Privacy Policy
Last updated: February 7, 2026
This Privacy Policy explains how SyncFiction processes your personal data in accordance with the EU General Data Protection Regulation (DSGVO), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
Controller
The controller within the meaning of Art. 4(7) DSGVO is:
Email: [email protected]
A Data Protection Officer is not required, as the statutory appointment requirements under BDSG §38 are not met at present.
Legal Bases for Processing
Art. 6(1)(b) DSGVO — Performance of contract
AI processing is necessary for the performance of the contract as described in our Terms of Service. Without AI processing, the service as contractually defined cannot be provided.
| Processing activity | Data categories |
|---|---|
| Account creation and management | Name, email, profile data (via Clerk) |
| Syncing Royal Road fictions to your library | Library data, fiction content |
| Generating EPUB files | Fiction content, upload metadata |
| Delivering EPUBs via Dropbox or email | Provider credentials, EPUB files |
| AI features (semantic search, summaries, character extraction, recaps, chat) | Library data, fiction content, chat messages |
| Storing reading progress | Reading progress, chapter metadata |
Art. 6(1)(f) DSGVO — Legitimate interests
| Processing activity | Legitimate interest |
|---|---|
| Application logging (Axiom) | Ensuring service stability, debugging errors, and preventing abuse |
| Rate limiting and quota enforcement | Preventing abuse and ensuring fair resource usage |
You have the right to object to processing based on legitimate interests (see Right to Object below).
Art. 6(1)(a) DSGVO — Consent
| Processing activity | Notes |
|---|---|
| Connecting Dropbox as a delivery provider | You initiate the OAuth flow; revocable at any time in settings |
| Connecting an email address for delivery | You provide the address; removable at any time in settings |
Art. 6(1)(c) DSGVO — Legal obligation
We may process data where required to comply with applicable legal obligations.
Obligation to provide data (Art. 13(2)(e) DSGVO)
Providing your account data (email, authentication identifier) is a contractual requirement necessary to use SyncFiction. You are not legally obliged to provide it, but without it the service cannot be provided. Connecting a Dropbox account and a delivery email address are optional.
Automated decision-making (Art. 13(2)(f) DSGVO)
We do not carry out automated individual decision-making or profiling within the meaning of Art. 22 DSGVO.
Sub-Processors
Each sub-processor receives only the data necessary for its function:
| Service | Legal entity | Country | Purpose | Data categories |
|---|---|---|---|---|
| Clerk | Clerk, Inc. | USA | Authentication, user management | Name, email, user ID |
| Dropbox | Dropbox, Inc. | USA | File delivery (user-initiated) | OAuth tokens, EPUB files |
| AWS SES | Amazon Web Services EMEA SARL | Luxembourg (EU) | Email delivery | Recipient email, EPUB attachments |
| Cloudflare R2 | Cloudflare, Inc. | USA | Object storage | EPUB files, cover images |
| OpenAI | OpenAI, LLC | USA | Embeddings, batch AI processing | Fiction text, embeddings |
| Google AI | Google Ireland Limited | Ireland (EU) | AI chat, recaps, batch processing | Fiction text, chat messages |
| Axiom | Axiom, Inc. | USA | Application logging | Logs (may contain user IDs, error data) |
We may disclose data if required by law or in response to a valid legal request from a competent authority.
International Transfers
Your data is primarily stored on servers in Germany (Netcup, Nürnberg). Some sub-processors process data in the United States. Transfers to Clerk, Dropbox, and Cloudflare are covered by the EU-U.S. Data Privacy Framework (DPF). Transfers to OpenAI and Axiom are covered by Standard Contractual Clauses (Art. 46(2)(c) DSGVO). AWS SES and Google AI process data within the EU. You may request a copy of the applicable safeguards by contacting us.
Cookies
SyncFiction uses cookies for authentication and session management. No tracking, advertising, or analytics cookies are used.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
__session, __session_* | Clerk (first-party) | Session authentication | Session / up to 7 days | Strictly necessary |
__client_uat, __client_uat_* | Clerk (first-party) | Session freshness check | Session | Strictly necessary |
__refresh_* | Clerk (first-party) | Token refresh | Session | Strictly necessary |
clerk_active_context | Clerk (first-party) | Active session context | Session | Strictly necessary |
These cookies are strictly necessary for the operation of the service and are exempt from consent requirements under §25(2) TTDSG.
Data Retention
| Data category | Retention period |
|---|---|
| Account data | Until you delete your account |
| Library, reading progress, subscriptions | Until you delete your account |
| Provider credentials (Dropbox, email) | Until you disconnect the provider or delete your account |
| AI chat history | Until you delete your account |
| EPUB files and cover images | Until the associated fiction is removed or your account is deleted; files may persist for up to 30 days after deletion |
| Application logs (Axiom) | 30 days |
| Redis data (queues, rate limits) | Ephemeral; expires automatically via TTL (minutes to 24 hours) |
| Database backups | 7 days, then automatically overwritten |
When your account is deleted, all user-linked data is removed. Fiction content you created that is used by other users may be retained on the basis of Art. 17(3)(a) DSGVO (freedom of expression and information).
Right to Object (Art. 21 DSGVO)
You have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data based on Art. 6(1)(f) DSGVO (legitimate interests). If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
To object, contact us at [email protected].
Your Rights
Under the DSGVO, you have the following additional rights:
- •Access (Art. 15) — request a copy of the personal data we hold about you
- •Rectification (Art. 16) — request correction of inaccurate personal data
- •Erasure (Art. 17) — request deletion of your personal data, subject to legal retention obligations and where no overriding legitimate grounds exist
- •Restriction of processing (Art. 18) — request that we restrict processing under certain circumstances
- •Data portability (Art. 20) — receive the personal data you provided to us in a structured, commonly used, machine-readable format. This applies only to data you directly provided and that we process on the basis of contract or consent. It does not cover derived or generated data such as AI outputs, embeddings, or recommendations.
- •Withdraw consent (Art. 7(3)) — where processing is based on your consent, you may withdraw it at any time via the same means you used to grant it (e.g., in your settings) or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- •Lodge a complaint (Art. 77) — you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement
To exercise any of these rights, contact us at [email protected]. We will respond within one month. In cases of particular complexity, this period may be extended by a further two months, in which case we will inform you.
Minors
SyncFiction is not directed at persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the application.