Legal

Privacy Policy

Last updated: 17 March 2025 · Effective: 17 March 2025

🛡️

Singapore PDPA Compliance Notice

This Privacy Policy is prepared in compliance with Singapore's Personal Data Protection Act 2012 (PDPA) (No. 26 of 2012, as amended by the Personal Data Protection (Amendment) Act 2020). We are committed to protecting your personal data and upholding your rights as a data subject.

1. Data Controller

AdProtect AI Pte. Ltd. is the data controller responsible for the personal data collected through this platform.

Data Protection Officer (DPO): privacy@adprotect.ai

2. Personal Data We Collect

We collect personal data that is necessary to provide the Service, in accordance with PDPA Section 18 (Purpose Limitation Obligation):

2.1 Account Data

Full name and email address (for account registration)
Password (stored as PBKDF2-SHA256 hash — never stored in plain text)
Business/clinic name and specialty (optional)

2.2 Transactional Data

Subscription plan and billing history (processed by Paddle; we do not store card numbers)
Check usage records (type, timestamp, risk score — no raw content retained)

2.3 Technical Data

IP address, browser type, and device type (for security and fraud detection)
Session tokens (stored in browser localStorage; no persistent tracking cookies)

2.4 Uploaded Content

Images, videos, text, or URLs submitted for compliance checking are processed in memory by the AI engine and permanently deleted immediately after analysis. This content is not stored, indexed, or used for AI model training.

3. Purposes of Collection and Use

Under PDPA Section 18, we collect and use personal data only for the following notified purposes:

Purpose	Legal Basis (PDPA)
Account creation and authentication	Consent (s.13) / Contract necessity
Providing AI compliance checking service	Contract necessity
Processing subscription payments	Contract necessity
Sending transactional emails (verification, receipts)	Contract necessity
Service improvement via aggregated analytics	Legitimate interests (anonymised data)
Fraud detection and abuse prevention	Legitimate interests / Legal obligation
Compliance with regulatory requests	Legal obligation (s.17)

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

4. Data Transfers and Third-Party Processors

In accordance with PDPA Section 26, we ensure adequate protection for any data transferred outside Singapore:

Cloudflare (Pages / D1 Database)

Platform hosting and database storage

📍 Global CDN; database region: Asia-Pacific

OpenAI API

AI-powered compliance analysis engine

📍 United States (SOC 2 Type II certified)

Paddle.com Market Limited

Payment processing and subscription management

📍 United Kingdom (UK GDPR compliant)

Resend

Transactional email delivery

📍 United States

5. Data Retention

Data Type	Retention Period
Uploaded content (images, videos, text)	Deleted immediately after AI processing
Account profile data	Duration of account + 30 days after deletion
Check history summaries (no raw content)	12 months from date of check
Payment and billing records	7 years (IRAS tax compliance requirement)
Security logs (IP, access logs)	90 days
Email communication records	2 years

6. Data Security

We implement the following technical and organisational measures in accordance with PDPA Section 24 (Protection Obligation):

Encryption in Transit: All data transmitted over HTTPS/TLS 1.3;
Password Security: PBKDF2-SHA256 with 100,000 iterations and unique salts;
Access Controls: Role-based access controls; admin functions require elevated authentication;
Infrastructure Security: Hosted on Cloudflare with DDoS protection and WAF;
Content Isolation: Uploaded content processed in isolated worker environments and not persisted;
Breach Response: We will notify affected users and the PDPC within 3 calendar days of discovering a notifiable data breach (PDPA s.26D).

7. Your Rights Under PDPA

👁

Right of Access

Request a copy of personal data we hold about you (PDPA s.21).

✏️

Right of Correction

Request correction of inaccurate or incomplete data (PDPA s.22).

🚫

Right to Withdraw Consent

Withdraw consent for non-essential data processing at any time.

📦

Right to Data Portability

Request your account data in a machine-readable format (2020 Amendment Act).

❌

Right to Erasure

Request deletion of your account and all associated personal data via dashboard or email.

To exercise any of these rights, email privacy@adprotect.ai. We will respond within 10 business days.

8. Cookies and Local Storage

We use browser localStorage (not traditional cookies) solely for:

Storing your JWT authentication token (session management);
Caching your user profile for faster page loads.

We do not use third-party advertising or tracking cookies, cross-site tracking pixels, or analytics cookies (Google Analytics or similar).

You can clear localStorage data at any time via your browser settings. This will log you out of the Service.

9. Children's Privacy

The Service is intended for users aged 18 and above. We do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a person under 18 without verifiable parental consent, we will delete such data promptly.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in law, technology, or our practices. Material changes will be communicated via email and in-app notification at least 14 days before they take effect.

11. Contact and Complaints

Data Protection Officer: privacy@adprotect.ai

Response time: within 10 business days

If you are dissatisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.