Skip to content

Data you own and control

Here’s exactly what leaves your device, where it goes, and what we don’t do with it. No hand-on-heart language: the point of this page is to tell you the shape of the data flow in specific enough terms that you can decide for yourself whether it is the shape you want.

Your syndicate’s data lives in a managed database on servers we rent in the European Economic Area. The app keeps a local copy on your device, a filtered slice of the relevant data, so it can run without a signal; writes queue locally and push back when you reconnect. The filter is per-membership: you only ever receive data for syndicates you belong to.

The kinds of data that replicate to the device (bookings, usage logs, maintenance, financial transactions, and so on) are listed on Offline capabilities. Some areas are deliberately online-only (settlements, invites, notification preferences) because they either need a server-side check or are too sensitive to last-write-wins conflicts.

Crash reports. When the app crashes, we collect the technical trace of where the code failed, the device model, the OS version, and the app version, linked to your account so we can follow it up. We do not collect your content and we do not collect syndicate data. If you had a flight log open when the app crashed, the crash report does not contain that log, only the trace of where the code failed.

That is the whole list of non-sync egress. No analytics SDK, no advertising identifiers, no third-party tracking.

  • We don’t sell your data.
  • We don’t train AI models on your data.
  • We don’t show ads.
  • We don’t share your data with marketing or advertising partners.

These are commitments, not hedges. The business model is straightforward (see Subscription philosophy) and none of the above is part of it.

A syndicate’s data belongs to the syndicate, not to any one member, because it is shared by all of them. When you delete your own account, your personal profile and your own identifying records are removed; records that belong to the syndicate as a whole (shared financial records, the booking history that the group relied on) may be retained in anonymised form for the other members, so their records of the syndicate are not torn up when one person leaves.

The in-app confirmation states this directly: deleting your account removes you from all syndicates, and your bookings and financial records are anonymised rather than destroyed. Deletion happens 30 days after you request it, and you can cancel any time before then; after that it is irreversible.

If you are the only member of a syndicate, there is no one left whose records depend on yours, and the syndicate can be wound up. If you are one of several, your departure does not erase the syndicate.

How long we keep things, and when they are removed

Section titled “How long we keep things, and when they are removed”

Your data does not sit around forever once it stops being used. A few automatic rules apply, all with the same aim: keep what the group still relies on, and clear out what has been abandoned.

  • Idle free syndicates are eventually removed. A free syndicate that goes about six months with no activity is deleted, along with its data. Members are emailed a warning well before the date, and again as it approaches, so it never happens unannounced. Any activity resets the clock, and paid syndicates are never removed this way.
  • Orphaned accounts are eventually removed. If you leave your last syndicate and do not join or create another, your own account is deleted a couple of months later, again after email warnings. Joining a syndicate in the meantime stops it.
  • A closed syndicate stays recoverable for a while. Closing a syndicate makes it read-only and keeps it reinstatable through a retention window before it is finally removed. See Close a syndicate.
  • Financial records outlive the rest. Wherever money has changed hands, an anonymised financial trail is kept even after a syndicate or account is gone, and financial records are held for as long as tax rules require. That is for the group’s audit trail and our legal obligations, not for anything to do with you personally.

Deletion you ask for yourself works differently and is covered above. The timings here can be adjusted over time; the binding version is always the Privacy Policy and Terms of Service (see below).

Separately from account deletion, you have fine-grained privacy controls at the syndicate level while you are a member. Three settings (whether member names appear on other people’s calendar bookings, which roles see the financial detail of other members’ usage logs, and whether usage photos are visible across the syndicate) are configured on Privacy & Visibility. Photos attached to usage logs are stored privately and served only via short-lived signed URLs; see usage photo privacy for the exact rules.

None of these settings are feature-gated. They apply equally on the free tier and the paid tier.

You can ask for a copy of your personal data at any time. Email support@syndik8.app from the address on your account, and we will send it to you in a common, machine-readable format within 30 days. This is your data-portability right under UK GDPR, and it is separate from deleting your account: asking for a copy leaves your account and your syndicates exactly as they are.

This page explains the shape of the policy in plain terms. The legal versions live in-app at Account → About → Terms of Service and Account → About → Privacy Policy. They are also available as public routes (/terms and /privacy) so you can read them before signing up or share a link with a prospective member. The legal text is the binding version; if anything here and there disagree, the legal text governs.