Privacy Notice
How Palindrome handles personal data. For privacy questions or data-rights requests, contact privacy@palindrome.my.
Effective date: May 22, 2026
Who We Are
Palindrome provides ESG, sustainability, governance, evidence, approval, and reporting software for business customers.
For privacy questions or data-rights requests, contact privacy@palindrome.my.
Data We Collect
We may collect account and operations information such as name, email address, role, organization, invite status, authentication activity, support communications, security events, and product administration records.
Customers may enter or upload workspace content including ESG records, environmental metrics, governance records, employee or worker information, salary or diversity fields, migrant worker passport or permit details, privacy complaints, grievances, policies, certificates, uploaded evidence files, generated reports, customer ESG packs, import metadata, and audit history.
Uploaded spreadsheet imports are parsed for supported modules; Palindrome keeps import metadata by default and does not retain the uploaded spreadsheet file unless a future feature explicitly says otherwise.
How We Use Data
We use personal data for PDPA-aligned service purposes: account access, authentication, role permissions, organization workspaces, ESG data entry, approvals, evidence tracking, audit history, exports, generated reports, customer ESG packs, public report share links, support, security monitoring, abuse prevention, legal administration, and compliance administration.
We use workspace data to provide the functions customers request, including calculations, dashboard summaries, readiness checks, approval workflows, retention exports, deletion/anonymization requests, and evidence cleanup tracking.
We do not sell personal data.
Customer Workspace Data
Where a customer enters or uploads personal data into its Palindrome workspace, the customer is usually responsible for deciding what data is collected, why it is collected, and whether it may be uploaded to Palindrome.
Palindrome processes customer workspace data to provide the service and follows customer instructions subject to product, security, legal, and retention requirements.
Disclosure And Service Providers
We may disclose or make data available to service providers that help us provide Palindrome, such as hosting, database, storage, authentication, email routing, analytics, monitoring, support, and professional services providers.
Supabase is Palindrome's current infrastructure provider for hosted database, authentication, and file storage. We may update service-provider categories as the product changes.
We may also disclose data where required by law, to protect the service, to enforce agreements, or as part of a business transaction.
Current Hosting And Cross-Border Processing
Palindrome's current Supabase project is hosted in Singapore (`ap-southeast-1`). This means Palindrome currently uses cross-border processing and storage outside Malaysia.
The previous Sydney (`ap-southeast-2`) hosting posture is no longer the active production posture after the Singapore migration.
Where data is processed or stored outside Malaysia, Palindrome relies on contractual, technical, and organizational safeguards with its infrastructure providers. Customers should not describe the current service as locally hosted in Malaysia.
Retention
We keep personal data only for as long as needed for the purposes described in this notice, the customer agreement, the retention schedule, security needs, legal obligations, audit requirements, dispute resolution, deletion proof, or legitimate business records.
Admins can create retention requests, generate export packages, record legal holds, and request deletion, anonymization, or personal-data minimization through the current retention controls. A legal hold blocks destructive execution, and the default account-termination posture uses a 30-day export window before deletion or anonymization.
Higher-risk personal data, such as worker identifiers, salary, complaint, grievance, passport, permit, or sensitive evidence data, should be minimized, masked, deleted, or anonymized when the purpose no longer applies.
Deletion or anonymization affects the live workspace first. Database rows may remain in Supabase backup systems until the provider backup window expires, and database backups do not restore deleted Supabase Storage objects.
Rights And Requests
Subject to applicable law and verification, individuals may request access to personal data, correction of personal data, deletion where applicable, anonymization or minimization where applicable, withdrawal or limitation of processing where applicable, portability where applicable, or information about how personal data is handled.
If a request relates to data inside a customer workspace, Palindrome may need to refer the request to the customer or coordinate with the customer because the customer controls that workspace content.
Requests can be sent to privacy@palindrome.my. Palindrome may need to verify the requester, identify the relevant customer workspace, and preserve limited audit or legal records even after a deletion or anonymization request.
Security
Palindrome uses Supabase-backed organization scoping, row-level security, role permissions, authentication, audit logs, retention audit events, and operational safeguards to protect customer workspaces.
Customers are responsible for managing user access, collecting data lawfully, limiting unnecessary personal data, reviewing generated outputs, and sharing exports or public report links only with authorized recipients.
Supabase is responsible for the security controls it provides as Palindrome's hosted infrastructure provider. Palindrome remains responsible for configuring and using those services appropriately in the product.
Updates
Palindrome may update this notice when the product, legal obligations, service providers, hosting region, or retention controls change.
This notice describes Palindrome's current posture and product controls. It is not a certification that a customer's own PDPA program is complete.
Bahasa Malaysia Version
Before publication for Malaysian data subjects, Palindrome should provide a Bahasa Malaysia version of the Privacy Notice and any required choices, or obtain legal advice on the required publication sequence and wording.
Contact
For legal, privacy, or data-rights questions, contact privacy@palindrome.my.