Privacy Policy
Last updated: June 2026 — Version 1.1
Our Core Principle: Sundy is designed with privacy as its foundation. We cannot access your encrypted data, we don't collect your files, and we don't track your usage. Your secrets remain yours.
1. Introduction
Sundy Data Labs ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use the Sundy encrypted storage application ("Service").
We are a company registered in Indonesia, operating globally. By using Sundy, you agree to the collection and use of information in accordance with this policy.
2. Information We Cannot Access
Sundy is designed so that we have zero knowledge of your encrypted data:
- Your Files: All encryption happens locally on your device. We never receive, transmit, or have access to your encrypted files.
- Your Passwords: Passwords are used locally to derive encryption keys. They are never transmitted to us.
- Your Encryption Keys: Keys are generated and stored only on your device.
- Content of Your Vaults: We have no technical capability to decrypt or access your vault contents.
3. Information We Collect
3.1 License Activation Data
When you purchase and activate a license, we collect:
- Machine ID: A one-way hashed identifier derived from a combination of hardware attributes on your macOS device (used solely to bind your license to your device and detect license misuse). The raw hardware values are not stored.
- Email address: Provided during purchase; used to send your license key and purchase receipt.
- Payment information: Handled entirely by our PCI-compliant payment processor. We receive only a transaction reference and your email — we do not store card numbers, bank account details, or full billing addresses.
GDPR lawful basis: Article 6(1)(b) — performance of a contract (processing is necessary to activate your license and provide the Software you purchased). We do not rely on consent for this processing.
Retention: License records are retained for the lifetime of your license plus 7 years for accounting and tax compliance purposes, then deleted or anonymised.
3.2 Website Analytics
Our website (sundy.io) uses Google Tag Manager (GTM-WXXJRMXX) for optional, privacy-respecting analytics only if you consent via the cookie banner. GTM is not loaded until you accept. We do not use cookies for advertising or cross-site tracking. You can withdraw consent at any time using Cookie settings.
GDPR lawful basis: Article 6(1)(a) — your freely given, specific, and informed consent. Refusing or withdrawing analytics consent has no effect on your use of the Software or website.
Retention: Aggregated analytics data is retained for up to 24 months, then deleted.
3.3 Support Communications
If you contact us for support, we retain your communication (email address and message content) to provide assistance, track issue resolution, and improve our service.
GDPR lawful basis: Article 6(1)(b) — performance of a contract (where you are a licensed user) or Article 6(1)(f) — our legitimate interest in improving our product and resolving technical issues.
Retention: Support emails are retained for 3 years after the last correspondence, then deleted.
4. Cookies and Similar Technologies
This section explains how we use cookies, local storage, and similar technologies on our website. The Sundy desktop application itself does not set marketing or advertising cookies.
4.1 What we use
- Essential (local storage): Remembers your cookie consent choice so the banner is not shown on every visit. Legal basis: legitimate interest / necessary for your requested service (GDPR Art. 6(1)(f) and ePrivacy consent where required).
- Analytics (optional, consent-based): If you click “Accept all” or enable analytics in Cookie settings, we load Google Tag Manager (container ID: GTM-WXXJRMXX) to collect aggregated, anonymous usage statistics (pages viewed, approximate region, device type). GTM is not loaded until you consent. We configure Google Consent Mode with advertising storage denied. Legal basis: your consent (GDPR Art. 6(1)(a)). You may refuse without affecting core site functionality.
4.2 What we do not use
- Advertising or retargeting cookies
- Social-media tracking pixels (unless explicitly added later with separate consent)
- Cookies that access your encrypted Sundy vault data (technically impossible — encryption is local)
4.3 Managing cookies
On your first visit, a banner lets you choose Accept all, Essential only, or open Cookie settings. You can change your choice anytime via the footer link or by clearing site data in your browser.
Browser controls: most browsers let you block or delete cookies under privacy/security settings.
4.4 Retention
Consent records are stored locally in your browser until you clear site data or we increment the consent version (which may prompt you again).
5. How We Use Information
The limited information we collect is used exclusively to:
- Validate and provide software licenses
- Process purchases and issue refunds
- Provide customer support
- Improve our software and documentation
- Comply with legal obligations
6. Data Storage and Security
- License data is stored securely with encryption at rest
- We use industry-standard security practices to protect our systems
- Payment processing is handled by PCI-compliant third-party providers
- We retain license records for the duration of your license validity
7. Third-Party Services
We use the following third-party services:
- Payment Processors: To handle transactions securely (e.g., Stripe, PayPal). These providers have their own privacy policies.
- Email Services: To send purchase confirmations and support responses.
We do not sell, trade, or transfer your information to other parties.
8. Your Rights (GDPR & similar laws)
If you are in the European Economic Area, United Kingdom, or another jurisdiction with comparable privacy laws, you have the following rights regarding personal data we process as data controller (e.g. license purchases, support email, website consent):
- Access (Art. 15 GDPR): Request a copy of the personal data we hold about you and information about how we process it.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations (e.g. tax records).
- Restriction of processing (Art. 18): Ask us to restrict processing while a dispute about accuracy or lawfulness is resolved.
- Data portability (Art. 20): Receive personal data you provided to us in a structured, machine-readable format (applies to contract-based and consent-based processing).
- Object to processing (Art. 21): Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
- Withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. optional analytics cookies), withdraw consent at any time via Cookie settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint: You have the right to lodge a complaint at any time with your local supervisory authority. For example: the EDPS or your national DPA (e.g. CNIL in France, BfDI in Germany, ICO in the UK at ico.org.uk). We encourage you to contact us first so we can try to resolve your concern.
To exercise these rights, contact us at privacy@sundy.io. We respond within one calendar month (extendable by two further months for complex requests, with notice). There is no fee for exercising these rights.
9. International Data Transfers
We are based in Indonesia. Some of the third-party service providers we use (such as payment processors and email platforms) may process data in countries outside your country of residence, including the United States.
Where we transfer personal data of EEA or UK residents to countries that have not received an EU/UK adequacy decision, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): We enter into European Commission-approved SCCs with third-party processors whose services require international transfer.
- Adequacy decisions: We may transfer to countries that have been granted an EU adequacy decision (list maintained by the European Commission).
- Processor commitments: Our payment and email providers maintain EU/UK GDPR-compliant data processing agreements which we make available on request.
To obtain a copy of the relevant transfer mechanism or for further information, contact us at privacy@sundy.io.
10. Children's Privacy
Sundy is not intended for users under 16 years of age. We do not knowingly collect information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes (such as new categories of data collected, new purposes, or new third-party processors), we will provide at least 30 days' notice by posting a notice on our website and, where we hold your email address, by email. Minor clarifications or corrections may take effect immediately. Where processing is based on consent and we materially change how we process that data, we will request fresh consent before the change takes effect.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@sundy.io
- Company: Sundy Data Labs
- Location: Indonesia
Remember: The most sensitive data — your encrypted files and passwords — never leaves your device and is technically impossible for us to access. This is privacy by design.