Privacy Policy

Last updated: February 10, 2025

1. Introduction

5sync OÜ ("we," "us," or "our") is an Estonian limited liability company registered in Tallinn, Estonia. We are deeply committed to protecting your privacy and personal data. This Privacy Policy describes how we collect, process, store, and safeguard your information when you use our cloud storage and file synchronization service ("Service").

As a company incorporated under Estonian law and operating within the European Union, we are fully subject to and compliant with the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and all other applicable data protection legislation. Privacy is not an afterthought for us — it is the foundation upon which 5sync was built.

This policy applies to everyone who interacts with our Service, including website visitors, free-tier users, and paid subscribers. By using 5sync, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We follow a strict data minimization principle. We only collect what is absolutely necessary to operate the Service:

Account Data: When you register, we collect your email address and a cryptographically hashed password (using Argon2id). If you choose a paid plan, your payment details are handled entirely by Stripe — we store only a truncated card identifier and billing country for invoice purposes.

Usage Data: We record login timestamps, session durations, storage quota consumption, and feature interactions (e.g., link created, file uploaded). This data is used solely for service operation, capacity planning, and abuse prevention.

Device Data: We collect your IP address (for rate-limiting and security), browser user-agent string, and operating system version. IP addresses are automatically truncated after 14 days and fully purged after 30 days.

We do NOT access your files. Zero-knowledge encryption means we cannot read them. Every file is encrypted on your device before it reaches our servers. Your encryption keys are derived from your password and never transmitted to us. Even under a lawful interception order, we can only provide encrypted ciphertext that is mathematically impossible to decrypt without your key.

3. How We Use Your Data

We process your personal data for the following clearly defined purposes:

Service operation: To create and maintain your account, authenticate sessions, synchronize files across your devices, manage storage quotas, and process subscription payments.
Security and integrity: To detect brute-force login attempts, identify compromised accounts, prevent service abuse, and enforce rate limits. We employ automated monitoring that triggers alerts — no human reviews your data unless an incident is confirmed.
Communication: To send essential transactional messages such as account verification emails, password reset links, payment receipts, and security alerts. With your explicit opt-in consent, we may also send product updates no more than once per month. You can unsubscribe from non-essential emails at any time via your account settings.
Service improvement: To analyze aggregated, anonymized usage patterns in order to improve performance, prioritize feature development, and optimize infrastructure. We never build individual behavioral profiles.
Legal obligations: To comply with applicable Estonian and EU laws, respond to valid legal processes, and fulfill our regulatory reporting duties.

4. Data Storage and Security

All 5sync data resides exclusively in Tallinn, Estonia, hosted on dedicated infrastructure provided by Hetzner Estonia. Our servers are housed in Tier III certified data centers with redundant power, climate control, and 24/7 physical security. Data never leaves the European Economic Area.

We implement a defense-in-depth security architecture:

Encryption at rest: Server-side storage volumes are encrypted with AES-256-XTS. Your files carry an additional layer of client-side zero-knowledge encryption on top of this.
Encryption in transit: All connections use TLS 1.3 with forward secrecy. We enforce HSTS with a minimum max-age of one year and are preloaded in major browsers.
Zero-knowledge architecture: File encryption and decryption happen exclusively on your device using keys derived from your password via Argon2id. We never possess your plaintext keys.
Infrastructure access control: Server access is restricted to a small operations team using hardware security keys (FIDO2) and IP allowlisting. All administrative actions are immutably logged.
Continuous monitoring: We run automated vulnerability scanning and conduct independent penetration tests at least annually. Results are reviewed and remediated within defined SLAs.

We do not sell, rent, license, or trade your personal data. We do not share data with advertisers, data brokers, or any third party for marketing purposes. Period.

We share limited data with the following processors, each bound by a GDPR-compliant Data Processing Agreement:

Payment processor (Stripe, Inc.): When you subscribe to a paid plan, Stripe processes your payment card details. We transmit only the data required to complete the transaction. Stripe acts as an independent data controller for payment fraud prevention. See Stripe's Privacy Policy.
Email delivery service: We use a transactional email provider to deliver account verification, password reset, and notification emails. Only your email address and the message content are shared with this provider.
Law enforcement: We may disclose account metadata (email, registration date, IP logs) — but never file contents, which we cannot access — in response to a valid order issued by a Estonian court. We will notify you of any such disclosure unless we are legally prohibited from doing so by the court order itself.

6. Cookies

We use only strictly necessary cookies to operate the Service. We do not use analytics cookies, advertising cookies, or any third-party cookies whatsoever.

Cookie Name	Purpose	Duration
`session_id`	Authenticates your active login session and maintains state across page loads	Session (cleared when browser closes)
`preferences`	Stores your interface preferences such as display theme and sort order	1 year
`csrf_token`	Prevents cross-site request forgery attacks on form submissions	Session

Because we use only essential cookies required for the Service to function, no cookie consent banner is necessary under GDPR and the ePrivacy Directive. There are no tracking pixels, fingerprinting scripts, or behavioral analytics on any 5sync page.

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

Right of access (Art. 15): You may request a complete copy of all personal data we hold about you, including metadata, logs, and account information. We will provide this in a structured, commonly used format.
Right to rectification (Art. 16): If any personal data we hold is inaccurate or incomplete, you have the right to request correction. You can update your email address and profile details directly in your account settings.
Right to erasure (Art. 17): You may request the deletion of all your personal data. Upon receiving a verified erasure request, we will permanently delete your account and all associated data, subject to the retention periods described in Section 8.
Right to data portability (Art. 20): You may request an export of your personal data in a machine-readable format (JSON). File exports can be performed directly through the desktop application or the REST API.
Right to restriction of processing (Art. 18): You may request that we limit our processing of your data to storage only while a dispute or verification is pending.
Right to object (Art. 21): You may object to any processing of your data that is based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

To exercise any of these rights, send an email to privacy@5sync.com from the email address associated with your account. We will verify your identity and respond within 30 calendar days. There is no fee for exercising your rights. If your request requires additional time due to complexity or volume, we will notify you of an extension of up to 60 additional days.

If you believe we have not adequately addressed your request, you have the right to lodge a complaint with the Estonian supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), Tatari 39, 10134 Tallinn, Estonia — aki.ee.

8. Data Retention

We retain personal data only for the minimum period necessary to fulfill the purposes outlined in this policy:

Account data: Retained for the duration of your active account, plus 30 days after you request deletion. This grace period allows you to reactivate your account if the deletion was unintentional. After 30 days, all account data is permanently and irreversibly destroyed.
Files: Deleted immediately and permanently upon your request. When you empty your trash or delete a file, the encrypted data is removed from primary storage without delay. There is no "soft delete" window for file contents.
Backups: Encrypted infrastructure backups that may contain account metadata are rotated and purged on a 90-day cycle. Because of our zero-knowledge architecture, file contents in backups remain encrypted with your key and are unreadable by us.
Server logs: Access logs containing IP addresses are truncated after 14 days and fully anonymized after 90 days. Anonymized aggregate data (request counts, error rates) may be retained indefinitely for operational monitoring.

9. Children's Privacy

5sync is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If we discover that a minor has created an account without verifiable parental consent, we will promptly delete the account and all associated data.

If you are a parent or legal guardian and believe that your child has registered for 5sync, please contact us immediately at privacy@5sync.com and we will take swift action.

10. Changes to This Policy

We may revise this Privacy Policy to reflect changes in our practices, new features, or evolving legal requirements. When we make material changes, we will notify you by email at least 30 days before the updated policy takes effect. A summary of changes will be included in the notification.

Non-material changes (such as formatting or clarification of existing terms) may be made without advance notice. The "Last updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this page periodically.

11. Data Protection Officer

We have appointed a dedicated Data Protection Officer (DPO) who oversees all aspects of our data protection strategy, conducts internal audits, and serves as the point of contact for data subjects and supervisory authorities.

You can reach our DPO at:

Email: dpo@5sync.com
Address: 5sync OÜ, Attn: Data Protection Officer, Pärnu mnt 15, 10141 Tallinn, Estonia

12. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

5sync OÜ
Pärnu mnt 15
10141 Tallinn, Estonia

Email: privacy@5sync.com