Privacy Policy

Last updated: March 2026

1. Introduction

CrossSync ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use the CrossSync service ("the Service").

2. Information We Collect

We collect only the information necessary to provide the Service:

2.1 Account Information

When you register, we collect your name, email address, and company name. This information is stored in our database (hosted on Supabase) and used to manage your account, communicate with you, and provide support.

2.2 Your Customers' Data

CrossSync does not store your customers' personal information. When the Service synchronises data between Lightspeed Retail (R-Series) and HubSpot, customer records (names, email addresses, phone numbers, addresses, etc.) pass through the Service in memory only. This data is never written to a database, file system, or log. Once the synchronisation request completes, the data is discarded from memory.

2.3 OAuth Tokens

To connect to your Lightspeed Retail (R-Series) and HubSpot accounts, we store OAuth access and refresh tokens. These tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database. Tokens are only decrypted in memory at the moment they are needed to make API calls on your behalf.

2.4 Payment Information

Payments are processed by Paystack. We do not collect, store, or have access to your full credit or debit card details. Paystack handles all payment data in compliance with PCI-DSS standards. We only store your Paystack customer ID and subscription ID to manage your billing.

3. Cookies and Local Storage

CrossSync does not use traditional tracking cookies. For authentication, we store a JSON Web Token (JWT) in your browser's localStorage. This token is used solely to authenticate your requests to the Service and is removed when you log out. We do not use any third-party tracking or analytics cookies.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and manage your account.
  • Process payments and manage subscriptions.
  • Communicate with you about your account, updates, or support requests.
  • Comply with legal obligations.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

5. Third-Party Services

The Service integrates with and relies on the following third-party providers:

  • Supabase — Database hosting and authentication infrastructure.
  • Paystack — Payment processing and subscription management.
  • Lightspeed Retail (R-Series) — Point-of-sale and retail management platform (connected via OAuth).
  • HubSpot — CRM platform (connected via OAuth).

Each of these services operates under its own privacy policy. We encourage you to review their respective policies.

6. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing your account data is necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — operational logging (without PII) and security monitoring to maintain the Service.
  • Consent (Art. 6(1)(a)) — you provide explicit consent before syncing customer data between Lightspeed and HubSpot. You may withdraw consent at any time by disabling the sync or deleting your account.
  • Legal obligation (Art. 6(1)(c)) — where retention of certain records is required by law.

CrossSync acts as a data processor when handling your customers' personal data during synchronisation. You (the user) remain the data controller and are responsible for ensuring you have lawful grounds to process and transfer that data.

7. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. If you delete your account, we will remove your personal data from our systems within 30 days, except where retention is required by law. OAuth tokens are deleted immediately upon account deletion or disconnection of an integration.

Sync history logs (which do not contain customer PII) are retained for 90 days after a sync run completes, after which they are automatically purged. Audit logs related to account actions are retained for 12 months.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption of sensitive credentials (AES-256-GCM), secure HTTPS connections, and access controls. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. Your Rights (GDPR)

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of Access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16) — correct any inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17) — delete your account and all associated data. You can do this self-service from the Billing & Data page in your dashboard, or by contacting us.
  • Right to Data Portability (Art. 20) — export your account data in a machine-readable JSON format. Available self-service from the Billing & Data page.
  • Right to Restrict Processing (Art. 18) — request that we limit how we process your data.
  • Right to Object (Art. 21) — object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)) — withdraw consent at any time by disabling syncing or deleting your account.

You may exercise these rights self-service through your dashboard or by contacting us at the email address below. We will respond to all requests within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes.

11. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us via our contact page or email us at support@crosssync.app.