Privacy Policy
Last updated: 30 April 2026
This policy describes how SinQS ("we", "us") processes personal data when you use our websites and services.
1. Data controller
SinQS
Schelmseweg 5, 6816 PA Arnhem, Netherlands
Contact: Herre de Jong (owner)
Email: info@sinqsaudit.com
2. Categories of personal data
- Account & access: name, email address, password (stored by our authentication provider), two-factor authentication (TOTP) enrollment status, sign-in metadata.
- Organisation profile: company name and identifiers, address and contact details you provide, roles (for example admin / primary contact), team invitations.
- Audit content: information you enter in audits (including notes, responses, uploaded plans, generated reports), timestamps, and related workflow state.
- Billing: purchase history, invoice references, tax identifiers where you supply them, payment context processed by our payment provider (we do not store full card numbers on SinQS servers).
- Technical & security: server logs, diagnostics, error reports, and (on the client) session replay segments where enabled for troubleshooting.
3. Purposes and legal bases (GDPR)
- To provide the service (contract): account, workspace, audits, reporting, credits, and team collaboration.
- Security & reliability (legitimate interest / contract): authentication, optional MFA, abuse prevention, incident response, product diagnostics.
- Compliance (legal obligation where applicable): accounting, tax, and regulatory requirements for invoices and records.
- Where you give consent (consent): explicit acceptance during registration or invitations, where we ask for it in the product.
4. Processors and recipients
We use trusted service providers as processors, including in particular:
- Supabase — database, authentication, file storage for audit assets and logos (region and DPA per your Supabase agreement).
- Stripe — payments, invoices, tax calculation where you purchase credits (Stripe handles card data according to its policies).
- Sentry (EU ingest) — error monitoring and a sampled portion of performance traces. Default PII collection is disabled, and Session Replay is only captured around an error event, with all text and inputs masked and media blocked.
- Resend — sending of transactional emails (account invitations, welcome messages, and similar notifications). Resend processes the recipient email address and message content to deliver the email.
- Vercel — hosting and edge delivery of the web application.
- Google — if you choose "Sign in with Google", Google processes sign-in data under its terms and privacy policy.
A transfer outside the EEA may occur where a vendor processes data in other regions; we rely on appropriate safeguards such as standard contractual clauses where applicable. See each vendor's documentation and DPA.
5. Retention
- Account & workspace data: kept while your account or organisation subscription is active, and processed for deletion when you use in-product account deletion, subject to the retention rules in this section and to any legal obligation to keep records.
- Generated audit report files (PDF) in our storage: automatically deleted by our purge process 6 months after the timestamp of the report record (see product notices and Terms). Files past that window are no longer available for download or data export, so export reports you need to keep before then.
- Other uploads (for example audit plan documents, company logos): retained until you remove them, replace them, delete the workspace, or as described in our technical cleanup flows.
- Logs & diagnostics: retained per sub-processor configuration and our operational needs, typically for a limited period unless law requires longer storage.
6. Security measures
We apply administrative and technical measures appropriate to the risk, including TLS for data in transit, segmented access with row-level security on application data, and multi-factor authentication (TOTP) for end users unless your deployment explicitly disables that requirement. MFA reduces the risk of unauthorised access to your account even if your password is compromised; keep your authenticator device safe and do not share one-time codes.
7. Cookies and local storage
We use the following strictly necessary technologies. We do not use advertising or analytics cookies.
- Authentication session cookies (Supabase) — keep you signed in and complete OAuth / PKCE flows.
- Inactivity timestamp (browser local storage, key lastActivityTimestamp) — used by the client to log you out automatically after a period of inactivity.
- UI preferences — for example a cookie that remembers whether the sidebar is open or closed.
- Cookie notice acknowledgement (browser local storage) — remembers that you have seen the notice so it does not reappear.
You can clear cookies and local storage in your browser at any time; you will need to sign in again afterwards.
8. Your rights
Depending on applicable law (including the GDPR), you may have rights to access, rectify, erase, restrict, object, and port your personal data, and to withdraw consent where processing is based on consent. You can export data from your profile where available and delete your account in settings. You may also contact us at info@sinqsaudit.com. You may lodge a complaint with your local supervisory authority.
9. International users and other privacy laws
SinQS is offered internationally. We apply this policy as a baseline regardless of where you are located, and recognise that local law may grant additional rights. If you are located in any of the regions below, the following also applies:
- European Economic Area (GDPR / AVG): the rights set out above apply directly. You may complain to your national supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens).
- United Kingdom (UK GDPR & Data Protection Act 2018): equivalent rights apply; you may complain to the Information Commissioner's Office (ICO).
- Switzerland (revFADP / nFADP): equivalent rights apply; the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).
- California (CCPA / CPRA): we do not "sell" or "share" personal information for cross-context behavioural advertising. California residents have the right to know, delete, correct, and limit the use of sensitive personal information; exercise these rights via the contact email above. We do not discriminate against you for exercising your rights.
- Other US state privacy laws (Colorado, Connecticut, Utah, Virginia, Texas, Oregon and others): equivalent rights of access, deletion, correction and portability are honoured to the extent required.
- Canada (PIPEDA & Quebec Law 25): equivalent rights apply; the Quebec privacy contact is our standard privacy contact.
- Brazil (LGPD): equivalent rights apply; supervisory authority is the ANPD.
- Australia (Privacy Act 1988 / APPs): we apply Australian Privacy Principles to data of individuals located in Australia.
- South Africa (POPIA), India (DPDP Act 2023), Japan (APPI), South Korea (PIPA), Singapore (PDPA), UAE (PDPL), New Zealand (Privacy Act 2020): equivalent statutory rights of access, correction, deletion and portability are honoured to the extent applicable to our processing.
Where any of these laws give you stronger rights than this policy describes, those stronger rights will apply. To exercise any right, contact us at info@sinqsaudit.com.
10. International transfers
Some of our processors host or replicate data outside your country, including (depending on the service) the European Union, the United Kingdom, Switzerland, the United States, and other regions. Where data is transferred outside the EEA, the UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum / IDTA, and the Swiss SCC supplement, together with vendor certifications (for example the EU-US Data Privacy Framework where applicable). The relevant safeguards are documented in the data processing agreements we hold with each provider listed in section 4.
11. Children
SinQS is a business service and not directed at children.
12. Changes
We may update this policy from time to time. Material changes will be reflected by updating the date above.