Privacy Policy
Last updated: 19 May 2026
This Privacy Policy explains what personal data we collect when you use Sinkron (the "Service"), why we collect it, how we use it, who we share it with, and the rights you have over it. We've tried to write it in plain English. The Service is operated by Sinkron Ltd ("Sinkron", "we", "us"), a company incorporated in England and Wales (company number 17234988, registered office 20 Wenlock Road, London, England, N1 7GU).
For the purposes of UK GDPR and the EU GDPR, Sinkron Ltd is the data controller of the personal data described below.
1. What we collect
1.1 Account data
- Email address (required for account creation and login).
- First and last name.
- A hashed password and, if you enable two-factor authentication, an encrypted TOTP secret plus a small set of recovery codes.
- Your preferred role on the platform (Customer or Provider).
- Account audit metadata: account creation date, last sign-in timestamps, password-reset events, security-relevant events.
1.2 Usage & technical data
- IP address of requests to the API and dashboard, used for rate-limiting, abuse prevention, and security audit logs.
- User-agent string and basic device information from your browser.
- Sessions you create, the container images you run, resource sizes, runtime durations, and cost breakdowns. We do not inspect the contents of your containers or the data they process.
- For Providers: the machine fingerprint (Linux machine-id), hostname, IP address, advertised capacity, and rate settings of each host you connect.
1.3 Payment data
- Crypto deposit addresses we generate for you, and the on-chain transactions that fund them (sender address, amount, transaction hash). USDC on the Base network is the only currency we accept.
- Withdrawal destination addresses you instruct us to send to, and the resulting transaction hashes.
- The Compute Credit ledger: a per-user, append-only log of deposits, session charges, commissions, adjustments, and earnings.
We do not collect bank-card details. We do not collect KYC documents at this stage; we may need to collect them in future if regulation requires.
2. Why we collect it (purposes & legal bases)
- Operate the Service (contractual necessity, Art. 6(1)(b) GDPR) — provide the dashboard, run sessions, bill, pay Providers, send transactional emails.
- Keep the Service secure (legitimate interests, Art. 6(1)(f) GDPR) — detect and prevent abuse, fraud, unauthorised access; maintain audit logs.
- Communicate with you (contractual necessity and legitimate interests) — verification emails, password resets, billing notifications, deposit confirmations, session lifecycle alerts.
- Meet legal obligations (legal obligation, Art. 6(1)(c) GDPR) — comply with applicable accounting, tax, and anti-abuse laws.
We do not send marketing emails at this time. If we ever do, it will be opt-in for non-essential communications.
3. Who we share it with
We use a small set of service providers ("processors") to operate Sinkron. Each processes the data described below on our behalf under contractual data-processing terms.
- Contabo GmbH (Germany) — backbone server hosting. Hosts the API, dispatcher, and database.
- Neon, Inc. (or equivalent managed Postgres provider) — encrypted-in-transit-and-at-rest database storage.
- Resend, Inc. (USA) — transactional email delivery (verification, password reset, lifecycle notifications). Receives your email address and the body of the email.
- Tailscale Inc. (USA / Canada) — secure overlay network between the backbone, the dispatcher, and Provider hosts. Sees only network metadata (peer IDs, encrypted traffic), not your container contents.
- Cloudflare, Inc. (USA) — DNS resolution.
- GitHub, Inc. (USA, Microsoft subsidiary) — container image registry for the agent and platform images.
- Amazon Web Services, Inc. (USA, Frankfurt region) — S3 object storage for the optional customer-storage feature; STS credentials minted per user. Only used when you enable Storage.
- Coinbase Cloud / Base — the L2 network on which USDC deposits and withdrawals are settled. On-chain transactions are public by their nature.
We don't sell your personal data, and we don't share it with third parties for their own marketing purposes.
We may disclose information when required by a binding legal request (court order, valid subpoena, lawful government request). We push back on overbroad requests where appropriate.
4. Where your data is stored
The primary database and application servers are hosted in the EEA (Germany, via Contabo). Some processors listed in section 3 are based in the United States or other jurisdictions. Where personal data is transferred outside the UK or EEA, we rely on the appropriate transfer mechanisms (Standard Contractual Clauses or the UK International Data Transfer Addendum, plus any additional safeguards the processor offers, such as encryption at rest and in transit).
5. How long we keep it
- Account & ledger data: kept while your account exists and for up to 6 years after account closure to satisfy UK accounting and tax record-keeping requirements.
- Security and audit logs: retained for up to 24 months, then aggregated or deleted.
- Session metadata: retained for up to 24 months for billing and dispute resolution; then aggregated.
- Email-verification tokens, password-reset tokens, bootstrap-installer tokens: short-lived (minutes to 1 hour); deleted on use or expiry.
6. Your rights
If you're in the UK, the EEA, or another jurisdiction with a similar privacy regime, you have the following rights over your personal data:
- Access a copy of the personal data we hold about you.
- Correction of inaccurate or incomplete data. Most fields are editable from your account; for the rest, email us.
- Erasure of your data, subject to the retention obligations described in section 5 (we may need to keep some financial records for legal compliance).
- Restriction or objection to specific kinds of processing, where the legal basis is legitimate interests.
- Portability of the data you provided to us, in a machine-readable format.
- Withdraw consent at any time where consent is the legal basis for processing. Withdrawal does not affect past lawful processing.
- Complain to the UK Information Commissioner's Office (ico.org.uk) or your local EEA supervisory authority if you think we've handled your data badly.
To exercise these rights, email privacy@sinkron.network. We'll respond within 30 days, and usually faster.
7. Cookies & local storage
- Auth session cookie. We set a single, httpOnly, SameSite=Strict, Secure cookie containing your JWT after sign-in. It's used solely to keep you signed in and to authenticate your API requests. It's essential to the Service; we do not currently use cookies for advertising or analytics.
- Local storage. The dashboard stores a small "session marker" with your name and preferences in your browser's local storage so the UI loads correctly after a refresh. No sensitive token is stored client-side.
8. Children
Sinkron is not directed at children under 18. We don't knowingly collect data from children. If you believe a child has provided us with personal data, contact us at privacy@sinkron.network and we'll delete it.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in advance by email or in-product notice. The "Last updated" date at the top tells you when the current version took effect.
10. Contact
For privacy queries, including to exercise the rights in section 6, email privacy@sinkron.network. For other matters, info@sinkron.network is the general inbox.