Privacy Policy

BeSync as a processor/service provider (most Workspace content). When processing Customer Content inside a Customer Workspace — collecting standups, generating reports, extracting project signals, syncing tasks, and providing the "Ask BeSync" assistant — we generally act as processor on behalf of the Customer (the controller).

BeSync as a controller (limited contexts). We act as a controller for:

• Website analytics and cookie preferences
• Billing and account administration data for Customer administrators/billing contacts
• Our own security logs, fraud prevention, and service improvement telemetry

Account, Admin & Billing Data (Controller)

• Name, work email, job title, and role (Owner/Admin/PM/Viewer)
• Authentication and account metadata (login timestamps, SSO configuration metadata)
• Workspace administration settings and preferences
• Billing contact details, invoice history, plan level

Workspace & Collaboration Platform Metadata (Processor)

• Workspace/tenant identifiers, channel identifiers and names
• User identifiers, display name, profile fields made available by platform scopes
• Message metadata (timestamps, channel IDs, thread IDs) and message content only from sources the Customer authorises

Standup Data (Processor)

• Free-text responses from direct message flows (yesterday / today / blockers)
• Optional structured selections (project, tags, blockers)
• Timestamps and completion state

Message Processing for Project Signals (Processor)

• Blockers, risks, dependencies
• Deadlines and due dates mentioned in text
• Requests and task updates
• Links and references contained in messages

Usage Data, Device Data & Logs

• IP address, device/browser type, app version
• Event logs (features used, settings changes, integration sync events)
• Audit logs of admin actions
• Error and performance telemetry (crash logs, latencies)

When we process as a processor (Customer Content)

We use Personal Data to provide core Service functions, process authorised messages, execute integrations, provide sprint planning and dependency checks, provide the "Ask BeSync" assistant, provide support, and maintain security.

Legal basis (GDPR/UK GDPR): The Customer (as controller) is responsible for identifying the lawful basis for processing employee/workspace Personal Data. BeSync processes Customer Content under the Customer's instructions and our DPA.

When we process as a controller (website, billing, service security)

• Contract performance — to provide the Service and manage accounts/billing
• Legitimate interests — security, service improvement, preventing abuse, internal analytics
• Consent — for marketing emails where required and for non-essential cookies
• Legal obligation — tax/accounting, responding to lawful requests

AI Model Training Policy

Default position: We do not use Customer Content to train general-purpose AI models shared across customers unless the Customer explicitly opts in via a written agreement or a clear product setting designed for that purpose.

Sharing within BeSync entities. InfraSync Tech LTD UK may share Personal Data with InfraSync Teknoloji TR to deliver engineering, operations, support, and related services, under contractual controls and confidentiality obligations.

Sub-processors

We may share Personal Data with vetted sub-processors for cloud hosting, monitoring and error tracking, email delivery, customer support, payment processing, AI infrastructure/model providers, and website analytics.

International Transfers

Personal Data may be processed in multiple countries, including the United Kingdom and Turkey. Under UK GDPR, transfers may require appropriate safeguards such as the UK IDTA or the UK Addendum to EU Standard Contractual Clauses. Under Turkey's KVKK, cross-border transfers are permitted under conditions such as explicit consent or where adequate protection applies.

We retain Personal Data only as long as necessary to provide the Service, meet contractual obligations, comply with legal obligations, resolve disputes, and enforce agreements.

Security Measures

• Access controls and least-privilege principles
• Encryption in transit and, where applicable, at rest
• Logging and monitoring
• Secure development and vulnerability management practices
• Incident response procedures

Customer Controls (Admins)

• Which channels/conversations are monitored
• Enabled features (e.g., date extraction, persona insights)
• Approval policies for task creation/sync and due date writes
• Access roles (RBAC) for dashboards and reports
• Integrations and their permissions/tokens

If BeSync is acting as a controller for your Personal Data, you may have rights such as access, rectification, erasure, restriction, objection, data portability, withdrawing consent, and lodging a complaint with a supervisory authority.

Employees/end users in a Customer Workspace: For most Customer Content and workplace data, BeSync acts as a processor and your employer is the controller. You should usually direct requests to your employer/workspace admin first.

To contact us regarding privacy: [email protected] — Subject line: "Privacy Request – BeSync"

Supervisory Authorities

• In the UK: the Information Commissioner's Office (ICO)
• In Turkey: the Personal Data Protection Authority (KVKK)