Legal

Privacy Policy

Last updated: 2026-05-04

This notice explains how the ssyncc service (operated by Syndicast Ltd) handles personal data. Company details are in the Legal Notice.

1. Data controller

Syndicast Ltd, Unit A30, Red Scar Industrial Estate, Longridge Road, Preston PR2 5NA, United Kingdom. VAT: GB261954683. Contact: hello@syndicast.co.uk.

Processing is governed by the UK GDPR and the Data Protection Act 2018. For visitors from the European Union, the EU GDPR also applies.

2. What we collect

Account data (registered users)

  • email address (required)
  • password as a hash (we never store it in plain text)
  • name (optional)
  • preferred language
  • account creation timestamp

Content you provide

The data shown on your landing page (page name, description, RSS URL, stream URL, channel lists, etc.) — you supply this and it is publicly visible on the page you publish. You are responsible for this content.

Logged data (visitors of public pages)

When someone visits a ssyncc page, our own anonymous analytics records server-side:

  • IP address (used to determine the visitor's country, then only kept inside a hashed session ID)
  • country (from IP geo lookup, country code only)
  • browser (User-Agent header)
  • referrer (where the visitor arrived from)
  • event (pageview or click, and the clicked link's category)
  • a session ID hash with daily rotation (from IP + User-Agent + daily salt)

We do not personally identify the visitor. The raw IP address is not retained as an identifier — only the analytics aggregates remain (number of views, country breakdown, clicks, etc.).

Subscribers (per-page data)

If your page has a subscriber section, visitors may submit their email and name. This data is your customer's data — you are the controller and we only process it on your instructions (Data Processing Agreement is part of the Terms of Service).

Cookie-based analytics (consent-only)

If you select "Accept all" in the cookie banner, Google Analytics 4 measures usage. Details in the Cookie Policy. Without consent, no GA cookie is set.

3. What we use the data for

  • account management and login (UK GDPR Art. 6(1)(b) — performance of contract)
  • delivering your public page (UK GDPR Art. 6(1)(b))
  • producing analytics aggregates for the page owner (UK GDPR Art. 6(1)(f) — legitimate interest in improving the service)
  • detecting security incidents and preventing abuse (UK GDPR Art. 6(1)(f))
  • complying with legal obligations (UK GDPR Art. 6(1)(c)), e.g. invoicing, tax

4. How long we keep it

  • account data: until you close the account, plus 30 days (recovery window)
  • landing page content: deleted with the account
  • analytics events: 24 months, then aggregated and the detailed events deleted
  • session ID hash: 30 days
  • billing records: 8 years (UK + HU tax law minimum)

5. Who we share it with

We do not sell or willingly share your data. Our processors:

  • Hosting and CDN provider (technical service, EU-located data centre)
  • Email provider (password reset, important system messages)
  • Google Analytics — only if you accepted "all" cookies

We disclose data to authorities only where legally required.

6. International transfers

Data is stored primarily on EU servers. Some processors (e.g. Google Analytics if you opted in) involve US-based company groups — these comply with the EU-US Data Privacy Framework and the UK International Data Transfer Agreement.

7. Your rights (UK + EU GDPR)

  • access to data we hold about you
  • rectification (correction of inaccurate data)
  • erasure ("right to be forgotten")
  • data portability (export of your data in a structured format)
  • objection (to legitimate-interest based processing)
  • complaint to your supervisory authority: UK ICO (ico.org.uk) or HU NAIH (naih.hu)

To exercise any of your rights, write to: hello@syndicast.co.uk. We respond within 30 days.

8. Audio content — important statement

ssyncc does not store audio files. Podcast episodes are loaded into the listener's browser directly from the user-supplied RSS feed host (Anchor, Megaphone, Buzzsprout, etc.). Live radio streams are served from the broadcasters' own servers (Icecast/Shoutcast). ssyncc is purely a link and metadata layer — therefore the feed host and stream operator handle listener-side data per their own privacy policies. Your landing page only sees a visitor when they click (which goes into our analytics).

9. Security

HTTPS everywhere, passwords hashed with bcrypt, database over an encrypted channel, strict role-based access. Incidents are notified to data subjects and the supervisory authority within 72 hours.

10. Changes

If this policy changes materially, we email registered users and update the "Last updated" date above.