This Privacy Policy explains what personal data LekSync collects, why we collect it, how we use and share it, and what rights you have under applicable data protection laws — including India's Digital Personal Data Protection Act, 2023 ("DPDPA"), the EU/UK General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"). If anything below is unclear, please contact us using the details in §13.

1. Who We Are

LekSync ("LekSync", "we", "our", "us") is a mobile application and companion website operated by [LEGAL_ENTITY_NAME], with its registered office at [REGISTERED_ADDRESS], India. For the purposes of the GDPR, we are the "data controller" of your personal data. For the purposes of the DPDPA, we act as the "Data Fiduciary".

The grievance officer and data protection contact for all data-related matters is: LekSync Support — leksync.official@gmail.com.

2. What This Policy Covers

This Privacy Policy applies to:

The LekSync Android application (the "App").
Our website at https://leksync.in, including the browser-based receiver.
Any related services or communications we provide.

3. The Personal Data We Collect

3.1 Data You Provide Directly

Account details: When you sign in with Google or email, we receive your name, email address and profile picture from the sign-in provider.
Nickname and avatar: An optional display name and avatar you choose within the App.
Referral codes: Codes you generate, share or redeem.
Support communications: Any emails, messages or attachments you send us.

3.2 Data Collected Automatically

Device and technical data: Device model, operating-system version, App version, preferred language, Firebase-assigned installation ID and a randomly-generated anonymous user ID used for analytics and crash reporting.
Usage data: Aggregated, anonymous events (screens visited, features used, session durations, errors encountered) collected through Firebase Analytics.
Crash diagnostics: Stack traces, device state and the App state at the point of failure, collected through Firebase Crashlytics.
Online-room metadata: When you host or join an online room, we store the room code, your nickname, your plan tier, join/leave timestamps and IP addresses strictly for the duration of the signalling handshake needed to establish the peer-to-peer connection.
Push notification token: A Firebase Cloud Messaging (FCM) token unique to your installation, used to deliver promotional announcements, feature updates and referral reward notifications. Every installation is automatically subscribed to our promos topic; you can opt out at any time from your device's App notification settings (see §7).
Subscription signals: Purchase token, order ID, purchase state and plan SKU received from Google Play Billing. We do not receive your card number, CVV, or any payment-instrument data.

3.3 Data We Expressly Do Not Collect

We do not access your contacts, SMS messages, call logs, location, calendar, or any health data.
We do not upload, copy, scan, index, fingerprint or store your music or video files on our servers. Media plays from your local device only.
We do not record, transcribe or retain the audio that streams between devices, including microphone audio.
We do not upload, store, or share photos, video or any other image captured by the camera during QR scanning — the camera preview is consumed locally by the in-App decoder and discarded frame by frame.
We do not upload, log, transmit, persist or share any Wi-Fi hotspot network name (SSID) or password obtained from a scanned QR code. These values are used only within your device's process memory for the single purpose of joining the host's hotspot, and are released when that flow ends.
We do not read your clipboard. When automatic Wi-Fi join falls back to the manual path, we write the hotspot password to your clipboard so you can paste it into Android's Wi-Fi prompt — we never read clipboard contents back into the App.
We do not sell your personal data. We do not share personal data with advertising networks and we do not display third-party advertisements in the App.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

4. How We Use Your Data and Our Legal Bases

Under the GDPR and the DPDPA, each use of personal data must have a lawful basis. The table below explains what we do and why.

Provide and maintain the service (accounts, playback, streaming, subscriptions) — legal basis: performance of a contract with you.
Enable optional features (online rooms, referral rewards, in-app messaging) — legal basis: performance of a contract / consent where you initiate the feature.
Diagnose crashes and operational issues — legal basis: legitimate interests in keeping the App reliable. You can disable crash reporting by opting out from your device settings.
Understand aggregate usage to improve the App — legal basis: legitimate interests in product improvement, using anonymised/aggregated data.
Send announcement notifications through FCM — legal basis: legitimate interests in keeping users informed, with a clear opt-out via your device's notification settings.
Prevent fraud, abuse and referral-code manipulation — legal basis: legitimate interests in protecting the service.
Comply with legal obligations (tax, accounting, lawful requests) — legal basis: compliance with a legal obligation.

5. How Music, Video and Voice Streaming Works

LekSync streams audio (and, optionally, the audio track of locally-stored video files) in two modes:

Hotspot mode (local): Audio is sent directly device-to-device over UDP on your local Wi-Fi hotspot. Track metadata (title, artist, duration and a thumbnail-sized album-art image) travels on the same local network. Nothing related to playback leaves your local network or reaches our servers in this mode.
Online mode (Internet): Audio is sent peer-to-peer using WebRTC with end-to-end DTLS encryption. Microphone audio, when enabled by either party, is delivered as an encrypted WebRTC audio track. We use Firebase Firestore only for the initial signalling handshake (exchanging session descriptions and ICE candidates); neither the music, the video audio, nor the microphone audio passes through our servers. Google STUN servers are used solely for NAT traversal and do not see the media stream.

Online rooms support multiple receivers simultaneously (the Android App and the leksync.in web receiver). Your subscription plan determines how many receivers can join a single room.

5.1 Referral Program

When you redeem someone's referral code, your nickname (or, if you haven't set one, the email associated with your account) is shared with the code's owner inside their LekSync App so they know who used their code. The same applies in reverse: when you share your code, your name will be shown to the friend who redeems it. No additional personal information is exchanged. Both users receive a free Premium trial in line with the published program limits. We may revoke trials granted through fraud, abuse or self-referral.

5.2 Microphone

Live microphone is a two-way feature: the host can speak to the receivers, and receivers can speak back to the host. The microphone only activates when you explicitly enable it from the Connected Devices menu (host side) or the mic button (receiver side) — it is never switched on silently or without a clear on-screen indicator. Mic audio is delivered live to the other end and is discarded the moment it's played. We never record, buffer beyond the transport jitter buffer, persist, or store microphone audio.

5.3 Camera & QR Scanning

The camera is used only when you tap Offline — Scan Hotspot QR on the receiver screen. The scanner consumes the live camera preview locally on your device; frames are passed directly to an in-App barcode decoder and discarded after each frame. No photos, video or still images are captured, saved, uploaded or transmitted. The scanner closes the moment a QR is decoded or you press Back. We show you a plain-language explanation before the Android permission prompt appears.

5.4 Wi-Fi Hotspot Credentials

A decoded Wi-Fi QR contains the host's hotspot name (SSID) and password. Those values are used once, inside your device's process, to request a temporary Wi-Fi connection through Android's standard WifiNetworkSpecifier API — Android itself shows a confirmation dialog asking you to approve the connection. If the automatic join fails on your device, LekSync offers a manual fallback that copies the password to your clipboard and opens Android's Wi-Fi Settings so you can paste it into the system prompt yourself. Credentials are not stored by the App, are never uploaded to our servers, and are not shared with any third-party service. You may only scan a QR code for a network the network owner has authorised you to join (see §4 of our Terms).

6. Third-Party Services and Data Sharing

We share personal data only with service providers who help us run LekSync, and only to the extent needed for each service to function. Each provider processes data under its own privacy policy.

Google Firebase (Google LLC / Google Ireland Limited) — Authentication, Firestore database, Crashlytics, Analytics, Cloud Messaging, In-App Messaging. Firebase privacy.
Google Play Billing (Google LLC) — Subscription processing, refund handling.
Google STUN infrastructure — WebRTC NAT traversal; used only for signalling the network path, not the media.

We may disclose personal data to public authorities where required by law, regulation, court order, or to protect our rights, users or the public. We will push back on over-broad requests where lawful to do so.

We do not sell personal data, and we do not share personal data with advertising networks or cross-context behavioural advertising partners. For CCPA/CPRA residents, this means we do not "sell" or "share" personal information as those terms are defined in that law.

7. Notifications and In-App Messaging

Every install is subscribed to our promos FCM topic so we can announce important updates, feature releases and referral rewards. You can stop receiving these at any time by turning off notifications for LekSync in Android Settings → Apps → LekSync → Notifications. Critical, security, and service-level messages may still appear as in-App banners.

8. International Transfers

Firebase, Google Play and Google STUN services are operated by Google and may process data in data centres outside your home country, including the United States and the European Union. For transfers out of the EEA, UK or India, we rely on the Standard Contractual Clauses adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum. You may request a copy of the safeguards in place by contacting us.

9. Data Retention

Account data — kept for as long as your account is active. Deleted within 30 days of your account-deletion request, except where we must retain a minimum for legal, tax or accounting reasons.
Online-room metadata — kept for up to 24 hours after the room closes for abuse diagnostics, then deleted or anonymised.
Crash reports — retained for up to 90 days by Firebase Crashlytics and then deleted automatically.
Aggregate analytics — retained for up to 14 months in Firebase Analytics (or the then-current default) and then auto-deleted.
Support correspondence — retained for up to 24 months after resolution.

10. Security

We apply reasonable technical and organisational measures: TLS in transit between the App and Firebase, DTLS encryption for WebRTC audio in online mode, Firestore security rules that scope reads and writes to the authenticated user, and principle-of-least-privilege for our own access. No internet-connected system is perfectly secure, so we encourage you to use a strong unique password and keep your device up to date.

11. Your Rights

Depending on where you live, you may have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Correction / rectification — correct inaccurate or incomplete data.
Erasure / deletion — delete your account and associated personal data via the in-App account-deletion flow, or by emailing us.
Restriction / objection — object to or restrict certain processing based on legitimate interests.
Data portability — receive a machine-readable export of data you provided.
Withdraw consent — where processing is based on consent, withdraw it at any time.
Nominate (DPDPA, India) — nominate another person to exercise your rights in the event of your death or incapacity.
Non-discrimination (CCPA, California) — exercise your privacy rights without being discriminated against.
Complain to a supervisory authority — in India the Data Protection Board once notified, in the EU/UK your local Data Protection Authority, in California the Attorney-General.

We'll respond to verifiable requests within the timeframes required by the applicable law (typically 30 days, extendable where allowed). To exercise any right, email leksync.official@gmail.com from the email address associated with your account.

12. Children's Privacy

LekSync is not directed at children under 13 (or the equivalent minimum digital-consent age in your jurisdiction — 16 in parts of the EU, 18 for DPDPA India). We do not knowingly collect personal data from children under that age. If you believe we have, please contact us and we will delete it promptly. Users under 18 should use the App only with the involvement of a parent or legal guardian.

13. Contact and Grievance Redressal

For questions, data-subject requests, or privacy complaints, contact:

Email: leksync.official@gmail.com
Postal: [LEGAL_ENTITY_NAME], [REGISTERED_ADDRESS], India

Under the DPDPA, we aim to acknowledge grievances within 72 hours and resolve them within 30 days. If you are in the EU/UK and are unhappy with our response, you may lodge a complaint with your local Data Protection Authority.

14. Cookies and Similar Technologies (Website)

Our website uses only strictly-necessary first-party cookies for session continuity and CSRF protection. We do not use advertising cookies or cross-site tracking. The browser-based receiver at /receiver/ uses localStorage to remember your chosen display name between sessions; clearing your browser data erases it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you via the App or by email. Continued use of LekSync after an updated policy takes effect constitutes acceptance of the revised terms.