POPIA Compliance
Protection of Personal Information Act, 2013
Last Modified: January 22, 2026
Synthro (Pty) Ltd. ("Synthro," "we," "our," or "us") is committed to full compliance with South Africa's Protection of Personal Information Act, 2013 (POPIA), which regulates how organizations process personal information. This compliance statement details how we meet all 8 Conditions for Lawful Processing of Personal Information as required by POPIA.
Responsible Party: Synthro (Pty) Ltd.
Registration Number: 2025/975079/07
Address: Johannesburg, South Africa
Contact: dpo@synthro.io | privacy@synthro.io
Effective Date: January 22, 2026
POPIA's 8 Conditions for Lawful Processing
Synthro appoints an Information Officer, maintains a POPIA Manual, and ensures compliance infrastructure.
We process personal information lawfully, minimally, and only with a valid legal basis (consent, contract, legal obligation).
Personal information is collected for specific, explicit, and legitimate HR operations purposes only.
We do not use personal information for purposes incompatible with the original collection purpose.
We ensure personal information is complete, accurate, not misleading, and updated where necessary.
We maintain transparent privacy practices with accessible Privacy Policy and POPIA Manual.
TLS 1.3 encryption, AES-256, MFA, RBAC, firewalls, IDS, and SOC 2 Type II certified vendors protect data.
You have rights to access, correct, delete, object, and request your personal information (30-day response).
Condition 1: Accountability
POPIA Requirement: The Responsible Party must ensure that the conditions for lawful processing are complied with.
How We Comply:
Information Officer Appointed and Registered
We have designated a registered Information Officer responsible for ensuring POPIA compliance:
- Contact: dpo@synthro.io
- Registration Number: 2026-000907 (Information Regulator)
- Registration Status: Registered with the Information Regulator (Section 55 POPIA)
- Responsibilities: Oversee data protection policies, handle data subject requests, investigate privacy complaints, liaise with the Information Regulator
Verification: You can verify our Information Officer registration at justice.gov.za/inforeg
Data Protection Policies Maintained
We have documented and implemented comprehensive data protection policies, including:
- Data Protection Policy (master policy covering all POPIA conditions)
- Data Retention and Deletion Policy
- Security Incident Response Plan
- Data Breach Notification Procedure
- Employee Data Handling Training Manual
Regular Compliance Audits
We conduct regular audits to ensure ongoing POPIA compliance:
- Quarterly Internal Reviews: Compliance team reviews data processing activities, policy updates, and incident reports
- Annual Third-Party Audits: Independent external auditors assess POPIA compliance and security posture
- Continuous Monitoring: Automated systems monitor data access, processing activities, and security events
Documentation of Processing Activities (POPIA Section 51)
We maintain records of all processing activities, including:
- Categories of Personal Information processed
- Purposes of processing
- Recipients or categories of recipients to whom Personal Information is shared
- Planned international transfers of Personal Information
- Retention periods for each category of information
- Security measures implemented to protect Personal Information
Employee Training
All Synthro employees receive mandatory POPIA training:
- New Hire Training: POPIA fundamentals, data handling best practices, confidentiality obligations
- Annual Refresher Training: Policy updates, incident case studies, emerging privacy risks
- Role-Specific Training:
- Developers: Secure coding, privacy by design, data minimization
- Support Team: Handling sensitive customer data, identity verification
- Sales/Marketing: Lawful marketing, consent management, opt-out procedures
Condition 2: Processing Limitation
POPIA Requirement: Personal Information must be processed lawfully, fairly, and in a manner that does not infringe on the privacy of the data subject.
How We Comply:
Lawful Basis for All Processing
We only process Personal Information when we have a valid lawful basis under POPIA Section 11:
| Processing Activity | Lawful Basis | POPIA Section |
|---|---|---|
| Creating your account | Consent (you provide your information voluntarily) | Section 11(1)(a) |
| Providing our Services (HRMS, payroll, NALA AI) | Contract performance (necessary to deliver Services you subscribed to) | Section 11(1)(b) |
| Processing payments via Paystack | Contract performance (necessary to process subscription payments) | Section 11(1)(b) |
| Tax invoices, financial records, B-BBEE compliance | Legal obligation (required by SA tax law, Companies Act, B-BBEE regulations) | Section 11(1)(c) |
| Fraud detection, security monitoring, abuse prevention | Legitimate interest (protect our systems, prevent fraud, ensure service integrity) | Section 11(1)(f) |
| Marketing emails, product updates, newsletters | Consent (explicit opt-in required; you can opt-out anytime) | Section 11(1)(a) |
Purpose Specification at Collection
We inform you of the purpose for which we are collecting your Personal Information at the time of collection (see Condition 6: Openness below).
Data Minimization
We collect only the Personal Information that is adequate, relevant, and not excessive for the purposes for which it is processed. For example:
- We do NOT require your ID number, race, or religion to create an account
- We collect payment details only when you subscribe to a paid plan
- We do NOT access the content of employee data stored in your HRMS (NALA AI processes only metadata unless you explicitly share content for assistance)
Collection Directly from Data Subject
We collect Personal Information directly from you whenever possible (e.g., when you register, update your profile, or contact us). We may collect from third parties only with your authorization (e.g., Single Sign-On providers like Google or Microsoft).
Condition 3: Purpose Specification
POPIA Requirement: Personal Information must be collected for a specific, explicitly defined, and lawful purpose.
How We Comply:
Clear Purpose Statements
Our Privacy Policy explicitly states the purpose for each category of Personal Information:
- Registration Information: Account creation, authentication, service provision
- Payment Information: Payment processing, invoicing, fraud prevention
- Usage Data: Service improvement, analytics, troubleshooting
- NALA Interactions: AI-powered assistance, model training (with consent)
- Marketing Data: Sending promotional emails (with consent)
No Further Processing Incompatible with Original Purpose
We do not use your Personal Information for purposes incompatible with the original purpose, unless:
- We obtain your consent for the new purpose; OR
- The new purpose is required by law.
Example:
- Allowed: Using your email (collected for account creation) to send service notifications
- Not Allowed: Using your email (collected for account creation) to send marketing emails without your separate consent
Purpose Change Notifications
If we need to process your Personal Information for a new purpose incompatible with the original purpose, we will:
- Notify you of the new purpose
- Provide an explanation for why the change is necessary
- Obtain your consent (if required by law)
- Give you the option to object or withdraw consent
Condition 4: Further Processing Limitation
POPIA Requirement: Personal Information must not be processed for a secondary purpose unless that processing is compatible with the original purpose.
How We Comply:
Compatibility Assessment
Before processing Personal Information for any secondary purpose, we assess compatibility based on:
- Relationship: Is the new purpose related to the original purpose?
- Context: Would you reasonably expect this use based on our relationship?
- Nature: Is the Personal Information sensitive (e.g., health data, biometrics)?
- Consequences: What is the potential impact on you?
- Safeguards: Are additional security measures needed?
Examples of Compatible Further Processing
| Original Purpose | Compatible Secondary Purpose | Why Compatible |
|---|---|---|
| Process subscription payment | Send payment receipt via email | Directly related to payment transaction |
| Provide HRMS Services | Send service updates about new features | Related to service provision |
| Customer support | Analyze support tickets to improve service quality | Improves support experience |
Examples Requiring Separate Consent
| Original Purpose | Incompatible Secondary Purpose | Why Consent Needed |
|---|---|---|
| Account creation | Marketing emails | Not reasonably expected without consent |
| Usage analytics | Sharing data with third-party advertisers | Changes nature and recipient of data |
| Employee data management | Using employee data for AI training | Different purpose, requires explicit consent |
Archival and Research
We may process Personal Information for historical, statistical, or research purposes if:
- The data is de-identified or anonymized where possible
- Adequate safeguards are implemented
- The processing does not cause harm or adversely affect you
Condition 5: Information Quality
POPIA Requirement: Personal Information must be complete, accurate, not misleading, and updated where necessary.
How We Comply:
Accuracy at Collection
We take reasonable steps to ensure Personal Information is accurate when collected:
- Email Verification: We send confirmation emails to verify email addresses
- Data Validation: Forms include validation rules (e.g., correct email format, valid phone numbers)
- Error Checking: Payment information is validated with payment processors in real-time
Ongoing Accuracy
We enable you to maintain accurate Personal Information:
- Self-Service Updates: You can update your profile, business information, and preferences at any time through Account Settings
- Periodic Reviews: For customers on Enterprise plans, we conduct annual data accuracy reviews
- Correction Requests: You can request corrections by emailing privacy@synthro.io
Minimizing Inaccuracy
We do not use inaccurate or outdated Personal Information to:
- Make decisions that materially affect you
- Communicate with you (we remove bounced emails from our systems)
- Generate reports or analytics (we clean and validate data before processing)
Deletion of Inaccurate Data
If Personal Information cannot be corrected or is no longer needed, we will:
- Delete the information promptly
- Notify you of the deletion
- Cease all processing of that information
Your Responsibility: You are responsible for providing accurate information when registering, updating your information when it changes, and notifying us if you become aware of inaccuracies.
Condition 6: Openness
POPIA Requirement: Data subjects must be notified when their Personal Information is collected, including purpose, recipients, and their rights.
How We Comply:
Privacy Policy
Our comprehensive Privacy Policy is:
- Publicly available: www.synthro.io/privacy
- Easy to find: Linked in our footer, registration forms, and app navigation
- Written in plain language: Avoids legal jargon where possible
- Detailed: Explains what we collect, why, how we use it, who we share with, and your rights
Just-in-Time Notices
We provide specific notices at the point of data collection:
- Registration: "We collect your email to create your account and send service notifications"
- Payment: "Your payment is processed by Paystack. See their privacy policy at [link]"
- NALA AI: "Your queries are processed by OpenAI. You can opt out of AI training in Settings"
- Cookies: Cookie banner explains cookie types, purposes, and how to manage preferences
Information Officer Contact
We clearly display contact information for our Information Officer:
- Email: dpo@synthro.io
- Purpose: Handle data subject requests, privacy inquiries, and complaints
Notification of Changes
We notify you of material changes to how we process your Personal Information:
- Email: Sent to your registered email address at least 30 days before changes take effect
- In-App Notice: Prominent banner in the Services
- Updated Date: Privacy Policy shows "Last Modified" date
POPIA Manual (Section 18)
We maintain a POPIA Manual (available upon request) that describes:
- Categories of Personal Information we hold
- Purpose of processing
- Categories of data subjects
- Recipients or categories of recipients
- Planned international transfers
- Security measures
- Objection and complaint procedures
Request our POPIA Manual: Email privacy@synthro.io
Condition 7: Security Safeguards
POPIA Requirement: Appropriate, reasonable technical and organizational measures must secure Personal Information.
How We Comply:
Technical Security Measures
(i) Encryption:
- Data in Transit: TLS 1.3 encryption for all data transmitted between your browser and our servers
- Data at Rest: AES-256 encryption for all databases, file storage, and backups
- End-to-End Encryption: Available for sensitive documents and communications (optional feature)
(ii) Access Controls:
- Authentication: Password-based authentication with option for Multi-Factor Authentication (MFA)
- Authorization: Role-Based Access Control (RBAC) ensures users can only access authorized data
- Session Management: Automatic session timeout after 30 minutes of inactivity
- Least Privilege: Employees have access only to data necessary for their job functions
(iii) Network Security:
- Firewalls: Network-level firewalls block unauthorized access
- Intrusion Detection: Real-time monitoring detects suspicious activity and triggers alerts
- DDoS Protection: Cloudflare protects against distributed denial-of-service attacks
- Web Application Firewall (WAF): Blocks common web attacks (SQL injection, XSS, CSRF)
(iv) Application Security:
- Secure Development: OWASP Top 10 best practices followed throughout development lifecycle
- Code Reviews: All code changes peer-reviewed for security vulnerabilities
- Dependency Scanning: Automated tools scan for vulnerable third-party libraries
- Penetration Testing: Annual third-party security audits and penetration tests
(v) Data Loss Prevention:
- Automated Backups: Daily encrypted backups stored in multiple geographic locations
- Disaster Recovery: Recovery Point Objective (RPO) of 24 hours, Recovery Time Objective (RTO) of 4 hours
- Backup Testing: Quarterly restore drills ensure backups are functional
Organizational Security Measures
(i) Employee Training:
- Annual POPIA Training: All employees complete data protection training
- Secure Coding Training: Developers receive specialized security training
- Phishing Simulations: Quarterly simulated phishing attacks to test awareness
(ii) Confidentiality Agreements:
- All employees, contractors, and service providers sign confidentiality agreements
- Agreements include obligations to protect Personal Information and report security incidents
(iii) Background Checks:
- Criminal background checks conducted for employees with access to Personal Information (where permitted by law)
(iv) Access Logging:
- All access to Personal Information is logged with timestamps, user IDs, and actions performed
- Logs are monitored for suspicious activity and retained for 12 months
(v) Incident Response Plan:
We maintain a documented Security Incident Response Plan that includes:
- Detection: Automated monitoring and employee reporting mechanisms
- Assessment: Incident severity classification (Critical, High, Medium, Low)
- Containment: Immediate actions to prevent further unauthorized access
- Investigation: Root cause analysis and impact assessment
- Notification: Data subject notification (within 72 hours where feasible) and Information Regulator notification (if required)
- Remediation: Patches, security enhancements, and lessons learned
- Documentation: Comprehensive incident reports maintained for regulatory review
Third-Party Security
- Vendor Assessments: All service providers undergo security assessments before engagement
- Contractual Obligations: Data Processing Agreements require service providers to implement appropriate security measures
- Ongoing Monitoring: Annual security reviews of service providers
- SOC 2 Type II Compliance: Cloud infrastructure providers (AWS, Google Cloud) are SOC 2 Type II certified
Physical Security
- Data Centers: Tier III+ certified data centers with 24/7 security guards, biometric access controls, surveillance cameras
- Environmental Controls: Fire suppression, temperature monitoring, redundant power supplies
Data Breach Response
In the event of a data breach affecting your Personal Information, we will:
- Investigate: Immediately investigate the breach to determine scope and impact
- Contain: Take immediate action to contain the breach and prevent further unauthorized access
- Notify You: Send email notification within 72 hours (where feasible) including:
- Nature of the breach (what happened, when, how)
- Categories of Personal Information affected
- Likely consequences of the breach
- Measures taken to address the breach
- Recommendations for protecting yourself (e.g., change passwords, monitor accounts)
- Notify Information Regulator: Report to the Information Regulator of South Africa (if required under POPIA Section 22)
- Remediate: Implement additional security measures to prevent future breaches
- Document: Maintain records of the breach and response for regulatory review
Report Security Concerns: security@synthro.io
Condition 8: Data Subject Participation
POPIA Requirement: Data subjects must be able to request confirmation of whether we hold their Personal Information, request access, and request correction or deletion.
Your Rights Under POPIA:
(i) Right to Be Notified (Section 18)
You have the right to be notified when we collect your Personal Information, including purpose, recipients, and your rights.
How to Exercise: We provide notifications automatically (see Condition 6: Openness above).
(ii) Right of Access (Section 23)
You have the right to request:
- Confirmation of whether we hold your Personal Information
- A description of the Personal Information held
- The identity of third parties who have or have had access to the information
- Information about the source of the information (if not collected directly from you)
How to Exercise:
- Email privacy@synthro.io with subject line "POPIA Access Request"
- Provide proof of identity (copy of ID or passport)
- Specify what information you want to access
- Response Time: Within 30 days
- Fee: Free for first request; reasonable fee may apply for subsequent requests (not exceeding prescribed amount)
(iii) Right to Correction (Section 24)
You have the right to request correction, destruction, or deletion of your Personal Information if it is:
- Inaccurate, irrelevant, excessive, out of date, incomplete, misleading; OR
- Obtained or processed unlawfully
How to Exercise:
- Self-Service: Update your profile information through Account Settings
- Email Request: privacy@synthro.io with details of corrections needed
- Response Time: We will correct, delete, or destroy the information within a reasonable time or notify you if we refuse (with reasons)
(iv) Right to Object (Section 11(3))
You have the right to object to the processing of your Personal Information on reasonable grounds relating to your particular situation, unless:
- Processing is required by law; OR
- Processing is necessary to pursue our or a third party's legitimate interests that override your interests
How to Exercise:
- Email privacy@synthro.io with subject line "POPIA Objection"
- Explain the grounds for your objection
- Response Time: Within 30 days
- Outcome: We will either cease processing or provide reasons why processing must continue
(v) Right to Object to Direct Marketing (Section 69)
You have the right to object to the processing of your Personal Information for direct marketing purposes (including marketing emails, SMS, calls).
How to Exercise:
- Click "Unsubscribe" in any marketing email
- Adjust preferences in Account Settings → Communications
- Email marketing@synthro.io
- Response Time: Immediate (within 48 hours)
(vi) Right to Complain (Section 74)
You have the right to lodge a complaint with the Information Regulator if you believe we have violated POPIA.
How to Exercise:
- Contact Us: We encourage you to contact us first at privacy@synthro.io to resolve concerns
- Response Time: We will respond within 30 days
No Charge for Exercising Rights
We do not charge a fee for exercising your rights under POPIA, except:
- Access Requests: Reasonable fee for subsequent requests within a 12-month period (not exceeding prescribed amount under POPIA regulations)
- Manifestly Unfounded or Excessive Requests: We may charge a reasonable fee or refuse the request (with justification)
Identity Verification
To protect your Personal Information from unauthorized access, we may require you to verify your identity before processing your request. Acceptable forms of identification include:
- Copy of South African ID card or passport
- Driver's license
- Proof of address (if necessary to verify identity)
Response Timeframes
- Access Requests: 30 days
- Correction Requests: Reasonable time (typically 30 days)
- Objection Requests: 30 days
- Marketing Opt-Out: Immediate (within 48 hours)
- Complaint Response: 14 days (acknowledgment) + 30 days (resolution)
We will notify you if we need more time (up to 60 days for complex requests) and explain the reason for the delay.
Special Categories of Personal Information
POPIA imposes stricter requirements for processing special Personal Information (Section 26), which includes:
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information
- Criminal behavior or alleged commission of an offense
Synthro's Policy
We Do NOT Collect Special Personal Information unless:
- You provide explicit consent for a specific purpose (e.g., health information for leave management related to medical conditions); AND
- Processing is necessary for a lawful purpose; AND
- Additional safeguards are implemented (enhanced encryption, restricted access, audit logging)
Employment Equity Act (EEA) Compliance
If you enable our B-BBEE or Employment Equity reporting features, we may collect race, gender, and disability information from employees only with their explicit, informed consent and solely for the purpose of:
- Preparing Employment Equity reports required by the EEA
- B-BBEE verification and scorecard calculations
- Compliance with Department of Labour regulations
Safeguards:
- Employees can refuse to provide this information
- Information is stored separately with enhanced security
- Access restricted to authorized users only
- Information is not used for any other purpose (e.g., hiring, promotion, disciplinary decisions)
Health Information
We do NOT process health information unless:
- You enable optional features that require health data (e.g., sick leave management, medical aid integration)
- You obtain explicit consent from employees
- Processing is necessary for employment law compliance or benefits administration
If we process health information on your behalf (as Operator):
- You (the customer) are the Responsible Party
- You must have a lawful basis and employee consent
- We implement additional security measures (encryption, access logs, data minimization)
International Data Transfers (POPIA Section 72)
Your Personal Information may be transferred to and processed in countries outside South Africa, including:
- United States: Cloud infrastructure (AWS, Google Cloud), AI providers (OpenAI, Anthropic)
- European Union: Cloud infrastructure (regional availability zones)
- Other Countries: Service providers for specific features (see www.synthro.io/subprocessors)
POPIA Requirements for International Transfers
Personal Information may only be transferred outside South Africa if:
- The recipient country has adequate data protection laws (as determined by the Information Regulator); OR
- The recipient is subject to a binding corporate rule or legally enforceable agreement providing adequate protection; OR
- You consent to the transfer after being informed of the risks; OR
- The transfer is necessary for the performance of a contract; OR
- The transfer is for your benefit and it is not practicable to obtain your consent
How We Comply
Adequacy Assessments:
We assess whether recipient countries provide adequate protection based on:
- Existence of data protection laws
- Independent regulatory oversight
- International commitments (e.g., GDPR adequacy decisions)
- Legal remedies available to data subjects
Data Processing Agreements:
All international service providers sign Data Processing Agreements that include:
- Standard Contractual Clauses (SCCs) approved by EU authorities or equivalent protections
- Obligations to implement appropriate security measures
- Restrictions on onward transfers
- Rights to audit and inspect
- Data subject rights and remedies
Supplementary Measures:
For transfers to countries without adequate protection, we implement supplementary technical and organizational measures:
- Encryption: Data encrypted in transit and at rest
- Access Controls: Strict access restrictions limit who can access data
- Transparency: We disclose all international transfers in our Privacy Policy
- Government Access: We resist unlawful government data requests and notify you where permitted by law
Your Control:
- We disclose all international transfers in our Privacy Policy
- You can object to specific transfers by contacting privacy@synthro.io
- You can request that your data be stored only in South Africa (Enterprise plans only, additional fees may apply)
List of International Transfers: See our Privacy Policy at www.synthro.io/privacy or request details at privacy@synthro.io
Children's Privacy (POPIA Section 35)
Our Services are NOT intended for children under 18.
POPIA prohibits processing Personal Information of children (under 18) without consent of a parent or guardian, except where:
- The child is above 13 and has the competence to understand the risks and benefits; AND
- Processing is for educational, artistic, cultural, or recreational purposes
Synthro's Policy
No Collection from Children:
- We do not knowingly collect Personal Information from children under 18
- Our Terms of Service require users to be 18 or older
- We do not target marketing to children
Discovery of Child Data:
If we learn that we have collected Personal Information from a child under 18 without parental consent, we will:
- Delete the information within 7 days
- Notify the parent or guardian (if contact information is available)
- Close the account
- Investigate how the collection occurred and implement preventive measures
Parent/Guardian Rights:
If you are a parent or guardian and believe your child has provided Personal Information to us:
- Contact us immediately at privacy@synthro.io
- Provide proof of parental relationship
- We will delete the information and close the account
Automated Decision-Making (POPIA Section 71)
POPIA requires that automated decisions significantly affecting you must:
- Not be based solely on automated processing of Personal Information to assess behavior, creditworthiness, reliability, location, health, or personal preferences
- Provide you with the right to request human intervention and review
Synthro's Policy
Limited Automated Decision-Making:
We use automated systems for:
- Fraud Detection: Automated analysis of payment patterns to detect fraudulent transactions
- Spam Filtering: Automated detection of spam or abusive content
- System Security: Automated blocking of suspicious login attempts
These automated decisions are made for security and fraud prevention purposes and do not significantly affect you in a way that requires human intervention.
NALA AI Assistance:
- NALA provides AI-generated suggestions for HR management
- IMPORTANT: NALA's suggestions are informational only and do not constitute automated decisions
- Human Review Required: You must review, verify, and approve all NALA suggestions before implementing them
- No Binding Decisions: NALA cannot make binding employment decisions (hiring, firing, discipline, promotions) on your behalf
Your Rights:
If you believe an automated decision has significantly affected you:
- You can request human review of the decision
- You can challenge the decision and provide additional information
- You can request an explanation of how the decision was made
Request Human Review: privacy@synthro.io with subject line "Automated Decision Review Request"
POPIA Compliance Summary
| POPIA Condition | Synthro's Compliance | Evidence |
|---|---|---|
| 1. Accountability | Information Officer appointed, policies documented, regular audits | www.synthro.io/privacy, DPO contact: dpo@synthro.io |
| 2. Processing Limitation | Lawful bases identified, purpose specified at collection, data minimization | Privacy Policy Section 1 |
| 3. Purpose Specification | Clear purpose statements, no incompatible further processing | Privacy Policy Section 1, Terms of Service |
| 4. Further Processing Limitation | Compatibility assessments, consent obtained for incompatible uses | Privacy Policy Section 1 |
| 5. Information Quality | Accuracy at collection, self-service updates, correction procedures | Account Settings, Privacy Policy Section 3 |
| 6. Openness | Privacy Policy, just-in-time notices, POPIA Manual available | www.synthro.io/privacy, privacy@synthro.io |
| 7. Security Safeguards | Encryption, access controls, incident response, annual audits | Privacy Policy Section 5, Security Documentation |
| 8. Data Subject Participation | Access, correction, objection, deletion procedures documented | Privacy Policy Section 3, privacy@synthro.io |
Contact Our Information Officer
For questions, concerns, or requests related to POPIA compliance or your Personal Information:
Information Officer (Registered)
- Email: dpo@synthro.io
- Registration Number: 2026-000907 (Information Regulator)
- Subject Line: [Your specific request, e.g., "POPIA Access Request", "Correction Request", "Objection"]
Other Privacy Contacts
- General Privacy Inquiries: privacy@synthro.io
- Security Issues: security@synthro.io
- Data Breach Reports: security@synthro.io
Physical Address
Synthro (Pty) Ltd.
Johannesburg, South Africa
By using our Services, you acknowledge that you have read, understood, and agree to our POPIA-compliant processing of your Personal Information as described in this disclosure and our Privacy Policy.
Last Updated: January 22, 2026