Privacy Policy

Sinlung Tech ("we," "our," or "us") is a technology infrastructure and product development company. We design, build, and operate digital products on behalf of our clients. This Privacy Policy explains how we collect, use, and protect information processed through our infrastructure, including data received from applications we develop and manage for our clients.

This policy applies to the Sinlung Tech website, our internal infrastructure and services, and data processed on behalf of our client applications.

1. Our Role as a Data Processor and Controller

Sinlung Tech operates in two capacities with respect to personal data:

• Data Controller: For data collected directly through our own website and business operations (such as contact form submissions, business inquiries, and direct communications).
• Data Processor / Infrastructure Partner: For data received from client applications that we develop and manage. Our clients are the data controllers for their end users. We process this data to provide technology infrastructure services, including authentication, hosting, analytics, and platform operations.

2. Information We Collect

2.1 From Our Own Website and Business

• Name, email address, and message content submitted through contact forms
• Business inquiry details
• Website usage data (pages visited, browser type, IP address)

2.2 From Client Applications

As the technology infrastructure partner for our client applications, we manage and process data entrusted to us by our clients. Where a client entrusts Sinlung Tech with data management, we process all data within the scope of that engagement, which may include but is not limited to:

• Email addresses and authentication credentials
• User profile information (name, display name, profile photo)
• Authentication tokens and session data
• Device identifiers and push notification tokens
• Transactional data (order history, purchase values, product interactions)
• Usage data, browsing behaviour, and interaction logs

The specific data managed varies by client application and is determined by the scope of services we provide. Where a client self-manages certain aspects of their data, we process only the data within our designated scope.

3. How We Use Information

3.1 Infrastructure and Service Operations

• Providing authentication and identity services across client applications
• Operating and maintaining our Single Sign-On (SSO) infrastructure, where configured for client applications
• Hosting, deploying, and monitoring client applications and their databases
• Delivering push notifications and communication services
• Ensuring platform security, uptime, and performance

3.2 Analytics, Audit, and Research

For data entrusted to us by our clients, Sinlung Tech may use managed data for:

• Internal audit and security analysis of managed infrastructure
• Business analysis, usage research, and data-driven insights to improve our services
• Generating aggregated, anonymised insights to inform product development and service improvements
• Analysing usage and transactional patterns to optimise infrastructure, authentication, and platform performance

All such analysis is conducted within the confidentiality boundaries of each client — data from one client is never exposed to or used in the context of another client.

3.3 Identity and SSO Services

We operate authentication infrastructure that may utilise third-party identity providers (such as social networks, cloud authentication services, and enterprise identity platforms) as well as our own proprietary SSO service. The specific identity providers used for any given client application are determined by Sinlung Tech based on technical and security requirements, and may change without notice to end users. Where our SSO service is configured, user identity data may be linked across multiple client applications to provide a unified authentication experience — this is only done with appropriate authorisation and in accordance with the respective client application's terms.

3.4 Business Operations

• Responding to business inquiries and contact form submissions
• Managing client relationships
• Complying with legal obligations

4. Data Isolation Between Client Products

By default, user data from different client applications is logically isolated within our infrastructure. Data from one client application is not accessible to or shared with another client application unless:

• The end user has provided explicit authorisation for cross-product data linking (e.g., through SSO consent)
• The client applications are operated by the same client entity and have obtained appropriate user consent
• Required by law or legal process

5. How We Share Information

We do not sell personal information to third parties. We may share information in the following circumstances:

• Infrastructure Providers: We utilise third-party cloud services, databases, authentication platforms, and hosting providers to operate our infrastructure. These providers process data on our behalf under contractual obligations and their own privacy policies. The specific providers used are determined by Sinlung Tech and may change based on technical requirements.
• Client Applications: Data processed on behalf of a client application is accessible to that client in accordance with our service agreement with them.
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred as part of the transaction.

6. Data Retention

We retain data for as long as necessary to provide our services:

• Client application data: Retained for the duration of our service agreement with the client. Upon termination of a client relationship, data is deleted or returned to the client within 90 days, except where retention is required by law.
• Identity and SSO data: Authentication records are retained for as long as the associated user account is active within any client application utilising our identity services.
• Business communications: Retained for up to 3 years for business relationship management.
• Aggregated analytics: Anonymised and aggregated data may be retained indefinitely as it cannot be used to identify individuals.

7. Data Security

We implement industry-standard technical and organisational measures to protect data processed through our infrastructure, including:

• Encryption in transit (TLS/HTTPS) and at rest
• Access controls and role-based permissions
• Regular security assessments and monitoring
• Secure development practices and code review
• Infrastructure monitoring and incident response procedures

8. Data Breach Notification

In the event of a data breach affecting personal information processed through our infrastructure, we will:

• Notify affected client(s) within 72 hours of becoming aware of the breach
• Provide details of the nature, scope, and impact of the breach
• Cooperate with clients in notifying affected end users as required by applicable law
• Take immediate steps to contain and remediate the breach

9. User Rights

If you are an end user of a client application operated on our infrastructure, your primary point of contact for exercising data rights (access, correction, deletion) is the client application itself. The client application's privacy policy governs your relationship with that service.

If you wish to exercise data rights with respect to information held directly by Sinlung Tech (e.g., from our website or business communications), or if a client application has directed you to us, please contact us at privacy@sinlungtech.com.

10. Client Obligations

Our client applications are responsible for obtaining appropriate user consent for the collection and processing of personal data, including disclosure that data may be processed through Sinlung Tech's infrastructure. Clients must maintain their own privacy policies that accurately describe their data practices and reference Sinlung Tech as their technology infrastructure partner.

11. Children's Privacy

Our infrastructure services are not directed at children under the age of 13. We do not knowingly process personal information of children under 13 unless a client application is specifically designed for a younger audience and has obtained appropriate parental consent. Our clients are responsible for compliance with applicable children's privacy laws within their applications.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated revision date. We will also notify our clients of significant changes that may affect data processing under our service agreements.

13. Contact Us

For questions about this Privacy Policy or our data practices:

• Email: privacy@sinlungtech.com
• General inquiries: hello@sinlungtech.com