Last updated: 1 January 2025

Privacy Policy

This Privacy Policy explains how SYNE and its group companies collect, use, store, and share personal data when you use our platform, website, and services. We are committed to handling your data with transparency, security, and respect - and to meeting our obligations under different regulations including UK GDPR, EU GDPR, and other applicable data protection laws.

Section 01

Who We Are

SYNE Limited is a company incorporated in England and Wales (Company Number: 10541448), with its registered office at Office 7 35-37 Ludgate Hill, London EC4M 7JN, United Kingdom. References in this Policy to "SYNE One", "we", "us", or "our" include SYNE and, where applicable, its subsidiary or associate entities in Australia and India operating under the SYNE One brand.

SYNE One is the data controller for personal data processed in connection with our website at https://one.syne.com and our platform services, unless we are processing data on behalf of a customer organisation (in which case we act as a data processor and the customer is the controller).

For data processed in the European Economic Area, our EU representative is:

SYNE One EU Representative: DataRep, The Cube, Monkstown Farm, Glenageary, Co. Dublin, A96 T924, Ireland. Email: eu-rep@syneone.com

This Privacy Policy applies to visitors to our website, individuals who create a SYNE One account or use our platform services, business contacts and representatives of our customers, suppliers and partners, individuals who apply for employment with SYNE One, and individuals who attend our events or sign up for our newsletter.

If you are a business customer using SYNE One's platform to process data about your own employees, suppliers, or counterparties, please see our separate Data Processing Agreement, which governs our obligations as a data processor on your behalf.

Section 02

Data We Collect

We collect personal data in several ways: directly from you when you use our platform or contact us, automatically through your use of our website and services, and in some cases from third parties.

Data you provide directly

  • Account registration: name, work email address, company name, job title, phone number, and password
  • Platform use: financial data, procurement records, supplier information, contract content, invoice details, and other business data you input into the platform
  • Identity verification: government-issued identification documents, company registration documents, and beneficial ownership information (required for trade finance and certain regulated services)
  • Communications: content of emails, support tickets, form submissions, and chat messages you send to us
  • Marketing: email address and preferences when you subscribe to our newsletter or register for a webinar
  • Recruitment: CV, work history, references, and any information you provide during an application process

Data collected automatically

  • Log data: IP address, browser type and version, device information, operating system, pages visited, time and date of visits, referral URLs, and session duration
  • Usage data: feature usage patterns, actions taken within the platform, error logs, and API call metadata
  • Cookies and similar technologies: session cookies, authentication tokens, preference cookies, and analytics identifiers (see Section 9 for full details)
  • Location data: approximate geographic location inferred from IP address - we do not collect precise device GPS location

Data from third parties

  • Open Banking: where you connect a bank account, your bank provides us with transaction data, account balances, and account holder information with your explicit authorisation
  • Identity verification providers: identity verification results and risk scores from services such as Onfido or Jumio when you complete KYC verification
  • Credit reference agencies: business credit scores and company registration data from providers including Dun & Bradstreet and Companies House
  • Marketplace suppliers: company information, ESG certification data, and performance records submitted by suppliers who list on the SYNE Marketplace
  • ESG verification bodies: certification status and audit results from bodies such as GOTS, FSC, and Rainforest Alliance

Special category data: We do not intentionally collect special category personal data (such as health, racial, religious, or biometric data). If any such data is incidentally included in documents you upload to the platform, please redact it before uploading, as we have no legitimate basis for processing it.

Section 03

How We Use Your Data

| Purpose | Description | Legal Basis |
| --- | --- | --- |
| Providing the platform | Processing transactions, generating invoices, managing procurement workflows, running supplier matching, and delivering all contracted platform features | Contract performance |
| Account management | Creating and maintaining your account, authentication, access control, and communicating platform updates | Contract performance |
| Trade finance & KYC | Verifying identity, assessing creditworthiness, performing AML and sanctions screening, and processing trade finance applications | Legal obligation; Legitimate interests |
| ESG data processing | Calculating Scope 3 emissions, generating sustainability reports, and producing CSRD, CBAM, and EUDR compliance documentation | Contract performance; Legal obligation |
| Customer support | Responding to support requests, resolving technical issues, and conducting customer success activities | Contract performance; Legitimate interests |
| Safety & security | Detecting and preventing fraud, abuse, unauthorised access, and other harmful activities on the platform | Legitimate interests; Legal obligation |
| Product improvement | Analysing aggregated usage patterns to improve platform features, AI matching accuracy, and user experience | Legitimate interests |
| Marketing communications | Sending product updates, thought leadership content, event invitations, and promotional offers to subscribers | Consent; Legitimate interests (existing customers) |
| Legal compliance | Meeting our obligations under applicable laws including tax, anti-money laundering, data protection, and financial regulation | Legal obligation |
| Recruitment | Assessing job applications, conducting interviews, and onboarding successful candidates | Pre-contractual steps; Legitimate interests |

We use your data only for the purposes listed above. We do not sell personal data to third parties, and we do not use personal data for automated decision-making that produces legal or similarly significant effects without human review.

Section 04

Legal Basis for Processing

Under the UK GDPR and EU GDPR, we are required to identify a lawful basis for each type of personal data processing. The primary bases we rely on are:

  • Contract performance (Article 6(1)(b)): Processing necessary to deliver the services you have contracted for, including platform access, invoicing, procurement, and trade finance
  • Legal obligation (Article 6(1)(c)): Processing required by applicable law, including anti-money laundering regulations, tax law, sanctions compliance, and financial services regulation
  • Legitimate interests (Article 6(1)(f)): Processing for purposes including fraud prevention, platform security, product improvement, and marketing to existing customers - where we have assessed that our interests do not override your privacy rights
  • Consent (Article 6(1)(a)): Processing for marketing communications to non-customers, and for non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing

Where we rely on legitimate interests, you have the right to object to that processing. Please see Section 8 for how to exercise this right.

Section 05

Sharing Your Data

We share personal data with third parties only where necessary and on a lawful basis. We do not sell personal data. The categories of recipients are:

Service providers and sub-processors

We use carefully selected sub-processors to help deliver our services. All sub-processors are bound by data processing agreements that require them to protect your data to at least the same standard as this Policy:

| Category | Purpose | Example providers |
| --- | --- | --- |
| Cloud infrastructure | Hosting and data storage | Amazon Web Services (EU-West regions) |
| Email delivery | Transactional and marketing emails | SendGrid, Mailchimp |
| Customer support | Support ticket management | Intercom, Zendesk |
| Analytics | Product usage analytics | Mixpanel, PostHog |
| Identity verification | KYC and document verification | Onfido, Jumio |
| Payment processing | Payment card processing | Stripe |
| Open Banking | Bank account connection | TrueLayer, Plaid |
| Error monitoring | Platform reliability monitoring | Sentry, Datadog |

A full and current list of our sub-processors is available at syneone.com/sub-processors. We will provide 30 days' notice of any new sub-processor and, where required, will send that notice by email to data controllers using our platform.

Finance and trade partners

To facilitate trade finance, invoice discounting, and PO finance, we share relevant financial and identity data with our banking and DFI partners - including HSBC, BNP Paribas, DEG, and IFC - solely for the purpose of assessing and providing finance products you have applied for. We share only the minimum data necessary for each application.

Marketplace counterparties

When you engage with suppliers or buyers on the SYNE Marketplace, your business profile, product requirements, and RFQ responses are shared with the relevant counterparties as part of the sourcing and contracting process. This is necessary to fulfil the purpose for which you listed or searched on the Marketplace.

ESG verification bodies

To verify supplier sustainability credentials, we share relevant data with accredited certification bodies and audit organisations. These organisations process data under their own privacy policies and accreditation requirements.

Regulatory and legal disclosure

We may disclose personal data to law enforcement authorities, regulators, courts, or other public authorities where required by applicable law, to comply with a legal obligation, or to protect the rights, property, or safety of SYNE One, our users, or the public. We will notify you of any such disclosure where we are legally permitted to do so.

Business transfers

If SYNE One undergoes a merger, acquisition, or sale of all or part of its business, personal data held by us may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer and any consequential changes to this Privacy Policy before they take effect.

Section 06

International Transfers

SYNE One primarily stores and processes personal data within the United Kingdom and the European Economic Area (EEA). However, some of our sub-processors operate in countries outside the UK/EEA, including the United States. Where data is transferred to countries that have not been recognised as providing an equivalent level of data protection, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's standard contractual clauses for transfers from the EEA, and the UK International Data Transfer Agreement (IDTA) for transfers from the UK
  • Adequacy decisions: We transfer data to countries that have received an adequacy decision from the UK Government or European Commission without requiring additional safeguards
  • Binding Corporate Rules: Where applicable, we rely on binding corporate rules approved by a relevant supervisory authority

You may request a copy of the safeguards we have in place for any specific international transfer by contacting our DPO at dpo@syneone.com.

Data residency options for enterprise customers: Enterprise customers may request data residency within a specific region (UK, EU, or Singapore). Please contact our sales team to discuss data residency requirements before signing a contract if this is a requirement for your organisation.

Section 07

Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes. Our standard retention periods are:

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Account and profile data | Duration of account + 3 years | Customer relationship management; legal claims |
| Financial transaction records | 7 years from transaction date | Tax law; AML regulations; audit requirements |
| KYC and identity verification | 5 years from relationship end | AML and financial regulation requirements |
| Contract and procurement records | 7 years from contract end | Commercial law limitation periods |
| ESG and sustainability reports | 10 years from report date | CSRD and regulatory audit requirements |
| Support communications | 3 years from ticket closure | Customer service; legal claims |
| Website analytics | 13 months (rolling) | Performance analysis; standard analytics practice |
| Marketing preferences | Until withdrawal of consent or 3 years of inactivity | Consent-based processing |
| Recruitment data (unsuccessful) | 6 months from decision | Legitimate interests; legal claims |
| Blockchain traceability records | Indefinite (immutable ledger) | Nature of blockchain technology; regulatory requirements |

When data is no longer required, we securely delete or anonymise it. Anonymised and aggregated data may be retained indefinitely for analytical and research purposes.

Note on blockchain records: Supply chain traceability data anchored to our blockchain ledger cannot be deleted due to the immutable nature of the technology. Such records reference transactions and do not contain personal data beyond company identifiers and transaction hashes. Where personal data is linked to such records, the link can be severed even if the underlying record cannot be deleted.

Section 08

Your Rights

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data. These rights apply in most circumstances - in some cases, legal obligations may limit our ability to fulfil certain requests.

🔍 Right of Access

Request a copy of all personal data we hold about you, along with information about how it is used and shared. We will respond within 30 days.

✏️ Right to Rectification

Request correction of inaccurate or incomplete personal data. You can update most data directly in your account settings.

🗑️ Right to Erasure

Request deletion of your personal data where we no longer have a lawful basis for processing it. Some data may be retained to meet legal obligations.

⏸️ Right to Restriction

Request that we restrict processing of your data in certain circumstances - for example, while you contest the accuracy of data we hold.

📤 Right to Portability

Receive personal data you have provided to us in a structured, machine-readable format, and transmit it to another controller.

🚫 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

🤖 Automated Decisions

You have the right not to be subject to solely automated decisions that have legal or significant effects on you. We do not make such decisions without human review.

↩️ Withdraw Consent

Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise your rights

Contact our Data Protection Officer at dpo@syneone.com, or submit a request via Settings → Privacy → Data Requests in your account. We will verify your identity before processing any request and respond within 30 calendar days (extendable to 90 days for complex requests, with notice).

There is no charge for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act.

Section 09

Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our website and platform. A cookie is a small text file stored on your device when you visit a website. We use the following categories of cookies:

| Category | Purpose | Consent required |
| --- | --- | --- |
| Strictly necessary | Authentication, session management, security, load balancing, and platform functionality essential to service delivery | No - always active |
| Functional / preference | Remembering your language preferences, dashboard layouts, notification settings, and other personalisation choices | Yes |
| Analytics | Understanding how users navigate the platform and website, measuring feature adoption, and improving user experience | Yes |
| Marketing | Measuring the effectiveness of our advertising, retargeting visitors with relevant content, and tracking conversions from ad campaigns | Yes |

You can manage your cookie preferences at any time via our Cookie Preference Centre, accessible from the footer of any page or from Settings → Privacy → Cookie Preferences when logged in.

For a complete list of all cookies we set, including names, purposes, and durations, please see our full Cookie Policy.

Section 10

Security

We implement technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, destruction, or damage. Our security programme includes:

  • Encryption at rest: All personal data stored on SYNE One infrastructure is encrypted using AES-256
  • Encryption in transit: All data in transit between your device and our servers is encrypted using TLS 1.3
  • Access control: Role-based access control limits data access to authorised personnel on a need-to-know basis. All internal access to production data is logged and audited
  • Multi-factor authentication: MFA is required for all SYNE One employee access to production systems and is strongly recommended for customer accounts
  • Penetration testing: We conduct annual independent penetration tests and quarterly automated vulnerability scanning
  • SOC 2 Type II and ISO 27001: Our information security management system is certified to ISO 27001 and independently audited to SOC 2 Type II standards annually
  • Incident response: We maintain a documented incident response plan and conduct regular tabletop exercises with our security team

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by law - within 72 hours for notifiable breaches under UK and EU GDPR.

To report a security vulnerability, please contact security@syneone.com. We operate a responsible disclosure programme and will acknowledge reports within 24 hours.

Section 11

Children's Data

SYNE One's platform and services are designed for use by businesses and professionals. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly.

If you believe a child has provided personal data to SYNE One, please contact our DPO at dpo@syneone.com and we will take immediate steps to remove the data.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will notify you by displaying a prominent notice on our website and within the platform, by sending an email notification to the address registered on your account, and by requiring acknowledgement of the updated policy on next login for changes that materially affect how we process your data.

The "Last updated" date at the top of this Policy reflects the most recent revision. We maintain an archive of previous versions, available on request from our DPO.

Your continued use of SYNE One's platform after notification of changes constitutes acceptance of the updated Policy.

Section 13

Contact & Complaints

Contacting us about privacy

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer:

Data Protection Officer - SYNE One Ltd
14 Curtain Road, Shoreditch, London, EC2A 3LT, United Kingdom
Email: dpo@syneone.com
General enquiries: legal@syneone.com

We aim to respond to all privacy-related enquiries within 5 business days and to complete substantive requests within 30 calendar days.

Supervisory authority complaints

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk - 0303 123 1113
  • European Union: The Irish Data Protection Commission (DPC) - dataprotection.ie
  • Singapore: Personal Data Protection Commission (PDPC) - pdpc.gov.sg

We always welcome the opportunity to address your concerns directly before you contact a supervisory authority, but you are entitled to contact the authority at any time.