Privacy Policy

This Privacy Policy explains how Origin Run Pte. Ltd. ("Origin Run", "we", "us", or "our") collects, uses, discloses, and protects information when you use the Origin Run Platform — an AI-powered manufacturing ERP. The Platform processes sensitive operational information (e.g., production data, invoices, packing lists, batch records), AI-generated content (e.g., work order drafts, quality insights, smart reminders), digitally signed documents, and personal data (e.g., staff contact details, vendor contacts, signatory information).

Related: Terms and Conditions.

1. Roles: Controller vs. Processor

• Customer Content: For Trade Data and documents uploaded by a Customer, Origin generally acts as a service provider / processor on the Customer’s instructions.
• Platform Operations: For account creation, authentication, billing/admin, fraud prevention, and platform security, Origin may act as a controller of certain personal data.

2. Information We Collect

2.1 Account and Identity Data

• Name, email address, phone number, job title/role, organization identifiers.
• Authentication signals (e.g., OTP verification events) and account settings.

2.2 Business and Trade Workflow Data

• Company profiles, counterparties, contacts, and relationship metadata.
• Trade capture: commodity, quantity, unit, incoterms, payment terms, prices, formulas, tolerances, laycan windows, and notes.
• Subcontracts, contract status, generation and delivery events.
• Logistics data: ports, shipments, vessel details, ETD/ETA, tracking events, documents, and operational fields (e.g., demurrage, laytime).
• Invoices, invoice numbers, tax/GST classification where applicable, and supporting documentation.
• Commission tracking: salesperson/referral agent identifiers and computed commission entries.

2.3 Document Generation Data

• Inputs used to generate commercial invoices, proforma invoices, packing lists, credit/debit notes, and contract PDFs (e.g., line items, quantities, pricing, banking details, shipping marks).
• Generated document metadata: document type, generation timestamps, version history, and distribution records.
• Template selections, clause choices, and formatting preferences used during document creation.

2.4 Digital Signing Data

• Signatory information: names, email addresses, job titles, and organizational affiliations of persons invited to sign documents.
• Signing events: timestamps, IP addresses, completion status, and access logs for each signing session.
• Document state: signed/unsigned status, signing order, and sealed document records.

2.5 AI and Insights Data

• Inputs to AI features: trade data, deal parameters, and natural language queries submitted through the dashboard or WhatsApp.
• AI-generated outputs: contract drafts, risk scores, deal analysis narratives, actionable insights, and executive summaries.
• Smart reminder triggers: deadline dates, certification expiry dates, payment due dates, demurrage thresholds, and the reminder/alert events generated from them.
• Conversation history for WhatsApp AI interactions (stored per-user within the organization's tenant).

2.6 Compliance and Verification Data (if enabled)

• KYC/KYB information such as identification documents, beneficial ownership information, and screening outcomes where required for compliance.
• Sanctions and adverse media screening: counterparty names and identifiers submitted to OpenSanctions for screening against international watchlists, PEP lists, and sanctions registers.
• EUDR geolocation data: plot coordinates and country-of-origin data for supply chain traceability statements under the EU Deforestation Regulation.
• ISCC certification records: certificate identifiers, expiry dates, commodity scopes, and mass balance account data for sustainability compliance tracking.

2.7 Technical and Usage Data

• Device and browser metadata, IP address, timestamps, and basic telemetry logs.
• Security logs and audit events (e.g., login attempts, permission changes, document access) to protect the Platform.

3. How We Use Information

• Provide the Services: operate trade workflows, generate documents (invoices, packing lists, contracts, credit/debit notes), and enable collaboration with counterparties.
• Document Generation: populate and render invoices, packing lists, and other commercial documents from your Trade Data inputs.
• Digital Signing: facilitate electronic signature workflows, authenticate signatories, record signing events, and maintain audit trails.
• AI Features: generate contract drafts, deal risk analysis, actionable insights, and smart reminders from your organization's data. Your data is processed within your tenant and is not used to train models for other customers.
• Smart Reminders: monitor deadlines, certification expirations, payment due dates, and operational thresholds to proactively generate alerts and notifications.
• Security and fraud prevention: detect abuse, protect accounts, and maintain audit logs.
• Support: respond to requests and troubleshoot issues.
• Compliance: meet legal obligations (e.g., AML/CTF, sanctions, record-keeping) where applicable.
• Improve the Platform: debug, test, and improve performance and usability (using aggregated, anonymized data where possible).

4. Legal Bases (where applicable)

Depending on your jurisdiction, we may process personal data based on one or more of the following legal bases: performance of a contract, legitimate interests (e.g., platform security), compliance with legal obligations, and/or consent (where required).

5. How We Share Information

We do not sell personal data. We may share information as follows:

• With counterparties: sharing trade documents and contact details required to execute the specific trade workflow you initiate.
• With vendors/processors: hosting, storage, messaging/email delivery, analytics/monitoring, and verification providers under confidentiality and data processing obligations. Key sub-processors include:
  • OpenAI: powers AI Copilot features (natural language queries, contract drafts, insights). Your trade data is sent to OpenAI's API under a zero-retention data processing agreement — OpenAI does not use your data to train its models.
  • Sentry: application error monitoring. Error reports may include de-identified request context. No trade content or personal trade data is intentionally included in error payloads.
  • AISStream.io: real-time AIS vessel position data. The Platform transmits MMSI numbers of vessels in active shipments to subscribe to live position feeds. No trade or personal data is shared.
  • OpenSanctions: sanctions and adverse media screening. Company names and identifiers of counterparties are submitted for screening against international sanctions lists. Screening is limited to name/identifier matching.
  • Meta (WhatsApp Business API): message delivery and webhook processing for WhatsApp integrations. Messages sent via WhatsApp are routed through Meta's infrastructure and subject to Meta's data policies.
  • Alpha Vantage / Commodities-API: live commodity price data for benchmark pricing. No personal or trade data is sent — only benchmark code lookups.
• For legal reasons: when required by law, regulation, court order, or to protect rights, safety, and security.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets (subject to appropriate safeguards).

6. Data Retention

We retain data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain business records. Trade and invoice records may be retained for extended periods due to commercial and regulatory requirements.

7. Security

We use administrative, technical, and organizational safeguards designed to protect data, including:

• Multi-tenant data isolation (each organization's data is architecturally separated).
• Role-based access controls and permission management.
• Encryption in transit (TLS) and at rest for sensitive data.
• Audit logging of document access, signing events, and administrative actions.
• Secure signing links with unique tokens for counterparty document access.
• Session management and automatic session expiration.

No method of transmission or storage is completely secure; you should also use strong credentials and appropriate internal access controls.

7a. AI Data Processing

The following principles govern how we handle data in connection with AI Features:

• Tenant Isolation: AI Features operate exclusively on your organization's data within your tenant. Your Trade Data is never shared with, visible to, or used to improve services for other customers.
• No Cross-Tenant Training: We do not use your Content or Trade Data to train machine learning models for other organizations.
• Third-Party AI Providers: Some AI capabilities may use third-party language model providers. When third-party AI services are used, data is transmitted securely and subject to data processing agreements that prohibit the provider from retaining or training on your data.
• AI Output Retention: AI-generated outputs (insights, risk scores, contract drafts) are stored within your tenant and subject to the same data retention and deletion policies as other Content.
• Human Oversight: AI Features are designed to augment, not replace, human decision-making. All AI outputs require user review before action.

8. International Transfers

Your data may be processed in countries other than where you are located. Where required, we implement appropriate safeguards for cross-border transfers.

9. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to processing of personal data, and to request portability.

Because much of the Platform content is business/trade data controlled by the Customer, requests may need to be handled via your organization’s administrator.

10. Cookies and Similar Technologies

We may use cookies or similar technologies for session management, security, preferences (e.g., theme), and basic analytics. You can control cookies through your browser settings, but some features may not function properly.

11. Children’s Privacy

The Services are not directed to children, and we do not knowingly collect personal data from children.