Legal
Privacy Policy
How we handle personal data under Singapore’s PDPA.
1. About this policy
This Privacy Policy explains how registered entity name — to be finalised (“CorpSec AI”, “we”) collects, uses, discloses and protects personal data, in accordance with Singapore’s Personal Data Protection Act 2012 (PDPA).
It covers two different roles. For data about your own account and users, we act as an organisation/controller. For your clients’ personal data that you upload and process through the Service, you are the controlling organisation and we act as your data intermediary (processor) — that processing is governed by our Data Processing Agreement, which prevails over this policy for such data.
2. Personal data we collect
Depending on how you use the Service, we may collect:
- Account data: name, work email, role, firm name and login credentials.
- Usage and device data: log data, IP address, actions taken, and diagnostic information used to operate and secure the Service.
- Billing data: plan, invoices and payment metadata (card details are handled by our payment processor, not stored by us).
- Client data you upload (as processor on your behalf): company records, officer/beneficial-owner details and documents, which may include identifiers such as NRIC/passport numbers. We apply masking to such identifiers in the application and before they are sent to AI models.
3. How we use personal data
We use personal data to:
- Provide, operate, secure and improve the Service and support you.
- Authenticate users, administer accounts, roles and billing.
- Maintain audit logs and meet legal, regulatory and record-keeping obligations.
- Communicate service, security and (where permitted) product information.
- Detect, prevent and respond to fraud, abuse and security incidents.
4. AI processing and no training
The Service uses third-party AI models to generate drafts and analyses from the inputs you provide. Your data is not used to train AI models, and our AI providers are engaged under terms that prohibit training on your data. Identifiers such as NRIC/passport numbers are masked before content is sent to AI models where feasible.
5. Legal bases and consent
We process personal data to perform our contract with you, to comply with legal obligations, for our legitimate interests in operating and securing the Service, and, where required, with consent. For client data you upload, you are responsible for having the necessary consent or other lawful basis under the PDPA and for issuing any required notifications to individuals.
6. Disclosure and sub-processors
We do not sell personal data. We disclose personal data only to: (a) sub-processors who help us run the Service under appropriate contractual protections; (b) professional advisers; (c) authorities where required by law; and (d) a successor in a merger or acquisition. Our current sub-processors include cloud hosting, database/storage, AI model and payment providers, listed with their purpose and region on our Security page and in the DPA.
7. International transfers
The Service is hosted in Singapore. Some sub-processors may process limited data outside Singapore; where they do, we take steps to ensure a standard of protection comparable to the PDPA, consistent with the PDPA Transfer Limitation Obligation.
8. Retention
We retain personal data for as long as needed to provide the Service and for legitimate business, legal and record-keeping purposes. Because our customers are regulated corporate service providers, certain records and audit logs may be retained for the statutory periods applicable to them (for example, AML/CDD records for at least five years). Audit logs are append-only and are not edited or deleted.
9. Security
We apply administrative, technical and organisational safeguards described on our Security page, including encryption in transit and at rest, per-firm tenant isolation, access controls, identifier masking and immutable audit logging. No system is perfectly secure; you are responsible for safeguarding your credentials and configuring access appropriately.
10. Your rights
Subject to the PDPA and applicable law, individuals may request access to or correction of their personal data, and may withdraw consent. For client data we hold as your processor, please direct such requests to the controlling organisation (our customer); we will assist our customer in responding as set out in the DPA. To exercise rights in respect of data we control, contact our Data Protection Officer below.
11. Data Protection Officer & contact
Data Protection Officer: DPO name / role — to be appointed. Contact: privacy@corpsec.ai. Registered address: registered address — to be finalised, Singapore.
12. Changes
We may update this policy from time to time. Material changes will be notified by email or in-product notice, and the “last updated” date will change. Your continued use after changes take effect constitutes acceptance.