Privacy Policy

This Privacy Policy outlines our practices regarding the collection, use, and disclosure of personal information when you use our ("Platform").

By accessing or using Synco, you agree to the terms outlined in this Privacy Policy. If you do not agree with these terms, please do not use our Platform.

1. Who we are

Synco is operated by Woodili Limited, a private limited company registered in Hong Kong (Company No. 74106757) with registered offices at The L. Plaza, 367–375 Queen's Road Central, Sheung Wan, Hong Kong (“Synco”, “we”, “our”, “us”).

This Policy explains how we handle personal data when:

  • Sellers use Synco to manage personalized orders and collect customization data; and
  • Buyers submit personalization details via Synco on a seller’s behalf.

2. Our role

  • Controller (Sellers): For seller accounts and related data (e.g., account, billing, security, CRM/communications to sellers), Synco is the Data Controller.
  • Processor (Buyers): For buyer-submitted personalization data collected for a seller’s order (text, photos, audio/video, etc.), the seller is the Data Controller and Synco acts as the Data Processor, processing strictly under the seller’s instructions.

3. Data we process

3.1 Seller data (Synco as Controller)

  • Account & contact: name, email(s), shop info, profile image.
  • Authentication & security: login identifiers, device/user-agent, IP, event logs; secondary email (if provided).
  • Billing & subscriptions: plan, status, payment method metadata (actual payments handled by payment processors), invoices, charge history.
  • CRM & support: messages, tickets, feedback, preferences.
  • Usage/technical: actions in the dashboard, settings you configure.

3.2 Buyer data (Synco as Processor for sellers)

  • Order verification: magic-link email events or order-number + ZIP/postcode checks.
  • Personalization content: text, names, messages, images/photos, audio/video you upload, and any form fields the seller requires.
  • Submission telemetry: timestamps, limited technical data (IP, device/user-agent) for security and abuse prevention

We do not market to buyers, sell personal data, or use buyer content for unrelated purposes.

4. How we collect data

  • Directly from sellers when creating/using an account or contacting support.
  • Directly from buyers via Synco forms/links sent at the seller’s request.
  • Automatically via our services (basic operational and security logs).

5. Why we use data & legal bases

5.1 Sellers (Controller)

  • Provide and secure the service (contract & legitimate interests): run accounts, connect shops, prevent fraud, troubleshoot, maintain availability.
  • Billing and compliance (legal obligation/contract): invoices, tax/audit records, subscription management.
  • Product improvement (legitimate interests): anonymous/aggregated analytics to improve features.
  • Customer communications (legitimate interests/consent where required): service emails; optional product updates to sellers (you can opt out anytime).

5.2 Buyers (Processor)

  • Order fulfillment for the seller (contract/legitimate interests of the seller and buyer): collect and deliver personalization data to the seller; confirm submissions; secure the flow (verification, anti-abuse).
  • No marketing to buyers. Synco does not send promotional emails to buyers.

5.3 Sensitive & children’s data

  • Synco does not request sensitive data, but personalization may contain it. Sellers are responsible for ensuring a lawful basis (typically explicit consent) and for informing buyers.
  • If content includes a child’s personal data, the buyer (usually the parent/guardian) must be authorized to provide it.

6. Seller responsibility toward buyers

Sellers using Synco are Data Controllers for buyer data. Sellers should:

  • Provide their own Privacy Policy and Terms of Service to buyers and obtain any required consent (e.g., a consent checkbox on the personalization form).
  • Use buyer data only to fulfill the order and in line with applicable laws.
    If a seller does not provide valid policies/consents, Synco may limit or suspend related features. Synco is not liable for a seller’s non-compliance.

7. Retention

  • Buyer personalization content: retained up to 60 days from submission to allow fulfillment and handle shipping/logistics issues (e.g., lost/damaged items), then permanently deleted with no recovery from Synco systems (subject to brief backup/replication lags). Sellers may keep copies in their own systems under their policies.
  • Buyer verification & email-send logs:retained for a limited period to provide an audit trail (e.g., to confirm a request/confirmation was sent/received) and for security; deleted or anonymized when no longer needed.
  • Seller account data:kept while the account is active; after closure, retained only as needed for legitimate interests or legal obligations (e.g.,invoices and billing records typically 7 years under tax/audit rules); security logs for a limited, proportionate period.
  • We follow the storage limitation and data minimization principles and apply deletion/anonymization schedules accordingly.

8. International transfers

Your data may be processed outside your region (for example, in data centers operated by our cloud providers). Whenever we transfer personal data internationally, we implement appropriate safeguards consistent with GDPR Chapter V —suchas Standard Contractual Clauses or equivalent lawful mechanisms—and apply technical/organizational measures (e.g., encryption, access controls) to protect it, so that it receives a level of protection essentially equivalent to that of your home jurisdiction.

9. Security

We use industry-standard measures to protect data:

  • Encryption in transit and (where applicable) at rest.
  • Access controls and least-privilege permissions.
  • Monitoring and logging for security events; incident response procedures.

10. Sub-processors (third-party providers)

We use carefully selected third parties to help deliver the Service (e.g., cloud hosting, authentication, email delivery, payments, CRM/support). Where a provider processes personal data on our behalf, it does so under written data-protection termsthat impose confidentiality, security, restrictions on use, assistance with data-subject rights, and deletion/return of data at the end of the engagement. For international transfers we implement appropriate safeguards (such as the EU Standard Contractual Clauses or equivalent mechanisms) to ensure an essentially equivalent level of protection.

Some providers (for example, certain payment services) act asindependent controllers for the data they receive; in those cases we share only the minimum necessary information for their services.

We do not list provider names publicly in this Policy, but a current list of material subprocessors can be made available to seller customers upon request.

11. Your rights

11.1 Sellers (where Synco is Controller)

Depending on your location (e.g., EU/UK GDPR, California CCPA/CPRA and similar laws), you can:

  • Access your personal data;
  • Correct inaccurate data;
  • Delete data (we may retain what’s legally required);
  • Object/Restrict certain processing based on legitimate interests;
  • Portability for data you provided to us;
  • Opt out of seller marketing at any time (service/transactional emails will still be sent);
  • Lodge a complaint with your supervisory authority.

11.2 Buyers (where Synco is Processor)

Please contact the seller (your Data Controller) to exercise your rights regarding personalization data. If you contact Synco, we’ll notify and assist the seller in responding and will delete/limit processing in our systems when instructed and lawful.

We may need reasonable verification of identity to process requests and will respond within applicable legal timeframes.

12. Cookies & similar tech

Synco uses essential cookies and similar technologies for security, session management, and basic product analytics. We donot use them for cross-site advertising. Sellers can manage preferences in their browser; blocking essential cookies may affect functionality (e.g., login).

13. Do we sell data?

No. We do not sell personal data and do not share it for cross-context behavioral advertising.

14. Data about minors

Synco is not directed to children. Buyers must only submit a child’s data if they are the parent/guardian or have lawful authority. If we learn we have collected children’s data without proper authority, we will delete it.

15. Changes to this Policy

We may update this Policy from time to time. We’ll change the “Last updated” date and, where appropriate, notify sellers in-app or by email. Continued use of Synco after an update means you acknowledge the changes.

16. Contact us

Questions, requests, or complaints about privacy can be sent to our privacy team:

Email: hello@woodili.com

Postal:Woodili Limited, The L. Plaza, 367–375 Queen's Road Central, Sheung Wan, Hong Kong