Privacy Policy

The controller responsible for data processing within the meaning of the GDPR is:

We collect the following categories of personal data:

• –Account data: email address, display name, and authentication provider (email/password, Google, or Apple) — collected when you create an account.
• –Mind map data: nodes, edges, and map metadata — stored in our Supabase database if you are signed in. Maps created without an account are stored exclusively in your browser's localStorage and are not transmitted to our servers.
• –Quiz and learning data: flashcards generated from your mind maps and your spaced-repetition progress (intervals, ease factors, review history) — stored in our Supabase database if you are signed in and use the Study feature.
• –Usage data: session tokens, timestamps of saves and updates — stored as part of normal service operation.
• –Technical data: browser type, operating system, IP-derived technical information, log data, and referring URL — may be processed to ensure security and functionality.

Synecct offers different sign-in methods. Authentication is handled via Supabase Auth.

• –Email & Password: Your email address and a securely hashed password are processed for account creation and login.
• –Sign in with Google: We use Google OAuth 2.0. After your consent, Google transmits basic account information such as your name and email address to us.
• –Sign in with Apple: We use Sign in with Apple. Apple may provide a unique identifier, your name, and either your real email address or a relay address, depending on your settings.

Supabase acts as a processor for hosting, authentication, and database services. Where required, a Data Processing Agreement is concluded with Supabase.

If you use Synecct without an account, your mind map data is stored exclusively in your browser's localStorage. In that case, this data is not transmitted to us unless you actively use a cloud feature.

If you are signed in and save content to the cloud, your maps are stored in our database and associated with your user account.

Synecct offers optional AI-powered features for signed-in users, including automatic flashcard generation and node explanations. These features are powered by Google's Gemini API.

When you use these features, the text content of your mind map nodes (titles, notes, list items, and flow steps) is transmitted to Google's Gemini API for processing. No images, account information, or personally identifying data beyond the node content you have entered is sent.

• –Purpose: to generate study flashcards and concise explanations from your mind map content.
• –Legal basis: performance of a contract / provision of the requested feature (Art. 6(1)(b) GDPR).
• –Data processor: Google LLC, operating under Google's Privacy Policy (policies.google.com/privacy).
• –Data transfer: processing may involve servers in the United States. Google states participation in the EU-U.S. Data Privacy Framework.
• –Retention: mind map content sent to the Gemini API is not stored by Synecct beyond the duration of the API request. Generated flashcards are stored in our Supabase database as described in Section 2.
• –Opt-out: AI features are only triggered when you actively click the Study or Explain button. You can use Synecct fully without using these features.

Generated flashcards and your spaced-repetition progress are stored per mind map in our database and can be deleted by deleting the associated map or your account.

• –Performance of a contract (Art. 6(1)(b) GDPR): to provide the service, user accounts, authentication, cloud sync, and AI-powered features.
• –Legitimate interests (Art. 6(1)(f) GDPR): to maintain security, prevent abuse, troubleshoot issues, and ensure stable operation.
• –Consent (Art. 6(1)(a) GDPR): for optional analytics technologies or cookies, where legally required.

We may use external service providers that process personal data on our behalf or as independent controllers, depending on the service.

• –Supabase: hosting, database, authentication infrastructure, and storage of mind maps, flashcards, and learning progress.
• –Google Gemini API: AI processing of mind map content for flashcard generation and node explanations (only when AI features are actively used). Privacy policy: policies.google.com/privacy
• –Google: if Google sign-in or Google Analytics is enabled.

We may use Google Analytics 4 to better understand how Synecct is used. If analytics is not active yet, no analytics data is processed. If analytics is activated, it should only be loaded after valid consent where this is legally required.

Google Analytics may process information such as page views, session data, approximate device and browser information, and interactions on the website. According to Google, data from EU users is first collected via EU-based domains and servers, and individual IP addresses of EU users are not logged or stored.

Data processing by Google may involve transfers to the United States. Google states that it participates in the EU-U.S. Data Privacy Framework. Additional contractual safeguards may apply depending on the setup.

We use the following storage mechanisms:

• –localStorage (essential): stores locally created mind maps, certain local app states, and cached AI-generated flashcards to avoid redundant API calls.
• –sessionStorage (essential): may temporarily store the active cloud map ID or session-related state during a browser session.
• –Authentication cookies or tokens (essential): used to maintain your login session.
• –Analytics cookies (optional): only if analytics is enabled and you have provided any required consent.

• –Account data is retained for as long as your user account exists.
• –Cloud-stored map data is retained until you delete it or delete your account, unless statutory retention obligations require otherwise.
• –Flashcards and spaced-repetition progress are retained until you delete the associated map or your account.
• –Mind map content sent to the Gemini API is processed in real time and not stored by Synecct beyond the API request.
• –Technical logs and security-related data are retained only as long as necessary for the stated purposes.
• –Analytics data, if used, is retained according to the configured retention period in the analytics service.

Under the GDPR, you have the following rights:

• –Right of access (Art. 15 GDPR)
• –Right to rectification (Art. 16 GDPR)
• –Right to erasure (Art. 17 GDPR)
• –Right to restriction of processing (Art. 18 GDPR)
• –Right to data portability (Art. 20 GDPR)
• –Right to object (Art. 21 GDPR)
• –Right to withdraw consent at any time with effect for the future, where processing is based on consent

To exercise any of these rights, please contact us at contact@huansystems.com.

You also have the right to lodge a complaint with the Austrian Data Protection Authority:

We may update this Privacy Policy from time to time. The version published on this page is the current version.