Privacy Policy

Last updated: February 5, 2026

Overview

sine~sync is built on the principle of zero-knowledge encryption. We cannot read your data, and we've designed our systems to minimize the information we collect about you.

What We Cannot See

Due to our zero-knowledge architecture:

  • Your memories and observations - All synced data is encrypted on your device before transmission. We only store encrypted blobs.
  • Your encryption keys - Your master password and secret key never leave your device.
  • Your embeddings - Vector embeddings are encrypted along with your data.
  • Your vault contents - We cannot decrypt or access any vault data.

What We Collect

We collect minimal information necessary to provide the service:

  • Account information - Email address for authentication and communication.
  • Usage metadata - Storage usage, sync timestamps, and device identifiers (not linked to content).
  • Payment information - Processed securely by Stripe. We do not store credit card numbers.
  • Error logs - Anonymous crash reports to improve the service (no personal data included).

How We Use Your Information

  • To provide and maintain the sine~sync service
  • To process payments and manage subscriptions
  • To send important service updates (you can opt out of marketing emails)
  • To respond to support requests
  • To improve our service based on anonymous usage patterns

Data Storage and Security

Your encrypted data is stored on Google Cloud Platform infrastructure. Even in the event of a data breach, attackers would only obtain encrypted blobs that are computationally infeasible to decrypt without your master password and secret key.

We use industry-standard security practices including:

  • AES-256-GCM encryption for all stored data
  • Argon2id key derivation (64MB memory, 3 iterations)
  • TLS 1.3 for all data in transit
  • Regular security audits

Data Retention

Your encrypted data is retained as long as your account is active. Upon account deletion:

  • Immediately - Your account is marked as deleted, all sessions are revoked, and you are removed from any shared vaults you do not own. Your email is retained during the grace period so you can contact support to recover your account.
  • Within 30 days - All encrypted vault data, sync items, device records, account information (including email), and associated cloud storage blobs are permanently deleted.
  • Payment records - Retained as required by law (typically 7 years for tax purposes).

The 30-day grace period exists to prevent accidental data loss. During this period, data is inaccessible but not yet permanently deleted. This timeline is compliant with GDPR (30 days) and CCPA (45 days) requirements.

Third-Party Services

We use the following third-party services:

  • Stripe - Payment processing
  • Google Cloud Platform - Infrastructure and storage
  • Resend - Transactional emails

These services have their own privacy policies and we encourage you to review them.

Your Rights

You have the right to:

  • Access - View and access your account information.
  • Export - Export your data by running a local sync before account deletion to retain a decrypted copy.
  • Delete - Delete your account and all associated data from the Subscription page. You must cancel any active subscription first.
  • Opt out - Opt out of marketing communications at any time.

These rights apply to all users regardless of jurisdiction, including under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). To exercise any of these rights, contact us at privacy@sinesync.ai.

Children's Privacy

sine~sync is not intended for use by children under 13. We do not knowingly collect information from children under 13.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this privacy policy, please contact us at privacy@sinesync.ai.