This Privacy Policy describes how Stitch Agency ("we", "us", "SyncTime") collects, uses, and protects your personal data when you use the SyncTime mobile app and related services. We are the data controller for the SyncTime platform itself; the clinic, salon, or wellness business you book with (your "Clinic") is an independent data controller for the appointment, treatment, and clinical information they hold about you.

Short version. We collect the minimum data needed to let you book and manage appointments with your Clinic. Your data is stored in the United Kingdom and European Union. We don't sell it, we don't share it across Clinics, and you can delete your account at any time from inside the app or by emailing us.

1. Who we are

SyncTime is operated by Stitch Agency, a company registered in the United Kingdom. For data protection enquiries, contact privacy@synctime.co.uk.

2. What data we collect

Account information

  • Name — so your Clinic can identify you.
  • Email address and / or phone number — used to sign you in and send appointment confirmations.
  • Profile photo — optional; only if you choose to upload one.
  • Date of birth — optional; used by some loyalty programmes to send birthday rewards.

Booking and treatment data

  • Appointments you book, reschedule, or cancel.
  • Treatments selected.
  • Notes or preferences you share with your Clinic through the app.
  • Loyalty rewards balance, tier status, and redemption history.

Payment information

Payments are processed by Stripe. SyncTime never sees or stores your full card number, CVV, or bank details. We store only a transaction reference and the amount paid, so we can show your payment history and process refunds.

Technical data

  • Device identifiers (used only for fraud prevention via Apple App Attest and Google Play Integrity).
  • App version, operating system, and locale.
  • Push notification tokens, if you grant notification permission.
  • Crash diagnostics and basic usage analytics, aggregated and anonymised.

What we don't collect

  • Biometric data. Face ID and Touch ID happen entirely on your device. SyncTime never receives or stores your biometric template.
  • Location. We don't track your location.
  • Contacts, microphone, or camera roll — except when you actively choose to upload a profile photo.
  • Cross-app or web tracking. We don't use advertising trackers.

3. How we use your data

  • To let you sign in, book appointments, and manage your account.
  • To send appointment confirmations, reminders, and updates (you can disable non-essential notifications).
  • To operate loyalty rewards, where your Clinic offers them.
  • To process payments and refunds via Stripe.
  • To protect the service from fraud and abuse.
  • To comply with our legal obligations, including financial and tax record-keeping.

Our legal bases under UK GDPR are: contract (to provide the booking service you've signed up for), legitimate interests (fraud prevention, service operation), consent (optional marketing communications), and legal obligation (tax and financial records).

4. Who we share data with

RecipientWhyWhere
Your Clinic So they can fulfil your appointment and provide treatment. UK / EU
Google Cloud / Firebase Our hosting and database provider. UK / EU regions
Stripe Payment processing. UK / EU / USA (under approved transfer mechanisms)
Apple, Google Push notification delivery; in-app fraud signals (App Attest / Play Integrity). USA (approved transfers)

We do not sell your personal data. We do not share data between Clinics — each Clinic sees only its own clients, enforced at the database level.

5. Where your data is stored

SyncTime's primary data is stored in Google Cloud regions in the United Kingdom and European Union. Some sub-processors (Stripe, Apple, Google) process data in other jurisdictions; transfers outside the UK / EEA are protected by Standard Contractual Clauses or equivalent safeguards.

6. How long we keep your data

  • Account profile — until you delete your account.
  • Bookings and treatment history — kept by your Clinic in line with healthcare and tax law (typically 6–8 years in the UK).
  • Payment records — 6 years, to meet HMRC requirements.
  • Crash logs and analytics — 90 days, then aggregated or deleted.
  • After account deletion — personal data is removed from active systems within 30 days; encrypted backups roll off within 90 days.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data (see Account Deletion).
  • Receive a copy of your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent for marketing communications at any time.
  • Complain to the Information Commissioner's Office if you believe your rights have been breached.

To exercise any of these rights, email privacy@synctime.co.uk. We respond within 30 days.

8. Children

SyncTime is intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has registered an account, contact privacy@synctime.co.uk and we will delete it.

9. Security

Data in transit is encrypted with TLS. Data at rest is encrypted by our cloud provider. Access controls, multi-tenant database rules, and audit logging prevent staff and clinics from accessing data they have no business with. App access is protected by phone or email verification, with optional Face ID / Touch ID convenience.

10. Cookies and tracking

The SyncTime mobile app does not use cookies. This marketing website uses only the cookies strictly necessary to deliver the page; we do not run third-party analytics, advertising trackers, or cross-site tracking.

11. Changes to this policy

We may update this policy from time to time. Material changes will be flagged inside the app and the "Last updated" date above will change. Continued use of the app after a change means you accept the revised policy.

12. Contact

Stitch Agency — operator of the SyncTime platform.
Email: privacy@synctime.co.uk