Privacy Notice
Effective 24 April 2026 · Version 1.1
Who we are
The OriginTrace platform is operated by SYSMERA LIMITED, acting as data controller for personal data collected through origintrace.app.
Contact our Data Protection Officer at dpo@origintrace.app.
What we collect
- Inquiry data — name, email, organisation, role, country, and free-text notes submitted via the pilot-inquiry or contact-sales forms.
- Minimal technical data — short-lived server logs used only to keep the site reliable and to block abuse.
We do not use tracking cookies, advertising pixels, or third-party analytics by default on this site.
Why we collect it
Inquiry data is processed so we can respond to your request. The legal basis is your explicit consent (ticked before submission) and our legitimate interest in replying to prospective partners.
Technical logs are processed under legitimate interest to keep the site reliable and to detect abuse.
How long we keep it
- Pilot and sales inquiries: up to 24 months from last contact, then deleted.
- Technical logs: up to 30 days.
- If you enter into a contract with us, contract-related data is retained for the durations required by Rwandan and other applicable law.
Data residency & sub-processors
Protecting the sovereignty of African data is a core commitment of this platform. We design around the following principles:
- In-region by default. Platform data (farmer records, plots, visits, deliveries) is stored in facilities located in, or equivalent to, the partner's country of origin wherever technically feasible.
- No unnecessary transfer. Data is not transferred out of Africa for operational convenience. Where a cross-border transfer is strictly required (for example, for an email reply to a correspondent overseas), it is governed by Standard Contractual Clauses or equivalent legal safeguards.
- Limited, audited sub-processors. We rely on a small set of commercial-grade service providers for hosting, email delivery, and domain security. Sub-processors are bound by written agreements that mirror the obligations we owe you.
- No routing through jurisdictions with incompatible surveillance regimes. Where public-internet routing is unavoidable, transport is end-to-end encrypted and no plaintext copies of personal data are stored outside the designated regional tier.
The current list of sub-processors, with locations and roles, is available to verified partners on request under NDA. Contact dpo@origintrace.app for the current register. A summary version forms part of every Data Processing Agreement we sign with cooperative partners.
Your rights
Under Rwandan data-protection law, the GDPR, and other applicable regimes, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent at any time
Email dpo@origintrace.app to exercise any of these. We respond within 30 days.
You may also complain to the Rwanda Data Protection Office or, if you are in another jurisdiction, the supervisory authority in your country of residence.
Platform data
Data captured inside the OriginTrace platform (farmer records, visits, deliveries, lot-level traceability) is owned by the participating cooperative and controlled by them, not by SYSMERA. Our role there is strictly as a processor under contract, governed by a Data Processing Agreement that addresses residency, access, retention, and exit.
Changes to this notice
Material changes will be announced at the top of this page and communicated by email where we have an email address for you. Minor clarifications are logged in the version history below.
1.1 · 24 April 2026 — tightened sub-processor disclosure to match African data-residency expectations; register now available on request.
1.0 · 24 April 2026 — initial publication.