Privacy Policy
Last updated: 21 April 2026
SyncScreen (“the Service”) is operated by Longfield Media (“we”, “us”, “our”). We are committed to protecting the privacy of our users. This policy explains how we collect, use, store, and share your personal data when you use SyncScreen.
1. Data Controller
Longfield Media is the data controller for personal data processed through SyncScreen. If you have any questions about this policy, contact us at support@syncscreen.uk.
2. What We Collect
2.1 Account Data
When your account is created (by an administrator on your behalf), we store:
- Your name, email address, and a hashed version of your password
- The organisation (customer) your account belongs to
- Your role within the platform (e.g. admin, standard user)
We do not offer self-registration. Accounts are created by administrators who invite you via email.
2.2 Session & Security Data
When you log in, we record:
- Your IP address and browser user-agent string
- A session token stored as an HTTP-only cookie
This data is used to authenticate your requests and detect unauthorised access. Sessions expire after 24 hours.
2.3 Media Files
When you upload images or videos, we store the file content, original filename, file size, and MIME type. Media files are stored on Cloudflare R2 (see Section 5).
2.4 Display & Device Data
For each display (screen) registered in the platform, we store:
- A display name and unique pairing code
- The display’s external IP address (recorded at each heartbeat)
- A device-lock cookie to bind a specific device to a display code
- Online/offline status and last-seen timestamp
2.5 Proof-of-Play Analytics
SyncScreen records which content was played on each display, when it started, and for how long. This data (“impressions”) is used to generate proof-of-play reports and is retained indefinitely unless your organisation requests deletion.
2.6 On-Device Caching
The SyncScreen player caches media files locally using IndexedDB and caches player HTML via a Service Worker. This enables offline playback. Cached data remains on the device until the display is unlinked or the cache is cleared.
2.7 Native Android App
The SyncScreen Android app stores the display pairing code in encrypted local storage (EncryptedSharedPreferences). It also stores screen orientation and player preferences. The app does not collect any personal data beyond what the web player transmits (heartbeats and impressions).
2.8 Third-Party Integrations
If you connect a third-party account (e.g. Canva), we store OAuth tokens, your provider user ID, and display name. You can disconnect integrations at any time, which deletes the stored tokens.
3. How We Use Your Data
We use the data we collect to:
- Provide and operate the SyncScreen service
- Authenticate users and maintain session security
- Deliver content to registered displays
- Generate proof-of-play analytics and reports
- Send transactional emails (account invitations, password resets)
- Enforce account limits and trial periods
- Detect and prevent abuse (rate limiting, device locking)
- Provide customer support (including admin account impersonation)
4. Legal Basis for Processing
We process your data on the following legal bases under UK GDPR:
- Contract performance — processing necessary to provide the SyncScreen service to your organisation
- Legitimate interests — security logging (IP, user agent), abuse prevention, and service improvement
- Consent — where you explicitly agree to these terms when accepting your account invitation
5. Third-Party Services
We share limited data with the following third-party service providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare (R2) | Media file storage & CDN delivery | Uploaded media files |
| Railway | Application hosting & database | All platform data (encrypted at rest) |
| Resend | Transactional email delivery | Email addresses, first names |
| Canva (optional) | Design import integration | OAuth tokens, design metadata |
We do not sell your personal data. We do not use your data for advertising or profiling.
6. Cookies
SyncScreen uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | User authentication | 24 hours |
| Device-lock cookie | Binds a display device to its pairing code | Until display is unlinked |
| OAuth state cookie | CSRF protection during third-party login flows | 10 minutes |
We do not use any analytics, advertising, or tracking cookies. All cookies are strictly necessary for the operation of the Service.
7. Data Retention
- Account data — retained until the account is deleted by an administrator
- Session data (IP, user agent) — automatically deleted after 24 hours
- Media files — retained until deleted by the user or administrator
- Impression data — retained indefinitely for reporting; deleted on request
- Invite tokens — expire and are deleted after 7 days
- Integration tokens — deleted when the integration is disconnected
8. Data Security
We protect your data through:
- Passwords hashed with bcrypt (10 rounds)
- HTTPS/TLS encryption for all data in transit
- Database encryption at rest (Railway managed PostgreSQL)
- HTTP-only, secure session cookies
- IP-based rate limiting on all public endpoints
- Tenant isolation — each organisation’s data is logically separated
- Encrypted local storage on Android devices (AES-256)
9. Admin Impersonation
Platform administrators may impersonate customer accounts for the purpose of providing support, troubleshooting issues, or verifying account configuration. Impersonation sessions are tracked in the session record.
10. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — request restriction of processing in certain circumstances
To exercise any of these rights, contact us at support@syncscreen.uk. We will respond within 30 days.
11. Children
SyncScreen is a business-to-business service and is not directed at individuals under 18. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify affected users via email or an in-app notice. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
If you have questions about this privacy policy or wish to make a complaint, contact us at:
Longfield Media
Email: support@syncscreen.uk
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.