Privacy Policy & Data Protection

Last Updated: November 28, 2025

1. Introduction

Welcome to syns6 ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our karaoke visualization service. This document also serves as our Data Processing Agreement (DPA) and complies with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

As the Data Controller, syns6 determines the purposes and means of processing your personal data.

2. Information We Collect

2.1 Account Information

When you sign up through Spotify OAuth, we collect:

  • Profile Data: Your Spotify username, profile picture, and email address
  • Unique Identifiers: Spotify user ID and our internal user ID
  • Authentication Tokens: OAuth access and refresh tokens to interact with Spotify on your behalf

2.2 Spotify Playback Data

To provide our karaoke and visualization services, we access:

  • Currently Playing Track: Song title, artist, album, and track duration
  • Playback State: Whether you're playing, paused, or stopped
  • Playback Position: Current timestamp in the track for synced lyrics
  • Device Information: The device you're playing Spotify on
  • Audio Features: Track characteristics like instrumentalness to optimize lyrics display

2.3 Usage Data

We collect information about how you use our service:

  • Play History: Tracks you've played, play duration, and timestamps
  • Visualization Preferences: Your chosen visualization types and settings
  • Audio Preferences: Sensitivity, bass boost, and other audio settings
  • Hue Integration Settings: Bridge IP, username, and light intensity preferences (if you enable Hue integration)

2.4 Microphone Data

When you use our visualizations, we access your microphone to analyze audio in real-time. This audio is processed locally in your browser and is never recorded, stored, or transmitted to our servers.

2.5 Payment Information

Payment processing is handled by Stripe. We store:

  • Stripe Customer ID: Links your account to Stripe
  • Subscription Details: Plan type (weekly/monthly/yearly), status, billing period, and trial information
  • Note: We never store your credit card details. All payment information is securely handled by Stripe.

2.6 Technical Data

  • Browser Information: Browser type, version, and capabilities (WebGL support)
  • Device Data: Operating system, screen resolution
  • Referral Data: Referral codes for our referral program
  • Analytics: Page views, session duration, and feature usage (via Vercel Analytics)

2.7 Cookies and Local Storage

We use:

  • Session Cookies: To keep you logged in
  • Preference Cookies: To remember your visualization and audio settings
  • Local Storage: To cache lyrics and user preferences for offline access

3. How We Use Your Information

We process your data for the following purposes:

  • Provide the Service: Display synced lyrics, render visualizations, and control Spotify playback
  • Personalize Your Experience: Remember your preferences and pre-load lyrics for upcoming tracks
  • Process Payments: Manage your subscription through Stripe
  • Improve Our Service: Analyze usage patterns to enhance features and performance
  • AI Features: Generate custom visualizations based on your prompts (using Google AI)
  • Communication: Send service updates, subscription notifications, and promotional materials (with your consent)
  • Referral Program: Track and reward referrals
  • Legal Compliance: Comply with legal obligations and protect our rights

4. Data Processors and Third-Party Services

We engage the following third-party data processors to provide our service. Each processor has been carefully vetted for GDPR compliance and has appropriate data processing agreements in place.

4.1 Infrastructure and Hosting

Vercel Inc.

  • Purpose: Application hosting, edge functions, CDN, and analytics
  • Data Processed: All application data, user sessions, API requests, page views (anonymized)
  • Location: United States (with global edge network)
  • GDPR Compliance: EU-US Data Privacy Framework certified
  • Security: SOC 2 Type II certified
  • DPA: vercel.com/legal/dpa

Neon Database (Serverless PostgreSQL)

  • Purpose: Database hosting and management
  • Data Processed: User accounts, preferences, play history, lyrics cache, subscriptions
  • Location: United States and Europe (region-selectable)
  • GDPR Compliance: GDPR-compliant, SOC 2 Type II certified
  • Security: Encryption at rest and in transit, automated backups
  • Privacy Policy: neon.tech/privacy-policy

4.2 Authentication

Spotify AB

  • Purpose: OAuth authentication and Spotify API integration
  • Data Processed: Spotify user ID, profile information, playback state, OAuth tokens
  • Location: Sweden (EU), with global infrastructure
  • GDPR Compliance: Fully GDPR compliant (EU-based company)
  • Privacy Policy: spotify.com/privacy

4.3 Payment Processing

Stripe, Inc.

  • Purpose: Payment processing and subscription management
  • Data Processed: Email, payment methods, billing information, subscription status
  • Location: United States and Europe (depending on your location)
  • GDPR Compliance: Fully GDPR compliant, PCI DSS Level 1 certified
  • Security: Industry-leading payment security, encrypted transactions
  • DPA: stripe.com/legal/dpa
  • Note: syns6 does not store or process credit card information directly

4.4 AI and Machine Learning

Google LLC (Gemini AI)

  • Purpose: AI-powered visualization generation from user prompts
  • Data Processed: User-provided text prompts for visualization creation
  • Location: United States and global data centers
  • GDPR Compliance: EU-US Data Privacy Framework certified
  • DPA: cloud.google.com/terms/data-processing-addendum

4.5 Optional Integrations

YouTube API (Google LLC)

  • Purpose: Video search for music videos (optional feature)
  • Data Processed: Song and artist names for video search queries
  • Location: United States and global
  • Privacy Policy: policies.google.com/privacy

PeerJS Cloud Server

  • Purpose: WebRTC signaling for peer-to-peer session sharing (viewer mode)
  • Data Processed: Peer IDs, signaling data for WebRTC connections
  • Note: Video/audio streams are peer-to-peer and do not transit through servers
  • Privacy: peerjs.com

5. International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure such transfers comply with GDPR through:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers
  • EU-US Data Privacy Framework: For transfers to certified US companies (Vercel, Google, Stripe)
  • Adequacy Decisions: For transfers to countries with adequate data protection (e.g., UK, Switzerland)
  • Processor Agreements: All processors maintain GDPR-compliant data processing agreements

You have the right to request information about the safeguards we use for international data transfers.

6. Data Security

We implement comprehensive technical and organizational measures to protect your personal data:

6.1 Technical Security Measures

  • Encryption in Transit: All data transmissions use TLS/SSL encryption
  • Encryption at Rest: Database storage is encrypted
  • Secure Authentication: OAuth 2.0 for Spotify integration
  • Web Application Firewall (WAF): Protection against common attacks
  • DDoS Mitigation: Protection against denial-of-service attacks
  • Regular Updates: Security patches and updates applied promptly

6.2 Organizational Security Measures

  • Access Controls: Principle of least privilege, role-based access
  • Security Audits: Regular vulnerability assessments
  • Employee Training: Data protection and security awareness
  • Incident Response: Documented procedures for security incidents
  • Data Breach Protocols: 72-hour notification requirement under GDPR

6.3 Processor Security Certifications

Our data processors maintain industry-standard certifications:

  • SOC 2 Type II certification (Vercel, Neon, Stripe)
  • ISO 27001 certification (Stripe, Google)
  • PCI DSS Level 1 compliance (Stripe)

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Duration of active account plus 30 days after deletion request
  • Play History: 2 years for analytics and service improvement
  • Subscription Data: 7 years for tax and legal compliance (as required by law)
  • Cached Lyrics: Indefinitely (anonymized, contains no personal data)
  • Analytics Data: 24 months in anonymized form
  • Support Communications: 3 years
  • Backups: Securely deleted according to our retention schedule

After these retention periods, personal data is securely deleted or anonymized in compliance with GDPR requirements.

8. Your Rights (GDPR)

Under GDPR and other applicable laws, you have the following rights:

8.1 Right to Access

Request a copy of your personal data we hold about you.

8.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data in certain circumstances.

8.4 Right to Restriction of Processing

Request that we limit the processing of your personal data.

8.5 Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format.

8.6 Right to Object

Object to processing of your personal data for direct marketing or legitimate interests.

8.7 Right to Withdraw Consent

Withdraw your consent at any time where processing is based on consent (e.g., revoke Spotify permissions).

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority if you believe your rights have been violated.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@syns6.com. We will respond within 30 days as required by GDPR. You may also contact our EU representative at eu-rep@syns6.com if you are located in the European Union.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify You: Within 72 hours of becoming aware of the breach
  • Notify Authorities: Report to relevant supervisory authorities as required by GDPR
  • Provide Details: Information about the nature of the breach, affected data, and mitigation measures
  • Take Action: Immediate steps to contain and remediate the breach
  • Prevent Recurrence: Implement additional safeguards to prevent similar breaches

10. Children's Privacy

Our service is not intended for users under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, please contact us immediately at privacy@syns6.com, and we will take steps to delete such information.

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes:

  • Email Notification: For material changes that affect your rights
  • Website Banner: Prominent notice on our website
  • 30 Days Notice: For changes to subscription pricing or terms

Your continued use of the service after changes constitutes acceptance of the updated policy. The "Last Updated" date at the top of this page indicates when the policy was last revised.

12. Sub-Processor Changes

We reserve the right to engage new sub-processors or change existing ones as needed to provide and improve our service. When we do:

  • Update this policy to reflect the changes
  • Notify users via email of material changes to sub-processors
  • Provide at least 30 days' notice before engaging new sub-processors that handle personal data
  • Allow you to object to the use of a new sub-processor

13. Contact Us

If you have questions about this privacy policy, want to exercise your rights, or have concerns about how your data is processed, contact us at: