Privacy Policy

Last Modified: May 30, 2026

Synthro (Pty) Ltd. ("Synthro," "we," "our," or "us") respects your privacy and is committed to protecting your Personal Information in compliance with the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland, and other applicable privacy laws.

This Privacy Policy explains how we collect, use, disclose, store, and protect information you provide when using the Synthro cloud-based Human Resources Management System (HRMS), including the NALA AI Assistant, and all related services (collectively, the "Services"). It also describes your rights under POPIA and GDPR and how to exercise them.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must discontinue use of the Services immediately.

Effective Date: January 22, 2026
Last Modified: May 30, 2026
Contact: privacy@synthro.io

1. Information We Collect and Our Use

We collect Personal Information in connection with your visits to and use of the Services. This collection includes information that you provide directly, information from third parties, and information that is collected automatically such as through the use of cookies and other technologies.

Information That You Provide

We collect Personal Information that you submit directly to us. The categories of information we collect can include:

(a) Registration Information

What We Collect: When you register for an account on the Site, we collect your name, email address, business name, phone number (optional), and password.

How We Use It:

  • To create and manage your account
  • To authenticate your identity and provide access to the Services
  • To communicate with you about your account, including service updates, security alerts, and administrative messages
  • To provide customer support and respond to your inquiries
  • To enforce our Terms of Service and detect unauthorized access or fraudulent activity
  • To comply with legal obligations, including tax and accounting requirements

Legal Basis (POPIA/GDPR): Performance of our contract with you (Terms of Service), our legitimate interests in managing our business, preventing fraud, and ensuring service security, and compliance with legal obligations.

(b) Business Information

What We Collect: During onboarding, we collect business details including your business registration number (if applicable), tax reference number (SARS number), industry, business size (number of employees), and business location.

How We Use It:

  • To set up your business profile on the Services
  • To tailor the Services to your business needs (e.g., compliance with specific industry regulations)
  • To verify your business identity for fraud prevention
  • To comply with tax, accounting, and regulatory obligations
  • To generate business intelligence and industry benchmarks (in aggregated, anonymized form)

(c) Payment Information

What We Collect: If you purchase a subscription, we collect your billing address, tax identification number (if applicable), and transaction details (date, amount, plan selected). We do not store credit card numbers.

How We Use It:

  • To process your subscription payments
  • To generate invoices and tax documentation
  • To detect and prevent payment fraud
  • To manage your subscription (upgrades, downgrades, cancellations)
  • To comply with financial regulations and tax obligations

Third-Party Payment Processors: We use Paystack (https://paystack.com) to process payments. All credit card information is provided directly to Paystack and is subject to their privacy policy: https://paystack.com/privacy. Paystack is PCI-DSS compliant and uses industry-standard encryption to protect your payment information.

(d) Communications and Support

What We Collect: When you contact us via email, phone, chat, or support forms, we collect your name, email address, phone number (if provided), and the content of your communication.

How We Use It:

  • To respond to your inquiries and provide customer support
  • To troubleshoot technical issues and improve our Services
  • To maintain records of customer interactions for quality assurance
  • To resolve disputes and enforce our agreements
  • To improve our products and services based on your feedback

(e) NALA AI Assistant Interactions

What We Collect: When you use the NALA AI Assistant, we collect:

  • Your input queries (questions, prompts, and instructions)
  • AI-generated responses and suggestions
  • Metadata about your database structure (column names, table names, row headings) to provide context-aware assistance
  • Usage patterns (frequency of use, types of queries, satisfaction ratings if provided)

IMPORTANT: We do NOT collect the actual content of your employee data, performance reviews, leave records, or documents stored in the Services without your explicit consent.

How We Use It:

  • To generate AI-powered responses to your HR management queries
  • To improve the accuracy, relevance, and performance of NALA
  • To train and fine-tune our AI models (using anonymized data only)
  • To detect and prevent misuse or abuse of the AI features
  • To provide you with personalized assistance based on your usage patterns

AI Model Providers: We use OpenAI (https://openai.com), Anthropic (https://www.anthropic.com), and Moonshot AI (https://www.moonshot.ai) to power NALA's AI capabilities. Moonshot AI provides the Kimi (kimi-k2) and Moonshot (moonshot-v1) models that NALA uses for South African labour-law, legal, and real-time information queries, and Moonshot AI processes this data on infrastructure located outside South Africa. Your queries and our responses may be processed by these providers subject to their respective privacy policies:

You can opt out of having your NALA interactions used for AI training by adjusting your privacy settings in your account preferences.

(f) Marketing and Newsletter Subscriptions

What We Collect: If you subscribe to our newsletters, blog updates, or marketing communications, we collect your email address, name (optional), and communication preferences.

How We Use It:

  • To send you marketing emails about new features, product updates, webinars, and special offers
  • To provide you with HR best practices, compliance tips, and industry insights
  • To measure the effectiveness of our marketing campaigns (email open rates, click-through rates)
  • To personalize marketing content based on your interests and usage patterns

You can unsubscribe at any time by clicking the "Unsubscribe" link in any marketing email or by contacting us at marketing@synthro.io.

(g) User Content

After registration, you may create, upload, or transmit files, documents, videos, images, data, or information as part of your use of the Services (collectively, "User Content"). This includes employee profiles, performance reviews, leave applications, documents, training records, goals, and any other content you choose to store in the Services.

How We Use User Content:

  • To provide the Services to you (storage, retrieval, search, analytics)
  • To generate reports, dashboards, and business intelligence insights
  • To enable collaboration features (e.g., sharing documents with managers)
  • To provide backup and disaster recovery
  • To comply with legal obligations (e.g., responding to valid legal requests)

You have full control over User Content. You can edit, delete, export, or restrict access to User Content at any time through the Services interface. User Content is YOUR data, and we will not access, use, or share it except as necessary to provide the Services or as required by law.

Information from Third-Party Sources

We may receive Personal Information about you from third parties and combine this information with other data we collect from you. Third parties may include:

(a) Single Sign-On (SSO) Providers

What We Collect: If you use Google, Microsoft, or LinkedIn to sign in to the Services, we receive your name, email address, and profile picture from the selected provider. This sign-in flow uses only the following scopes: email, profile, and openid. We do not request access to any Google services (such as Gmail, Drive, or Calendar) as part of the sign-in process.

Providers:

  • Google: https://policies.google.com/privacy
  • Microsoft: https://privacy.microsoft.com/privacystatement
  • LinkedIn: https://www.linkedin.com/legal/privacy-policy

(b) Google Calendar Integration (OAuth 2.0)

Synthro offers an optional Google Calendar Integration that allows you to connect your Google Calendar to the Services. This integration is separate from and independent of the Google sign-in feature described in (a) above. You must explicitly enable this integration through Account Settings → Integrations → Google Calendar.

OAuth Scope Requested:

https://www.googleapis.com/auth/calendar.events

This is a Google-classified sensitive scope. While the scope technically grants the ability to manage calendar events, Synthro uses it for one purpose only: to write HR activity events to your connected calendar — specifically to create, and where necessary update or delete, all-day events for approved leave, disciplinary hearings, performance-review meetings, and task due dates that you generate inside Synthro. Granting this scope is required for the integration to function and is subject to Google's sensitive scope review process.

What Data We Access from Your Google Calendar:

  • We write the title, description, date, optional location, and reminder settings of HR events that Synthro itself creates on your behalf.
  • We read only the event identifier and title of events Synthro previously created — matched by a private "synthroId" tag we attach, or by an exact title-and-date match — and only so that we do not create a duplicate of the same HR event. This read returns nothing more than the event ID and title.

What We Do NOT Access:

  • We do not read, list, store, or display your personal calendar events — including their attendees, descriptions, locations, video-conferencing links, or recurrence patterns
  • We do not use your calendar to populate a dashboard, feed the NALA AI Assistant, or detect free/busy availability
  • Your Gmail messages, contacts, or Google Drive files
  • Your Google account password or any authentication credentials
  • Any Google service outside of the Calendar Events API
  • Calendars you have not explicitly connected to Synthro

How We Use This Data:

  • To create HR activity events — approved leave, disciplinary hearing dates, performance-review meetings, and task due dates — on the calendar you connected, so they appear automatically alongside your other events
  • To update or remove an HR event we previously created when the underlying HR activity changes (for example, a hearing is rescheduled)
  • To check, before creating an event, whether Synthro has already created the same event — solely to prevent duplicates

How We Store This Data:

  • Your OAuth access token and refresh token are stored encrypted (AES-256) in our database and are never exposed to other users or used for any purpose other than writing HR events to your calendar via the Google Calendar API
  • We do not store a copy of your Google Calendar. The only calendar identifier we retain is the ID of an event Synthro itself created, stored against the corresponding HR record and protected by Row Level Security (RLS), so that we can update or de-duplicate that specific event later
  • Any Google Calendar data is never used to train, fine-tune, or develop AI or machine-learning models
  • Google Calendar data is never shared with other organisations or third parties outside of what is strictly necessary to operate the integration for you

Data Retention for Google Calendar Integration:

  • OAuth tokens: Retained while the integration is active. Immediately revoked and deleted upon disconnecting
  • Stored Synthro-created event IDs: Removed within 30 days of disconnecting the integration
  • Events created through Synthro: Remain in your Google Calendar unless you delete them (in Google Calendar or in Synthro), because they belong to you

How to Revoke Google Calendar Access:

  • Within Synthro: Go to Account Settings → Integrations → Google Calendar → Disconnect. This immediately revokes all tokens and queues deletion of cached event data.
  • Via Google Account: Go to myaccount.google.com/permissions, find "Synthro", and click Remove Access. Revoking access here also invalidates all stored tokens in Synthro.

Note: Revoking Google Calendar access does not affect your Synthro account, your Google sign-in, or any other Synthro features. The Google Calendar Integration is entirely optional.

Legal Basis (POPIA): Your explicit consent (POPIA Section 11(1)(a)). You consent to this processing when you complete the Google OAuth authorisation flow and connect your calendar. You may withdraw consent at any time by disconnecting the integration as described above.

Google Privacy Policy: https://policies.google.com/privacy  |  Google API Services User Data Policy: developers.google.com/terms/api-services-user-data-policy

Limited Use Disclosure — Google API Services User Data Policy

Synthro's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained through Google APIs (including Google sign-in data and Google Calendar data):

  • Is used only to provide or improve the user-facing features described in this section — writing HR activity events (approved leave, disciplinary hearings, review meetings, and task due dates) to the calendar you connected, and reading only Synthro-created events to avoid duplicates. It is not used for any other purpose.
  • Is never used for advertising, ad targeting, ad personalisation, or any marketing purpose, and is never transferred to or used by advertising platforms, data brokers, or information resellers.
  • Is never sold, rented, or transferred to third parties, except as strictly necessary to provide and operate the integration for you, to comply with applicable law, or as part of a merger or acquisition with comparable Limited Use commitments.
  • Is never used to train, fine-tune, or develop generalised or non-personalised AI or machine-learning models.
  • Is never read by any human, except: (i) with your explicit prior consent for specific data; (ii) where necessary for security purposes such as investigating abuse; (iii) to comply with applicable law; or (iv) where the data has been aggregated and anonymised and is used for internal operations in accordance with applicable privacy and other laws.

The analytics, marketing, and advertising practices described elsewhere in this Privacy Policy (including in the section below) apply only to website and product usage data we collect ourselves. They do not apply to, and are never combined with, any data obtained through Google APIs.

(c) Analytics and Marketing Partners

We may receive information from analytics platforms (e.g., Google Analytics, Plausible), advertising networks, and marketing automation tools about how you interact with our marketing campaigns and website.

You can opt out of analytics tracking by adjusting your cookie preferences through our cookie banner or Privacy Settings.

Information Collected Automatically

We, and our third-party partners, automatically collect certain types of usage information when you visit our Site or use our Services through cookies, web beacons, embedded scripts, log files, and similar tracking technologies.

(a) Device and Browser Information

What We Collect:

  • IP address (which may reveal your approximate geographic location)
  • Browser type and version (e.g., Chrome 120, Safari 17)
  • Operating system (e.g., Windows 11, macOS Sonoma, Android 14)
  • Device type and model (e.g., iPhone 15, Samsung Galaxy S24)
  • Screen resolution and device identifiers
  • Language preferences and time zone settings

(b) Usage Information

What We Collect:

  • Pages you visit on our Site and features you use in the Services
  • Time and duration of your visits and sessions
  • Links you click and actions you take
  • Search queries you enter
  • Files you upload or download
  • Error messages and crash reports

2. How We Share Personal Information

We may share your Personal Information in the instances described below. For further information on your choices regarding your information, see Section 3: Control Over Your Information.

(a) Service Providers and Business Partners

We share Personal Information with third-party service providers and business partners who perform services on our behalf or help us provide the Services. These third parties are contractually obligated to:

  • Use your Personal Information only for the purposes we specify
  • Implement appropriate security measures to protect your information
  • Comply with applicable data protection laws, including POPIA and GDPR
Service Provider CategoryPurposeExamples
Cloud InfrastructureHosting, storage, and computing resourcesSupabase
Payment ProcessingPayment processing, fraud detection, billingPaystack
AI and Machine LearningAI-powered features (NALA)OpenAI, Anthropic, Moonshot AI (Kimi)
Email and CommunicationsTransactional emails, support communicationsResend
Analytics and MonitoringWebsite analytics, performance monitoringGoogle Analytics, Plausible, Sentry
Customer SupportHelp desk, live chat, ticketingIntercom, Zendesk
Calendar IntegrationGoogle Calendar event management for scheduling features (optional integration — only when you connect your Google Calendar via Account Settings → Integrations). Data subject to Google API Services User Data Policy and Limited Use requirements.Google LLC (Google Calendar API)

(b) Legal Requirements and Law Enforcement

We may disclose your Personal Information to third parties if we reasonably believe that such disclosure is necessary to:

  • (i) Comply with Legal Obligations: Respond to valid legal processes (subpoenas, court orders, search warrants), comply with applicable laws and regulations
  • (ii) Enforce Our Rights: Enforce our Terms of Service, investigate and prevent violations of our policies
  • (iii) Protect Safety: Protect the rights, property, and safety of Synthro, our users, employees, or the public

We will use reasonable efforts to notify you before disclosing your Personal Information in response to legal requests, unless notification is prohibited by law.

(c) Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, sale of assets, or similar business transaction, your Personal Information may be transferred to the acquiring or successor entity. We will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.

(d) Aggregated and Anonymized Data

We may share aggregated or anonymized information that does not directly or indirectly identify you with third parties for research, analytics, benchmarking, and marketing purposes. For example:

  • Industry benchmarks (e.g., "Average employee turnover rate in the technology industry")
  • Usage statistics (e.g., "80% of users create performance reviews quarterly")
  • Trend reports (e.g., "Remote work increased by 30% in 2025")

Anonymized data cannot be traced back to you and is not considered Personal Information under POPIA or GDPR.

(e) With Your Consent

We may share your Personal Information with third parties when you give us explicit consent to do so. You can withdraw your consent at any time by contacting us at privacy@synthro.io.

3. Control Over Your Information

You have choices regarding how we collect, use, and share your Personal Information.

(a) Account Information

You can access, update, or delete certain Personal Information through your account settings:

  • Profile Information: Update your name, email, phone number, and profile picture
  • Business Information: Update your business name, industry, and size
  • Communication Preferences: Manage your email subscriptions and notification settings
  • Privacy Settings: Control cookie preferences, analytics tracking, and AI training opt-outs

To delete your account:

  1. Go to Account Settings → Security → Delete Account
  2. Confirm deletion and specify a reason (optional)
  3. Your account and associated data will be deleted within 60 days

(b) Email Communications

Marketing Emails: You can opt out of marketing emails by:

  • Clicking "Unsubscribe" at the bottom of any marketing email
  • Adjusting your email preferences in Account Settings
  • Contacting us at marketing@synthro.io

Note: You cannot opt out of service-related emails, such as account verification, password resets, subscription confirmations, billing notices, security alerts, and Terms of Service updates.

(c) Cookie Preferences

You can control cookies through:

  • Our Cookie Banner: When you first visit our Site, you can accept or reject non-essential cookies
  • Privacy Settings: Adjust your cookie preferences at any time through the Privacy Settings link in the footer
  • Browser Settings: Configure your browser to block or delete cookies (note: this may affect Service functionality)

(d) Data Access, Correction, and Deletion Requests

Under POPIA, GDPR, and other data protection laws, you have the right to:

(i) Access

Request a copy of the Personal Information we hold about you

(ii) Correction

Request correction of inaccurate or incomplete Personal Information

(iii) Deletion

Request deletion of your Personal Information (subject to legal retention requirements)

(iv) Portability

Request a copy of your Personal Information in a structured, machine-readable format

(v) Restriction

Request that we limit how we use your Personal Information

(vi) Objection

Object to our processing of your Personal Information

To exercise these rights:

  • Email us at privacy@synthro.io with your request
  • Provide proof of identity (e.g., copy of ID or passport)
  • Specify which right you wish to exercise and provide details

We will respond within 30 days (or as required by applicable law).

4. How We Use Cookies and Other Tracking Technology

We and our third-party partners use Tracking Technologies to automatically collect usage and device information when you visit our Site or use our Services.

Types of Cookies We Use

Cookie TypePurposeExamplesDuration
Strictly NecessaryEssential for the Services to functionAuthentication cookies, security tokens, session managementSession or up to 1 year
FunctionalRemember your preferences and settingsLanguage preference, timezone, theme (dark mode)Up to 1 year
AnalyticsUnderstand how you use the ServicesGoogle Analytics, PlausibleUp to 2 years
MarketingDeliver personalized advertisementsGoogle Ads, Facebook Pixel, LinkedIn Insight TagUp to 90 days

Specific Cookies and Local Storage

NameProviderTypePurposeDuration
synthro_cookie_consentSynthroStrictly NecessaryStores your cookie consent preferences for GDPR/POPIA compliance13 months
synthro_cookie_consent_timestampSynthroStrictly NecessaryTracks when consent was given to enforce 13-month re-consent requirement13 months
sb-*-auth-tokenSupabaseStrictly NecessaryAuthentication token for secure login sessions7 days
synthro_auth_stateSynthroStrictly NecessaryCaches authentication state for performance optimizationSession
login_attemptsSynthroStrictly NecessaryTracks failed login attempts to prevent brute force attacks15 minutes
login_rate_limit_expirySynthroStrictly NecessaryEnforces account lockout after multiple failed login attempts15 minutes
synthro-ui-themeSynthroFunctionalStores your theme preference (light/dark/system mode)Persistent
selected_planSynthroFunctionalRemembers your selected pricing plan during registration7 days
_gaGoogle AnalyticsAnalyticsDistinguishes unique users and calculates visitor, session, and campaign data2 years
_gidGoogle AnalyticsAnalyticsDistinguishes users for analytics purposes24 hours
_ga_*Google AnalyticsAnalyticsProperty-specific Google Analytics 4 measurement ID cookie2 years
__vercel_*VercelAnalyticsPerformance monitoring and web vitals trackingSession
paystack_sessionPaystackStrictly NecessarySecurely processes payment transactions30 minutes

Note on Local Storage: We use browser local storage (similar to cookies) to store some preferences locally on your device. This data never leaves your device unless you explicitly consent to analytics tracking. Local storage items include authentication tokens, theme preferences, and cached data for performance optimization.

Managing Cookies

You have control over cookies:

  • (i) Cookie Banner: When you first visit our Site, you can accept or reject non-essential cookies
  • (ii) Privacy Settings: Adjust your preferences at any time through the Privacy Settings link
  • (iii) Browser Settings: Configure your browser to block or delete cookies

Note: Disabling cookies may affect your ability to use certain features of the Services, such as staying logged in, saving preferences, or making payments.

5. Data Retention and Security

How Long We Keep Your Information

We retain your Personal Information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data TypeRetention PeriodReason
Active Account DataFor the duration of your subscription + 60 days after account closureTo provide the Services and allow data retrieval after cancellation
Payment Records7 years after transactionTax and accounting obligations (SARS requirements)
Support Communications3 years after resolutionCustomer support quality assurance, dispute resolution
Marketing ConsentsUntil you withdraw consent + 1 yearLegitimate interests in maintaining marketing records
NALA AI Interactions (anonymized)Indefinitely (unless you opt out)Improving AI accuracy and performance

Data Security

We implement appropriate technical and organizational security measures designed to protect your Personal Information against unauthorized access, use, alteration, disclosure, or destruction.

(i) Encryption

  • Data in Transit: TLS 1.3 encryption
  • Data at Rest: AES-256 encryption
  • Backups: Encrypted and geographically distributed

(ii) Access Controls

  • MFA: Multi-factor authentication for all admin accounts
  • RBAC: Role-based access control
  • Least Privilege: Employees have minimum necessary access

(iii) Infrastructure Security

  • Network-level firewalls
  • Real-time intrusion detection
  • DDoS protection (Cloudflare)
  • Regular vulnerability scanning
  • Annual penetration testing

(iv) Application Security

  • OWASP Top 10 secure coding practices
  • Code reviews for security vulnerabilities
  • Automated dependency scanning
  • Bug bounty program

No Security is 100% Foolproof

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee the absolute security of your Personal Information.

In the event of a data breach, we will:

  1. Investigate the incident and determine the scope of the breach
  2. Notify affected users via email within 72 hours (where feasible)
  3. Notify the Information Regulator (South Africa) and other relevant authorities as required by law
  4. Provide information about the breach, affected data, and remediation steps
  5. Implement additional security measures to prevent future breaches

Your Responsibility:

  • Keep your password confidential and secure
  • Use a strong, unique password (at least 12 characters with letters, numbers, and symbols)
  • Enable multi-factor authentication (MFA) on your account
  • Log out of your account when using shared or public devices
  • Report any unauthorized access or suspicious activity to security@synthro.io

6. Links to Third-Party Websites and Services

Our Site and Services may contain links to third-party websites, applications, or services that we do not own or operate (e.g., LinkedIn, Google, Paystack, integration partners).

We are not responsible for:

  • The privacy practices of third-party websites or services
  • The content, accuracy, or security of third-party websites
  • Your interactions with third parties

Your use of third-party services is at your own risk. We encourage you to review the privacy policies of any third-party website or service before providing any Personal Information.

Third-Party Integrations: If you authorize integrations with third-party applications (e.g., Google Workspace, Slack, Xero), those applications may access certain information from your Synthro account as described during the authorization process.

You can revoke third-party integrations at any time through Account Settings → Integrations.

7. Children's Privacy

Our Services are not intended for children under the age of 18.

We do not knowingly collect Personal Information from children under 18.

If you are under 18, do not:

  • Register for an account
  • Use the Services
  • Provide any Personal Information to us

If we learn that we have collected Personal Information from a child under 18, we will delete that information as soon as possible. If you believe we have collected information from a child under 18, please contact us immediately at privacy@synthro.io with:

  • The child's name and age
  • The nature of the information collected
  • How the information was collected

Parent/Guardian Rights:

If you are a parent or guardian and believe your child has provided us with Personal Information, you have the right to access, request deletion, or object to further processing of the information.

8. Changes to This Privacy Policy

We reserve the right to change this Privacy Policy from time to time in our sole discretion to reflect changes in our practices, legal requirements, or Services.

How We Notify You of Changes:

(i) Material Changes:

For significant changes that affect your rights or how we use your Personal Information, we will notify you by:

  • Sending an email to the primary email address associated with your account (at least 30 days before the changes take effect)
  • Posting a prominent notice on our Site and within the Services
  • Requiring you to accept the updated Privacy Policy before continuing to use the Services (for significant changes)

(ii) Non-Material Changes:

For minor changes (e.g., clarifications, formatting, contact information updates), we will:

  • Update the "Last Modified" date at the top of this Privacy Policy
  • Post the updated policy on our Site

Your Responsibility:

It is your responsibility to review this Privacy Policy periodically. By continuing to use the Services after changes become effective, you accept the updated Privacy Policy.

If you do not agree with the updated Privacy Policy:

  • Stop using the Services
  • Close your account (see Section 3)
  • Contact us to request deletion of your Personal Information (subject to retention requirements)

9. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Synthro (Pty) Ltd.

Registration Number: 2025/975079/07

Email:

Physical Address: Johannesburg, South Africa

Website: https://www.synthro.io

(a) Information Officer

For any questions about this Privacy Policy or to exercise your POPIA rights, contact our Information Officer at dpo@synthro.io

(b) Compliance and Whistleblower Reporting

Synthro is committed to maintaining the highest standards of legal compliance, data protection, and ethical business practices. If you become aware of any violations of this Privacy Policy, security breaches, POPIA violations, fraud, corruption, or other misconduct related to our Services, we encourage you to report it through our confidential reporting channels.

How to Report Compliance Concerns:

(i) What You Can Report:

  • Violations of POPIA, GDPR, or other data protection laws
  • Unauthorized access to or disclosure of Personal Information
  • Security vulnerabilities or data breaches
  • Fraudulent activity or financial misconduct
  • Corruption, bribery, or unethical business practices
  • Harassment, discrimination, or hostile work environment (for Synthro employees or contractors)
  • Violations of this Privacy Policy or our Terms of Service
  • Any other illegal or unethical conduct related to our Services

(ii) Anti-Retaliation Protection:

Synthro prohibits retaliation against any individual who, in good faith, reports a compliance concern or participates in an investigation. This includes:

  • Termination or suspension of Services (for customers who report in good faith)
  • Disciplinary action, demotion, or termination (for employees or contractors who report in good faith)
  • Threats, harassment, or intimidation

Note: This anti-retaliation protection applies only to reports made in good faith. Knowingly false or malicious reports may result in termination of Services or legal action.

(iii) Investigation and Response:

Upon receiving a compliance report, we will:

  • Acknowledge receipt of your report within 5 business days (if contact information is provided);
  • Conduct a thorough, impartial investigation;
  • Take appropriate corrective action if violations are substantiated (including policy changes, employee discipline, service improvements, or notification to affected parties);
  • Notify the Information Regulator or other authorities if required by law (e.g., for data breaches affecting 500+ individuals or high-risk breaches);
  • Provide feedback on the outcome of the investigation if you provided contact information (subject to confidentiality and legal constraints).

(iv) Confidentiality:

We treat all compliance reports as confidential to the extent permitted by law. If you submit an anonymous report, we will not attempt to identify you. However, please note that in some cases (e.g., legal proceedings, regulatory investigations), we may be required by law to disclose information about the report or the reporter.

10. International Data Transfers and Hosting

Important: Synthro serves customers in South Africa only. We comply with POPIA (not GDPR).

(a) Where Your Data Is Hosted

Your Personal Information is processed and stored on servers located outside South Africa. Specifically:

Hosting Locations:

  • Primary Database and Backend: Supabase, Inc. (United States - AWS us-east-1 region)
  • AI Processing (NALA Assistant): OpenAI, LLC and Anthropic, PBC (United States); Moonshot AI for the Kimi and Moonshot models (processed internationally outside South Africa)
  • Payment Processing: Paystack Payments Limited (Nigeria and South Africa)
  • Email Delivery: Resend, Inc. (United States)
  • CDN and Security: Cloudflare, Inc. (United States - distributed globally)

(i) Why We Use International Hosting:

  • Cost-effectiveness: International cloud providers offer better pricing and performance than SA-only hosting
  • Reliability: AWS and Cloudflare provide 99.9%+ uptime with advanced DDoS protection
  • Scalability: Cloud infrastructure allows us to scale as your business grows
  • Security: Enterprise-grade encryption, SOC 2 Type II compliance, and regular security audits

(b) Your Consent to International Transfers

By using the Services, you expressly consent to the transfer of your Personal Information to the United States and other countries where our service providers are located.

This consent is required under POPIA Section 72 for transfers to countries that do not have "adequate" data protection laws (as determined by the South African Information Regulator).

What This Means for You:

  • Your data may be subject to U.S. laws (including the CLOUD Act, which may allow U.S. government access)
  • Our service providers' privacy policies and security practices govern how they handle data
  • We require all service providers to maintain security standards equivalent to POPIA through contractual agreements
  • You can withdraw consent at any time by terminating your account (but this will end your access to the Services)

(c) Safeguards for International Transfers

Even though your data is stored internationally, we implement the following safeguards:

  • Encryption in Transit: TLS 1.3 for all data transmitted between your browser and our servers
  • Encryption at Rest: AES-256 encryption for data stored in databases and object storage
  • Contractual Protections: Data Processing Agreements with all service providers requiring POPIA-equivalent security
  • Access Controls: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) for all administrative access
  • Regular Audits: Annual SOC 2 Type II audits of our infrastructure providers
  • Data Minimization: We only transfer data that is necessary to provide the Services

BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY, INCLUDING THE COLLECTION, USE, AND SHARING OF YOUR PERSONAL INFORMATION AS DESCRIBED HEREIN.

Last Updated: May 30, 2026