Auto-assign shifts to your entire team with one clickTry it free
Back to home

Privacy Policy

Last updated: February 2026.

1. Introduction β€” Who We Are

Synqo is a workforce management software-as-a-service (SaaS) platform that helps employers and organizations manage scheduling, attendance, time off, and workforce analytics. Synqo is operated as a sole proprietorship based in Bosnia and Herzegovina, and the service is available at https://synqo.work.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how we protect it, and what rights you have regarding your data. It applies to all users of our website and application, including organization owners, managers, and employees who use the platform.

By using the Synqo service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our service.

2. Data We Collect

We collect various categories of data to provide and improve our service. Below are the categories of data we process.

2.1 Account Data

When you register for Synqo, we collect your full name, email address, organization name, and industry. This data is necessary to create and manage your account.

2.2 Employee / Workforce Data

When you, as an administrator or manager, add employees to the platform, we collect their names, email addresses, phone numbers, employee numbers, assigned roles, employment status, and contract dates. This data is entered by the organization administrator on behalf of employees.

2.3 Attendance & Work Data

The platform records employee check-in and check-out times, QR code scans, location data (if applicable), break times, and total work hours. This data is central to the core attendance and time-tracking functionality of the service.

2.4 Schedule Data

We process data about shifts, paid time off (PTO) requests, holidays, shift change requests, and scheduling. This data powers the scheduling and leave management features.

2.5 Payment Data

When you subscribe to a paid plan, we process subscription and billing information. Payments are handled by our partner Lemon Squeezy (Paddle). We do not store credit card numbers or full payment instrument details on our servers.

2.6 Technical Data

We automatically collect technical data when you use our service, including IP addresses, user agent strings, browser information, device type, and operating system data. This data helps us maintain security and improve performance.

2.7 Communication Data

We collect information you submit through contact forms, bug reports, and newsletter sign-ups. This includes your email address, name, and message content.

2.8 Cookies and Similar Technologies

We use cookies and similar technologies for session authentication, storing language preferences, and analytics. For more information, see Section 9 (Cookies) of this policy.

3. How We Use Your Data

We use your data for the following purposes:

  • Providing and operating the service β€” managing your account, organization, locations, and user access.
  • Employee scheduling, attendance tracking, and PTO management β€” creating shifts, recording work hours, processing time-off requests, and managing holidays.
  • Processing payments and managing subscriptions β€” handling charges, plan upgrades, cancellations, and invoicing through our billing partner.
  • Sending transactional emails β€” welcome emails, employee invitations, subscription confirmations, change notifications, and password resets.
  • Analytics and service improvement β€” analyzing usage patterns to improve performance, user experience, and platform functionality.
  • Security, fraud prevention, and abuse detection β€” protecting platform integrity, detecting unauthorized access, and preventing misuse of the service.
  • Legal compliance β€” complying with applicable laws, regulations, and legal obligations, including responding to lawful requests from authorities.

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR) and applicable data protection laws in Bosnia and Herzegovina, we process your personal data based on the following legal grounds:

  • Contract performance β€” processing is necessary to provide the service you signed up for, including account management, scheduling, attendance, and leave management.
  • Legitimate interests β€” we process certain data based on our legitimate business interests, including platform security, analytics, service improvement, and fraud prevention, provided those interests do not override your rights.
  • Consent β€” for certain processing activities, such as newsletter subscriptions and optional cookies, we obtain your explicit consent. You may withdraw consent at any time.
  • Legal obligation β€” we are required to retain certain data to comply with legal obligations, including tax and accounting records.

5. Data Sharing and Third Parties

We do not sell your personal data. We only share data with service providers that are necessary for the operation of our platform. Each provider processes data in accordance with their own data processing agreements.

  • Supabase β€” authentication and database hosting. All application data (user accounts, organization data, attendance records, schedules) is stored in Supabase infrastructure.
  • Vercel β€” hosting, deployment, and analytics. Vercel processes request logs, performance data, and page visit information.
  • Lemon Squeezy / Paddle β€” payment processing and subscription management. They handle billing information, subscription data, and transaction details. All payment card data is processed exclusively by these partners.
  • Resend β€” transactional email delivery. Processes email addresses and email content to deliver service-related messages (invitations, confirmations, notifications).
  • Sentry β€” error monitoring. Collects technical error data, which may include user identifiers, to help us diagnose and fix issues.
  • Google Analytics (if enabled) β€” anonymized usage analytics for understanding visit patterns and improving user experience.

6. International Data Transfers

Some of our service providers operate outside the European Economic Area (EEA) and Bosnia and Herzegovina. Specifically, Supabase, Vercel, and Resend are based in the United States.

When data is transferred outside the EEA or Bosnia and Herzegovina, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

You may contact us at info@synqo.work for more information about the specific safeguards applied to data transfers.

7. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy. Our retention practices are:

  • Active accounts β€” data is retained while your account is active and you are using the service.
  • After account deletion β€” personal data is removed within 30 days of account closure, except where retention is legally required.
  • Backups β€” data may persist in encrypted backups for up to 90 days after deletion.
  • Legal obligations β€” certain records (e.g., tax and accounting records) are retained for as long as required by law, typically 5 or more years.
  • Newsletter β€” your email address is retained until you unsubscribe from the newsletter.
  • Contact submissions β€” data submitted through contact forms and bug reports is retained for 12 months.

8. Your Rights (GDPR / Data Subject Rights)

Under applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access β€” you have the right to request a copy of the personal data we hold about you.
  • Right to rectification β€” you have the right to request correction of inaccurate or incomplete data.
  • Right to erasure (β€œright to be forgotten”) β€” you have the right to request deletion of your personal data, subject to certain legal limitations.
  • Right to restrict processing β€” you have the right to request restriction of processing of your data in certain circumstances.
  • Right to data portability β€” you have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object β€” you have the right to object to processing of your data that is based on legitimate interests.
  • Right to withdraw consent β€” where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint β€” you have the right to lodge a complaint with the competent data protection supervisory authority if you believe your data has been processed in violation of applicable regulations.

To exercise any of the above rights, contact us at info@synqo.work. We will respond to your request within 30 days.

9. Cookies

Our website uses cookies β€” small text files stored on your device. We use the following categories of cookies:

Essential Cookies

These cookies are necessary for the website to function and cannot be disabled. They include authentication session cookies and locale preference storage. Without these cookies, the service cannot function correctly.

Analytics Cookies

We use Vercel Analytics and optionally Google Analytics to collect anonymized data about site usage. These cookies help us understand how users interact with our platform and how we can improve it.

Advertising Cookies

We do not use advertising or third-party tracking cookies.

You can manage cookie preferences via the consent banner displayed on your first visit or through your browser settings.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption in transit β€” all communication between your browser and our servers is protected by HTTPS/TLS encryption.
  • Encryption at rest β€” data stored in the database is protected by storage-level encryption.
  • Access controls and authentication β€” data access is restricted to authorized users through authentication and role-based access systems.
  • Row Level Security (RLS) policies β€” at the database level, we enforce row-level security policies that ensure data isolation between organizations. Users of one organization cannot access the data of another.
  • Regular security practices β€” we regularly review and update our security measures and practices in line with industry standards.

Despite our efforts, no method of transmission or storage over the internet is 100% secure. We cannot guarantee absolute security of your data, but we commit to applying reasonable protective measures.

11. Children's Privacy

The Synqo service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we discover that we have collected data from a child under 16 without appropriate parental consent, we will take steps to promptly delete that data.

If you are a parent or guardian and believe that your child has provided personal data through our service, please contact us at info@synqo.work so that we can take appropriate action.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

For material changes, we will notify you via email or through an in-app notification before the changes take effect. The last updated date at the top of this page will be revised with each update.

Your continued use of the Synqo service after changes are posted constitutes your acceptance of the updated policy.

Previous versions of this policy are available upon request. Contact us at info@synqo.work if you wish to access earlier versions.

13. Contact

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, you may contact us:

info@synqo.work

Website: https://synqo.work

Synqo, Bosna i Hercegovina / Bosnia and Herzegovina