Legal

Privacy Policy

How we handle personal data under Singapore’s PDPA.

Last updated: 9 July 2026

Template — review with legal counsel before launch. This document is provided as a practical starting point for a Singapore-based corporate secretary provider. It is not legal advice and must be reviewed and adapted by qualified counsel before you rely on it.

1. About this policy

This Privacy Policy explains how registered entity name — to be finalised (“CorpSec AI”, “we”) collects, uses, discloses and protects personal data, in accordance with Singapore’s Personal Data Protection Act 2012 (PDPA).

It covers two different roles. For data about your own account and users, we act as an organisation/controller. For your clients’ personal data that you upload and process through the Service, you are the controlling organisation and we act as your data intermediary (processor) — that processing is governed by our Data Processing Agreement, which prevails over this policy for such data.

2. Personal data we collect

Depending on how you use the Service, we may collect:

  • Account data: name, work email, role, firm name and login credentials.
  • Usage and device data: log data, IP address, actions taken, and diagnostic information used to operate and secure the Service.
  • Billing data: plan, invoices and payment metadata (card details are handled by our payment processor, not stored by us).
  • Client data you upload (as processor on your behalf): company records, officer/beneficial-owner details and documents, which may include identifiers such as NRIC/passport numbers. We apply masking to such identifiers in the application and before they are sent to AI models.

3. How we use personal data

We use personal data to:

  • Provide, operate, secure and improve the Service and support you.
  • Authenticate users, administer accounts, roles and billing.
  • Maintain audit logs and meet legal, regulatory and record-keeping obligations.
  • Communicate service, security and (where permitted) product information.
  • Detect, prevent and respond to fraud, abuse and security incidents.

4. AI processing and no training

The Service uses third-party AI models to generate drafts and analyses from the inputs you provide. Your data is not used to train AI models, and our AI providers are engaged under terms that prohibit training on your data. Identifiers such as NRIC/passport numbers are masked before content is sent to AI models where feasible.

6. Disclosure and sub-processors

We do not sell personal data. We disclose personal data only to: (a) sub-processors who help us run the Service under appropriate contractual protections; (b) professional advisers; (c) authorities where required by law; and (d) a successor in a merger or acquisition. Our current sub-processors include cloud hosting, database/storage, AI model and payment providers, listed with their purpose and region on our Security page and in the DPA.

7. International transfers

The Service is hosted in Singapore. Some sub-processors may process limited data outside Singapore; where they do, we take steps to ensure a standard of protection comparable to the PDPA, consistent with the PDPA Transfer Limitation Obligation.

8. Retention

We retain personal data for as long as needed to provide the Service and for legitimate business, legal and record-keeping purposes. Because our customers are regulated corporate service providers, certain records and audit logs may be retained for the statutory periods applicable to them (for example, AML/CDD records for at least five years). Audit logs are append-only and are not edited or deleted.

9. Security

We apply administrative, technical and organisational safeguards described on our Security page, including encryption in transit and at rest, per-firm tenant isolation, access controls, identifier masking and immutable audit logging. No system is perfectly secure; you are responsible for safeguarding your credentials and configuring access appropriately.

10. Your rights

Subject to the PDPA and applicable law, individuals may request access to or correction of their personal data, and may withdraw consent. For client data we hold as your processor, please direct such requests to the controlling organisation (our customer); we will assist our customer in responding as set out in the DPA. To exercise rights in respect of data we control, contact our Data Protection Officer below.

11. Data Protection Officer & contact

Data Protection Officer: DPO name / role — to be appointed. Contact: privacy@corpsec.ai. Registered address: registered address — to be finalised, Singapore.

12. Changes

We may update this policy from time to time. Material changes will be notified by email or in-product notice, and the “last updated” date will change. Your continued use after changes take effect constitutes acceptance.