Privacy Policy
Last updated: June 30, 2025
Effective Date: June 30, 2025
This Privacy Policy describes how NotionSync ("we," "our," or "us") collects, uses, and protects your personal information when you use our form builder service that integrates with Notion.
1. Data Controller
NotionSync
Email: noreply@sales.notionsync.co
For data protection inquiries, please contact us at the email address above.
2. Information We Collect
2.1 Account Information
- Data: Name, email address, encrypted password
- Legal Basis: Contract performance (to provide our service)
- Retention: Until account deletion + 30 days for security purposes
2.2 Notion Integration Data
- Data: Notion workspace access tokens, database IDs, database structures
- Legal Basis: Contract performance (to sync form data to your Notion workspace)
- Retention: Until you disconnect your Notion account + 7 days
2.3 Form Data
- Data: Form configurations, field settings, form names and descriptions
- Legal Basis: Contract performance (to provide form building services)
- Retention: Until form deletion or account closure
2.4 Form Submissions
- Data: Data submitted through your forms by end users
- Legal Basis: Legitimate interest (to process and deliver form submissions)
- Retention: We act as a processor; data is immediately synced to your Notion and deleted from our servers within 24 hours
- Note: You are the data controller for form submission data
2.5 Payment Information
- Data: Billing details processed through Stripe (we do not store payment card details)
- Legal Basis: Contract performance (to process subscription payments)
- Retention: Billing records kept for 7 years for accounting purposes
2.6 Usage Analytics
- Data: Feature usage, form creation statistics, submission counts
- Legal Basis: Legitimate interest (to improve our service)
- Retention: Aggregated analytics kept indefinitely, individual usage data for 24 months
2.7 Communication Data
- Data: Support emails, contact form messages
- Legal Basis: Legitimate interest (to provide customer support)
- Retention: 3 years for support history
3. How We Use Your Information
We process your personal data to:
- Provide our service: Create and manage forms, sync data to Notion
- Maintain your account: Authentication, subscription management
- Process payments: Handle billing through Stripe
- Send notifications: Form submission alerts via email (using Resend)
- Provide support: Respond to inquiries and troubleshoot issues
- Improve our service: Analyze usage patterns and optimize features
- Legal compliance: Meet regulatory requirements
4. Data Sharing and Third Parties
4.1 Service Providers
We share data with trusted service providers:
- Stripe: Payment processing (PCI DSS compliant)
- Resend: Email notification delivery
- NeonTech: Database hosting (data encrypted at rest)
- Notion: API integration for data synchronization
4.2 Data Transfers
Our service providers may process data outside the EU. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Service provider certifications (e.g., Privacy Shield successors)
5. Data Security
We implement robust security measures:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls: Role-based access with multi-factor authentication
- Regular security audits: Quarterly security assessments
- Incident response: 72-hour breach notification procedures
6. Your Rights Under GDPR
You have the following rights:
6.1 Right of Access
Request a copy of your personal data we hold.
6.2 Right to Rectification
Correct inaccurate or incomplete personal data.
6.3 Right to Erasure
Request deletion of your personal data (subject to legal obligations).
6.4 Right to Restrict Processing
Limit how we process your data in certain circumstances.
6.5 Right to Data Portability
Receive your data in a machine-readable format.
6.6 Right to Object
Object to processing based on legitimate interests.
6.7 Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time.
To exercise your rights: Email noreply@sales.notionsync.co with your request. We will respond within 30 days.
7. Cookies and Tracking
We use essential cookies for:
- Authentication: Keep you logged in
- Preferences: Remember your settings
- Security: Prevent CSRF attacks
We do not use advertising or tracking cookies. You can manage cookies through your browser settings.
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until deletion + 30 days | Security and fraud prevention |
| Form configurations | Until deletion | Service provision |
| Form submissions | 24 hours maximum | Data processing (you control retention in Notion) |
| Payment records | 7 years | Legal requirement |
| Support communications | 3 years | Customer service |
| Usage analytics | 24 months | Service improvement |
9. Children's Privacy
Our service is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us immediately.
10. International Transfers
We primarily process data within the EU/EEA. When data is transferred internationally, we ensure adequate protection through appropriate safeguards.
11. Automated Decision Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
12. Data Protection Officer
For data protection matters, contact our privacy team at noreply@sales.notionsync.co.
13. Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights.
For EU residents, find your local authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:
- Post the updated policy on our website
- Email registered users about material changes
- Update the "Last Updated" date
15. Contact Us
For privacy-related questions or to exercise your rights:
Email: noreply@sales.notionsync.co
Subject Line: "Privacy Inquiry"
We aim to respond to all privacy inquiries within 30 days as required by GDPR.
This policy complies with the General Data Protection Regulation (GDPR) and other applicable privacy laws.