Last updated: March 10, 2026
Privacy Policy
Quick Summary
Who We Are
Syn Development Inc. is a company incorporated in British Columbia, Canada. We operate syn.bike, a cloud-based bike suspension and linkage design platform. We act as a data controller for personal data we collect directly from users. For business customers who use Syn to manage data on behalf of their own users, we act as a data processor — see B2B and Data Processing Agreements below.
Cookies
We use cookies and similar technologies (like local browser storage) primarily for authentication. This allows you to log in once and have your session retained over time. We use Google Cloud Platform for authentication. More information on their policies can be found at https://cloud.google.com/privacy.
We also use cookies from our payment partner Stripe for security and fraud prevention during the payment process. More information is available at https://stripe.com/privacy.
Non-essential cookies are only set with your consent. Our analytics tool (Umami) does not use cookies and requires no consent.
Data Collected
We collect as little data as possible while operating our service. Data falls into two broad categories:
1. Account and User Data: Login information (email, name, optional profile image, optional phone number), data you create using our services (Bike and Spring objects), and for paid users, billing information including address. Stripe handles all sensitive payment card data directly — we never see or store card numbers.
In general, your data is only visible to you. If you use team features, basic account information (name, email, profile image) is visible to your team administrator.
Deleting your account triggers a 14-day grace period during which you may reactivate via a link sent at the time of deletion. After the grace period expires, all personal data is permanently removed within 30 days (for a total maximum of 44 days from your deletion request), except where retention is required by law.
2. Analytics and Diagnostic Data: We use Umami for privacy-respecting website analytics (no cookies, no cross-site tracking) and Sentry for error monitoring to maintain platform reliability. See Sub-Processors for details.
Interpretation and Definitions
Interpretation
Capitalized words have meanings defined below. Definitions apply equally in singular and plural forms.
Definitions
You means the individual accessing or using the Service, or the company or other legal entity on whose behalf that individual is acting.
Company (referred to as "the Company", "We", "Us", or "Our") refers to syn Development Inc., British Columbia, Canada.
Application means the software program provided by the Company, named Syn, accessible via web browser or desktop client.
Account means a unique account created for You to access our Service.
Website refers to syn, accessible at https://syn.bike and associated subdomains such as https://app.syn.bike and https://syn.bike/docs.
Service refers to the Application, the Website, or both.
Sub-Processor means any natural or legal person who processes data on behalf of the Company to assist in providing the Service.
Personal Data means any information that relates to an identified or identifiable individual.
Usage Data means data collected automatically, either generated by use of the Service or from the Service infrastructure itself.
Cookies means small files placed on your device by a website, used to store information about your browsing session or preferences.
Device means any device used to access the Service, such as a computer, phone, or tablet.
Data Processing Agreement (DPA) means a contract governing how the Company processes personal data on behalf of a business customer acting as a data controller.
Data Controller Information
The data controller responsible for your personal data is:
syn Development Inc. 1083 Mount Newton Cross Road, Saanichton, BC, Canada
Privacy contact: privacy@syn.bike
The Company has not appointed a Data Protection Officer (DPO) as its processing activities do not meet the thresholds requiring one under GDPR Article 37. All data protection inquiries should be directed to privacy@syn.bike.
EU/EEA Representative (GDPR Article 27): If you are located in the EU/EEA, our designated representative for data protection matters can be contacted at privacy@syn.bike. Details of any locally appointed representative will be published at https://syn.bike/privacy/.
UK Representative (UK GDPR Article 27): If you are located in the United Kingdom, our designated representative for data protection matters can be contacted at privacy@syn.bike. Details of any locally appointed representative will be published at https://syn.bike/privacy/.
Sub-Processors
We engage the following third-party service providers who may process personal data on our behalf. We have Data Processing Agreements in place with each where required by law.
| Provider | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Google Cloud Platform (GCP) | Core infrastructure: hosting, database, authentication, file storage, cloud functions | United States and European Union (region varies by service) | https://cloud.google.com/privacy |
| Stripe | Payment processing and billing | United States | https://stripe.com/privacy |
| Sentry | Error monitoring and application diagnostics | United States | https://sentry.io/privacy/ |
| Umami (self-hosted) | Privacy-respecting website analytics (no cookies, no cross-site tracking). Umami is open-source software self-hosted on our own GCP infrastructure — Umami (the company) does not receive or process any data. | United States (self-hosted on GCP us-central1) | https://umami.is/privacy |
| Twilio SendGrid | Transactional and marketing email delivery | United States | https://www.twilio.com/en-us/legal/privacy |
| Railway | Logging infrastructure: log database and log dashboard. No customer personal data is processed. | United States | https://railway.com/legal/privacy |
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
We may collect the following personally identifiable information:
- Email address
- First and last name
- Phone number (optional)
- Billing address (paid accounts)
- Profile image (optional)
- Usage Data (see below)
Providing your email address and name is required to create an Account and use the Service. If you do not provide this information, we cannot provide the Service to you. Billing address is required for paid Subscriptions; without it, we cannot process your payment. All other personal data listed above is optional — declining to provide it will not affect your ability to use the core Service.
Usage Data
Usage Data is collected automatically when using the Service. It may include your device's IP address, browser type and version, pages visited, time and date of visit, time spent on pages, unique device identifiers, and other diagnostic data.
When you access the Service on a mobile device, we may also collect device type, unique device ID, mobile operating system, and browser type.
Error and Diagnostic Data
We use Sentry to capture application errors and crashes. Error reports may include your IP address, user identifier, browser and OS information, and application state at the time of the error. We configure Sentry to minimize collection of personal data in error context, but stack traces and session data may incidentally include it.
Analytics Data
We use Umami to understand aggregate usage patterns. Umami does not use cookies and does not collect personally identifiable information. Data collected includes page views, referrer, country (derived from IP, not stored), browser type, and device type. No cross-site tracking occurs.
Third-Party Login Services
You may create an account using the following third-party services: Google, Microsoft. When you do, we receive basic profile information (name, email, profile image) from that provider. We do not receive your password.
Tracking Technologies and Cookies
We use cookies and similar technologies as follows:
- Essential cookies: Required for authentication and session management. Cannot be disabled without breaking core functionality. These are strictly necessary under Article 5(3) of the ePrivacy Directive and do not require consent. The underlying data processing is based on performance of a contract (GDPR Article 6(1)(b)).
- Functional cookies: Remember your preferences (e.g., theme, settings). Legal basis: consent. You may decline these without affecting core functionality.
- Analytics: We use Umami, which does not use cookies. No consent required.
- Payment: Stripe places cookies during checkout for fraud prevention. Legal basis: legitimate interests / performance of contract.
You may control cookie preferences through your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use the core Service.
Legal Bases for Processing
For users in the EU, UK, or other jurisdictions with similar requirements, we process personal data only where a lawful basis applies. The table below maps our main processing activities to their legal basis.
| Processing Activity | Data Involved | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, password hash | Performance of a contract (Article 6(1)(b)) |
| Providing the core Service (bike/spring design, cloud solving) | Account data, bike/spring objects | Performance of a contract (Article 6(1)(b)) |
| Processing payments | Billing address, payment records | Performance of a contract; Legal obligation (Article 6(1)(b), (c)) |
| Sending transactional emails (receipts, account notices) | Email address | Performance of a contract (Article 6(1)(b)) |
| Sending marketing or promotional emails | Email address | Consent (Article 6(1)(a)) — you may opt out at any time |
| Error monitoring via Sentry | IP address, user ID, app state | Legitimate interests (Article 6(1)(f)) — maintaining platform reliability; limited to diagnostic data with 90-day retention; minimal privacy impact given technical nature of data |
| Analytics via Umami | Anonymized usage data | Legitimate interests (Article 6(1)(f)) — understanding aggregate usage to improve the Service; no PII collected, no cookies, no cross-site tracking; negligible privacy impact |
| Team features (sharing user info with team admins) | Name, email, profile image | Performance of a contract (Article 6(1)(b)) |
| Fraud and security monitoring | IP address, usage patterns | Legitimate interests / Legal obligation (Article 6(1)(f), (c)) — detecting and preventing fraud and unauthorized access; limited to security-relevant signals; proportionate to risk |
| Retaining billing records | Billing address, transaction history | Legal obligation (Article 6(1)(c)) |
| Responding to legal requests | As required | Legal obligation (Article 6(1)(c)) |
Use of Your Personal Data
We use Personal Data to:
- Provide, operate, and maintain the Service
- Manage your Account and authenticate your identity
- Process payments and manage subscriptions
- Contact you with transactional communications related to your account
- Send marketing communications, where you have consented or where permitted by applicable law
- Monitor and improve Service performance and reliability
- Investigate and resolve errors or security incidents
- Comply with legal obligations
- Respond to legal requests from public authorities
Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of account, plus 30 days following deletion |
| Bike and spring objects | Duration of account, plus 30 days following deletion |
| Billing and transaction records | 7 years from transaction date (legal/tax obligation) |
| Error logs (Sentry) | 90 days |
| Analytics data (Umami) | 24 months, then aggregated or deleted |
| Email communication logs (transactional receipts, account notifications, marketing consent records) | 3 years (or as required for legal compliance) |
| Authentication logs | 90 days |
| Inactive accounts | Accounts with no activity for 3 years will be flagged for deletion; account holders will receive at least 30 days' notice before deletion is carried out |
When you delete your account, personal data is permanently removed following the process described in the Quick Summary above (14-day grace period, then deletion within 30 days), except where retention is required by law (e.g., billing records).
International Transfer of Your Personal Data
Syn Development Inc. is based in British Columbia, Canada, and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The European Commission has recognized Canada as providing an adequate level of data protection for recipients subject to PIPEDA (Commission Decision 2002/2/EC).
Some of our infrastructure (Google Cloud Platform) operates in European Union regions, meaning data processed on those resources does not leave the EU and is not subject to international transfer requirements. However, some sub-processors are based in or route data through the United States, which does not have a blanket adequacy decision for all purposes. Where we transfer personal data to the US, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework (DPF) certifications held by sub-processors where applicable
- Contractual Data Processing Agreements with each sub-processor
By using the Service, you acknowledge that your data may be processed in countries outside your jurisdiction. We take reasonable steps to ensure adequate protection is in place for all international transfers.
Disclosure of Your Personal Data
We do not sell, rent, or trade your personal data.
We may disclose your personal data in the following circumstances:
- Service Providers: To sub-processors listed above, solely to operate the Service
- Business Transfers: In connection with a merger, acquisition, or sale of assets — you will be notified prior to your data being transferred and becoming subject to a new privacy policy
- Legal Requirements: Where required by law, court order, or government request
- Protection of Rights: Where necessary to protect the rights, property, or safety of the Company, our users, or the public
Security of Your Personal Data
We implement industry-standard technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach, as required under GDPR Article 33. Where we act as a data processor on behalf of a business customer, we will notify that customer within 48 hours after becoming aware of the breach, giving them time to meet their own regulatory obligations. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required under GDPR Article 34. Where applicable law requires notification (such as under PIPEDA or US state breach notification laws), we will comply with those requirements as well.
Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals, as described in GDPR Article 22.
B2B and Data Processing Agreements
If you are a business using Syn on behalf of your own users or clients, you may be acting as a data controller in respect of personal data processed through the Service, and we act as your data processor.
Our Terms and Conditions include baseline data protection provisions (security measures, breach notification, sub-processor management, and data portability) that apply to all customers by default.
Our standard Data Processing Agreement (DPA) is publicly available and provides the full set of GDPR Article 28 obligations, including documented instructions, confidentiality, security measures, sub-processor management, data subject rights assistance, audit rights, data deletion and return, and international transfer safeguards. The DPA applies to all customers who use Syn as a data processor. For customers requiring customized data processing terms, please contact privacy@syn.bike. In the event of a conflict between the Terms and the DPA, the DPA shall prevail.
GDPR Privacy (EU and EEA Users)
Your Rights
If you are located in the EU or EEA, you have the following rights under the GDPR:
- Right of Access (Article 15): Request a copy of the personal data we hold about you
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction of Processing (Article 18): Request that we limit how we use your data in certain circumstances
- Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior lawful processing
- Right Not to Be Subject to Automated Decision-Making (Article 22): We do not engage in such processing (see above)
To exercise any of these rights, contact us at privacy@syn.bike. We will respond without undue delay and in any event within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests — we will inform you of any such extension within the first month. We may request identity verification before fulfilling a request.
Right to Complain
You have the right to lodge a complaint with the supervisory authority in your EU member state or, for cross-border issues, the lead supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
UK GDPR (United Kingdom Users)
If you are located in the United Kingdom, the UK GDPR and Data Protection Act 2018 apply. Your rights are substantially equivalent to those described under GDPR above.
To exercise your rights or make a complaint, contact us at privacy@syn.bike. You also have the right to complain to the Information Commissioner's Office (ICO) at https://ico.org.uk.
CCPA and CPRA Privacy (California Residents)
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the following rights:
- Right to Know: The categories and specific pieces of personal information we have collected about you, and how it is used and shared
- Right to Access: Request a copy of the personal information we hold about you
- Right to Delete: Request deletion of your personal information, subject to legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service
- Right to Non-Discrimination: Exercising your rights will not result in denial of service or different pricing
Categories of personal information collected and purposes:
| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email, IP address | Account creation, authentication, communications |
| Commercial information | Billing records, subscription history | Payment processing, subscription management |
| Internet or network activity | Usage data, error logs, pages visited | Service operation, error monitoring, security |
Disclosure for business purposes: We disclose identifiers and internet/network activity to our infrastructure and error monitoring sub-processors (Google Cloud Platform, Sentry) to operate and maintain the Service. We disclose commercial information to Stripe for payment processing. We disclose identifiers to Twilio SendGrid for email delivery. See the Sub-Processors table for a complete list.
Retention: See the Data Retention table above. We do not retain personal information longer than reasonably necessary for disclosed purposes.
To exercise your rights, you (or your authorized agent) may contact privacy@syn.bike. If you designate an authorized agent to make a request on your behalf, we may require the agent to provide proof of signed written authorization and may verify your identity directly. We will respond within 45 days (extendable by an additional 45 days where reasonably necessary).
Canadian Privacy (PIPEDA)
As a company incorporated in British Columbia, Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
We take reasonable steps to ensure that personal information in our possession is accurate, complete, and up-to-date for the purposes for which it is used. You can update your account information at any time through your Account settings.
Under PIPEDA, you have the right to:
- Access the personal information we hold about you
- Challenge the accuracy or completeness of your information and have it amended
- Withdraw consent for collection, use, or disclosure (subject to legal and contractual limits)
- Lodge a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca
We will be responsive to the forthcoming Consumer Privacy Protection Act (CPPA / Bill C-27) as it progresses into law.
Children's Privacy
The Service is not intended for use by anyone under the age of 18, as set out in our Terms and Conditions. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a person under 18, contact us at privacy@syn.bike and we will delete it promptly.
For users under 16 in EU/EEA jurisdictions, parental or guardian consent may be required for the processing of personal data, depending on applicable member state law.
Links to Other Websites
Our Service may contain links to websites we do not operate. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We recommend reviewing the privacy policy of any site you visit.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide at least thirty (30) days' notice via in-app notification or email prior to the change taking effect. Where a change affects the legal basis for processing or introduces new categories of data collection, we will seek your renewed consent where required by applicable law. Continued use of the Service after the notice period constitutes acceptance of the updated policy.
Contact Us
If you have questions, requests, or complaints about this Privacy Policy or our data practices, you can reach us:
By email: privacy@syn.bike
By mail: syn Development Inc. 1083 Mount Newton Cross Road, Saanichton, BC, Canada
Online: https://syn.bike/privacy/
We aim to respond to all privacy inquiries within 30 days.