Privacy Policy

At Sensay, we adhere to the following principles when processing your personal data:

3.1. Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We ensure that you are informed about how your data will be used and that we handle your data with integrity.

3.2. Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes. We do not process your data in ways that are incompatible with these purposes.

3.3. Data Minimization

We ensure that the personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We strive to minimize the amount of data we collect and retain.

3.4. Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We have processes in place to address inaccurate or incomplete data.

3.5. Storage Limitation

We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed.

3.6. Integrity and Confidentiality

We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.

3.7. Accountability

We are responsible for and can demonstrate compliance with the above principles.

Sensay collects and processes various types of personal data to provide and improve our Service. The categories of data we collect include:

4.1. Personal Identifiers

• Full name
• Email address
• Phone number
• User account credentials
• Postal address (if provided)
• Date of birth (if provided)
• Profile picture (if uploaded)

4.2. Technical Data

• IP address
• Device type and model
• Operating system and version
• Browser type and version
• Mobile device identifiers (e.g., IDFA, AAID)
• Time zone setting
• Geolocation data (if permitted by you)
• Internet service provider

4.3. Usage Data

• Pages or features accessed
• Time spent on different parts of the Service
• Interaction patterns (e.g., clicks, scrolls)
• Search queries
• Content created or uploaded
• Preferences and settings
• Frequency and timing of Service use

4.4. Communication Data

• Email correspondence
• Chat logs
• Customer support tickets and interactions
• Survey responses
• Feedback provided

4.5. Profile Data

• User preferences
• Interests
• Skills and expertise
• Professional background
• Educational information
• Social media profiles (if linked)

4.6. Financial Data (for paid services)

• Payment card details (processed securely through third-party payment processors)
• Billing address
• Transaction history

4.7. Content Data

• Text, audio, or video content created using our Service
• Files uploaded to our Service
• Data used to create and train digital replicas

4.8. Metadata

• Data about how and when content was created
• Editing history
• Version information

4.9. Third-party Data

• Information obtained from third-party services (with your consent)
• Public data from social media profiles (if linked)

4.10. Inference Data

• Data derived from analyzing your use of our Service
• Predictions or inferences about your preferences or behaviors

We collect this data through various means, including:

• Direct provision by you when you create an account, use our Service, or communicate with us
• Automatic collection through cookies, web beacons, and similar technologies
• Third-party sources, such as social media platforms or data providers (with your consent)

It's important to note that while we collect this range of data, we only process what is necessary for the specific purposes outlined in this policy. You have control over much of the data you provide and can manage your privacy settings within our Service.

Sensay uses your personal data for various purposes to provide, maintain, and improve our Service. Here's a detailed breakdown of how we use your data:

5.1. Providing and Improving Our Service

• Creating and managing your account
• Authenticating your identity and providing access to our Service
• Personalizing your experience based on your preferences and usage patterns
• Developing new features and functionalities
• Conducting research and analysis to improve our Service
• Troubleshooting issues and bugs
• Training and improving our AI models and algorithms

5.2. Communicating with You

• Sending service-related notifications and updates
• Providing customer support and responding to your inquiries
• Sending newsletters, promotional materials, and marketing communications (with your consent)
• Inviting you to participate in surveys or provide feedback
• Notifying you about changes to our Service or policies
• If we send marketing messages to Singapore telephone numbers, we will check the Do‑Not‑Call Registry or rely on the 'ongoing relationship' exemption in accordance with the PDPA's DNC provisions.

5.3. Enhancing User Experience

• Customizing content and recommendations based on your preferences and behavior
• Remembering your settings and preferences
• Providing a seamless experience across different devices
• Analyzing usage patterns to optimize our user interface and features

5.4. Ensuring Security and Compliance

• Detecting and preventing fraud, spam, abuse, and security incidents
• Verifying your identity for security purposes
• Conducting security audits and risk assessments
• Complying with legal obligations and responding to lawful requests from public authorities
• Enforcing our terms of service and other policies

5.5. Creating and Managing Digital Replicas

• Processing your data to create digital representations or clones
• Training AI models to simulate aspects of your behavior, knowledge, or personality
• Storing and managing the data associated with your digital replicas
• Providing access controls for your digital replicas

5.6. Analytics and Business Intelligence

• Generating aggregated, anonymized data for statistical analysis
• Measuring the effectiveness of our marketing campaigns
• Analyzing user engagement and retention
• Producing internal reports on Service usage and performance

5.7. Financial Transactions (for paid services)

• Processing payments and refunds
• Maintaining billing records
• Preventing fraudulent transactions

5.8. Product Development and Research

• Conducting market research and analysis
• Testing new features and functionalities
• Developing and improving our AI technologies
• Collaborating with research partners (using anonymized data)

5.9. Legal and Regulatory Compliance

• Maintaining records for regulatory purposes
• Responding to legal requests and subpoenas
• Establishing, exercising, or defending legal claims

5.10. Customization and Advertising

• Tailoring content and advertisements to your interests (with your consent)
• Measuring the performance of advertising campaigns
• Providing relevant offers and promotions

It's important to note that we always strive to use the minimum amount of data necessary to accomplish these purposes. We also provide you with controls to manage how your data is used, as detailed in the "User Levels of Control" section of this policy.

We collect, use and disclose your Personal Data only where permitted under Singapore's Personal Data Protection Act 2012 ("PDPA") or (for users located in the European Economic Area or United Kingdom) the GDPR.

6.1. Consent

You have given clear consent for a specific purpose (e.g. when you tick a box or connect a social‑media account).

6.2. Deemed Consent

Your consent is deemed when:

• you voluntarily provide the data for a particular transaction; or
• the collection, use or disclosure is reasonably necessary to conclude or perform that transaction.

6.3. Deemed Consent by Notification

Where we notify you of a new purpose and give you a reasonable opportunity to opt‑out before proceeding (PDPA s.15A).

6.4. Legitimate Interests Exception

We may rely on the statutory "legitimate interests" exception where the benefits to you or us outweigh any adverse effect on you, and we implement appropriate safeguards (PDPA Second Schedule, Para 1(e); s.13(1)(d)). AGC Singapore

6.5. Other Statutory Exceptions

Including:

• Business Improvement (PDPA Schedule 2, Para 1(f));
• Research (Para 1(g));
• Vital Interests / Emergencies (Para 1(b));
• Investigations and Legal Proceedings (PDPA Part 4).

Withdrawal of consent. You may withdraw your consent at any time by emailinginfo@sensay.ai. We will process the request within a reasonable period and inform you of any likely consequences (e.g. loss of service functionality).

Note for EEA/UK users. Where GDPR applies, we will continue to rely on the GDPR legal bases (Art. 6 & 9) in parallel and you retain all GDPR rights described in Section 16 below.

Sensay may disclose your personal data to various parties under specific circumstances. We ensure that any third parties with whom we share your data are contractually bound to protect your data with the same level of care and security that we provide. Here's a detailed overview of how we may disclose your data:

7.1. Subsidiaries and Affiliates:

• We may share your data with our subsidiaries and affiliated companies for purposes consistent with this privacy policy.
• This sharing helps us provide integrated services across our organization and may include data transfers to different jurisdictions where our affiliates operate.

7.2. Service Providers and Contractors:

• We engage third-party service providers to perform certain business functions on our behalf. These may include:
• Cloud storage providers
• Payment processors
• Customer support services
• Analytics providers
• Marketing and advertising partners
• IT and security services
• These service providers are given access only to the personal data they need to perform their specific functions, and they are contractually obligated to maintain the confidentiality and security of your data.

7.3. Business Partners:

• With your consent, we may share your data with business partners for joint marketing initiatives or collaborative services.
• We ensure that these partners adhere to strict data protection standards and use your data only for the specified purposes.

7.4. Legal Compliance and Law Enforcement:

• We may disclose your data to comply with applicable laws, regulations, or legal processes.
• This includes responding to court orders, subpoenas, or requests from government or regulatory authorities.
• We may also disclose data if we believe it's necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person.

7.5. Business Transfers:

• In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your data may be transferred as part of Sensay's business assets.
• We will notify you if such a transfer occurs and outline any choices you may have regarding your data.

7.6. With Your Consent:

• We may share your personal data with third parties when you have given us your explicit consent to do so.
• We will always ask for your consent before sharing your data for purposes not covered by this privacy policy.

7.7. Aggregated or Anonymized Data:

• We may share aggregated or anonymized data that does not directly identify you with third parties for various purposes, including business intelligence, marketing, and research.

7.8. Public Forums:

• If you post information in public areas of our Service, such as forums or comment sections, this information may be visible to other users and the public.
• We recommend being cautious about what personal information you disclose in these public spaces.

7.9. Social Media Platforms:

• If you choose to connect your Sensay account with social media platforms, we may share certain information with those platforms to enable features like single sign-on.
• The data shared and how it's used will be governed by the privacy policies of those social media platforms.

7.10. Enterprise Clients:

• For our enterprise clients, we may share certain data with the organization that manages your Sensay account, in accordance with our agreement with that organization.

7.11. Professional Advisors:

• We may disclose your data to professional advisors, such as lawyers, auditors, and insurers, where necessary in the course of the professional services they render to us.

We take great care to ensure that any disclosures of your personal data are necessary and proportionate. We implement appropriate safeguards to protect your data during any transfers or disclosures, including data encryption and contractual obligations for recipients to protect your data.

If you have concerns about how your data is shared, please contact us using the information provided in the "Contact Details" section of this policy.

At Sensay, we prioritize the security and privacy of our clients' data. Our robust security measures are designed to protect sensitive information at every stage of the data lifecycle. We continuously update our security protocols to stay ahead of potential threats and meet the evolving needs of our users, including our enterprise clients.

We implement reasonable administrative, physical and technical safeguards to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of your personal data, and to protect against similar risks, as required by PDPA s.24.

Here's a comprehensive overview of our security measures:

8.1. Data Encryption at Rest

• All customer data stored in our systems is encrypted using Advanced Encryption Standard (AES) with 256-bit key length.
• This industry-standard encryption ensures that data remains secure even if unauthorized access to our storage systems occurs.
• Encryption keys are managed securely and rotated regularly.

8.2. Data Encryption in Transit

• We use Transport Layer Security (TLS) to encrypt all data transmitted between our clients and our servers.
• This ensures that data cannot be intercepted or tampered with during transmission.
• We regularly update our TLS protocols to maintain the highest level of security.

8.3. Regular Security Audits

• We conduct regular internal and third-party security audits to identify and address potential vulnerabilities.
• These audits include penetration testing, vulnerability assessments, and code reviews.
• We promptly address any identified issues and continuously improve our security posture.

8.4. Access Controls

• Strict access controls and authentication measures are in place to ensure that only authorized personnel can access sensitive data.
• We implement multi-factor authentication for all employee access to our systems.
• Access rights are regularly reviewed and updated based on the principle of least privilege.

8.5. Network Security

• Our infrastructure is protected by enterprise-grade firewalls and intrusion detection/prevention systems.
• We employ network segmentation to isolate sensitive data and systems.
• Regular vulnerability scans and patch management ensure our systems are up-to-date and secure.

8.6. Physical Security

• Our data centers are protected by multiple layers of physical security measures.
• These include 24/7 surveillance, biometric access controls, and environmental controls.

8.7. Employee Training and Awareness

• All employees undergo regular security awareness training.
• We have strict policies and procedures in place for handling sensitive data.

8.8. Incident Response Plan

• We maintain a comprehensive incident response plan to quickly address any potential security breaches.
• Our team is trained to detect, respond to, and mitigate security incidents promptly.

8.9. Compliance

• Our security measures are designed to comply with industry standards and regulations such as GDPR, CCPA, and HIPAA where applicable.
• We regularly review and update our practices to maintain compliance with evolving regulations.

8.10. Third-Party Risk Management

• We carefully vet and monitor all third-party service providers who may have access to our systems or data.
• We require our vendors to maintain stringent security standards and undergo regular assessments.

8.11. Data Backup and Recovery

• We maintain regular backups of all critical data.
• Our backup systems are encrypted and stored securely in geographically separate locations.
• We regularly test our data recovery procedures to ensure business continuity.

8.12. Upcoming Security Enhancement: Enterprise Node with FHE

We are excited to announce an upcoming security feature that will provide an unprecedented level of data protection for our enterprise clients:

Enterprise-Run Nodes with Fully Homomorphic Encryption (FHE)

• Enterprise clients will soon have the option to run their own Sensay nodes within their own infrastructure.
• These nodes will utilize Fully Homomorphic Encryption (FHE), a cutting-edge encryption technology that allows computations to be performed on encrypted data without decrypting it.

Key benefits of this feature include:

• Enhanced Data Control: Clients maintain complete control over their data, as it never leaves their infrastructure in an unencrypted form.
• Confidentiality of AI Operations: The AI models can process encrypted data, ensuring that even Sensay cannot access the raw data or the specifics of how it's being used.
• Regulatory Compliance: This approach can help enterprises meet strict regulatory requirements regarding data locality and privacy.
• Customization: Enterprises can customize their node setup to meet specific security and operational requirements.
• Future-Proof Security: FHE provides protection against potential future threats, including those from quantum computing.

8.13. Data Breach Reporting

If a data breach occurs that: (a) is likely to result in significant harm to you, or (b) affects 500 or more individuals, we will:

• Notify the Personal Data Protection Commission (PDPC) as soon as practicable and in any case no later than three (3) calendar days after establishing that the breach is notifiable (PDPA s.26D).
• Notify affected individuals as soon as practicable after notifying the PDPC, providing:
• the nature of the data breached;
• when it occurred;
• actions we have taken or will take;
• guidance on what you can do to protect yourself.

We keep an incident register and review our security controls after every reportable event.

We are committed to continuously improving our security measures and providing our clients with the highest level of data protection available. If you have any questions about our security practices or the upcoming Enterprise Node with FHE feature, please contact our security team.

At Sensay, we understand that different types of data require different levels of privacy and protection. To address this, we have implemented a multi-layered approach to data management and privacy:

9.1. Public Replicas

• These are digital replicas designed for broad interaction and sharing.
• Public replicas can engage with a wide audience, providing general information and experiences.
• They do not contain or disclose sensitive personal data.
• Users have control over what information is included in their public replicas.

9.2. Private Replicas

• Private replicas are restricted to the user and specific whitelisted accounts.
• These replicas contain more detailed and personal information.
• Access is strictly controlled to ensure that only trusted individuals can interact with private replicas.
• Users can manage the whitelist and revoke access at any time.

9.3. Secrets in Public Replicas

• Some public replicas include "Secrets", which are pieces of information accessible only to whitelisted accounts.
• This feature allows users to share certain details selectively, even within a public setting.
• It provides an additional layer of privacy for sensitive information within otherwise public replicas.

9.4. Data Storage and Transfer

• All data, regardless of its privacy layer, is stored securely using encryption at rest.
• Data transfers between privacy layers or to authorized third parties are conducted using secure, encrypted channels.
• We ensure that data storage and transfer processes comply with GDPR and other relevant regulations.

9.5. Access Controls

• Each privacy layer has its own set of access controls.
• Users can define and manage access permissions for their replicas and data.
• Our system enforces these access controls rigorously to prevent unauthorized data access.

9.6. Data Isolation

• We maintain strict isolation between different users' data and between different privacy layers.
• This ensures that data from one privacy layer or user cannot inadvertently leak into another.

9.7. Audit Trails

• We maintain detailed audit trails of all access to and modifications of data across all privacy layers.
• Users can review these audit trails to monitor access to their data.

9.8. Data Minimization

• We apply the principle of data minimization across all privacy layers.
• Only the data necessary for the intended purpose is collected and processed within each layer.

9.9. User Education

• We provide clear guidance and education to users about the different privacy layers and their implications.
• Users are empowered to make informed decisions about which privacy layer to use for different types of data and interactions.

9.10. Consent Management

• Users must provide explicit consent for data to be moved between privacy layers.
• Consent is granular, allowing users to control exactly what data is shared and with whom.

9.11. Data Portability

• Users can export their data from any privacy layer in a machine-readable format.
• This supports data portability rights and allows users to transfer their data between services if desired.

9.12. Deletion and Right to be Forgotten

• Users can request deletion of their data from any privacy layer.
• We ensure that data is securely and completely erased across all relevant systems and backups.

By implementing these privacy layers and management practices, we aim to provide our users with flexible, powerful tools to control their data while ensuring the highest standards of privacy and security.

At Sensay, we believe in empowering our users with comprehensive control over their personal data. We provide various tools and settings that allow you to manage your privacy preferences and data usage. Here's a detailed overview of the control you have:

10.1. Account Settings

• Modify your profile information at any time
• Update your contact details and communication preferences
• Change your password and security settings
• Manage linked accounts (e.g., social media integrations)

10.2. Privacy Settings

• Control the visibility of your profile and content
• Manage who can see and interact with your digital replicas
• Set default privacy levels for new content you create
• Control data sharing with third-party integrations

10.3. Data Access

• Request a copy of all personal data we hold about you
• Download your data in a machine-readable format
• View and manage your data across different privacy layers

10.4. Data Modification

• Edit or update any of your personal data
• Correct inaccuracies in your information
• Request changes to how your digital replicas behave or respond

10.5. Data Deletion

• Delete specific pieces of content or data
• Request complete deletion of your account and associated data
• Understand the implications of data deletion on your service usage

10.6. Consent Management

• View and modify your consent settings for various data processing activities
• Opt in or out of specific data uses, such as marketing communications or research
• Withdraw consent for processing activities at any time

10.7. Digital Replica Control

• Create, modify, or delete your digital replicas
• Control the data sources used to train your replicas
• Manage access permissions for your replicas
• Pause or deactivate your replicas temporarily or permanently

10.8. Communication Preferences

• Choose which types of communications you want to receive from us
• Set preferences for notification frequency and channels
• Unsubscribe from marketing communications with a single click

10.9. Third-Party Data Sharing

• View which third parties have access to your data
• Control what data is shared with these parties
• Revoke access for specific third parties at any time

10.10. Data Portability

• Export your data in a standard, machine-readable format
• Transfer your data to other services or platforms

10.11. Activity Logs

• View logs of activities related to your account and data
• Monitor access to your digital replicas
• Receive notifications for important account activities

10.12. AI Training Opt-Out

• Choose whether your data can be used to train our AI models
• Opt out of specific types of AI training or usage

10.13. Cookie Control

• Manage your cookie preferences through our cookie banner
• Choose which types of cookies you accept or reject
• Update your cookie settings at any time

10.14. Geographic Restrictions

• Set geographic restrictions on where your digital replicas can be accessed
• Control data processing locations for compliance with local regulations

10.15. Two-Factor Authentication

• Enable or disable two-factor authentication for enhanced account security
• Choose your preferred 2FA method (e.g., SMS, authenticator app)

10.16. Account Deactivation

• Temporarily deactivate your account without deleting your data
• Understand the difference between deactivation and deletion

These controls are accessible through your account settings on our platform. We are committed to continually improving and expanding these controls to give you the utmost transparency and authority over your personal data.

If you need assistance with any of these controls or have questions about managing your data, please contact our support team. We're here to help you understand and exercise your data rights effectively.

As a data controller, Sensay implements various organizational and technical measures to ensure the proper handling and protection of user data. These company-level controls are designed to comply with data protection regulations and maintain the trust of our users. Here's an overview of our internal controls:

11.1. Data Processing

• Consent-Based Processing: We process personal data primarily based on explicit consent from users. Consent is obtained transparently, and users are informed about the specific purposes for which their data will be used.
• Legitimate Business Purposes: In addition to consent, we may process data for legitimate business purposes, such as improving services, conducting research, and ensuring security and compliance. We conduct regular assessments to ensure these purposes are justified and do not override user rights.

11.2. Data Protection

• Encryption Protocols: All data, both in transit and at rest, is secured using advanced encryption protocols to prevent unauthorized access and data breaches.
• Access Controls: Strict access control measures are implemented to ensure that only authorized personnel can access sensitive data. This includes multi-factor authentication and role-based access controls.
• Security Audits: Regular security audits are conducted to identify and mitigate potential vulnerabilities. These audits are performed by internal and external experts to ensure comprehensive security coverage.

11.3. Data Auditing

• Regular Audits: We conduct regular audits of our data processing activities to ensure compliance with GDPR and other relevant data protection regulations. These audits assess data handling practices, security measures, and user consent management.
• Transparency Reports: We provide transparency reports to users, outlining data processing activities, security measures, and any incidents or breaches that may have occurred. These reports are part of our commitment to transparency and accountability.

11.4. Data Protection Officer (DPO)

• We have appointed a Data Protection Officer responsible for overseeing our data protection strategy and implementation.
• The DPO ensures that we remain compliant with data protection laws and serves as a point of contact for users and supervisory authorities on privacy matters.

11.5. Employee Training

• All employees undergo regular data protection and privacy training.
• We maintain a culture of privacy awareness throughout the organization.

11.6. Data Protection Impact Assessments (DPIAs)

• We conduct DPIAs for new projects or significant changes that involve processing personal data.
• These assessments help us identify and mitigate privacy risks before they occur.

11.7. Vendor Management

• We carefully vet and monitor all third-party vendors who may have access to user data.
• Data processing agreements are in place with all vendors, ensuring they adhere to our strict data protection standards.

11.8. Incident Response Plan

• We maintain a comprehensive incident response plan to address potential data breaches quickly and effectively.
• Regular drills and updates ensure our team is prepared to handle any data protection incidents.

11.9. Data Retention Policies

• We have implemented clear data retention policies that define how long different types of data are kept.
• Automated systems ensure that data is securely deleted when it is no longer needed for the purposes for which it was collected.

11.10. Compliance Monitoring

• We continuously monitor changes in data protection laws and regulations.
• Our policies and practices are regularly updated to ensure ongoing compliance.

11.11. Privacy by Design

• We incorporate privacy considerations into all stages of product development and business operations.
• Privacy-enhancing technologies are integrated into our systems and processes.

11.12. Internal Audits

• Regular internal audits are conducted to ensure that our data protection practices align with our policies and legal requirements.
• Audit findings are reported to senior management and used to drive continuous improvement.

11.13. Documentation

• We maintain detailed documentation of all our data processing activities, including purposes, categories of data, recipients, and security measures.
• This documentation is regularly reviewed and updated to ensure accuracy and completeness.

11.14. Data Minimization Practices

• We implement data minimization techniques to ensure we only collect and process the data necessary for specified purposes.
• Regular reviews are conducted to identify and eliminate unnecessary data collection or processing.

These company-level controls demonstrate our commitment to protecting user data and maintaining the highest standards of privacy and security. We continuously evaluate and enhance these controls to adapt to the evolving data protection landscape and to meet the expectations of our users.

At Sensay, we employ advanced encryption technologies to ensure the highest level of data protection for our users. Our approach includes both end-to-end encryption providing robust security for sensitive information.

12.1. Data Encryption

• We use end-to-end encryption to protect data from the moment it is collected until it reaches its intended destination.
• This ensures that data remains secure during transmission and storage, and can only be decrypted by the intended recipient.

12.2. Secure Channels

• All communication between users and Sensay's servers is encrypted using secure channels (e.g., TLS/SSL).
• This prevents unauthorized interception and access to sensitive information during transit.

12.3. Encrypted Storage

• Data stored on Sensay's servers is encrypted using advanced encryption standards.
• Even if data is accessed unlawfully, it remains unreadable and secure without the proper decryption keys.

12.4. Key Management

• We implement robust key management practices to ensure the security of encryption keys.
• Keys are rotated regularly and stored securely, separate from the encrypted data.

12.5. Client-Side Encryption

• Where possible, we implement client-side encryption, meaning data is encrypted on the user's device before being transmitted to our servers.
• This ensures that even Sensay cannot access the unencrypted data.

12.6. Perfect Forward Secrecy

• We employ perfect forward secrecy in our encryption protocols.
• This means that even if a encryption key is compromised in the future, it cannot be used to decrypt past communications.

12.7. Encrypted Backups

• All data backups are encrypted to ensure that data remains protected even in backup storage.

We retain personal data only for as long as it is reasonably necessary to fulfil the purpose for which it was collected, or as required for legal or business purposes. When retention is no longer necessary, we will destroy or anonymise the data in a secure manner in compliance with PDPA s.25.

Sensay Data Retention and Usage policies are compliant with both PDPA for Singaporean users and GDPR for European users.

13.1. General Retention Periods

• Account Information: Retained for the duration of your account's active status. If you haven't used your account for 24 months, we will notify you and may deactivate your account if you don't respond.
• Transaction Data: Kept for 7 years to comply with tax and accounting regulations.
• Communication Records: Stored for 3 years from the date of last communication for customer support purposes.
• Usage Data: Retained for 18 months to improve our services and user experience.
• Marketing Data: Kept for 2 years from the last interaction unless you opt-out earlier.

13.2. Data Associated with Digital Replicas

• Retained for as long as the digital replica is active.
• Users can delete their replicas at any time, which will trigger the deletion of associated data.
• Inactive replicas that haven't been accessed for 12 months may be archived or deleted after notifying the user.

13.3. Log Data and Analytics

• System logs are retained for 6 months for security and troubleshooting purposes.
• Aggregated, anonymized analytics data may be retained indefinitely as it cannot be used to identify individuals.

13.4. Data Backup Retention

• We maintain encrypted backups of data for disaster recovery purposes.
• Backups are retained for 30 days, after which they are securely deleted.

13.5. Legal Hold

• If we receive a legal order or are involved in litigation, we may need to retain certain data beyond our normal retention period.
• We will notify affected users of such legal holds unless prohibited by law.

13.6. User-Requested Deletion

• When you request deletion of your data, we will delete or anonymize it within 30 days.
• Some data may be retained in encrypted backups for up to 30 additional days until those backups are overwritten.

13.7. Archived Data

• Some data may be archived for statistical, historical, or research purposes.
• Archived data is secured with strong encryption and access controls.

13.8. Retention of Encrypted Data

• For data protected by end-to-end encryption or FHE, the encrypted data may be retained, but without the decryption keys, it remains inaccessible and effectively deleted.

13.9. Third-Party Data Retention

• We require our third-party service providers to adhere to retention periods compatible with our policies.
• We conduct regular audits to ensure compliance.

13.10. Review and Update of Retention Policies

• Our data retention policies are reviewed annually and updated as necessary to reflect changes in our services, legal obligations, and user needs.

13.11. User Control Over Retention

• Users can request earlier deletion of their data at any time through their account settings or by contacting our support team.
• We provide tools for users to export their data before requesting deletion.

13.12. Retention Notifications

• We will notify users before deleting their data due to inactivity or the end of a retention period, giving them the opportunity to extend the retention if desired.

13.13. Anonymization

• Where possible, we anonymize data instead of deleting it entirely. This allows us to retain useful information for analytics and service improvement without compromising individual privacy.

13.14. Special Categories of Data

• Special categories of personal data (e.g., health information) are subject to shorter retention periods unless a longer retention is required by law or explicitly consented to by the user.

We are committed to being transparent about our data retention practices. If you have any questions about how long we retain specific types of data, please contact our Data Protection Officer using the information provided in the "Contact Details" section of this policy.

Remember that even after data is deleted from our active systems, it may persist in backups for a limited time. However, we ensure that all backups are securely deleted according to our retention schedule.

Cookies are small text files that are placed on your device when you visit our website or use our services. They help us provide you with a better experience and allow certain features to function properly. At Sensay, we use cookies and similar technologies (like web beacons and pixels) for various purposes. Here's a detailed explanation of our cookie usage:

14.1. Types of Cookies We Use

14.1.1. Essential Cookies

• These are necessary for the Service to function and cannot be switched off.
• They are usually only set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
• You can set your browser to block these cookies, but some parts of the site may not work properly.

14.1.2. Performance Cookies

• These help us understand how you use our Service by collecting and reporting information anonymously.
• They allow us to count visits and traffic sources so we can measure and improve the performance of our site.
• If you block these cookies, we won't know when you've visited our site.

14.1.3. Functionality Cookies

• These enable the website to provide enhanced functionality and personalization.
• They may be set by us or by third-party providers whose services we have added to our pages.
• If you block these cookies, some of these services may not function properly.

14.1.4. Targeting Cookies

• These may be set through our site by our advertising partners.
• They are used to build a profile of your interests and show you relevant ads on other sites.
• They don't store personal information directly, but are based on uniquely identifying your browser and device.

By continuing to use this site, you consent to the collection, use and disclosure of cookies data in accordance with the Singapore PDPA.

14.2. How We Use Cookies

• To remember your preferences and settings
• To keep you logged in to our Service
• To understand how you use our Service
• To detect and prevent fraud
• To analyze the performance and effectiveness of our Service
• To display personalized content and advertising

14.3. Third-Party Cookies

• Some cookies are placed by third-party services that appear on our pages.
• We use third-party analytics services (e.g., Google Analytics) which use cookies to help us analyze how users use the Service.
• We have agreements with these third parties ensuring they handle your data in compliance with data protection regulations.

14.4. Cookie Consent

• When you first visit our Service, we will ask for your consent to use non-essential cookies.
• You can change your cookie preferences at any time through our cookie settings panel.

14.5. Managing Cookies

• Most web browsers allow you to control cookies through their settings preferences.
• However, limiting cookies may impact your experience and functionality of our Service.

14.6. Cookie Lifespan

• Session Cookies: These are temporary and are deleted when you close your browser.
• Persistent Cookies: These remain on your device until they expire or you delete them.

14.7. Do Not Track

• Some browsers have a "Do Not Track" feature. Our Service does not currently respond to "Do Not Track" signals.

14.8. Updates to Cookie Policy

• We may update our Cookie Policy from time to time. We will notify you of any significant changes.

14.9. Cookies and Personal Data

• While cookies themselves don't typically contain personal data, they can be linked with personal data you provide in other ways (e.g., when you log in).
• We treat information collected by cookies and other technologies as non‑personal information unless applicable law requires otherwise.

14.10. Cookie-Like Technologies

• We also use technologies like web beacons, pixels, and local storage, which function similarly to cookies.
• Our Cookie Policy applies to these technologies as well.

14.11. Opting Out

• You can opt-out of certain cookie-based tracking through industry programs like the Digital Advertising Alliance or Network Advertising Initiative.

14.12. Mobile Devices

• If you access our Service through a mobile device, similar data may be collected through other technologies like mobile ad identifiers.

For more detailed information about the specific cookies we use and their purposes, please visit our Cookie Settings panel, accessible through the Service. If you have any questions about our use of cookies, please contact us using the information in the "Contact Details" section.

At Sensay, we recognize that the creation and use of digital replicas (or "digital clones") raise important ethical considerations. We are committed to addressing these concerns transparently and responsibly. Here's an overview of our approach to the ethical aspects of digital cloning:

15.1. Informed Consent

• We obtain explicit, informed consent from individuals before creating their digital replicas.
• Users are provided with clear, comprehensive information about the process, potential uses, and implications of their digital replicas.
• Consent can be withdrawn at any time, leading to the deactivation and deletion of the digital replica.

15.2. Transparency

• We are open about the capabilities and limitations of our digital replica technology.
• Users are informed about how their data is used to create and maintain their digital replicas.
• We provide clear information about who can access and interact with digital replicas.

15.3. Privacy and Data Protection

• Digital replicas are subject to the same stringent privacy and security measures as other personal data.
• Users have granular control over what information is included in their digital replicas and how they are used.

15.4. Accuracy and Representation

• We strive to ensure that digital replicas accurately represent the individual's knowledge, personality, and values.
• Users can review and modify their digital replicas to ensure they align with their current views and preferences.

15.5. Preventing Misuse

• We have strict policies against using digital replicas for deception, impersonation, or any malicious purposes.
• Technical measures are in place to prevent unauthorized creation or use of digital replicas.

15.6. Emotional and Psychological Impact

• We acknowledge the potential emotional impact of interacting with digital replicas, especially of deceased individuals.
• Clear labeling ensures that users are always aware they are interacting with a digital replica, not the actual person.

15.7. Intellectual Property Rights

• We respect the intellectual property rights of individuals in relation to their digital replicas.
• Users retain rights over the content and intellectual property they contribute to their digital replicas.

15.8. Ethical Use in Business and Research

• We have guidelines for the ethical use of digital replicas in business, education, and research contexts.
• Any use of digital replicas for research purposes is subject to ethical review and approval.

15.9. Child Protection

• We have special safeguards and restrictions for the creation and use of digital replicas of minors.
• Parental consent is required for any digital replica creation involving individuals under the age of consent.

15.10. Cultural Sensitivity

• We respect cultural differences in attitudes towards digital representation and afterlife.
• Users can set cultural preferences that affect how their digital replicas operate.

15.11. Transparency in AI Interaction

• We clearly disclose when AI is being used in the creation or operation of digital replicas.
• Users are informed about the extent of AI involvement in generating responses or behaviors.

15.12. Right to be Forgotten

• Users have the right to completely delete their digital replicas and associated data.
• We provide clear processes for exercising this right, including posthumous deletion requests.

15.13. Ethical Review Board

• We maintain an independent ethical review board to assess and advise on ethical issues related to digital cloning.
• This board regularly reviews our practices and policies to ensure they align with ethical standards.

15.14. Ongoing Ethical Assessment

• We continuously evaluate the ethical implications of advancements in our digital cloning technology.
• We engage with ethicists, policymakers, and the public to address emerging ethical concerns.

15.15. Education and Awareness

• We provide resources to help users understand the ethical implications of digital cloning.
• We participate in public discussions and academic forums on the ethics of AI and digital representation.

15.16. Posthumous Management

• We offer options for users to set preferences for the management of their digital replicas after death.
• These include options for deletion, archiving, or continued operation under specified conditions.

15.17. Ethical AI Training

• Our AI models used in digital replicas are trained with ethical considerations in mind, including fairness and bias mitigation.

15.18. Transparency in Limitations

• We are clear about the current limitations of digital replica technology to manage user expectations.
• Users are informed that digital replicas are simulations and may not perfectly replicate human behavior or decision-making.

By adhering to these ethical principles, we aim to ensure that our digital cloning technology is developed and used in a way that respects individual rights, promotes transparency, and contributes positively to society. We recognize that ethical considerations in this field are complex and evolving. We are committed to ongoing dialogue with users, experts, and stakeholders to continually refine our approach to these important issues.

Ethical Considerations of Digital Cloning (continued)

In this field are complex and evolving. We are committed to ongoing dialogue with users, experts, and stakeholders to continually refine our approach to these important issues.

As a data subject under the General Data Protection Regulation (GDPR), you have several rights concerning your personal data. At Sensay, we are committed to facilitating the exercise of these rights. Here's a detailed explanation of your rights and how you can exercise them:

16.1. Right to be Informed

• You have the right to be informed about the collection and use of your personal data.
• We provide this information through this privacy policy and additional notices where necessary.
• If we decide to use your data for a new purpose, we will provide you with additional information.

16.2. Right of Access

• You have the right to request a copy of your personal data that we hold.
• We will provide this information free of charge (for the first request) within one month of your request.
• To request access, use the "Data Access Request" feature in your account settings or contact our Data Protection Officer.

16.3. Right to Rectification

• You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
• You can update most of your information directly through your account settings.
• For data you can't update yourself, contact our support team, and we'll make the changes within one month.

16.4. Right to Erasure (Right to be Forgotten)

• You have the right to request the deletion of your personal data in certain circumstances (e.g., when the data is no longer necessary for the purposes it was collected).
• To request erasure, use the "Delete My Data" option in your account settings or contact our Data Protection Officer.
• We will comply with your request within one month unless there's a legal reason to retain some data.

16.5. Right to Restrict Processing

• You can request that we limit the way we use your personal data.
• This right applies in specific circumstances, such as when you contest the accuracy of your data.
• To exercise this right, contact our Data Protection Officer with details of your request.

16.6. Right to Data Portability

• You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• You can also request that we transfer this data directly to another controller.
• Use the "Export My Data" feature in your account settings to exercise this right.

16.7. Right to Object

• You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing.
• To object to marketing, use the unsubscribe link in our emails or adjust your communication preferences in your account settings.
• For other objections, contact our Data Protection Officer with details of your request.

16.8. Rights Related to Automated Decision Making and Profiling

• You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
• While we use automation in our services, we do not make solely automated decisions with significant effects. If this changes, we will inform you and provide ways to request human intervention or challenge the decision.

16.9. Right to Withdraw Consent

• Where we process data based on consent, you have the right to withdraw that consent at any time.
• You can withdraw consent for specific processing activities in your account settings or by contacting our Data Protection Officer.

To exercise any of these rights, please use the relevant features in your account settings or contact our Data Protection Officer using the information provided in the "Contact Details" section of this policy. We will respond to all requests within one month. In complex cases, we may extend this period by two months, but we will inform you of any such extension within the first month.

Please note that while we will always strive to accommodate your rights, there may be situations where we are legally obligated to retain certain data. We will explain any such limitations when responding to your requests.

16.10. Rights under Singapore PDPA

We will respond within 30 calendar days or explain why more time is needed.

16.11. Additional Rights for EEA/UK Residents under GDPR

If you reside in the EEA or UK you also have the GDPR rights to erasure, restriction of processing, objection, and data portability in accordance with Articles 17–22 GDPR. Requests may be sent to the same DPO contact.

Sensay operates globally, which means that your personal data may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

We are headquartered in Singapore but use cloud infrastructure and service providers around the world. Whenever we transfer personal data outside Singapore, we will ensure that:

17.1. Comparable Protection

The recipient country or organisation provides a standard of protection that is comparable to the PDPA, for example through:

• a legally enforceable data‑transfer agreement;
• binding corporate rules;
• certification to PDPC‑approved standards; or
• reliance on a specific statutory exemption.

17.2. Additional Measures for EEA/UK Data

For data originating from the EEA or UK we rely on the EU‑approved Standard Contractual Clauses ("SCCs")or the UK Addendum, together with supplementary measures where necessary, to ensure GDPR‑level protection.

17.3. Onward Transfers

Third‑party recipients must obtain our written consent before making any onward transfer unless required by law.

We do not participate in the (now‑invalid) EU‑U.S. Privacy Shield framework. A copy of our standard data‑transfer agreement is available on request.

Here's how we handle international data transfers:

17.4. Adequacy Decisions

• Where possible, we transfer data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

17.5. Standard Contractual Clauses

• For transfers to countries without an adequacy decision, we implement Standard Contractual Clauses (SCCs) approved by the European Commission.
• These clauses ensure that your personal data receives an adequate level of protection in the recipient country.

17.6. Privacy Shield

• While the EU-U.S. Privacy Shield is no longer valid for EU-U.S. transfers, we continue to comply with Privacy Shield principles as a demonstration of our commitment to data protection.

17.7. Binding Corporate Rules

• For intra-group transfers, we are in the process of implementing Binding Corporate Rules to ensure consistent protection of personal data across our global operations.

17.8. Consent

• In some cases, we may transfer your data based on your explicit consent to the transfer, after informing you of the possible risks.

17.9. Necessary for Contract Performance

• We may transfer your data if it's necessary for the performance of a contract between you and Sensay, or for pre-contractual measures taken at your request.

17.10. Data Localization Options

• For enterprise clients with specific data residency requirements, we offer options to keep data within specified geographical regions.

17.11. Transparency

• We are transparent about where your data is processed. You can find information about our data centers and processing locations in your account settings.

17.12. Third-Party Transfers

• We ensure that any third parties we share data with also comply with appropriate data transfer mechanisms.

17.13. Data Transfer Impact Assessments

• We conduct regular assessments of our data transfer mechanisms to ensure they provide adequate protection in light of any changes in law or circumstances.

17.14. Encryption in Transit

• All data transfers are encrypted using industry-standard protocols to protect data during transmission.

17.15. Right to Information

• You have the right to obtain information about the safeguards we use for international data transfers. Contact our Data Protection Officer for more details.

17.16. EU Representative

• We have appointed a representative in the EU to act as a point of contact for EU data subjects and supervisory authorities.

17.17. Monitoring of International Transfer Laws

• We closely monitor changes in international data transfer laws and adjust our practices accordingly.

If you have any questions or concerns about our international data transfer practices, please contact our Data Protection Officer using the information provided in the "Contact Details" section.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we do, we will update the "last updated" date at the top of this policy. If we make significant changes to this policy, we will notify you through a prominent notice on our Service or by sending you a direct communication.

18.1. Notification of Changes

• For material changes, we will provide notification via email, in-app notifications, or prominent notices on our website at least 30 days before the changes take effect.
• For minor changes, we may update the policy without prior notification, but we will always indicate the last updated date.

18.2. Review of Changes

• We encourage you to review this policy periodically to stay informed about how we protect your personal data.

18.3. Consent to Changes

• Your continued use of our Service after any changes to this policy constitutes your acceptance of the new terms.
• If you do not agree with the changes, you should discontinue using our Service and contact us to close your account.

18.4. Archive of Previous Versions

• We maintain an archive of previous versions of this policy, which you can request by contacting our Data Protection Officer.

18.5. Explanation of Changes

• When we make significant changes, we will provide a summary of what has changed along with the updated policy.

18.6. Regulatory Compliance

• We update this policy to ensure ongoing compliance with applicable data protection laws and regulations.

18.7. User Rights

• If changes to this policy affect your rights or the way we use your data, we will obtain your consent where required by applicable law.

18.8. Third-Party Notifications

• If changes affect our relationships with third-party processors, we will notify and update agreements with these parties as necessary.

18.9. Staff Training

• Our staff receives training on any significant changes to this policy to ensure consistent implementation across our organization.

18.10. Feedback Mechanism

• We welcome your feedback on any changes to this policy. You can provide feedback through our support channels or by contacting our Data Protection Officer.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please don't hesitate to contact us. Here are the ways you can reach us:

19.1. Data Protection Officer

• Name: Marco Bettiolo
• Email: gdpr@sensay.io

19.2. General Privacy Inquiries

• Email: gdpr@sensay.io

19.3. Customer Support

• For general inquiries or support related to your account:
• Email: contact@sensay.io
• Live Chat: Available through our website and telegram channel

19.4. Social Media

• While we monitor our social media channels, please do not share personal information or account details through these public platforms. Use the secure methods above for privacy-related communications.

19.5. Response Times

• We aim to respond to all privacy-related inquiries within 72 hours.
• For formal data subject requests under GDPR, we will respond within one month as required by law.

19.6. Availability

• Our support team is available 9am - 5pm SGT.
• For urgent privacy matters outside of these hours, please use the emergency contact number provided in your account settings.

19.7. Verification Process

• To protect your privacy, we will verify your identity before discussing or acting on any privacy-related requests.