+31 65888 8706

info@devbox.nl

Contact
Support
nl

NL
nl

NL

en

EN

nl

NL
nl

NL

en

EN

Home    /   SyncBox   /

Privacy policy

Privacy Policy – SyncBox

Last updated: September 15, 2025

This Privacy Policy describes how SyncBox, operated by DevBox B.V. (“we”, “us”, “our”), handles personal data of its customers and users globally. It informs you of what data we handle on your behalf, how we process it, where and how long we store it, your rights, and our legal responsibilities. If you are using SyncBox under a customer contract, that contract may include additional terms.

1. Scope; controller and processor roles

  1. SyncBox acts as a data processor when it temporarily handles personal data on behalf of its customers who determine the purposes and means of processing. You (the customer) remain the data controller for that data.
  2. For personal data that we collect to manage our own operations (e.g. account signup, billing, or legal compliance), DevBox B.V. is the data controller.

2. What data do we handle?

Depending on your use of SyncBox, we may temporarily process and store a range of data, including:

  • Account and identity information (e.g. name, address, email, company name) — for management, billing, customer support.
  • Connection settings for external systems — credentials or configuration data (properly encrypted).
  • Synchronization metadata — timestamps, volumes, error messages, logs — used for monitoring, troubleshooting, auditing.
  • Customer data from connected systems — only handled if you configure the sync; stored only for the duration necessary.

3. Legal basis and purpose of processing

We process personal data only where one or more of the following legal bases apply:

  • To fulfill our contractual obligations to you;
  • To comply with legal obligations (e.g. financial or regulatory reporting);
  • For our legitimate interests (e.g. improvement of our service, security, preventing fraud), except where those interests conflict with your rights or freedoms;
  • With your explicit consent, where required (e.g. optional features, marketing).

The purposes for which we handle data include: service fulfilment (synchronizations), access/authentication, support, improvements, security, legal compliance.

4. Data security and protection

We commit to strong security measures:

  • All sensitive data is encrypted at rest and in transit; we use industry-standard encryption (e.g. AES-256, TLS).
  • Tenant-specific encryption keys; optionally, you may provide your own storage account for greater control.
  • Access controls, audit logs, monitoring of unauthorized access.
  • Regular security reviews and risk assessments.

5. International data transfers

Because SyncBox is global and may operate or use services in multiple jurisdictions:

  • Where personal data is transferred outside the European Economic Area (EEA) or other region with strict privacy laws, we ensure adequate safeguards are in place (e.g. Standard Contractual Clauses (SCCs), Binding Corporate Rules (if applicable), or other legally recognized mechanisms).
  • For transfers to countries with less stringent privacy laws, we adopt additional security measures, and where required by law, obtain explicit consent.

6. Retention and deletion

We retain data only as long as necessary for the purposes for which it is handled, and in compliance with statutory obligations:

  • Synchronization logs and other temporary or metadata are deleted automatically after 5 weeks by default, unless you configure otherwise.
  • Data stored for operational or legal compliance is deleted within 3 months after termination of services or your request, unless retention is required under applicable law.
  • You may request earlier deletion of your data.

7. User / data subject rights

Depending on applicable law (e.g. GDPR, UK GDPR, CCPA, etc.), data subjects have a range of rights:

  • Right to access your data.
  • Right to correct inaccurate or incomplete data.
  • Right to deletion (erasure).
  • Right to object to or restrict processing.
  • Right to data portability, where applicable.
  • Right to withdraw consent to optional processing.

We will respond to valid requests within applicable legal timeframes (typically 30 days under GDPR; shorter or different under other laws).

8. Data Protection Officer and privacy oversight

  • If required by law in a given jurisdiction, we will appoint a Data Protection Officer (DPO).
  • We maintain internal policies, conduct privacy impact assessments (PIAs or DPIAs) for high-risk processing, document our processing activities, and audit our privacy practices.

9. Third-parties, vendors, subprocessors

  • We may engage third-party service providers (subprocessors) to perform functions (e.g. hosting, storage, security monitoring). These subprocessors are bound by contractual obligations to maintain confidentiality, data protection, and only process data as directed.
  • We provide you with a list of subprocessors and update you if new ones are added.

10. Breach notification

  • In the event of a security breach that affects personal data, we commit to notifying you without undue delay and in any case within the time required by applicable law.
  • We also notify relevant supervisory authorities when required (for example, within 72 hours under GDPR after becoming aware of a notifiable breach).
  • We will also cooperate in any investigations and provide necessary information.

11. Limitation of liability

  • SyncBox processes data solely as configured by you. You are responsible for ensuring that the personal data you provide or configure into SyncBox is lawfully obtained, accurate, complete, and that you have the right to process it.
  • We implement strong technical and organisational measures, but we cannot guarantee absolute security. We are not liable for losses resulting from circumstances beyond our control, including third-party acts, force majeure, or regulatory changes.
  • Our liability, whether in contract, tort, or otherwise, is limited to the maximum extent permitted by applicable law.

12. Applicable law; jurisdiction

  • This Privacy Policy and our services are governed by the laws of The Netherlands and applicable EU law (if you are located in the EU).
  • If you are located outside of the EU, local mandatory privacy laws may also apply.

13. Updates to this policy

  • We may change this policy from time to time (for example, to reflect changes in legal requirements or service changes).
  • When we do, we will update the “Last updated” date above and where required, obtain any required consents.
  • We encourage you to review this policy periodically.

14. Contact information

If you have questions or concerns about this Privacy Policy, or want to exercise your rights, contact:

DevBox B.V.
Data Protection / Privacy Team
Email: privacy@devbox.nl