Privacy Policy

Last updated: 2025-12-04

1. Introduction

Paddly.io ("we", "us", "our") is committed to protecting your personal data in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our AI-powered CRM services.

2. Data We Collect

We collect the following categories of personal data:

  • Account Information: Name, email address, phone number, company name, job title
  • Customer Data: Lead and contact information you input (names, emails, phones, companies)
  • Activity Data: Notes, call summaries, AI-generated suggestions, deal history
  • Usage Data: Login activity, feature usage, session duration
  • Technical Data: IP address, browser type, device information
  • Payment Data: Billing address, payment method details (processed by Stripe)

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing and improving our CRM services
  • Generating AI-powered suggestions and risk alerts
  • Processing payments and managing subscriptions
  • Sending service-related communications
  • Analyzing usage patterns to improve our product
  • Complying with legal obligations

Important: Your data is never used to train public AI models. AI features are powered by your data in isolation for your benefit only.

4. Legal Basis for Processing

Under PDPA, we process your personal data based on:

  • Consent: When you sign up and agree to our terms
  • Contract: To fulfill our service agreement with you
  • Legal Obligation: To comply with applicable laws
  • Legitimate Interests: To improve and secure our services

5. Data Sharing and Disclosure

We do not sell your personal data. We may share data with:

  • Service Providers: Supabase (database), Cloudflare (hosting), Stripe (payments), OpenAI (AI processing)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with merger, acquisition, or asset sale

6. International Data Transfers

Your data may be processed in countries outside Singapore through our service providers. We ensure adequate protection through:

  • Contractual safeguards with service providers
  • Selection of providers with strong privacy practices
  • Technical measures (encryption, access controls)

7. Data Retention

We retain your personal data for:

  • Account Data: Until you request deletion or close your account
  • Customer Data: Until you delete it or close your account
  • Activity Data: 3 years after account closure for legal compliance
  • Backups: 30 days after deletion from primary systems

8. Your Rights Under PDPA

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Withdrawal: Withdraw consent for data processing
  • Deletion: Request deletion of your personal data
  • Portability: Export your data in a machine-readable format

To exercise these rights, email us at privacy@paddly.io. We will respond within 30 days.

9. Data Security

We implement reasonable security measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-Level Security (RLS) database policies
  • Regular security audits and vulnerability assessments
  • Access controls and authentication requirements
  • Secure OAuth token storage with AES-GCM encryption

10. Cookies

We use the following cookies:

  • Essential Cookies: Required for authentication and core functionality
  • Analytics Cookies: To understand how you use our service (optional)

You can manage cookie preferences through our cookie consent banner.

11. Data Breach Notification

In the event of a data breach that is likely to result in significant harm, we will:

  • Notify the Personal Data Protection Commission (PDPC) within 3 calendar days
  • Notify affected individuals as soon as practicable
  • Take immediate steps to contain and remediate the breach

12. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our service. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related inquiries:

15. PDPC Information

For more information about PDPA and your rights, visit the Personal Data Protection Commission.