Privacy Policy
Last updated: May 2, 2026
This Privacy Policy explains how SYNC Studio collects, uses, retains, and shares your personal data when you visit shop.sync-ai.studio or buy a product. For any data-related question, write to info@sync-ai.studio.
Who we are
SYNC Studio publishes downloadable Claude AI skill kits and web mini-apps for professionals and entrepreneurs. Our storefront is at shop.sync-ai.studio. The data controller for the purposes of GDPR is the operator of SYNC Studio.
What we collect
We collect: (a) your email address, required to deliver your purchase and authenticate you; (b) your name, if you provide it during account creation; (c) your purchase history (Stripe session ID, product, amount, currency, timestamp); (d) authentication metadata (bcrypt-hashed password, refresh token records). We never see, store, or process your payment-card information — Stripe handles that directly. Server access logs may capture IP address and user-agent for security purposes (retained 30 days, with download tokens redacted before storage).
How we use your data
To deliver the product you purchased (download link via email; dashboard access for mini-apps), to authenticate you on return visits, to issue receipts, to respond to support requests, to detect and prevent fraud or abuse, and to comply with legal obligations. We do not use your data for advertising, profiling, or behavioral targeting, and we do not sell or rent it to third parties.
Third-party processors
Stripe (Stripe, Inc., USA) processes payments and may receive your name, billing address, email, and card details directly. Resend (Resend, Inc., USA) delivers transactional email (purchase receipts, download links). Vercel Blob (Vercel, Inc., USA) stores the encrypted ZIP files of purchased kits. Anthropic (Anthropic, PBC, USA) is invoked only when you actively use a mini-app that calls Claude (e.g. Health Practitioner Hub). DigitalOcean (DigitalOcean, LLC, USA) provides our server hosting. Each processor is bound by its own privacy commitments and standard contractual clauses for international data transfers.
Retention
Account data: while your account is active, plus 90 days after a deletion request. Purchase records: 5 years for accounting and tax compliance. Download tokens: 60 days past expiry, then deleted. Server access logs: 30 days. We honor immediate deletion requests for any data that is not subject to a legal retention obligation.
Your rights
Under the EU GDPR, the California CCPA, and equivalent laws elsewhere, you have the right to access, rectify, delete, port, restrict the processing of, and object to certain processing of your personal data. EU residents may also lodge a complaint with their national data protection authority (in France: the CNIL, www.cnil.fr). To exercise any right, write to info@sync-ai.studio with proof of identity.
Cookies and similar technologies
We use only strictly necessary cookies for session management, authentication, and basic security (e.g., the next-auth session cookie). We do not set advertising or analytics cookies on initial page load. If we ever add analytics or marketing cookies, we will request your consent first and update this policy.
Contact and changes
Contact: info@sync-ai.studio. We may update this policy to reflect product changes or legal requirements; the 'last updated' date above is the source of truth. Material changes will be announced via email or via a banner on the site.