Privacy Policy

For the purposes of the PDPA and the GDPR, the controller of your personal data is:

• Entity: Vorsal Pte. Ltd.
• Registration (UEN): [Company/UEN No.]
• Registered address: [Registered address, Singapore]
• Data Protection Officer (DPO): [Name / title], reachable at dpo@vorsal.com
• General privacy contact: privacy@vorsal.com
• EU representative (GDPR Art. 27, if applicable): [Name and EU address, or "not currently appointed — confirm with counsel"]

2.1 Information you give us. When you submit a demo, contact, or waitlist form, or otherwise correspond with us, we collect: your name, work email address, company/organisation, role or industry, your deployment interest, and any message or details you choose to provide.

2.2 Information collected automatically. We keep the Site deliberately light on tracking:

• Analytics: we use Plausible Analytics, a cookieless, privacy-first tool that produces aggregate statistics (such as page views and referrers). It does not set cookies, does not track you across sites, and does not store identifying data for this purpose.
• Server and security logs: our hosting infrastructure may process technical data (such as IP address, browser type, and timestamps) on a transient basis to deliver and secure the Site.
• We do not use advertising cookies, ad pixels, or cross-site behavioural tracking.

2.3 Syndicated content. The Resources page links out to content we publish on Substack and Medium. When you click through, those third-party platforms process your data under their privacy policies, not this one.

2.4 We do not knowingly collect special categories of data (e.g. health, biometric, political views) through the Site, and ask that you not submit them in free-text fields.

Where we rely on consent, you may withdraw it at any time (see §8); withdrawal does not affect processing already carried out. Where we rely on legitimate interests, we have balanced those interests against your rights and will provide our assessment on request.

Form handling. Form submissions are delivered by email to our team's designated address and stored within our business email and productivity systems. We do not currently load this data into a separate CRM; if that changes, we will update this policy.

No solely automated decisions. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing through the Site.

We do not sell personal data. We disclose it only to:

• Service providers (processors) who help us run the Site and our business — for example website hosting, email and productivity tools, and our analytics provider (Plausible) — under contracts requiring appropriate protection and use only on our instructions.
• Professional advisers (legal, accounting, insurance) where reasonably necessary.
• Authorities or third parties where required or permitted by law, to comply with legal process, or to protect our rights, users, or the public.
• Successors in connection with a merger, acquisition, financing, or asset sale, subject to this policy and applicable law.

We are based in Singapore and may process personal data in, or transfer it to, countries outside Singapore and the European Economic Area (EEA), including where our service providers operate.

• PDPA: we comply with the Transfer Limitation Obligation, taking steps to ensure the recipient provides a standard of protection comparable to the PDPA.
• GDPR: where we transfer EEA personal data to a country without an EU adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (SCCs), together with any supplementary measures required.

A copy of the relevant safeguards is available on request via privacy@vorsal.com.

We retain personal data only as long as necessary for the purposes above, including to respond to your enquiry, manage the waitlist, meet legal or accounting requirements, and resolve disputes. When data is no longer needed, we delete or anonymise it. Indicative periods: enquiry/correspondence data — [e.g. 24 months] after last contact; waitlist data — until launch and onboarding or your withdrawal; aggregate analytics — retained in non-identifying form.

We maintain reasonable technical and organisational security measures appropriate to the risk, including encryption in transit (TLS), access controls and least-privilege access, and supplier due diligence. This reflects our PDPA Protection Obligation and GDPR Art. 32. No method of transmission or storage is perfectly secure, and we encourage you not to send sensitive information through free-text fields.

In the event of a data breach that meets the applicable threshold, we will notify the relevant authority and affected individuals as required — under the PDPA's mandatory breach notification regime and GDPR Arts. 33–34.

Under the GDPR, subject to conditions and exemptions, you may: access your data; have it rectified; have it erased; restrict or object to processing (including processing based on legitimate interests and any direct marketing); request portability; and withdraw consent. You also have the right to lodge a complaint with a supervisory authority.

Under the PDPA, you may: request access to and correction of your personal data; and withdraw any consent you have given (we will tell you the likely consequences of withdrawal). Data portability rights apply as and when they come into force.

To exercise any right, contact dpo@vorsal.com or privacy@vorsal.com. We will respond within the timeframes required by applicable law (generally within one month under the GDPR; without undue delay under the PDPA). We may need to verify your identity, and some requests are subject to legal limits.

The Site uses only essential cookies needed for it to function (if any), and a cookieless analytics tool. Because we do not use advertising or cross-site tracking cookies, we do not display a tracking-consent banner. If our use of cookies changes, we will update this policy and our [Cookie Policy].

The Site is intended for business audiences and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@vorsal.com and we will take appropriate steps.

The Site links to third-party sites and platforms (including Substack and Medium). We are not responsible for their content or privacy practices. Please review their policies before providing personal data.

We may update this Privacy Policy from time to time. We will post the revised version here with a new "Last updated" date and, where required, take additional steps to notify you.

Questions, requests, or complaints: privacy@vorsal.com / dpo@vorsal.com, or write to [Vorsal Pte. Ltd., registered address].

You may also complain to a regulator:

• Singapore: Personal Data Protection Commission (PDPC) — www.pdpc.gov.sg
• EEA: your local data protection supervisory authority. [If a lead authority applies, name it here.]