Privacy Policy
This policy explains what personal information Winnow collects from you, how we use it, who we share it with, and the rights you have over it. We follow the Singapore Personal Data Protection Act 2012 ("PDPA") as our primary framework, with additional provisions for visitors covered by the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").
1. Who we are
"Winnow" (also "we", "us", "our") refers to the operators of the website at winnow.markets, currently a sole-proprietor venture based in Singapore, with incorporation as a Singapore private limited company pending. Until incorporation completes, the data controller for purposes of the PDPA, GDPR, UK GDPR, and applicable US state privacy laws is the natural person operating Winnow, contactable via the email below.
Winnow operates from Singapore and intentionally serves users in Singapore, the United States, the European Union, the United Kingdom, and other jurisdictions where it is lawful for us to do so. We have designed this policy to address the privacy frameworks of each of these jurisdictions.
Our designated Data Protection Officer (DPO) for purposes of PDPA section 11 is the operator named above. All privacy-related correspondence, including data subject requests and complaints, should be directed to enquiry@winnow.markets with the subject line "Privacy".
EU / UK representative. We have not currently appointed a representative under Article 27 of the GDPR or the equivalent provision under the UK GDPR. Our processing is occasional, does not involve special categories of personal data at scale, and is unlikely to result in a risk to the rights and freedoms of natural persons. If our processing scale or risk profile changes such that an EU or UK representative becomes required, we will appoint one and update this policy accordingly. EU and UK data subjects may continue to contact us directly at the email above.
2. What personal information we collect
We collect the minimum information necessary to operate the service. Specifically:
2.1 Information you provide directly
- Email address — when you sign up for our newsletter or briefings via any signup form on our site.
- Source attribution tag — when you submit a signup form, we record which page or briefing the form was submitted from (e.g. "hero", "briefing-corn-cot"). This is used internally to understand which content drives signups.
- Correspondence content — if you email us directly, we retain the content of your message and our reply.
2.2 Information collected automatically
- Server logs — our hosting provider (Vercel) records technical information about each request to our site, including IP address, user agent, request timestamp, and requested URL. This data is used for security, debugging, and operational purposes.
- No cookies, no analytics trackers, no fingerprinting — as of the effective date of this policy, our website does not set cookies, run third-party analytics, or use device fingerprinting. If we add any of these in the future, we will update this policy and, where required, request your consent.
2.3 What we do not collect
- Names (unless you voluntarily provide them in correspondence)
- Phone numbers
- Payment information (our current offering does not accept payment; a future paid tier will be handled by a regulated payment processor and disclosed via an updated policy)
- Sensitive personal data as defined by GDPR Article 9 (racial origin, political opinions, health data, etc.)
- Information about minors — see Section 11
3. Why we collect this information and our legal basis
| Purpose | Information used | Legal basis (PDPA / GDPR) |
|---|---|---|
| Deliver newsletter and briefings you subscribed to | Email address, source tag | Your consent (PDPA s.13; GDPR Art. 6(1)(a)) |
| Respond to correspondence you initiate | Email address, message content | Legitimate interest in operating the service (PDPA Schedule 1; GDPR Art. 6(1)(f)) |
| Site security, abuse prevention, debugging | Server logs | Legitimate interest (GDPR Art. 6(1)(f)) |
| Internal analytics on which content drives signups | Source attribution tag | Legitimate interest (GDPR Art. 6(1)(f)) |
We do not sell personal information to third parties under any circumstances. This applies regardless of jurisdiction and is restated in Section 9 below for CCPA purposes.
4. Third-party service providers (data processors)
We rely on a small number of third-party providers to operate Winnow. Each of these is a "data processor" acting on our instructions, governed by a data processing agreement or equivalent contractual terms. We have selected providers with strong privacy practices, but we encourage you to review their privacy policies directly.
| Provider | Function | Data accessed | Location |
|---|---|---|---|
| Beehiiv | Newsletter delivery and subscriber management | Email address, source tag, subscription status | United States |
| Vercel | Website hosting and serverless function execution | Request logs (IP, user agent, URL) | Global edge network; primary processing in United States |
| Cloudflare | DNS resolution and email routing for our enquiry@winnow.markets address | Email metadata for forwarded messages; DNS query logs | Global; primary processing in United States |
5. International transfers of personal data
Because our processors are based primarily in the United States, your personal information may be transferred outside Singapore and outside the European Economic Area or United Kingdom. We rely on the following safeguards:
- For PDPA transfers: our processors are contractually bound to provide a standard of protection comparable to that under the PDPA, satisfying section 26 of the PDPA and Regulation 10 of the Personal Data Protection Regulations 2021.
- For GDPR transfers: we rely on European Commission Standard Contractual Clauses (SCCs) executed with each processor, supplemented by their internal technical and organisational measures.
- For UK GDPR transfers: we rely on the UK International Data Transfer Addendum to the EU SCCs.
If you would like a copy of the relevant transfer documentation, contact us at the address above.
6. How long we retain your information
- Newsletter subscribers: we retain your email address and source tag for as long as you remain subscribed, plus a 30-day buffer after unsubscription to handle reactivation and avoid accidental re-import.
- Correspondence: we retain email correspondence for up to 24 months from the last message, after which it is deleted unless an active matter requires longer retention.
- Server logs: our hosting provider retains request logs for up to 30 days for operational and security purposes.
When the retention period ends or when you exercise your right to deletion, we will delete your personal information from our active systems. Limited residual copies may remain in encrypted backups for up to 90 days; these are not used for any purpose and are overwritten in the normal course of operations.
7. Your rights
7.1 Under the Singapore PDPA
You have the right to:
- Withdraw consent for the processing of your personal information at any time (PDPA s.16). For our newsletter, you can do this via the one-click unsubscribe link in every email, or by emailing us.
- Access the personal information we hold about you and information about how it has been used or disclosed in the past 12 months (PDPA s.21).
- Correct personal information that is inaccurate or incomplete (PDPA s.22).
- Make a complaint to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg if you believe we have not handled your data in accordance with the PDPA.
7.2 If you are in the EU, UK, or EEA (under GDPR / UK GDPR)
In addition to the above, you have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk; in the EU, your national data protection authority)
7.3 If you are in the United States
The US does not currently have a federal privacy law of general application. Your rights depend on the state in which you reside. We extend the following rights to all US users regardless of state of residence:
- Right to know what personal information we collect, use, and disclose
- Right to access a copy of personal information we hold about you
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information — not applicable here because we do not sell or share personal information as those terms are defined under any US state privacy law
- Right to limit use of sensitive personal information — not applicable here because we do not collect sensitive personal information
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights
These rights derive from, among others, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and the Texas Data Privacy and Security Act (TDPSA). Residents of other US states with applicable privacy laws have equivalent rights under their respective state laws.
Authorized agents. Where state law permits (such as under CCPA), you may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority and your identity before responding.
Shine the Light (California Civil Code §1798.83). We do not share personal information with third parties for their direct marketing purposes, so there is nothing to disclose under this provision.
7.4 How to exercise your rights
To exercise any of these rights, email us at enquiry@winnow.markets with the subject "Privacy Request" and describe what you would like us to do. We will respond within 30 days for PDPA/GDPR requests and 45 days for CCPA requests. We may need to verify your identity by confirming you have control of the email address associated with your data.
8. Security
We take reasonable technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include:
- HTTPS encryption for all traffic between your browser and our servers
- Encrypted storage of subscriber data by our newsletter provider
- Access controls limiting who can view subscriber lists (currently: only the operator)
- No storage of payment information (we do not yet accept payments)
- Use of established, security-reviewed service providers (Beehiiv, Vercel, Cloudflare)
No internet-based service can guarantee absolute security. If we become aware of a personal data breach that is likely to result in significant harm, we will notify affected individuals and the PDPC (and other relevant authorities) as required by law.
9. We do not sell your personal information
For the avoidance of doubt: we do not sell, rent, trade, or otherwise transfer personal information to third parties for marketing or monetary consideration. This applies regardless of jurisdiction. We have never sold personal information and we have no plans to do so.
10. Cookies and similar technologies
As of the effective date of this policy, winnow.markets does not use cookies, web beacons, pixel tags, or similar tracking technologies. This is by design.
If we add any such technology in the future (for example, a privacy-respecting analytics tool), we will:
- Update this policy with a description of what is set and why
- Where required by law (including under the EU ePrivacy Directive and Singapore's voluntary cookie guidance), present a consent banner allowing you to accept, reject, or customise
11. Children's privacy
Winnow is not directed at, designed for, or intentionally targeted at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such information, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. When we do, we will:
- Change the "Last updated" date at the top of this page
- Where the change is material, notify current subscribers via email at least 14 days before the new policy takes effect
- Preserve previous versions of this policy in our records for at least 24 months and make them available on request
Continued use of our service after a policy change indicates your acceptance of the updated policy. If you do not agree to the changes, you may withdraw consent and request deletion of your information at any time.
13. How to contact us
For any questions, requests, or complaints about this policy or our handling of your personal information:
- Email: enquiry@winnow.markets (subject line: "Privacy")
- Postal address: Available on request, for verified data subject requests requiring documented correspondence
For complaints you believe we have not adequately addressed:
- Singapore (PDPC): pdpc.gov.sg
- UK (ICO): ico.org.uk
- EU: your national data protection supervisory authority
- California: California Privacy Protection Agency at cppa.ca.gov
- Other US states: your state Attorney General's office
This policy reflects our practices as of the effective date above. We have drafted it to reflect the actual data we collect and the actual purposes for which we use it; we have not included generic boilerplate that does not apply to our service.