Privacy Policy

Your privacy, plainly stated

300Sync is built to sync your data between systems — not to collect or monetize it. This policy explains exactly what we collect, how we use it, and what rights you have.

Effective date: March 11, 2026

The short version

No passwords stored

We use OAuth for all integrations. Credentials are encrypted at rest with AES-256-GCM.

No raw data stored

We pass your records directly between systems. We don’t retain the content of synced data.

No tracking cookies

We use cookies only for authentication sessions — never for advertising or cross-site tracking.

You stay in control

Email privacy@300sync.com at any time to request data export, correction, or deletion.

1. Information We Collect

Account information

When you create a 300Sync account or install 300Sync from the HubSpot Marketplace, we collect the email address and name associated with your HubSpot portal. We also store your HubSpot portal ID and, where applicable, the organization ID from your connected third-party software.

OAuth tokens and credentials

To sync data on your behalf, we store the OAuth access and refresh tokens issued by HubSpot and your connected integration (e.g., Clio, ServiceTitan, Jobber). For integrations that use API key or credential-based authentication rather than OAuth, we store only the encrypted form of those credentials. All tokens and credentials are encrypted at rest using AES-256-GCM. We never store your passwords.

Sync configuration and field mappings

We store the sync settings you configure: which object types to sync, field mapping rules, sync direction preferences, and conflict resolution strategy. This configuration is necessary to operate the service.

Sync logs and metadata

We log the outcome of each sync run: timestamp, number of records processed, number of records created or updated, and any errors encountered. Log entries reference record counts and error codes — they do not contain the content of your records (names, contact details, case information, etc.).

Billing information

Payments are processed by Stripe. We do not store credit card numbers, CVV codes, or full payment card details on our servers. We receive and store a Stripe customer ID, your current subscription plan, and billing status from Stripe.

Usage data

We collect aggregate usage metrics: monthly record sync counts per portal, API request counts, and feature usage flags. This data is tied to your portal ID and is used to enforce plan limits and to understand how the product is used at an aggregate level. We do not build individual behavioral profiles.

What we do NOT collect

  • The content of your synced records (contact names, emails, phone numbers, case details, service records, etc.) is never stored in our database. We process it transiently in memory during a sync run and write it directly to the destination system.
  • We do not log PII such as email addresses, phone numbers, client names, or API keys in any application log.
  • We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users.
  • We do not sell, rent, or broker your data to any third party.

2. How We Use Information

We use the information we collect only to operate and improve 300Sync. Specifically:

  • Providing the service: We use your OAuth tokens to authenticate API requests to HubSpot and your connected integration on your behalf. We use your sync configuration to determine what to sync and how.
  • Authentication: We use session cookies to keep you signed in to the 300Sync dashboard. These cookies are strictly necessary for authentication and contain no tracking information.
  • Billing and plan enforcement: We use your subscription data from Stripe to determine your plan tier and enforce record limits and feature access.
  • Monitoring and reliability: We use sync logs and usage metrics to detect errors, investigate failures, and ensure the service is operating correctly.
  • Product improvement: We use aggregated, non-identifying usage data (e.g., which integrations are most used, average sync frequency) to prioritize product development.
  • Customer support: When you contact us for support, we may access your account metadata (portal ID, connection status, recent sync logs) to diagnose your issue. We will not access the content of your synced records.
  • Legal compliance: We may use or disclose your information where required by law, legal process, or to protect the rights, property, or safety of 300Sync, our users, or others.

3. Data Processing and Storage

Pass-through architecture

300Sync is designed as a pass-through integration platform. During a sync run, we fetch records from your source system (e.g., Clio contacts), transform them according to your field mapping configuration, and write them to the destination system (e.g., HubSpot contacts). The record data exists in memory only for the duration of that operation and is not persisted to our database.

What is stored in our database

Our database (Neon PostgreSQL, hosted in the United States) stores:

  • Portal and connection records (portal ID, connection status, connected provider, last sync timestamp)
  • Encrypted OAuth tokens and credentials required to make API calls on your behalf
  • Your sync configuration (field mappings, enabled objects, sync direction, frequency)
  • Sync log summaries (record counts, error codes, timestamps — not record content)
  • Billing metadata received from Stripe (plan, customer ID, subscription status)

HIPAA-compliant integrations

Integrations with healthcare-adjacent platforms (Open Dental, Boulevard) apply a data classification filter during sync. Clinical notes, medical history, treatment plans, diagnosis codes, and other protected health information (PHI) are explicitly excluded from sync operations and are never transmitted to HubSpot. Only administrative and contact data (names, appointment schedules, practice metadata) is processed.

Data location

All data stored by 300Sync is hosted in the United States. Our application is deployed on Vercel (US regions). Our database runs on Neon PostgreSQL (AWS us-east-1). Background jobs are processed by Inngest (US). If you are located outside the United States and connect to 300Sync, your account data will be transferred to and stored in the United States.


4. Third-Party Services

300Sync uses a small set of trusted third-party services to operate. Each service receives only the data necessary for its specific function.

Service            Purpose
HubSpot            CRM destination for synced data
Stripe             Payment processing and subscription management
Vercel             Application hosting and edge delivery
Neon PostgreSQL    Primary database
Inngest            Background job processing (sync scheduling, retry logic)

We do not use Google Analytics, Facebook Pixel, Segment, Mixpanel, or any other third-party tracking or analytics service. We do not share your data with advertising networks.

Integration providers

When you connect a third-party integration (e.g., Clio, ServiceTitan, Jobber, Buildium, etc.), 300Sync acts as a conduit. Data from your connected system is transmitted to HubSpot according to your configuration. Your use of those third-party platforms is governed by their own terms of service and privacy policies — not this one.


5. Data Security

Security is a core design principle of 300Sync, not an afterthought. We implement the following controls:

  • Encryption at rest: All OAuth tokens and API credentials are encrypted using AES-256-GCM before being written to the database. Encryption keys are stored separately from the data they protect.
  • Encryption in transit: All communication between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher. HSTS is enforced to prevent downgrade attacks.
  • OAuth-only authentication: For integrations that support it, we use OAuth 2.0 exclusively. We never ask for or store your passwords to third-party systems.
  • CSRF protection: OAuth authorization flows use session-bound nonces stored in httpOnly cookies with a 10-minute expiry, preventing cross-site request forgery attacks.
  • HMAC request verification: Requests from HubSpot to our backend are verified using HMAC signatures. Our system fails closed — unsigned requests are rejected when signature verification is enabled.
  • No PII in logs: Our application logging policy explicitly prohibits logging email addresses, phone numbers, contact names, OAuth tokens, or API keys. Log entries reference IDs and error codes only.
  • Security headers: Our web application sets Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, and Permissions-Policy headers on all responses.
  • Access controls: Administrative functions require server-side role verification. No administrative capability is exposed to regular users. We do not operate a public admin panel.

No system is perfectly secure. If you discover a security vulnerability in 300Sync, please disclose it responsibly by emailing privacy@300sync.com. We will respond promptly and work with you to address the issue.


6. Data Retention

We retain your data for as long as your account is active and for a reasonable period after account termination to allow for dispute resolution and legal compliance.

  • Active account data: Account records, connection configurations, field mappings, and encrypted tokens are retained for the duration of your subscription.
  • Sync logs: Sync run logs (record counts, timestamps, error summaries) are retained for 90 days by default. Logs older than 90 days are automatically purged.
  • After disconnection: When you disconnect an integration, the associated OAuth tokens and credentials for that connection are deleted immediately from our database.
  • After account termination: When you cancel your subscription or request account deletion, we delete your account data within 30 days. Billing records required for tax compliance are retained for 7 years as required by law.
  • Backup retention: Database backups are retained for up to 30 days. Data deleted from the active database will be permanently removed from backups within that window.

7. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data. We honor these rights for all users, regardless of jurisdiction.

Right to access

You can request a copy of the personal data we hold about you, including your account information, sync configuration, and log summaries.

Right to rectification

If any data we hold about you is inaccurate or incomplete, you can request that we correct it.

Right to erasure

You can request deletion of your account and all associated data ("right to be forgotten"). We will complete deletion within 30 days, subject to legal retention obligations.

Right to data portability

You can request an export of your personal data in a machine-readable format (JSON or CSV).

Right to restrict processing

You can request that we limit how we use your data while we address a complaint or verify accuracy.

Right to object

You can object to our processing of your data. We do not process data for direct marketing, so this right primarily applies to any future use we may introduce.

CCPA — Right to opt out of sale

We do not sell personal information. There is nothing to opt out of, but you have the right to know this explicitly.

Right to withdraw consent

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect processing that occurred before the withdrawal.

To exercise any of these rights, email privacy@300sync.com with a description of your request. We will respond within 30 days. We may ask you to verify your identity before processing the request. There is no charge for submitting a rights request.

Legal basis for processing (GDPR)

For users in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the 300Sync service you have subscribed to
  • Legitimate interests — security monitoring, fraud prevention, and aggregate analytics that do not override your fundamental rights
  • Legal obligation — retaining billing records as required by applicable tax law

8. Children’s Privacy

300Sync is a business-to-business software service designed for use by organizations and business professionals. It is not directed at children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@300sync.com and we will promptly delete the information.


9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you by email or via an in-app notification.

Your continued use of 300Sync after a policy update constitutes your acceptance of the revised policy. If you do not agree with the changes, you may discontinue use of the service and request deletion of your account.

We encourage you to review this page periodically. The current effective date is always displayed at the top of this policy.


10. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact us:

Privacy requests

Data access, deletion, correction, or portability requests

privacy@300sync.com

General support

Integration setup, sync issues, billing, and account help

support@300sync.com

Mailing address: 300Sync, Inc. · Privacy Team · www.300sync.com

We aim to respond to all privacy inquiries within 5 business days and will complete any rights requests within 30 days.

Questions about your data?

We take privacy seriously. If anything in this policy is unclear or if you want to exercise your rights, reach out to our privacy team directly.