From 2f7a00371a510bbf42f4a8f0b45a668e7842a14d Mon Sep 17 00:00:00 2001 From: Johannes Millan Date: Thu, 15 Jan 2026 12:48:18 +0100 Subject: [PATCH] fix(supersync): improve GDPR compliance in legal documents - Remove placeholder address text from privacy policies (DE/EN) - Expand HTML privacy policy with full GDPR disclosures: - Legal bases (Art. 6), data subject rights (Art. 15-22) - Supervisory authority, retention periods, DPA info - Cookies/tracking and automated decision-making sections - Align HTML terms with German ToS: - Add proper termination notice periods (2 weeks/good cause) - Add 6-week notice for ToS amendments - Add consumer withdrawal rights (14 days) - Add ODR platform link and jurisdiction info --- .../super-sync-server/privacy-policy-en.md | 2 - packages/super-sync-server/privacy-policy.md | 2 - .../public/privacy.template.html | 298 ++++++++++++++---- packages/super-sync-server/public/terms.html | 144 +++++++-- 4 files changed, 356 insertions(+), 90 deletions(-) diff --git a/packages/super-sync-server/privacy-policy-en.md b/packages/super-sync-server/privacy-policy-en.md index 35de592df..43ffe6706 100644 --- a/packages/super-sync-server/privacy-policy-en.md +++ b/packages/super-sync-server/privacy-policy-en.md @@ -12,8 +12,6 @@ With this Privacy Policy, we inform you about the type, scope, and purpose of th ## 2. Controller **Johannes Millan** -[Insert Street and House Number here] -[Insert Zip Code and City here] Germany Email: contact@super-productivity.com diff --git a/packages/super-sync-server/privacy-policy.md b/packages/super-sync-server/privacy-policy.md index 50ee77a01..a28f90373 100644 --- a/packages/super-sync-server/privacy-policy.md +++ b/packages/super-sync-server/privacy-policy.md 
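Review bot: the `[Insert Street and House Number here]` / `[Insert Zip Code and City here]` placeholders in privacy-policy-en.md are deleted rather than filled in, so the controller block now lists only a name, "Germany" and an email address; Art. 13(1)(a) GDPR requires the controller's identity and contact details, and a German legal notice normally carries a postal address as well, so either confirm that name, country and email are sufficient here or keep the placeholders until the address is available. The same applies to the German privacy-policy.md hunk that follows, which removes `[Hier Straße und Hausnummer ergänzen]` / `[Hier PLZ und Ort ergänzen]` in the same way.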
@@ -10,8 +10,6 @@ Mit dieser Datenschutzerklärung informieren wir Sie über die Art, den Umfang u ## 2. Verantwortlicher **Johannes Millan** -[Hier Straße und Hausnummer ergänzen] -[Hier PLZ und Ort ergänzen] Deutschland E-Mail: contact@super-productivity.com diff --git a/packages/super-sync-server/public/privacy.template.html b/packages/super-sync-server/public/privacy.template.html index e36cdae79..22112d639 100644 --- a/packages/super-sync-server/public/privacy.template.html +++ b/packages/super-sync-server/public/privacy.template.html @@ -30,6 +30,11 @@ margin-bottom: 1rem; color: var(--text); } + h3 { + margin-top: 1.5rem; + margin-bottom: 0.75rem; + color: var(--text); + } p { margin-bottom: 1rem; color: var(--text); @@ -57,6 +62,11 @@ background: rgba(255, 255, 255, 0.05); border-radius: 0.5rem; } + .note { + font-style: italic; + color: var(--text-light); + font-size: 0.9em; + } @@ -68,83 +78,243 @@ >

Privacy Policy

Last updated: December 9, 2025

- -

1. Information We Collect

-

- We collect information you provide directly to us, such as when you create or - modify your account, request customer support, or communicate with us. -

- - -

2. How We Use Your Information

-

- We use the information we collect to operate, maintain, and provide the features - of the Service, to verify your identity, and to provide customer support. +

+ Note: This is a translation for convenience only. In case of discrepancies between + the German and the English version, the German version shall prevail.

-

3. Data Storage and Security

+

1. Introduction

- We implement security measures designed to protect your information from - unauthorized access, disclosure, alteration, and destruction. We support - end-to-end encryption, allowing you to encrypt your data on your device before it - is sent to our servers. + With this Privacy Policy, we inform you about the type, scope, and purpose of the + processing of personal data ("Data") within the scope of using the service + Super Productivity Sync. This policy also explains your rights + under the General Data Protection Regulation (GDPR).

-

4. Data Sharing

-

- We do not share your personal information with third parties except as described - in this privacy policy or with your consent. -

- -

5. Data Retention

-

- We retain your account information and sync data for as long as your account is - active or as needed to provide you the Service. You may request deletion of your - account and data at any time. -

- -

6. Children's Privacy

-

- Our Service is not directed to individuals under the age of 13. We do not - knowingly collect personal information from children under 13. -

- -

7. Changes to This Policy

-

- We may update this Privacy Policy from time to time. We will notify you of any - changes by posting the new Privacy Policy on this page. -

- -

8. Data Controller

-

The data controller responsible for your personal data is:

+

2. Data Controller

{{ PRIVACY_CONTACT_NAME }}
- {{ PRIVACY_ADDRESS_STREET }}
- {{ PRIVACY_ADDRESS_CITY }}
{{ PRIVACY_ADDRESS_COUNTRY }}

Email: {{ PRIVACY_CONTACT_EMAIL }}
- -

9. Contact Us

- If you have any questions about this Privacy Policy, please contact us at - {{ PRIVACY_CONTACT_EMAIL }}. + A Data Protection Officer has not been appointed as the statutory requirements for + this are not met (fewer than 20 persons constantly involved in data processing). +

+ +

3. What Data We Process

+ +

(1) Inventory Data

+ + +

(2) Content Data

+

+ This includes all data you save in the "Super Productivity" app and synchronize + via the Service: +

+ +

+ Note: If End-to-End Encryption (E2EE) is activated, this data exists on our server + exclusively in encrypted form. +

+ +

(3) Meta and Log Data

+

Technically necessary when accessing the server:

+ + +

4. Legal Basis for Processing

+

We process your data based on the following legal bases:

+ +

(1) Performance of Contract (Art. 6(1)(b) GDPR)

+ + +

(2) Legitimate Interest (Art. 6(1)(f) GDPR)

+ + +

(3) Legal Obligations (Art. 6(1)(c) GDPR)

+

+ This applies to tax retention obligations for paid plans or official requests for + information. +

+ +

5. Hosting and Infrastructure

+

The Service is hosted by:

+
+ Alfahosting GmbH
+ Ankerstraße 3b
+ 06108 Halle (Saale)
+ Germany
+ Website: https://alfahosting.de/ +
+

+ Data Location: Processing takes place exclusively on servers in + Germany. +

+

+ Data Processing Agreement: We have concluded a Data Processing + Agreement (DPA) with Alfahosting GmbH in accordance with Art. 28 GDPR. No transfer + to a third country takes place via the hoster. +

+ +

6. Data Processing during Synchronization

+ +

A) Standard Synchronization (without E2EE)

+ + +

B) End-to-End Encryption (E2EE – optional)

+

If you enable E2EE in the app:

+ + +

7. Email Sending

+

+ We send exclusively transactional emails (e.g., password reset, email address + confirmation, security-relevant system messages). Data processing is carried out + based on Art. 6(1)(b) GDPR (Performance of Contract). +

+

+ Service Provider: Emails are sent technically via the mail + servers of our hosting provider Alfahosting GmbH (see Section 5). + No external email marketing providers are used. The data thus remains within the + German infrastructure. +

+ +

8. Storage Duration and Deletion

+ +

(1) Account Deletion

+

+ If you delete your account via the app settings, we will delete your inventory + data and content data immediately, but no later than within + 7 days from all active systems. +

+ +

(2) Inactivity (Free Accounts)

+

+ We reserve the right to delete free accounts that have not been used for more than + 12 months. This will only occur after prior notification to the + registered email address. +

+ +

(3) Server Log Files

+

+ Log data (IP addresses) are automatically deleted after + 7 to 14 days, unless security-relevant incidents require longer + storage. +

+ +

(4) Statutory Retention Obligations

+

+ For paid accounts, we are obliged to retain invoice-relevant data for up to + 10 years in accordance with statutory requirements. +

+ +

9. Transfer to Third Parties

+

Data is generally not transferred to third parties unless:

+ +

We never sell your data to third parties or advertisers.

+ +

10. Your Rights

+

Under the GDPR, you have the following rights at any time:

+ +

+ To exercise your rights (e.g., deletion), a simple email is sufficient: + {{ PRIVACY_CONTACT_EMAIL }} +

+ +

11. Right to Lodge a Complaint

+

+ You have the right to lodge a complaint with a data protection supervisory + authority. The authority responsible for us is: +

+
+ The Saxon Data Protection Commissioner (Sächsischer + Datenschutzbeauftragter)
+ Website: + https://www.saechsdsb.de/ +
+ +

12. Cookies and Tracking

+

+ The SuperSync service uses only technically necessary session cookies for + authentication. We do not use tracking cookies, analytics services, or advertising + technologies. +

+ +

13. Automated Decision-Making

+

+ We do not use automated decision-making or profiling as defined by Art. 22 GDPR. +

+ +

14. Contact

+

If you have any questions about data protection, please contact us:

+

+ Email: + {{ PRIVACY_CONTACT_EMAIL }}

diff --git a/packages/super-sync-server/public/terms.html b/packages/super-sync-server/public/terms.html index f2aa31bc2..05079f7b7 100644 --- a/packages/super-sync-server/public/terms.html +++ b/packages/super-sync-server/public/terms.html @@ -50,6 +50,11 @@ .back-link:hover { color: var(--primary); } + .note { + font-style: italic; + color: var(--text-light); + font-size: 0.9em; + } @@ -61,6 +66,10 @@ >

Terms of Service

Last updated: December 9, 2025

+

+ Note: This is a translation for convenience only. In case of discrepancies between + the German and the English version, the German version shall prevail. +

1. Acceptance of Terms

@@ -73,7 +82,9 @@

SuperSync is a data synchronization service designed to work with the Super Productivity application. It allows users to synchronize their task data across - multiple devices. + multiple devices. The Service is provided in its currently available version ("as + available"). The Provider may further develop, modify, restrict, or discontinue + the Service at any time.

3. User Accounts

@@ -87,45 +98,134 @@ to access the Service and for any activities or actions under your account.

-

4. Data Privacy and Security

+

4. Data Security and Encryption

- Your use of the Service is also governed by our Privacy Policy. We take reasonable - measures to protect your data, including end-to-end encryption support when - enabled by the user. + Your use of the Service is also governed by our Privacy Policy. Data transmission + is encrypted via TLS/SSL. By default, data is stored without end-to-end + encryption. +

+

+ You may optionally enable End-to-End Encryption (E2EE). If enabled, your + encryption keys are generated and managed locally by you. + Warning: We have no access to these keys and cannot recover + encrypted data if you lose your key. Loss of your encryption key results in + permanent data loss. +

+

+ Backups are performed on a best-effort basis. You are obligated to create regular + local backup copies of your data.

-

5. Future Pricing

+

5. User Obligations

+

You agree:

+ +

+ If you violate these Terms and the Provider is held liable by third parties as a + result, you shall indemnify the Provider against all related claims. +

+ +

6. Future Pricing

The Service is currently provided free of charge. However, we reserve the right to introduce fees for the Service in the future. We will provide notice of any such changes before they become effective.

-

6. Termination

+

7. Termination

- We may terminate or suspend your account immediately, without prior notice or - liability, for any reason whatsoever, including without limitation if you breach - the Terms. + You may delete your account at any time via the app settings, thereby terminating + the contract. +

+

+ For free services, we may terminate the contractual relationship with a notice + period of two (2) weeks. We may terminate or suspend your account immediately + without notice only for good cause (e.g., violation of these Terms, illegal + activities). +

+

For paid services, the notice periods stated in the order process apply.

+ +

8. Changes to Terms

+

+ We may amend these Terms if necessary to adapt to technical developments, changes + in legal frameworks, new functions, security requirements, or business models. +

+

+ Amendments will be communicated to you at least + six (6) weeks before they take effect. The notification will + include your right to object and your right to terminate the contract. If you do + not object within the notice period, the amendments are deemed accepted.

-

7. Limitation of Liability

+

9. Limitation of Liability

- In no event shall SuperSync, nor its directors, employees, partners, agents, - suppliers, or affiliates, be liable for any indirect, incidental, special, - consequential or punitive damages, including without limitation, loss of profits, - data, use, goodwill, or other intangible losses, resulting from your access to or - use of or inability to access or use the Service. + The Provider is liable without limitation in cases of intent, gross negligence, + and culpable injury to life, body, or health. +

+

+ In cases of slight negligence, the Provider is only liable for the breach of + essential contractual obligations. In these cases, liability is limited to the + foreseeable damage typical for the contract. +

+

+ Data Loss: Liability for data loss is limited to the effort that + would have been required for recovery assuming proper, reasonable, and regular + data backup by you. If you have not created sufficient backups, liability is + excluded insofar as the damage would have been avoidable through backups. +

+

+ E2EE Data: The Provider is not liable for data loss, data + corruption, or inaccessibility attributable to key loss, incorrect key management + by you, or use of the optional E2EE function.

-

8. Changes

+

10. Right of Withdrawal for Consumers

- We reserve the right, at our sole discretion, to modify or replace these Terms at - any time. What constitutes a material change will be determined at our sole - discretion. + If you are a consumer and conclude a paid contract, you are entitled to a + statutory right of withdrawal of 14 days. Details are regulated + in the separate cancellation policy provided during the order process.

-

9. Contact Us

-

If you have any questions about these Terms, please contact us.

+

11. Applicable Law and Jurisdiction

+

+ The law of the Federal Republic of Germany applies, excluding the UN Sales + Convention (CISG). If you are a merchant, a legal entity under public law, or a + special fund under public law, Leipzig is the exclusive place of jurisdiction. + Statutory places of jurisdiction apply to consumers. +

+ +

12. Online Dispute Resolution

+

+ Platform of the EU Commission for Online Dispute Resolution: + https://ec.europa.eu/consumers/odr/ +

+

+ The Provider is not obligated and not willing to participate in dispute resolution + proceedings before a consumer arbitration board. +

+ +

13. Contact Us

+

+ If you have any questions about these Terms, please + contact us. +
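Review bot: Section 12 links to the EU Commission's ODR platform at https://ec.europa.eu/consumers/odr/, but that platform was discontinued on 20 July 2025 and the obligation to link to it lapsed with it, so verify the link (or drop the section) before this ships. In Section 4, "Data transmission is encrypted via TLS/SSL" should read "TLS"; SSL is retired, and if the server enforces a minimum TLS version it is worth stating it. The E2EE paragraph is clear that key loss means permanent data loss; since Section 9 relies on that warning to exclude liability, make sure the same warning is shown in the app at the moment a user enables E2EE, not only in this document. Section 4 also states that backups are best-effort; that is consistent with the liability wording in Section 9, but the privacy policy in this commit should state how long backups retain deleted data so the two documents agree.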