Last Updated: March 2026
Synckony Pty Ltd (ABN [to be inserted]) ("Synckony", "we", "us", "our") is committed to protecting the privacy of individuals who visit our website at www.synckony.com.au ("Website"), individuals who register for and use our platform and services ("Service"), and individuals whose personal information may be processed through the Service on behalf of our customers.
This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our Website and Service. It applies to information we collect as a data controller, that is, when we decide why and how personal information is processed, for example, when you create an account, visit our Website, or contact us.
This Privacy Policy does not apply to personal information we process on behalf of our customers as a data processor. When our customers connect their ecommerce stores to the Service, we process their store data, which may contain their end customers' personal information, according to our customers' instructions and the terms of our Data Processing Addendum ("DPA"). If you are an end customer of a Synckony customer and have questions about how your personal information is handled, please contact the merchant directly.
By using the Website or Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Website or Service.
1. Who We Are
Synckony is an Australian company that provides a middleware platform for ecommerce merchants using Maropost Commerce Cloud (Neto). The Service bridges merchant store data with third-party ecommerce applications by polling the merchant's ecommerce platform API, detecting changes, and delivering real-time webhook notifications to connected applications.
Our principal place of business is in Australia, and we are subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").
For the purposes of the European General Data Protection Regulation ("GDPR") and the UK GDPR, Synckony Pty Ltd is the data controller for personal information collected through the Website and in connection with account registration and management.
Contact for privacy enquiries:
Email: [email protected]
Website: www.synckony.com.au
2. Information We Collect
We collect personal information in the following ways:
2.1 Information You Provide to Us
Account Information. When you register for a Synckony account, we collect your name, email address, company name, and password. If you register as an agency or app partner, we may also collect your company website, areas of expertise, and business description.
Billing Information. When you subscribe to a paid plan, we collect your billing name, billing address, and payment method details. Payment card information is collected and processed by our payment processor, Stripe. We do not store your full payment card number on our systems.
Communications. When you contact us via email, support channels, or feedback forms, we collect the content of your communications, your email address, and any other information you choose to provide.
Connected Platform Credentials. When you connect your ecommerce store to the Service, you provide us with your store URL and API key (or OAuth credentials, where available). We store these credentials in encrypted form and use them solely to poll your store's API as part of the Service.
2.2 Information We Collect Automatically
Usage Data. When you use the Service, we automatically collect information about your interactions, including pages visited within the dashboard, features used, integrations activated, polling configurations, event volumes, and timestamps of activity.
Device and Browser Information. We collect information about the device and browser you use to access the Website and Service, including IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
Log Data. Our servers automatically record information when you access the Website or Service, including your IP address, the date and time of your request, the URL of the page you visited, and referring or exit pages.
Cookies and Similar Technologies. We use cookies and similar tracking technologies to collect information about your browsing activity. See Section 8 (Cookies) for details.
2.3 Information We Receive from Third Parties
Authentication Providers. If you sign up or log in using a third-party authentication provider, such as Google, we receive your name, email address, and profile information from that provider, as permitted by your settings with that provider.
Connected Platforms. When you connect your ecommerce store, we receive data from the Connected Platform's API as necessary to provide the Service. This data may include product information, order details, customer records, and other resource data from your store. We process this data as a data processor on your behalf, as described in our DPA, and not under this Privacy Policy.
Payment Processor. We receive transaction confirmation and subscription status information from Stripe in connection with your billing.
3. How We Use Your Information
We use personal information for the following purposes:
To provide and operate the Service. We use your account information to create and maintain your account, authenticate your access, and provide the features and functionality of the Service. We use your Connected Platform credentials to poll your store's API and deliver webhook notifications.
To process payments. We use billing information to process subscription payments, issue invoices, and manage the Synckony Credits programme.
To communicate with you. We use your email address to send you service-related communications, such as account confirmations, billing notifications, security alerts, and feature updates, to respond to your support enquiries, and, where you have opted in, to send you marketing communications about Synckony's products and services.
To improve the Service. We use usage data, aggregated analytics, and feedback to understand how the Service is used, identify trends, diagnose technical issues, and develop new features and improvements.
To ensure security. We use log data, device information, and IP addresses to detect and prevent fraud, abuse, security incidents, and violations of our Terms of Service.
To comply with legal obligations. We use personal information as necessary to comply with applicable laws, regulations, legal processes, and governmental requests.
To enforce our rights. We use personal information as necessary to enforce our Terms of Service, DPA, and other agreements, and to protect our rights, property, and safety, and the rights, property, and safety of our customers and others.
4. Legal Basis for Processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we process your personal information on the following legal bases:
Performance of a contract. Processing necessary to perform our contract with you, including providing the Service, managing your account, and processing payments.
Legitimate interests. Processing necessary for our legitimate interests, or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include improving the Service, ensuring security, preventing fraud, and marketing our products and services.
Consent. Where you have given us your consent to process your personal information for a specific purpose, such as receiving marketing communications. You may withdraw your consent at any time.
Legal obligation. Processing necessary for compliance with a legal obligation to which we are subject.
5. How We Share Your Information
We do not sell, rent, or trade your personal information for monetary consideration. We share personal information only in the following circumstances:
Service Providers (Subprocessors). We share personal information with third-party service providers who perform services on our behalf, including hosting, database management, authentication, payment processing, analytics, error tracking, and monitoring. These providers are contractually obligated to use personal information only for the purposes of providing their services to us and in accordance with applicable data protection laws. Our current subprocessors are listed at synckony.com/legal/subprocessors.
Connected Applications. When you activate an Integration through the Service, we deliver webhook payloads containing your store data, which may include personal information of your end customers, to the third-party application you have selected. This delivery is performed on your instructions as part of the Service, and the third-party application's own privacy policy governs its handling of that data.
Agencies and App Partners. If you are a merchant whose store is managed by an agency through the Service, your agency may have access to your store's connection status, event logs, and configuration within the Service. Similarly, if an app partner pays Synckony fees on your behalf, they may have visibility into your account's connection status.
Legal Requirements. We may disclose personal information if required to do so by law or in response to valid legal process, such as a court order, subpoena, or government request. We may also disclose personal information if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Synckony, our customers, or the public.
Business Transfers. If Synckony is involved in a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
With Your Consent. We may share your personal information with other parties where you have given us your explicit consent to do so.
Aggregated and De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you. For example, we may share aggregate statistics about Service usage, event volumes, or integration adoption trends.
6. International Data Transfers
Synckony is based in Australia, and our Service uses infrastructure and subprocessors located in Australia, the United States, and other countries. Your personal information may be transferred to and processed in countries other than the country in which you reside.
Transfers from Australia. Where we transfer personal information outside Australia, we comply with Australian Privacy Principle 8 and take reasonable steps to ensure that the overseas recipient handles your personal information in accordance with the APPs.
Transfers from the EEA, UK, and Switzerland. Where we transfer personal information from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as described in our DPA.
7. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, and reporting obligations.
Account Information. We retain your account information for the duration of your account and for a reasonable period following account closure to comply with legal obligations, resolve disputes, and enforce our agreements. Typically, account information is deleted within 90 days of account closure, unless longer retention is required by law.
Billing Information. We retain billing records for the period required by Australian tax law, generally seven years, and any other applicable tax laws.
Usage Data and Logs. Usage data and server logs are retained for a minimum of 30 days for operational purposes and up to 12 months for analytics and security purposes.
Communications. Support communications are retained for as long as your account is active and for a reasonable period thereafter to provide continuity of support and resolve ongoing issues.
Connected Platform Data. Data retrieved from your Connected Platform, store data, flows transiently through the Service and is not persistently stored. Webhook payloads in the retry buffer are deleted within 72 hours of successful delivery or retry expiry. Shadow State fingerprints, cryptographic hashes only and containing no personal information, are deleted within 30 days of account termination.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our Website and within the Service dashboard.
8.1 What Are Cookies
Cookies are small text files placed on your device by a website. They are widely used to make websites work, improve user experience, and provide information to website operators.
8.2 Types of Cookies We Use
Strictly Necessary Cookies. These cookies are essential for the Website and Service to function. They enable core functionality such as user authentication, session management, and security. You cannot opt out of these cookies without impairing the functionality of the Service.
Analytics Cookies. We use analytics cookies to understand how visitors interact with the Website, including which pages are visited, how long visitors spend on each page, and how visitors navigate between pages. We use Axiom for application analytics. These cookies help us improve the Website and Service.
Functional Cookies. These cookies enable enhanced functionality and personalisation, such as remembering your preferences and settings within the Service dashboard.
8.3 Managing Cookies
Most web browsers allow you to manage your cookie preferences through the browser settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. Please note that disabling cookies may affect the functionality of the Website and Service.
8.4 Do Not Track
Some web browsers transmit "Do Not Track" signals. We do not currently respond to "Do Not Track" signals, as there is no industry-standard protocol for interpreting such signals. However, you can manage your cookie preferences as described above.
9. Data Security
We implement reasonable technical and organisational measures to protect personal information against unauthorised access, loss, alteration, disclosure, or destruction. These measures include encryption of data in transit, TLS 1.2 or higher, encryption of sensitive data at rest, including API credentials stored using AES-256 encryption, multi-factor authentication for access to production systems, role-based access controls, and regular monitoring and logging.
For a detailed description of our security measures, please refer to Schedule 2 (Technical and Organisational Measures) of our DPA.
While we take reasonable steps to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information.
10. Your Rights
Depending on where you are located, you may have certain rights regarding your personal information.
10.1 Rights Under the Australian Privacy Act
If you are located in Australia, you have the right to request access to the personal information we hold about you, request correction of any inaccurate or incomplete personal information, and lodge a complaint with us about how we handle your personal information, or with the Office of the Australian Information Commissioner if you are not satisfied with our response.
10.2 Rights Under the GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the right to access your personal data, rectify inaccurate personal data, erase your personal data, restrict the processing of your personal data, receive your personal data in a structured, commonly used, machine-readable format, object to processing based on our legitimate interests, withdraw consent at any time where processing is based on consent, and lodge a complaint with your local data protection supervisory authority.
10.3 Rights Under U.S. State Privacy Laws (Including CCPA)
If you are a resident of California or another U.S. state with applicable privacy legislation, you may have the right to know what personal information we collect, use, disclose, and sell, request deletion of your personal information, opt out of the sale or sharing of your personal information, we do not sell or share personal information as defined by the CCPA, correct inaccurate personal information, and not be discriminated against for exercising your privacy rights.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
10.4 Exercising Your Rights
To exercise any of the rights described above, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law, typically 30 days, or 45 days under the CCPA. We may need to verify your identity before processing your request.
11. Children's Privacy
The Service is not directed at individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at [email protected] and we will take steps to delete such information.
12. Third-Party Links and Services
The Website and Service may contain links to third-party websites, applications, and services that are not operated by Synckony. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party website or service before providing your personal information.
When you activate an Integration through the Service, your store data is delivered to the third-party application you have selected. That application's privacy policy governs its handling of the data. Synckony is not responsible for the privacy practices of third-party applications accessible through our Integration catalog.
13. Data Processed as a Processor
When Synckony processes personal information on behalf of its customers, for example, ecommerce store data retrieved through the Connected Platform API, Synckony acts as a data processor. In this capacity, Synckony processes personal information only in accordance with the customer's documented instructions, as set out in our DPA.
If you are an end customer of a Synckony customer, for example, a shopper who placed an order on a Neto merchant's store, and wish to exercise your data protection rights, please contact the merchant directly. The merchant is the data controller for your personal information and is responsible for responding to your requests.
Synckony's processing of store data is designed to minimise data exposure. We maintain a Shadow State consisting only of cryptographic fingerprints, xxHash64 hashes, for change detection. The Shadow State does not contain any personal information. Full store data flows transiently through our systems for the purposes of change detection and webhook delivery, and is not persistently stored beyond a 72-hour retry buffer.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on the Website with a revised "Last Updated" date, and where required by applicable law, by sending you a notification via email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.
15. How to Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us at:
Synckony Pty Ltd
Email: [email protected]
Website: www.synckony.com.au
For Australian residents: If you are not satisfied with our response to your privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
For EEA/UK residents: You have the right to lodge a complaint with your local data protection supervisory authority.
16. Additional Disclosures
16.1 California Residents (CCPA/CPRA)
The following additional disclosures apply to California residents:
Categories of personal information collected: Identifiers, such as name, email address, and IP address, commercial information, such as billing records and subscription details, internet or electronic network activity, such as usage data, log data, and cookies, and professional information, such as company name and job role where provided.
Sources of personal information: Directly from you, automatically through the Website and Service, and from third-party authentication and payment providers.
Purposes for collection: As described in Section 3 (How We Use Your Information).
Categories of personal information disclosed for a business purpose: Identifiers and internet activity information to service providers, including hosting, analytics, payment processing, authentication, error tracking, and monitoring.
Sale or sharing of personal information: We do not sell or share personal information as those terms are defined under the CCPA.
Sensitive personal information: We do not collect or process sensitive personal information as defined under the CCPA.
Retention: As described in Section 7 (Data Retention).
16.2 "Do Not Sell or Share My Personal Information"
We do not sell or share your personal information. If you have questions or wish to exercise your rights under the CCPA, please contact us at [email protected].
This Privacy Policy was last updated in March 2026.