Privacy and data handling
What Sylva stores, where it lives, who else touches it, and for how long. Written to be read, not skimmed past.
Updated 12 June 2026
Who is responsible
Sylva is operated by Vimix AS (org. no. NO 935 850 983, Norway). For the data you enter about your own organisation and supply chain, your organisation is the controller and Vimix AS processes it on your behalf to provide the service. For contact and account information, Vimix AS is the controller. Questions go to martin@vimix.no.
What Sylva stores
- Account data: name, work email, and the organisation you belong to.
- Due-diligence records your organisation enters: suppliers and their contact details, plot geometries, shipment cases, risk assessments, legality documents and certificates, and the audit trail of who did what and when.
- Supplier intake submissions: when you send a supplier an intake link, what they submit (plot lists, documents, messages) is staged for your review. The supplier needs no account, and the link can be revoked at any time.
- Satellite screening results for the plots you screen, kept as evidence with the date and data sources of each run.
Where it is hosted
The database and document storage run on Supabase in the EU (Frankfurt, eu-central-1). The application is served by Vercel. Data is encrypted in transit, and every database query is scoped to your organisation at the database layer, so one tenant can never read another’s rows. Sign-in supports optional two-factor authentication, and passwords are checked against known breach databases before they are accepted.
Who else processes data, and when
- Supabase (EU, Frankfurt): database, file storage and authentication. Always.
- Vercel: application hosting, delivery and anonymised page statistics (Web Analytics). Always.
- FAO Open Foris WHISP and Copernicus Data Space: plot coordinates are sent for deforestation screening and satellite imagery when you run a screen. Coordinates only, never names or documents.
- Anthropic: when you use an AI-assisted feature (document reading, drafting, the in-app assistant), the relevant document or query is processed by the Claude API. AI features are optional, drafts are never saved without your review, and nothing is used to train models.
- Resend: sends the weekly digest email, if your organisation enables it.
How long records are kept
The EUDR itself sets the floor: operators must keep due-diligence records for five years (Art. 4(3) and Art. 5(5)), so case files, evidence and audit trails are retained accordingly while your account is active. If you leave, you can export your records first; the register export and the authority package exist for exactly that. Contact and account data is deleted on request where no legal retention duty applies.
Your rights
People whose data appears in the system (users, supplier contacts) can ask for access, correction or deletion via martin@vimix.no. Where your organisation is the controller, requests are routed to it. Deletion requests are honoured unless the record falls under the five-year EUDR retention duty, in which case that is the answer you will get, with the legal basis.
Page statistics, no tracking
sylva.land uses Vercel Web Analytics to count page visits: which pages are read and roughly how often. It sets no cookies, and the counts are aggregated and anonymised, so we see numbers, not people, and nothing follows you to other sites. There are no advertising trackers or third-party cookies. The only cookies on the site are the ones that keep you signed in to the app.