This is Synthesis Pte Ltd (Synthesis) uses publicly available data to identify insights and trends in consumer behaviour and language. We deliver these insights to brands and companies who in turn use them to improve their products and services.
Data protection and respecting individuals’ right to privacy is a high priority for us. The purpose of this document is to disclose the measures we have put in place with regards how we use individuals’ data; comply with relevant local and international legislation; protect the rights of our staff, clients and partners; and protect against the risks of a data breach.
Everyone who works for or with Synthesis has responsibility for ensuring data is collected, stored and handled appropriately as laid out in this document.
Any questions should be directed to our Data Protection Officer, Harriet Robertson (firstname.lastname@example.org) or the board of directors. These parties have responsibility for:
1. Data Minimisation. We only collect the data we need for the task in hand and for historical benchmarking. We do not collect, process or store data excessively, e.g. without a specific purpose or ‘in case it becomes useful at a later date’. We do not collect sensitive data (see below).
2. Anonymisation. As far as possible, we work with fully anonymised data. This means it is impossible to trace back from one of our data points to an individual person. We do this by removing altogether or scrambling personal identifiers such as name/usernames and generalising or aggregating other identifiers such as geo-tagging so that they cannot be used to trace or track back to an individual.
N.B. Anonymised data is not considered personal and therefore does not fall under the scope of the GDPR (see GDPR Recital 26).
3. Pseudonymisation. Where we cannot fully anonymise data, we collect, process and store data in a way that can no longer be attributed to a specific individual (GDPR Art. 4(5)). This means if a data leak occurred it would be possible, but very hard for a 3rd party to attribute our data points back to an individual. We do this by encryption of personal identifiers and/or storing separately any other information which could allow an individual to be personally identified.
4. Being forgotten. Our data collection, processing and storage respect an individual’s right to be forgotten. This means if we collect content from a public platform that is later made private or deleted it will automatically be removed from our data set. We do this by storing only the link to content, not the content itself, following Data Minimisation procedures.
5. Confidentiality. Data is never be shared with unauthorised third parties outside Synthesis, even informally.
6. Security. Our data is stored on Google Cloud Platform (GCP) and is password protected, restricted to authorised team members and all access history is logged. We operate a clean desk policy to minimise the risk of data breach from physical documents.
We collect data from Public Sources and Anonymised Data Sources such as (but not restricted to) those listed below.
The data we collect is always already in the public sphere. The mechanisms of each platform/source mean that individuals have consented to placing their data in the public realm according to local laws. We collect data in such a way that if individuals remove their data from the public sphere this is reflected in our data set. We do this by storing only the link to content, not the content itself.
We do NOT use data collection methods to access content from closed or private spaces within social platforms.
We do NOT collect sensitive data about individual, e.g. relating to the following categories:
We operate non-personalised data processing methods. This means our processing tools are designed to aggregate and generalise data to look for macro patterns. We do not, and cannot, use the data we collect to build detailed pictures of individuals.
We do work with broad typologies, but take careful steps to ensure this is contextual and aggregated information. We never look at the specifics of personal data that could identify an individual. For example we might process data by geography to look for patterns at a country/ city level, but we would never collect or process data that specifically tracked an individual across specific locations; or we might process data to identify differences across genders, but we would never collect or process data based on sexual preference or link to genetic identifiers.
We anonymise and/or psuedynomise data during processing to protect the privacy of individuals behind the data points we collect. This means we obscure or allocate a code name to each piece of content and remove personal data identifiers such as a full name, an identification number, location data or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Art 4).
Our data is stored on Google Cloud Platform (GCP). We take the following steps to ensure this is a secure space, protected from unauthorised access, accidental deletion and malicious hacking attempts.