Privacy Policy
Last updated: 29 May 2026
1. Overview
n8n Sync ("n8n Sync", "we", "us") helps you promote n8n workflows between environments. This policy explains what personal data we collect, why, and how we handle it. The data controller is Automate Amsterdam (KVK 82771987). You can reach us at contact@n8n-sync.com or through our contact form.
2. Information we collect
Account information. Your email address and authentication identifiers when you sign up (handled by Supabase Auth). If you sign in with GitHub, we receive your GitHub account identifier and an access token (stored encrypted) used only to commit workflows to repositories you authorise.
n8n connection details. The base URL of each n8n instance you connect and an API key for it. The API key is stored encrypted in Supabase Vault and used only to call your n8n instance on your behalf. To provide the service we read your workflow definitions, credential metadata, and environment-variable keys, and we store your promotion history along with a snapshot of each production workflow (its nodes, parameters, and connections) so you can roll back. We do not have access to the secret values stored inside your n8n credentials, since n8n's API does not expose them.
Billing information. Payments are handled by Stripe. We store your subscription status and a Stripe customer/subscription identifier; we do not store your card details.
Communications. When you contact us through the support form or the website contact form, we receive your name, email address, and message (delivered via Resend).
Technical data. Basic server logs (timestamps, error information) needed to operate and secure the service.
3. How we use your information
We use your information to:
- provide and operate the service (connect to your n8n, promote workflows, keep history, enable rollback);
- process payments and manage your subscription;
- respond to support and contact requests;
- maintain security, prevent abuse, and debug issues;
- send essential service emails (for example, notifications you configure and billing messages).
4. Legal bases (GDPR)
Where the GDPR applies, we process your data on these bases: performance of our contract with you (providing the service and billing); our legitimate interests (securing and improving the service and preventing abuse); your consent where required (for example, optional integrations); and compliance with legal obligations.
5. Where your data is stored and who processes it
We rely on a small set of trusted providers ("sub-processors") to run n8n Sync:
- Supabase — database, authentication, and encrypted secret storage (Vault) for your n8n API keys and tokens.
- Vercel — hosting and serving of the application.
- Stripe — payment processing and subscription management.
- Resend — delivery of transactional, notification, and support emails.
- Google (Analytics) — optional, consent-gated. We use Google Analytics 4 on the marketing site to understand which pages visitors read and how they got there. No tracking takes place until you click "Accept all" in the cookie banner.
- Google (reCAPTCHA) — we use Google reCAPTCHA v3 to verify that submissions to our public contact form come from humans, not bots. The reCAPTCHA script is only loaded when you actually submit the form; it returns a risk score to our server, which we use to discard obvious bot traffic.
Your data is processed in the European Union (our Supabase and Vercel regions), except where a sub-processor operates from outside the EU as noted above (for example, Google for analytics and reCAPTCHA). We enter into data-processing terms with these providers where applicable.
6. Security
API keys and access tokens are encrypted at rest in Supabase Vault and decrypted only server-side to perform the actions you request; they are never exposed to the browser. Access to your data is restricted per account using row-level security, and data in transit is protected with TLS. No system is perfectly secure, but we take reasonable measures to protect your information.
7. Data retention
We keep your information for as long as your account is active. You can delete connected instances or close your account at any time; doing so removes the associated encrypted secrets from the Vault. We may retain limited records where required for legal, accounting, or security reasons.
8. Your rights
If you are in the EU/EEA (or a similar jurisdiction), you have the right to access, correct, delete, export, or restrict processing of your personal data, and to object to certain processing. To exercise these rights, contact us at contact@n8n-sync.com. You also have the right to lodge a complaint with your local data protection authority — in the Netherlands, the Autoriteit Persoonsgegevens.
9. Cookies and similar technologies
We group cookies and similar browser storage into two categories. The first is loaded automatically; the second only after you opt in through the cookie banner.
Strictly necessary. These are required to operate the service and cannot be turned off:
- Sign-in tokens stored in localStorage on the app domain (via Supabase Auth).
- n8nSync_authed — a small cookie scoped to .n8n-sync.com that tells the marketing site you have an active session on the app, so we can show "Go to dashboard" instead of "Sign in." It holds no token and no personal data, only a flag.
- n8nSync.selectedInstanceId, n8nSync.gettingStartedDismissed.v1, and similar preference keys in localStorage — used to remember which n8n instance you last picked and whether you've dismissed onboarding hints.
- n8nSync.consent.v1 in localStorage — your consent choice itself, so we don't re-ask on every page.
Analytics (consent required). Loaded only after you click "Accept all" in the cookie banner. Rejecting leaves these blocked and the rest of the site continues to work normally.
- Google Analytics 4 — sets cookies named _ga, _ga_* (and a few short-lived helpers) to count unique visitors, attribute traffic sources, and measure page engagement. IP addresses are anonymised by Google before processing. Data is processed by Google Ireland Ltd. and Google LLC in the United States; we rely on Google's Standard Contractual Clauses and your consent as the legal basis.
Anti-abuse (legitimate interest). Google reCAPTCHA v3 is loaded on the public contact form only at the moment you submit, in order to detect automated abuse. reCAPTCHA may set or read cookies and inspect browser characteristics; we rely on it because we have a legitimate interest in keeping the inbox free of spam. If you do not wish to use reCAPTCHA, you can email us directly instead of using the form — see "Contact" below.
Changing your mind. You can withdraw consent at any time by clearing site data in your browser (Settings → Privacy → Clear site data) and choosing "Reject analytics" the next time the banner appears. Rejecting on a tab where analytics has already been loaded takes effect on the next page refresh.
10. Changes to this policy
We may update this policy from time to time. We will update the "Last updated" date above and, for material changes, notify you where appropriate.
11. Contact
Questions about this policy or your data? Reach us at contact@n8n-sync.com or through our contact form.