according to privacy settings)

For GPS routes, you can choose to hide start/end points (privacy zone) or hide the entire route from public viewers. Even when route data is hidden publicly, HYNC.io may still process and store the full route privately to provide the service, unless you delete it.

7.4 Important note about public data

Public means public: Public data may be accessible to anyone on the internet, including people who do not have an account. Public content may be copied, saved, screenshotted, scraped, re-shared, or otherwise processed by third parties outside our control.

Indexing and caching: Public profiles, public activities, and other public pages may be indexed by search engines (e.g., Google, Bing) and may be cached or archived (e.g., search caches or third-party archives). Even if you later change visibility settings or delete content, removal from third-party caches and archives may take time and may not be fully enforceable by us.

If you do not want information to be publicly accessible or indexable, keep it private and do not share it publicly or via public links.

8. Legal bases (GDPR)

Under the GDPR, every processing activity must have a valid legal basis. The applicable legal basis depends on the type of data, the purpose of processing, and the specific feature you use. In particular, HYNC.io may process special category data (e.g., health data) which requires a higher level of protection and, in most cases, explicit consent.

8.1 General personal data (Art. 6 GDPR)

For “ordinary” personal data (i.e., data that is not special category data under Art. 9 GDPR), we rely on one or more of the following legal bases:

Art. 6(1)(b) GDPR (Contract): We process personal data to perform a contract with you or to take steps at your request prior to entering into a contract. This covers processing that is objectively necessary to provide the features you actively use or request, such as: account registration and management, authentication, session handling, storing and displaying your activities and metrics, providing exports and dashboards, and applying the privacy/sharing settings you choose.
Art. 6(1)(f) GDPR (Legitimate interests): We process certain personal data where necessary for our legitimate interests in operating, securing, and improving HYNC.io, provided that your interests or fundamental rights and freedoms do not override those interests. Our legitimate interests include, in particular: security and fraud/bot prevention (e.g., rate limiting, detecting brute force attempts), maintaining stability and availability, short-term logging, debugging, and incident investigation, as well as basic operational monitoring. We apply safeguards such as short retention periods, access controls, and minimization of logged content to reduce impact on your privacy.
Art. 6(1)(a) GDPR (Consent): Where appropriate, we rely on your consent for optional processing that is not strictly necessary to provide the core service. This may include optional communications (e.g., newsletters, summary reports) and certain optional features. Where processing is based on consent, you can withdraw consent at any time with effect for the future.

Note: In some cases, multiple legal bases may apply simultaneously (for example, account security may rely on legitimate interests while account operation relies on contract).

8.2 Sensitive data (Art. 9 GDPR – health / special categories)

HYNC.io can process health data and other special categories of personal data within the meaning of Article 9 GDPR, such as physical and mental health metrics, biomarkers, and related measurements. Processing such data is subject to stricter legal requirements.

Art. 9(2)(a) GDPR (Explicit consent): Where required, we process special category data only if you provide explicit consent. We request explicit consent after registration and/or before you first use features that involve health data or other special categories. You can withdraw your explicit consent at any time (see Section 13).

Practical implication: HYNC.io is designed for health and fitness tracking. If you do not provide explicit consent, you may be unable to use certain features (or the service as a whole) to the extent that these features require processing of health data. If you withdraw consent, we will stop processing affected data categories for future use. Depending on the situation, this may mean that related insights, dashboards, and features become unavailable and you may need to delete sensitive entries or delete your account to ensure that no further processing takes place.

Data minimization and privacy by default: We aim to keep special category processing limited to what is necessary for the features you use. Certain sensitive fields may be disabled by default and require explicit activation. Where feasible, we separate private data from public displays and provide granular privacy controls.

8.3 Adult-only / intimate data

HYNC.io offers optional adult-only features that may involve data concerning sex life and similarly intimate information. This is treated as highly sensitive special category data.

For adult-only intimate data, we require:

Explicit feature activation (disabled by default; you must turn it on yourself)
Explicit consent (Art. 9(2)(a) GDPR, where required)
Confirmation that you are 18+ before the feature can be used

Adult-only / intimate data is intended for your private use and is not designed to be publicly shared. It is not shown on public profiles, not included in leaderboards, and not accessible via public sharing links.

9. Children and age limits

HYNC.io is a platform for fitness and health tracking that can involve sensitive personal data. For this reason, it is not intended for children.

Minimum age: You must be at least 16 years old to create an account and use HYNC.io.
Adult-only features: Features involving adult-only / intimate data require you to be 18+ and to explicitly enable these features.
Age assurance: We may request age confirmation (for example through self-declaration) where necessary to enforce these rules. We do not aim to collect more age-related information than necessary.
Enforcement: If we learn or reasonably suspect that an underage user has created an account contrary to these rules, we may restrict the account, disable certain features, and/or delete the account and associated data.
Parents/guardians: Parents or legal guardians may contact us to request deletion of accounts created by underage users. We may need information to verify the request and to prevent unauthorized deletions.

Please note that users are responsible for providing accurate information. If you are not at least 16 years old, you must not use HYNC.io.

We do not sell your personal data. We also do not share personal data for third-party advertising purposes. However, in order to operate HYNC.io, personal data may be processed by selected service providers acting as processors (Art. 28 GDPR) on our behalf, and by third parties you connect at your request (e.g., integrations).

We only disclose personal data to recipients where it is necessary for the purposes described in this Privacy Policy, and we apply safeguards such as data minimization, access controls, and contractual protections (e.g., Data Processing Agreements where required). Service providers are permitted to process personal data only under our instructions, unless they act as independent controllers for their own purposes.

10.1 Hosting and email infrastructure

To provide HYNC.io, we use hosting and email infrastructure. These providers may receive and process personal data (such as account identifiers, technical logs, and email metadata/content) to the extent necessary to deliver their services. We select providers with a focus on security and reliability.

netcup GmbH (hosting for production web/backend), Nuremberg, Germany
Categories of data potentially processed: account identifiers, stored user content (as part of hosting), technical logs, IP addresses in server logs, database content necessary to provide the service.
dataforest GmbH (email services for notifications and support), Frankfurt, Germany
Categories of data potentially processed: email address, message content (depending on the message), delivery metadata (timestamps, delivery status), and identifiers required to route messages.

10.2 Content delivery and DNS

Cloudflare (CDN and DNS). Requests to HYNC.io may pass through Cloudflare systems to improve performance, provide caching, and protect against abuse (e.g., DDoS mitigation, firewalling). In this context, Cloudflare may process technical connection data such as IP address, request headers, requested resources, and security-related signals. The extent of processing depends on your request and Cloudflare configuration.

Cloudflare may act as a processor and/or an independent controller depending on the product and the circumstances. Where required, we rely on contractual safeguards and configure services to minimize data where feasible.

10.3 Bot protection

hCaptcha is used for bot detection and abuse prevention (e.g., to protect registration and forms against automated misuse). When a hCaptcha challenge is displayed, technical information may be processed to determine whether a request is likely human or automated. This may include IP address and device/browser signals, depending on the configuration and the hCaptcha service behavior.

10.4 Uptime monitoring

UptimeRobot is used to monitor availability of HYNC.io endpoints. In this context, UptimeRobot may access public endpoints and process technical data necessary to perform uptime checks (e.g., response codes, timing, and server reachability).

10.5 Self-hosted services (controller-operated)

We operate certain support and security tools ourselves (“self-hosted”) in a private environment (homelab) to reduce disclosure to external providers. These tools are used for error tracking, monitoring, and log analysis and are protected with access controls.

Sentry (self-hosted) for error tracking (in the homelab environment)
Potential data: error events, stack traces, and contextual technical data required to debug issues (e.g., browser version, request identifiers). We aim to avoid collecting sensitive content in error payloads where feasible.
checkmk and Graylog for monitoring/logging (in the homelab environment)
Potential data: technical logs and metrics required for operational monitoring and security analysis (e.g., request timing, status codes, IP addresses in short-lived logs, authentication events).

10.6 Connected third-party accounts (integrations)

If you connect external services (e.g., Strava or other fitness providers; Google for login), those providers process data under their own privacy policies and as independent controllers. HYNC.io receives and stores the data you authorize us to access (e.g., activities and associated metrics), and may store technical credentials (such as OAuth tokens) necessary to maintain the connection until you disconnect it.

You control whether an integration is active. You can revoke access by disconnecting the integration in HYNC.io and/or by revoking access at the third-party provider. Disconnecting stops future imports, but does not automatically delete data already imported into HYNC.io; you can delete imported entries in your account at any time.

11. International transfers (outside the EEA)

HYNC.io is primarily operated with infrastructure in the European Economic Area (EEA). However, depending on the provider and their (sub-)processor infrastructure, personal data may be processed in countries outside the EEA, including countries that may not provide the same level of data protection as the EEA.

International transfers may occur, for example, when using global service providers (such as CDN/DNS, bot protection, uptime monitoring, or identity providers) that operate internationally, or when you connect third-party integrations with global infrastructure.

Where international transfers occur, we rely on appropriate safeguards as required by GDPR, such as:

EU Standard Contractual Clauses (SCCs) (Art. 46 GDPR), where applicable
an adequacy decision (Art. 45 GDPR), where applicable (e.g., where a recognized framework applies)
supplementary technical and organizational measures, where appropriate (e.g., encryption in transit and at rest, access controls, minimization)

Please note that the exact transfer mechanism and roles (processor/controller) depend on the specific provider and service configuration. Where required, additional information about international transfers and safeguards can be requested via info@hync.io.

12. Cookies and similar technologies

HYNC.io uses essential cookies and similar technical mechanisms only to the extent necessary to provide the service to logged-in users. We do not use third-party advertising cookies and we do not use tracking cookies for behavioral advertising.

Essential cookies for logged-in sessions only: HYNC.io uses essential cookies only for logged-in sessions.
Session cookie: A session cookie is required for authentication/session management and to keep you logged in while navigating the application. Without this cookie, login and authenticated areas cannot function.
No cookies for non-logged-in visitors: No cookies are set for visitors who are not logged in (based on the current configuration and specification). Public pages can be accessed without cookies.

Cookie lifetime: The session cookie is typically a transient cookie that expires when you end your session or close your browser, unless your device/browser keeps session state. If additional essential cookies are introduced (e.g., for security hardening), they will be limited to what is strictly necessary and documented here.

Managing cookies: You can usually delete or block cookies via your browser settings. Please note that blocking essential cookies may prevent you from using authenticated features of HYNC.io.

If this changes (e.g., analytics cookies or other non-essential cookies are introduced), this policy must be updated and appropriate consent mechanisms may be required under applicable law.

13. Your choices, consent management, and withdrawal

HYNC.io provides privacy controls designed to give you meaningful choices over how your data is processed and displayed. This includes controls over public visibility, sharing, and (where applicable) consent-based processing of sensitive data.

13.1 Privacy settings

You can manage privacy settings in your account. Depending on the feature set enabled, you can:

Control what profile fields are public (including whether optional fields and selected metrics are displayed publicly)
Choose whether activities are public or private, and whether they are visible only to you, to other users, or to the public
Configure how GPS routes are displayed publicly (e.g., show full route, hide start/end points, or hide the route entirely)
Decide whether you appear in leaderboards and similar community ranking features, where available

Reminder: If you publish data as public, it may be accessible to anyone and may be indexed by search engines and processed by third parties outside of HYNC.io. You should review your settings before publishing.

13.2 Withdrawing consent

Where processing is based on your consent (including explicit consent for special category data where required), you can withdraw consent at any time in your settings or by contacting info@hync.io.

Effect of withdrawal: Withdrawal takes effect for the future. Once consent is withdrawn, we will stop processing the affected categories of data for the purposes that relied on consent. Depending on the nature of the data and the feature, this may disable certain functions (e.g., health analytics), and you may need to delete sensitive entries or delete your account if the service cannot operate meaningfully without processing of that category.

Alternative legal bases: Withdrawal of consent does not affect processing that is lawful on another legal basis (e.g., contract for account operation, or legitimate interests for security). In practice, this means we may still need to process certain minimal data to keep the platform secure and to fulfil deletion/export requests.

14. Data retention and deletion

We apply the principles of storage limitation and data minimization. We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless longer retention is required by law or is necessary for the establishment, exercise, or defense of legal claims.

14.1 General retention principle

As a general rule, we store your account data, activities, measurements, and content until you delete them (or delete your account). You can delete individual entries at any time. If you do not want a specific activity or measurement stored, you should remove it from your account.

In limited cases, we may retain certain minimal information for longer periods where required for security purposes (e.g., to prevent abuse) or to comply with legal obligations. Where feasible, we minimize such retained information.

14.2 Account deletion

HYNC.io provides a user-controlled deletion mechanism. When you delete your account, we apply a deletion workflow designed to remove your data from active systems promptly.

Immediate actions: authentication data, sessions, and access credentials are removed immediately, and access to the account is terminated.
Background deletion: user content and activity/health data are scheduled for deletion and removed from active systems within 24 hours.

Public content: If you had public profiles or public activities, they will no longer be served from HYNC.io after deletion. However, copies of previously public information may remain in third-party caches or archives (e.g., search engine caches) outside of HYNC.io for some time, which we cannot fully control.

14.3 Backups and “suppression list” protection

We maintain encrypted offsite backups at two locations in Austria. Backups are point-in-time snapshots intended for disaster recovery and service continuity. Because backups are historical copies, deleted data may still exist in backup archives until those archives are rotated and overwritten according to the backup schedule.

Suppression list: To prevent deleted accounts from reappearing after a restoration, HYNC.io maintains a suppression list of deleted account identifiers. During and after a restore, the system checks this suppression list and ensures that data associated with deleted accounts is not reintroduced into active operation. If restored data contains entries belonging to deleted accounts, those entries are discarded/removed again as part of post-restore sanitation.

Meaning of this safeguard: This mechanism is designed to ensure that deletion remains effective in production even if a backup restore occurs. It does not necessarily mean that deleted data is immediately erased from all backup archives, but it prevents deleted accounts and their data from becoming active again.

14.4 Logs

Raw server/security logs are retained for up to 48 hours and are then deleted or minimized (e.g., anonymized/aggregated) where feasible. In exceptional cases (e.g., ongoing attacks or incident response), specific log fragments may be retained longer to the extent necessary to protect the service and users.

15. Security measures

HYNC.io processes highly personal information, including health data and, where enabled, adult-only intimate data. We therefore implement technical and organizational security measures (“TOMs”) designed to protect confidentiality, integrity, and availability of data. Security measures are continuously reviewed and may evolve over time based on technical developments and risk assessments.

Core security measures include in particular:

HTTPS/TLS encryption in transit: Communication between your device and HYNC.io is encrypted using TLS to reduce the risk of interception or manipulation during transmission.
Password hashing (bcrypt): Passwords are not stored in plaintext. We store only cryptographic hashes using bcrypt (or a comparable strong hashing scheme), to reduce the risk of password disclosure in case of an incident.
Access controls and least-privilege concepts: Administrative and internal access to systems is restricted to what is necessary for operation and maintenance. We apply role-based concepts where feasible and limit access to production systems.
Two-factor authentication (2FA), where available: Where supported, 2FA can be used to strengthen account security. We recommend enabling 2FA if it is available for your account.
Monitoring, alerting, and intrusion/abuse prevention: We use monitoring and alerting to detect availability issues and suspicious activity. Protective measures may include VPN-restricted administrative access, rate limiting, bot protection (e.g., hCaptcha), and security rules to mitigate brute force attempts, scraping, and other abuse patterns.
Encrypted offsite backups: Backups are encrypted to reduce the risk of unauthorized access if backup media or storage were compromised. Backups are used for disaster recovery and continuity and are not intended for routine access.

Organizational safeguards: In addition to technical measures, we apply organizational safeguards such as limiting who can access administrative systems, using secure operational procedures (e.g., controlled deployment and update processes), and restricting the environments where operational tooling is accessible.

Data minimization in telemetry: Where feasible, we aim to minimize sensitive information in logs and monitoring payloads. For example, we strive to avoid logging the content of sensitive fields and to limit retention of raw security logs (see Section 14.4).

Incident handling: If a security incident occurs, we take reasonable steps to contain and mitigate the incident, investigate its cause, and restore system security. Where required by law, we will notify affected users and/or relevant authorities.

No internet service can be 100% secure. However, we aim to apply security best practices proportionate to the sensitivity of the data processed by HYNC.io and to continuously improve protective measures.

16. Automated decision-making / profiling

HYNC.io may compute analytics, scores, and insights based on the data you provide or import. This may include, for example, trend analyses, summaries, comparisons, training load indicators, personal records, recommendations, and gamification elements such as XP or badges.

These computations are intended to provide informational and convenience features (e.g., helping you visualize progress or summarize activities). They are not intended to produce legal effects concerning you or to similarly significantly affect you within the meaning of Article 22 GDPR. In particular, HYNC.io does not use your data to make decisions about employment, insurance eligibility, creditworthiness, or other comparable high-impact determinations.

Profiling in the GDPR sense: Certain features may involve automated evaluation of personal aspects (e.g., fitness performance trends). Where this qualifies as “profiling” under the GDPR, it remains limited to the purposes of providing the service features you request and is not used for advertising targeting or third-party marketing.

If this changes (e.g., if HYNC.io introduces automated eligibility decisions or similarly significant automated decision-making), we will update this policy and, where required, provide additional information about the logic involved, the significance and the envisaged consequences of such processing, and the rights available to you.

17. Your GDPR rights

As a data subject, you have certain rights under the GDPR. These rights apply depending on the circumstances and the legal basis of the processing. Where we process special category data (e.g., health data), your rights remain applicable, subject to legal limitations and safeguards. Exercising your rights is generally free of charge, unless requests are manifestly unfounded or excessive.

Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we process personal data about you and, if so, to receive access to that data and information about the processing (e.g., purposes, categories, recipients, retention, and safeguards).
Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate personal data and completion of incomplete data. Many profile and tracking fields can be corrected directly within your account settings.
Right to erasure (“right to be forgotten”, Art. 17 GDPR): You have the right to request deletion of personal data in certain situations, for example where data is no longer necessary for the purposes collected, or where you withdraw consent and no other legal basis applies. Please note that public content may have been indexed or cached by third parties outside of HYNC.io; deleting data on HYNC.io does not guarantee immediate removal from external caches or archives.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict processing in certain cases (e.g., if you contest accuracy, or if processing is unlawful but you oppose erasure). Restricted data may remain stored but will not be actively processed except as permitted by law.
Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller. HYNC.io provides an account export feature for this purpose.
Right to object (Art. 21 GDPR): Where we process personal data based on legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to such processing on grounds relating to your particular situation. If you object, we will stop the processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed for legal claims.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent (including explicit consent for special category data under Art. 9(2)(a) GDPR), you can withdraw consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise your rights, contact info@hync.io. We may need to verify your identity to protect your data and to prevent unauthorized access or deletion (for example, by asking you to confirm control over the account email address or to provide additional verification in suspicious cases).

Response time: We aim to respond without undue delay and within the statutory time limits (generally one month, extendable in complex cases). If we cannot fulfill a request, we will explain the reasons (e.g., legal restrictions or conflicting obligations).

18. Supervisory authority (Austria)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. In particular, you may contact the Austrian Data Protection Authority (Datenschutzbehörde).
You can also lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.

19. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in HYNC.io, such as new features (e.g., payments via Stripe), new integrations, changes in infrastructure providers, legal requirements, or security improvements. We also may update this policy to clarify descriptions or improve transparency.

When we update this Privacy Policy, we will publish the updated version and update the effective date. If a change materially affects your rights or the way we process sensitive data, we may additionally provide a prominent notice within the service or via email, where appropriate and legally required.

Your continued use of HYNC.io after an update means that the updated policy applies going forward. If you do not agree with an updated policy, you should stop using the service and may delete your account and data.

20. Contact

If you have questions about this Privacy Policy, want to exercise your GDPR rights, or wish to contact us regarding privacy and data protection, please use:

Privacy inquiries: info@hync.io

To help us process your request efficiently, please include (where applicable) your account email address, a clear description of your request, and any relevant context (e.g., which profile/activity the request refers to). Please do not include unnecessary sensitive information in emails.

Quick facts

What data do we collect?

Do we sell your personal information?

Do we share your personal information with third parties?

Do we share your personal information with third parties for targeted advertising?

Do we process health/sensitive data?

Yes, only if you provide it and consent (Art. 9 GDPR)

Can you withdraw consent?

Yes, anytime in settings or via contact

How long do we keep data?

Until you delete it; logs up to 48h

Do we use cookies?

Only essential session cookies for logged-in users

International data transfers?

Possible with safeguards (SCCs, adequacy, supplementary measures)

Minimum age to use HYNC.io?

16+; adult-only features 18+

How we handle your personal information

When you create an account on Hync.io, we ask you to provide us with your email address and a password. This information is required to create an account on Hync.io. We use this information to identify you as a user of Hync.io and to provide you with the services you request. The more data you provide (for example gender, age, weight, height, ...) the more accurate the results of the services provided by Hync.io will be. You can choose which data you want to provide and which data you want to keep private.