Privacy Policy

1. Information We Collect

We collect information in two main ways: directly from you when you use our Services, and automatically through your interactions with our platform.

Information You Provide Directly

• Mobile Phone Number: Required for account registration and used as your primary login identifier. We use your phone number to send SMS verification codes (OTPs) for authentication.
• Name & Profile Information: Your full name and optionally a profile photo, used to personalise your experience.
• Farm & Agricultural Data: Information about your palm oil plots, including farm boundaries, acreage, planting dates, yield records, fertiliser and pesticide application records, harvest data, and palm health observations submitted through PalmLulus or PalmView.
• GPS Coordinates & Location Data: Precise geolocation data associated with your farms and field activities, including plot polygon coordinates, scouting waypoints, and transport routes. This data is fundamental to our monitoring, compliance, and analytics services.
• Organisation Information: If you register as part of a company, cooperative, or mill, we collect your organisation name, role, and relevant contact details.
• Communications: Records of your interactions with our support team via email or in-app messaging.

Information Collected Automatically

• Device Information: Device type, operating system version, unique device identifiers, mobile network carrier, and app version.
• Usage Data: Feature interactions, session duration, pages viewed, search queries within the app, crash reports, and performance diagnostics.
• Log Data: IP address, browser type, referring/exit pages, date and time stamps of access events, and other standard web server log data.
• Location Data: If you grant location permission to the PalmLulus app, we may collect real-time GPS coordinates during field data collection sessions. You can revoke this permission at any time through your device settings.
• Cookies & Tracking Technologies: Small files stored on your browser to maintain session state and improve functionality (see Section 10 for details).

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, operate, and maintain the features of PalmLulus, PalmView, and our web platform — including farm monitoring, yield analytics, AI-powered agronomic insights, and supply chain traceability.
• Identity Verification & Account Security: To send SMS OTP codes for authentication, verify your identity, and protect your account from unauthorised access.
• EUDR & Regulatory Compliance: To generate due diligence statements, geospatial risk reports, and traceability documentation required under the EU Deforestation Regulation (EUDR) and other applicable sustainability standards.
• Product Improvement: To analyse usage patterns, identify bugs, and develop new features. We may use aggregated and anonymised data to train and improve our AI models.
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
• Communications: To send transactional messages (account notifications, service updates) and, with your explicit consent, relevant product updates. We do not send unsolicited marketing SMS.
• Legal Compliance: To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.

3. SMS Communications

We take a minimal approach to SMS communications. Our policy is clear:

• Authentication Only: We send SMS messages exclusively for account verification and login authentication (OTP codes). We do not send promotional, marketing, or advertising SMS messages.
• Message Frequency: You will only receive an SMS when you actively trigger an authentication event — such as registering an account, logging in, or verifying a new device. We do not send scheduled or periodic SMS messages of any kind.
• No Third-Party Sharing for SMS Marketing: Your phone number is never sold, rented, or shared with third parties for marketing or advertising purposes. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
• SMS Provider: Authentication SMS messages are delivered via Twilio, Inc., a third-party communications platform. Twilio processes your phone number solely to deliver the OTP on our behalf and is bound by confidentiality and data processing obligations.
• Message & Data Rates: Standard message and data rates charged by your mobile carrier may apply to SMS messages you receive. Synga does not charge separately for SMS delivery.
• Opt-Out: Reply STOP to any SMS from Synga to opt out. You may also close your account by contacting hello@synga.ai. Opting out of authentication SMS will prevent OTP-based login.

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

• Service Providers: We share data with trusted third-party vendors who provide infrastructure and operational services on our behalf, including:
  • Twilio, Inc. — SMS delivery for authentication.
  • Supabase — Database hosting, authentication services, and file storage.
  • Isar — Local on-device encrypted database used by PalmLulus app to store plot data offline. Data stored in Isar remains on your device and is only uploaded to cloud when you enable sync.
  • OneSignal — Push notification delivery service, used only when you grant notification permissions in the PalmLulus app. OneSignal processes a device token only; your personal data is not shared.
  • Google Play / Apple App Store — App distribution platforms. These platforms have their own privacy policies governing your use of their stores.
  • Mapping and satellite imagery providers used in our monitoring tools.
  These providers are contractually obligated to use your data only as necessary to provide services to us and to maintain appropriate security measures.
• EUDR & Regulatory Authorities: Geospatial and supply chain data may be shared with relevant regulatory bodies, certification schemes, or buyers as part of EUDR due diligence reporting, where required by law or as necessary to provide our compliance services to you.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you of any such change and provide options where required by law.
• Legal Requirements: We may disclose your information if required to do so by law, court order, or government authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Storage & Security

Storage Location: Your personal data and farm data are stored on servers located in Singapore, hosted on Supabase's managed infrastructure. We have chosen Singapore-based hosting to ensure data sovereignty and alignment with Singapore's Personal Data Protection Act (PDPA).

Security Measures: We implement industry-standard security practices to protect your data, including:

• TLS/HTTPS encryption for all data transmitted between your device and our servers.
• Encryption at rest for database records and stored files.
• Role-based access controls limiting employee access to personal data on a need-to-know basis.
• Regular security reviews and penetration testing.
• Multi-factor authentication for internal administrative access.

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users if a data breach occurs that poses a significant risk to your rights.

6. Data Retention

We retain your personal information for as long as your account remains active or as needed to provide you with the Services. More specifically:

• Account Data: Retained for the duration of your account and for up to 12 months after account closure, to allow reactivation and for legal and audit purposes.
• Farm & Agricultural Data: Retained as long as necessary to fulfil EUDR compliance obligations, which may require records to be maintained for a minimum of 5 years from the date of the relevant transaction.
• Authentication Logs: Retained for up to 90 days for security monitoring and fraud prevention.
• Usage Analytics: Aggregated and anonymised usage data may be retained indefinitely for product improvement purposes.

When we no longer need your data, we will securely delete or anonymise it in accordance with our data disposal procedures.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data. We are committed to honouring these rights regardless of your location:

• Access: You have the right to request a copy of the personal data we hold about you.
• Correction: You have the right to request that we correct any inaccurate or incomplete personal data.
• Deletion: You have the right to request that we delete your personal data, subject to certain exceptions (e.g., where we are required by law to retain it).
• Data Portability: You have the right to request that we provide your data in a structured, machine-readable format, and to transfer that data to another service provider where technically feasible.
• Restriction of Processing: You have the right to ask us to restrict the processing of your data in certain circumstances.
• Objection: You have the right to object to processing of your personal data for direct marketing purposes.

To exercise any of these rights, please contact us at hello@synga.ai. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

8. Children's Privacy

Our Services are not directed at, or intended for use by, children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@synga.ai and we will promptly delete that information from our records.

Users between the ages of 13 and 18 should review these Terms with a parent or guardian before using our Services.

9. International Data Transfers

Synga is headquartered in Singapore. Your information is primarily stored and processed in Singapore. However, some of our third-party service providers (such as Twilio) may process data in other countries, including the United States.

When we transfer personal data internationally, we take steps to ensure that appropriate safeguards are in place, including:

• Entering into data processing agreements with service providers that include standard contractual clauses or equivalent protections.
• Working only with providers who maintain certifications or compliance frameworks appropriate for personal data processing.
• Minimising the scope of data transferred to only what is necessary for the specific service function.

By using our Services, you acknowledge that your information may be transferred to and processed in countries with different data protection laws than your home country. We are committed to ensuring your data remains protected regardless of where it is processed.

10. Cookies & Analytics

Our website (synga.ai) uses cookies and similar tracking technologies to enhance your browsing experience and understand how visitors use our site.

Types of Cookies We Use

• Essential Cookies: Necessary for the website to function, including session management and security features. These cannot be disabled without affecting core functionality.
• Analytics Cookies: Help us understand visitor behaviour, popular pages, and areas for improvement. We may use tools such as privacy-respecting analytics platforms to collect aggregated, anonymised data.
• Preference Cookies: Remember your settings and preferences for a better experience on return visits.

You can control and manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, though disabling certain cookies may affect the functionality of our website. Please note that our mobile applications do not use browser cookies but may use similar device-level identifiers for analytics.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our data practices, Services, or applicable laws. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify registered users via email or in-app notification where material changes affect how we process their personal data.

We encourage you to review this page periodically. Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

We aim to respond to all privacy-related inquiries within 30 days. For urgent data breach notifications or security concerns, please include "URGENT" in the subject line of your email.