← Back to Home

Privacy Policy

Last updated: December 9, 2025

Note: This is a translation for convenience only. In case of discrepancies between the German and the English version, the German version shall prevail.

1. Introduction

With this Privacy Policy, we inform you about the type, scope, and purpose of the processing of personal data ("Data") within the scope of using the service Super Productivity Sync. This policy also explains your rights under the General Data Protection Regulation (GDPR).

2. Data Controller

[Contact Name]
[Country]

Email: [Email]

A Data Protection Officer has not been appointed as the statutory requirements for this are not met (fewer than 20 persons constantly involved in data processing).

3. What Data We Process

(1) Inventory Data

• Email address
• Password (stored exclusively as a cryptographic hash)
• Registration date
• Account status information (e.g., Active, Inactive)

(2) Content Data

This includes all data you save in the "Super Productivity" app and synchronize via the Service:

• Tasks
• Projects
• Notes
• Time tracking entries
• Settings

Note: If End-to-End Encryption (E2EE) is activated, this data exists on our server exclusively in encrypted form.

(3) Meta and Log Data

Technically necessary when accessing the server:

• IP address
• Time of access
• App version / Browser type
• Operating system
• Error and diagnostic information

4. Legal Basis for Processing

We process your data based on the following legal bases:

(1) Performance of Contract (Art. 6(1)(b) GDPR)

• Storage of your account
• Synchronization of your content
• Technical provision of the Service
• Sending security-relevant system emails (e.g., password reset)

(2) Legitimate Interest (Art. 6(1)(f) GDPR)

• Server and service security
• Detection and defense against misuse (DDoS, brute force attacks)
• Error analysis and stability improvement

(3) Legal Obligations (Art. 6(1)(c) GDPR)

This applies to tax retention obligations for paid plans or official requests for information.

5. Hosting and Infrastructure

The Service is hosted by:

Alfahosting GmbH
Ankerstraße 3b
06108 Halle (Saale)
Germany
Website: https://alfahosting.de/

Data Location: Processing takes place exclusively on servers in Germany.

Data Processing Agreement: We have concluded a Data Processing Agreement (DPA) with Alfahosting GmbH in accordance with Art. 28 GDPR. No transfer to a third country takes place via the hoster.

6. Data Processing during Synchronization

A) Standard Synchronization (without E2EE)

• Your content data is transmitted via TLS/SSL transport encryption.
• It is stored in our database on the server. No end-to-end encryption is used here.
• Access by the Provider is technically possible but occurs exclusively if required for maintenance, diagnosis, or defense against technical disturbances.

B) End-to-End Encryption (E2EE – optional)

If you enable E2EE in the app:

• Your data is encrypted locally on your device before transmission.
• The server stores only encrypted data blocks ("Blobs").
• We have no access to your keys and cannot restore, decrypt, or view the data.
• Loss of the key results in permanent data loss.

7. Email Sending

We send exclusively transactional emails (e.g., password reset, email address confirmation, security-relevant system messages). Data processing is carried out based on Art. 6(1)(b) GDPR (Performance of Contract).

Service Provider: Emails are sent technically via the mail servers of our hosting provider Alfahosting GmbH (see Section 5). No external email marketing providers are used. The data thus remains within the German infrastructure.

8. Storage Duration and Deletion

(1) Account Deletion

If you delete your account via the app settings, we will delete your inventory data and content data immediately, but no later than within 7 days from all active systems.

(2) Inactivity (Free Accounts)

We reserve the right to delete free accounts that have not been used for more than 12 months. This will only occur after prior notification to the registered email address.

(3) Server Log Files

Log data (IP addresses) are automatically deleted after 7 to 14 days, unless security-relevant incidents require longer storage.

(4) Statutory Retention Obligations

For paid accounts, we are obliged to retain invoice-relevant data for up to 10 years in accordance with statutory requirements.

9. Transfer to Third Parties

Data is generally not transferred to third parties unless:

• You have expressly consented (Art. 6(1)(a) GDPR),
• It is necessary for the performance of the contract (e.g., transfer to payment service providers for premium accounts),
• It serves the technical provision (see Hosting),
• Or we are legally obliged to do so (e.g., to law enforcement agencies).

We never sell your data to third parties or advertisers.

10. Your Rights

Under the GDPR, you have the following rights at any time:

• Right of Access to your data stored by us (Art. 15 GDPR)
• Right to Rectification of incorrect data (Art. 16 GDPR)
• Right to Erasure of your data (Art. 17 GDPR)
• Right to Restriction of Processing (Art. 18 GDPR)
• Right to Data Portability (export of your data) (Art. 20 GDPR)
• Right to Object to processing (Art. 21 GDPR)
• Right to Withdraw Consent (Art. 7(3) GDPR)

To exercise your rights (e.g., deletion), a simple email is sufficient: [Email]

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

The Saxon Data Protection Commissioner (Sächsischer Datenschutzbeauftragter)
Website: https://www.saechsdsb.de/

12. Cookies and Tracking

The SuperSync service uses only technically necessary session cookies for authentication. We do not use tracking cookies, analytics services, or advertising technologies.

13. Automated Decision-Making

We do not use automated decision-making or profiling as defined by Art. 22 GDPR.

14. Contact

If you have any questions about data protection, please contact us:

Email: [Email]