Privacy policy
Updated · 5th May 2025
1. Introduction
We are committed to protecting your privacy and ensuring the security of your personal data. This policy is designed to provide you with detailed information about how we collect, use, process, and protect your personal information when you use our web app and mobile application (collectively referred to as our "Service").
We understand that your privacy is important, and we want you to feel confident about the use of your personal data when engaging with our Service. This policy aims to be transparent, comprehensive, and easily understandable, ensuring that you are fully informed about your privacy rights and how we handle your data.
This policy applies to all users of Sensay's Service, including individuals using our public features and enterprise clients utilizing our advanced security measures. We encourage you to read this policy carefully to understand our practices regarding your personal data.
Sensay is a private company limited by shares, registered in Singapore under the name Sensay Pte Ltd, Number 202516659M, and address: 6A Shelton Way, Downtown Gallery, Singapore, 068815.
This Policy is governed by the laws of Singapore and you agree to submit to the exclusive jurisdiction of the Singapore courts.
2. Definitions
To help you better understand this policy, we've defined some key terms:
Personal data:
Any information relating to an identified or identifiable natural person ('data subject'). This includes, but is not limited to, names, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Data Controller:
The entity that determines the purposes and means of processing personal data. In this context, Sensay acts as the Data Controller for the personal data you provide to us.
Data Processor:
A person or entity that processes personal data on behalf of the Data Controller. This may include third-party service providers that we engage to perform certain functions.
Data Subject:
Any living individual whose personal data is being processed. If you use Sensay's services, you are a Data Subject.
Processing:
Any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Consent:
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Digital Replica:
A digital representation or clone of an individual created using personal data and AI technology, capable of simulating aspects of that person's behavior, knowledge, or personality.
3. Principles for Processing Personal Data
At Sensay, we adhere to the following principles when processing your personal data:
3.1. Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We ensure that you are informed about how your data will be used and that we handle your data with integrity.
3.2. Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes. We do not process your data in ways that are incompatible with these purposes.
3.3. Data Minimization
We ensure that the personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We strive to minimize the amount of data we collect and retain.
3.4. Accuracy
We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We have processes in place to address inaccurate or incomplete data.
3.5. Storage Limitation
We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed.
3.6. Integrity and Confidentiality
We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
3.7. Accountability
We are responsible for and can demonstrate compliance with the above principles.
4. Data We Collect and Process
Sensay collects and processes various types of personal data to provide and improve our Service. The categories of data we collect include:
4.1. Personal Identifiers
Email address
Full name
Phone number
User account credentials
Postal address (if provided)
Date of birth (if provided)
Profile picture (if uploaded)
4.2. Technical Data
IP address
Device type and model
Operating system and version
Browser type and version
Mobile device identifiers (e.g., IDFA, AAID)
Time zone setting
Geolocation data (if permitted by you)
Internet service provider
4.3. Usage Data
Pages or features accessed
Time spent on different parts of the Service
Interaction patterns (e.g., clicks, scrolls)
Search queries
Content created or uploaded
Preferences and settings
Frequency and timing of Service use
4.4. Communication Data
Email correspondence
Chat logs
Customer support tickets and interactions
Survey responses
Feedback provided
4.5. Profile Data
User preferences
Interests
Skills and expertise
Professional background
Educational information
Social media profiles (if linked)
4.6. Financial Data (for paid services)
Payment card details (processed securely through third-party payment processors)
Billing address
Transaction history
4.7. Content Data
4.8. Metadata
4.9. Third-party Data
4.9. Third-party Data
We collect this data through various means, including:
It's important to note that while we collect this range of data, we only process what is necessary for the specific purposes outlined in this policy. You have control over much of the data you provide and can manage your privacy settings within our Service.
5. How We Use Your Data
Sensay uses your personal data for various purposes to provide, maintain, and improve our Service. Here's a detailed breakdown of how we use your data:
5.1. Providing and Improving Our Service
Creating and managing your account
Authenticating your identity and providing access to our Service
Personalizing your experience based on your preferences and usage patterns
Developing new features and functionalities
Conducting research and analysis to improve our Service
Troubleshooting issues and bugs
Training and improving our AI models and algorithms
5.2. Communicating with You
Sending service-related notifications and updates
Providing customer support and responding to your inquiries
Sending newsletters, promotional materials, and marketing communications (with your consent)
Inviting you to participate in surveys or provide feedback
Notifying you about changes to our Service or policies
If we send marketing messages to Singapore telephone numbers, we will check the Do‑Not‑Call Registry or rely on the 'ongoing relationship' exemption in accordance with the PDPA's DNC provisions.
5.3. Enhancing User Experience
Customizing content and recommendations based on your preferences and behavior
Remembering your settings and preferences
Providing a seamless experience across different devices
Analyzing usage patterns to optimize our user interface and features
5.4. Ensuring Security and Compliance
Detecting and preventing fraud, spam, abuse, and security incidents
Verifying your identity for security purposes
Conducting security audits and risk assessments
Complying with legal obligations and responding to lawful requests from public authorities
Enforcing our terms of service and other policies
5.5. Creating and Managing Digital Replicas
Processing your data to create digital representations or clones
Training AI models to simulate aspects of your behavior, knowledge, or personality
Storing and managing the data associated with your digital replicas
Providing access controls for your digital replicas
5.6. Analytics and Business Intelligence
Generating aggregated, anonymized data for statistical analysis
Measuring the effectiveness of our marketing campaigns
Analyzing user engagement and retention
Producing internal reports on Service usage and performance
5.7. Financial Transactions (for paid services)
Processing payments and refunds
Maintaining billing records
Preventing fraudulent transactions
5.8. Product Development and Research
Conducting market research and analysis
Testing new features and functionalities
Developing and improving our AI technologies
Collaborating with research partners (using anonymized data)
5.9. Legal and Regulatory Compliance
Maintaining records for regulatory purposes
Responding to legal requests and subpoenas
Establishing, exercising, or defending legal claims
5.10. Customization and Advertising
Tailoring content and advertisements to your interests (with your consent)
Measuring the performance of advertising campaigns
Providing relevant offers and promotions
It's important to note that we always strive to use the minimum amount of data necessary to accomplish these purposes. We also provide you with controls to manage how your data is used, as detailed in the "User Levels of Control" section of this policy.
6. Legal Bases for Collection, Use and Disclosure of Personal Data
We collect, use and disclose your Personal Data only where permitted under Singapore's Personal Data Protection Act 2012 ("PDPA") or (for users located in the European Economic Area or United Kingdom) the GDPR.
6.1. Consent
You have given clear consent for a specific purpose (e.g. when you tick a box or connect a social‑media account).
6.2. Deemed Consent
Your consent is deemed when:
you voluntarily provide the data for a particular transaction; or
the collection, use or disclosure is reasonably necessary to conclude or perform that transaction.
6.3. Deemed Consent by Notification
Where we notify you of a new purpose and give you a reasonable opportunity to opt‑out before proceeding (PDPA s.15A).
6.4. Legitimate Interests Exception
We may rely on the statutory "legitimate interests" exception where the benefits to you or us outweigh any adverse effect on you, and we implement appropriate safeguards (PDPA Second Schedule, Para 1(e); s.13(1)(d)). AGC Singapore
6.5. Other Statutory Exceptions
Including:
Business Improvement (PDPA Schedule 2, Para 1(f));
Research (Para 1(g));
Vital Interests / Emergencies (Para 1(b));
Investigations and Legal Proceedings (PDPA Part 4).
Withdrawal of consent. You may withdraw your consent at any time by emailing info@sensay.ai. We will process the request within a reasonable period and inform you of any likely consequences (e.g. loss of service functionality).
Note for EEA/UK users. Where GDPR applies, we will continue to rely on the GDPR legal bases (Art. 6 & 9) in parallel and you retain all GDPR rights described in Section 16 below.
7. Disclosure of Your Data
Sensay may disclose your personal data to various parties under specific circumstances. We ensure that any third parties with whom we share your data are contractually bound to protect your data with the same level of care and security that we provide. Here's a detailed overview of how we may disclose your data:
7.1. Subsidiaries and Affiliates:
We may share your data with our subsidiaries and affiliated companies for purposes consistent with this privacy policy.
This sharing helps us provide integrated services across our organization and may include data transfers to different jurisdictions where our affiliates operate.
7.2. Service Providers and Contractors:
We engage third-party service providers to perform certain business functions on our behalf. These may include:
Cloud storage providers
Payment processors
Customer support services
Analytics providers
Marketing and advertising partners
IT and security services
These service providers are given access only to the personal data they need to perform their specific functions, and they are contractually obligated to maintain the confidentiality and security of your data.
7.3. Business Partners:
With your consent, we may share your data with business partners for joint marketing initiatives or collaborative services.
We ensure that these partners adhere to strict data protection standards and use your data only for the specified purposes.
7.4. Legal Compliance and Law Enforcement:
We may disclose your data to comply with applicable laws, regulations, or legal processes.
This includes responding to court orders, subpoenas, or requests from government or regulatory authorities.
We may also disclose data if we believe it's necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person.
7.5. Business Transfers:
In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your data may be transferred as part of Sensay's business assets.
We will notify you if such a transfer occurs and outline any choices you may have regarding your data.
7.6. With Your Consent:
We may share your personal data with third parties when you have given us your explicit consent to do so.
We will always ask for your consent before sharing your data for purposes not covered by this privacy policy.
7.7. Aggregated or Anonymized Data:
We may share aggregated or anonymized data that does not directly identify you with third parties for various purposes, including business intelligence, marketing, and research.
7.8. Public Forums:
If you post information in public areas of our Service, such as forums or comment sections, this information may be visible to other users and the public.
We recommend being cautious about what personal information you disclose in these public spaces.
7.9. Social Media Platforms:
If you choose to connect your Sensay account with social media platforms, we may share certain information with those platforms to enable features like single sign-on.
The data shared and how it's used will be governed by the privacy policies of those social media platforms.
7.10. Enterprise Clients:
For our enterprise clients, we may share certain data with the organization that manages your Sensay account, in accordance with our agreement with that organization.
7.11. Professional Advisors:
We may disclose your data to professional advisors, such as lawyers, auditors, and insurers, where necessary in the course of the professional services they render to us.
We take great care to ensure that any disclosures of your personal data are necessary and proportionate. We implement appropriate safeguards to protect your data during any transfers or disclosures, including data encryption and contractual obligations for recipients to protect your data.
If you have concerns about how your data is shared, please contact us using the information provided in the "Contact Details" section of this policy.
8. Data Security
At Sensay, we prioritize the security and privacy of our clients' data. Our robust security measures are designed to protect sensitive information at every stage of the data lifecycle. We continuously update our security protocols to stay ahead of potential threats and meet the evolving needs of our users, including our enterprise clients.
We implement reasonable administrative, physical and technical safeguards to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of your personal data, and to protect against similar risks, as required by PDPA s.24.
Here's a comprehensive overview of our security measures:
8.1. Data Encryption at Rest
All customer data stored in our systems is encrypted using Advanced Encryption Standard (AES) with 256-bit key length.
This industry-standard encryption ensures that data remains secure even if unauthorized access to our storage systems occurs.
Encryption keys are managed securely and rotated regularly.
8.2. Data Encryption in Transit
We use Transport Layer Security (TLS) to encrypt all data transmitted between our clients and our servers.
This ensures that data cannot be intercepted or tampered with during transmission.
We regularly update our TLS protocols to maintain the highest level of security.
8.3. Regular Security Audits
We conduct regular internal and third-party security audits to identify and address potential vulnerabilities.
These audits include penetration testing, vulnerability assessments, and code reviews.
We promptly address any identified issues and continuously improve our security posture.
8.4. Access Controls
Strict access controls and authentication measures are in place to ensure that only authorized personnel can access sensitive data.
We implement multi-factor authentication for all employee access to our systems.
Access rights are regularly reviewed and updated based on the principle of least privilege.
8.5. Network Security
Our infrastructure is protected by enterprise-grade firewalls and intrusion detection/prevention systems.
We employ network segmentation to isolate sensitive data and systems.
Regular vulnerability scans and patch management ensure our systems are up-to-date and secure.
8.6. Physical Security
Our data centers are protected by multiple layers of physical security measures.
These include 24/7 surveillance, biometric access controls, and environmental controls.
8.7. Employee Training and Awareness
All employees undergo regular security awareness training.
We have strict policies and procedures in place for handling sensitive data.
8.8. Incident Response Plan
We maintain a comprehensive incident response plan to quickly address any potential security breaches.
Our team is trained to detect, respond to, and mitigate security incidents promptly.
8.9. Compliance
Our security measures are designed to comply with industry standards and regulations such as GDPR and CCPA applicable.
We regularly review and update our practices to maintain compliance with evolving regulations.
8.10. Third-Party Risk Management
We carefully vet and monitor all third-party service providers who may have access to our systems or data.
We require our vendors to maintain stringent security standards and undergo regular assessments.
8.11. Data Backup and Recovery
We maintain regular backups of all critical data.
Our backup systems are encrypted and stored securely in geographically separate locations.
We regularly test our data recovery procedures to ensure business continuity.
8.12. Upcoming Security Enhancement: Enterprise Node with FHE
We are excited to announce an upcoming security feature that will provide an unprecedented level of data protection for our enterprise clients:
Enterprise-Run Nodes with Fully Homomorphic Encryption (FHE)
Enterprise clients will soon have the option to run their own Sensay nodes within their own infrastructure.
These nodes will utilize Fully Homomorphic Encryption (FHE), a cutting-edge encryption technology that allows computations to be performed on encrypted data without decrypting it.
Key benefits of this feature include:
Enhanced Data Control: Clients maintain complete control over their data, as it never leaves their infrastructure in an unencrypted form.
Confidentiality of AI Operations: The AI models can process encrypted data, ensuring that even Sensay cannot access the raw data or the specifics of how it's being used.
Regulatory Compliance: This approach can help enterprises meet strict regulatory requirements regarding data locality and privacy.
Customization: Enterprises can customize their node setup to meet specific security and operational requirements.
Future-Proof Security: FHE provides protection against potential future threats, including those from quantum computing.
8.13. Data Breach Reporting
If a data breach occurs that: (a) is likely to result in significant harm to you, or (b) affects 500 or more individuals, we will:
Notify the Personal Data Protection Commission (PDPC) as soon as practicable and in any case no later than three (3) calendar days after establishing that the breach is notifiable (PDPA s.26D).
Notify affected individuals as soon as practicable after notifying the PDPC, providing:
the nature of the data breached;
when it occurred;
actions we have taken or will take;
guidance on what you can do to protect yourself.
We keep an incident register and review our security controls after every reportable event.
We are committed to continuously improving our security measures and providing our clients with the highest level of data protection available. If you have any questions about our security practices or the upcoming Enterprise Node with FHE feature, please contact our security team.
9. Data Management and Privacy Layers
At Sensay, we understand that different types of data require different levels of privacy and protection. To address this, we have implemented a multi-layered approach to data management and privacy:
9.1. Public Replicas
These are digital replicas designed for broad interaction and sharing.
Public replicas can engage with a wide audience, providing general information and experiences.
They do not contain or disclose sensitive personal data.
Users have control over what information is included in their public replicas.
9.2. Private Replicas
Private replicas are restricted to the user and specific whitelisted accounts.
These replicas contain more detailed and personal information.
Access is strictly controlled to ensure that only trusted individuals can interact with private replicas.
Users can manage the whitelist and revoke access at any time.
9.3. Secrets in Public Replicas
Some public replicas include "Secrets", which are pieces of information accessible only to whitelisted accounts.
This feature allows users to share certain details selectively, even within a public setting.
It provides an additional layer of privacy for sensitive information within otherwise public replicas.
9.4. Data Storage and Transfer
All data, regardless of its privacy layer, is stored securely using encryption at rest.
Data transfers between privacy layers or to authorized third parties are conducted using secure, encrypted channels.
We ensure that data storage and transfer processes comply with GDPR and other relevant regulations.
9.5. Access Controls
Each privacy layer has its own set of access controls.
Users can define and manage access permissions for their replicas and data.
Our system enforces these access controls rigorously to prevent unauthorized data access.
9.6. Data Isolation
We maintain strict isolation between different users' data and between different privacy layers.
This ensures that data from one privacy layer or user cannot inadvertently leak into another.
9.7. Audit Trails
We maintain detailed audit trails of all access to and modifications of data across all privacy layers.
Users can review these audit trails to monitor access to their data.
9.8. Data Minimization
We apply the principle of data minimization across all privacy layers.
Only the data necessary for the intended purpose is collected and processed within each layer.
9.9. User Education
We provide clear guidance and education to users about the different privacy layers and their implications.
Users are empowered to make informed decisions about which privacy layer to use for different types of data and interactions.
9.10. Consent Management
Users must provide explicit consent for data to be moved between privacy layers.
Consent is granular, allowing users to control exactly what data is shared and with whom.
9.11. Data Portability
Users can export their data from any privacy layer in a machine-readable format.
This supports data portability rights and allows users to transfer their data between services if desired.
9.12. Deletion and Right to be Forgotten
Users can request deletion of their data from any privacy layer.
We ensure that data is securely and completely erased across all relevant systems and backups.
By implementing these privacy layers and management practices, we aim to provide our users with flexible, powerful tools to control their data while ensuring the highest standards of privacy and security.
10. User Levels of Control
At Sensay, we believe in empowering our users with comprehensive control over their personal data. We provide various tools and settings that allow you to manage your privacy preferences and data usage. Here's a detailed overview of the control you have:
10.1. Account Settings
Modify your profile information at any time
Update your contact details and communication preferences
Change your password and security settings
Manage linked accounts (e.g., social media integrations)
10.2. Privacy Settings
Control the visibility of your profile and content
Manage who can see and interact with your digital replicas
Set default privacy levels for new content you create
Control data sharing with third-party integrations
10.3. Data Access
Request a copy of all personal data we hold about you
Download your data in a machine-readable format
View and manage your data across different privacy layers
10.4. Data Modification
Edit or update any of your personal data
Correct inaccuracies in your information
Request changes to how your digital replicas behave or respond
10.5. Data Deletion
Delete specific pieces of content or data
Request complete deletion of your account and associated data
Understand the implications of data deletion on your service usage
10.6. Consent Management
View and modify your consent settings for various data processing activities
Opt in or out of specific data uses, such as marketing communications or research
Withdraw consent for processing activities at any time
10.7. Digital Replica Control
Create, modify, or delete your digital replicas
Control the data sources used to train your replicas
Manage access permissions for your replicas
Pause or deactivate your replicas temporarily or permanently
10.8. Communication Preferences
Choose which types of communications you want to receive from us
Set preferences for notification frequency and channels
Unsubscribe from marketing communications with a single click
10.9. Third-Party Data Sharing
View which third parties have access to your data
Control what data is shared with these parties
Revoke access for specific third parties at any time
10.10. Data Portability
Export your data in a standard, machine-readable format
Transfer your data to other services or platforms
10.11. Activity Logs
View logs of activities related to your account and data
Monitor access to your digital replicas
Receive notifications for important account activities
10.12. AI Training Opt-Out
Choose whether your data can be used to train our AI models
Opt out of specific types of AI training or usage
10.13. Cookie Control
Manage your cookie preferences through our cookie banner
Choose which types of cookies you accept or reject
Update your cookie settings at any time
10.14. Geographic Restrictions
Set geographic restrictions on where your digital replicas can be accessed
Control data processing locations for compliance with local regulations
10.15. Two-Factor Authentication
Enable or disable two-factor authentication for enhanced account security
Choose your preferred 2FA method (e.g., SMS, authenticator app)
10.16. Account Deactivation
Temporarily deactivate your account without deleting your data
Understand the difference between deactivation and deletion
These controls are accessible through your account settings on our platform. We are committed to continually improving and expanding these controls to give you the utmost transparency and authority over your personal data.
If you need assistance with any of these controls or have questions about managing your data, please contact our support team. We're here to help you understand and exercise your data rights effectively.
11. Company Levels of Control
As a data controller, Sensay implements various organizational and technical measures to ensure the proper handling and protection of user data. These company-level controls are designed to comply with data protection regulations and maintain the trust of our users. Here's an overview of our internal controls:
11.1. Data Processing
Consent-Based Processing: We process personal data primarily based on explicit consent from users. Consent is obtained transparently, and users are informed about the specific purposes for which their data will be used.
Legitimate Business Purposes: In addition to consent, we may process data for legitimate business purposes, such as improving services, conducting research, and ensuring security and compliance. We conduct regular assessments to ensure these purposes are justified and do not override user rights.
11.2. Data Protection
Encryption Protocols: All data, both in transit and at rest, is secured using advanced encryption protocols to prevent unauthorized access and data breaches.
Access Controls: Strict access control measures are implemented to ensure that only authorized personnel can access sensitive data. This includes multi-factor authentication and role-based access controls.
Security Audits: Regular security audits are conducted to identify and mitigate potential vulnerabilities. These audits are performed by internal and external experts to ensure comprehensive security coverage.
11.3. Data Auditing
Regular Audits: We conduct regular audits of our data processing activities to ensure compliance with GDPR and other relevant data protection regulations. These audits assess data handling practices, security measures, and user consent management.
Transparency Reports: We provide transparency reports to users, outlining data processing activities, security measures, and any incidents or breaches that may have occurred. These reports are part of our commitment to transparency and accountability.
11.4. Data Protection Officer (DPO)
We have appointed a Data Protection Officer responsible for overseeing our data protection strategy and implementation.
The DPO ensures that we remain compliant with data protection laws and serves as a point of contact for users and supervisory authorities on privacy matters.
11.5. Employee Training
All employees undergo regular data protection and privacy training.
We maintain a culture of privacy awareness throughout the organization.
11.6. Data Protection Impact Assessments (DPIAs)
We conduct DPIAs for new projects or significant changes that involve processing personal data.
These assessments help us identify and mitigate privacy risks before they occur.
11.7. Vendor Management
We carefully vet and monitor all third-party vendors who may have access to user data.
Data processing agreements are in place with all vendors, ensuring they adhere to our strict data protection standards.
11.8. Incident Response Plan
We maintain a comprehensive incident response plan to address potential data breaches quickly and effectively.
Regular drills and updates ensure our team is prepared to handle any data protection incidents.
11.9. Data Retention Policies
We have implemented clear data retention policies that define how long different types of data are kept.
Automated systems ensure that data is securely deleted when it is no longer needed for the purposes for which it was collected.
11.10. Compliance Monitoring
We continuously monitor changes in data protection laws and regulations.
Our policies and practices are regularly updated to ensure ongoing compliance.
11.11. Privacy by Design
We incorporate privacy considerations into all stages of product development and business operations.
Privacy-enhancing technologies are integrated into our systems and processes.
11.12. Internal Audits
Regular internal audits are conducted to ensure that our data protection practices align with our policies and legal requirements.
Audit findings are reported to senior management and used to drive continuous improvement.
11.13. Documentation
We maintain detailed documentation of all our data processing activities, including purposes, categories of data, recipients, and security measures.
This documentation is regularly reviewed and updated to ensure accuracy and completeness.
11.14. Data Minimization Practices
We implement data minimization techniques to ensure we only collect and process the data necessary for specified purposes.
Regular reviews are conducted to identify and eliminate unnecessary data collection or processing.
These company-level controls demonstrate our commitment to protecting user data and maintaining the highest standards of privacy and security. We continuously evaluate and enhance these controls to adapt to the evolving data protection landscape and to meet the expectations of our users.
12. End-to-End Encryption and Security
At Sensay, we employ advanced encryption technologies to ensure the highest level of data protection for our users. Our approach includes both end-to-end encryption providing robust security for sensitive information.
12.1. Data Encryption
We use end-to-end encryption to protect data from the moment it is collected until it reaches its intended destination.
This ensures that data remains secure during transmission and storage, and can only be decrypted by the intended recipient.
12.2. Secure Channels
All communication between users and Sensay's servers is encrypted using secure channels (e.g., TLS/SSL).
This prevents unauthorized interception and access to sensitive information during transit.
12.3. Encrypted Storage
Data stored on Sensay's servers is encrypted using advanced encryption standards.
Even if data is accessed unlawfully, it remains unreadable and secure without the proper decryption keys.
12.4. Key Management
We implement robust key management practices to ensure the security of encryption keys.
Keys are rotated regularly and stored securely, separate from the encrypted data.
12.5. Client-Side Encryption
Where possible, we implement client-side encryption, meaning data is encrypted on the user's device before being transmitted to our servers.
This ensures that even Sensay cannot access the unencrypted data.
12.6. Perfect Forward Secrecy
We employ perfect forward secrecy in our encryption protocols.
This means that even if a encryption key is compromised in the future, it cannot be used to decrypt past communications.
12.7. Encrypted Backups
All data backups are encrypted to ensure that data remains protected even in backup storage.
13. Data Retention
We retain personal data only for as long as it is reasonably necessary to fulfil the purpose for which it was collected, or as required for legal or business purposes. When retention is no longer necessary, we will destroy or anonymise the data in a secure manner in compliance with PDPA s.25.
Sensay Data Retention and Usage policies are compliant with both PDPA for Singaporean users and GDPR for European users.
13.1. General Retention Periods
Account Information: Retained for the duration of your account's active status. If you haven't used your account for 24 months, we will notify you and may deactivate your account if you don't respond.
Transaction Data: Kept for 7 years to comply with tax and accounting regulations.
Communication Records: Stored for 3 years from the date of last communication for customer support purposes.
Usage Data: Retained for 18 months to improve our services and user experience.
Marketing Data: Kept for 2 years from the last interaction unless you opt-out earlier.
13.2. Data Associated with Digital Replicas
Retained for as long as the digital replica is active.
Users can delete their replicas at any time, which will trigger the deletion of associated data.
Inactive replicas that haven't been accessed for 12 months may be archived or deleted after notifying the user.
13.3. Log Data and Analytics
System logs are retained for 6 months for security and troubleshooting purposes.
Aggregated, anonymized analytics data may be retained indefinitely as it cannot be used to identify individuals.
13.4. Data Backup Retention
We maintain encrypted backups of data for disaster recovery purposes.
Backups are retained for 30 days, after which they are securely deleted.
13.5. Legal Hold
If we receive a legal order or are involved in litigation, we may need to retain certain data beyond our normal retention period.
We will notify affected users of such legal holds unless prohibited by law.
13.6. User-Requested Deletion
When you request deletion of your data, we will delete or anonymize it within 30 days.
Some data may be retained in encrypted backups for up to 30 additional days until those backups are overwritten.
13.7. Archived Data
Some data may be archived for statistical, historical, or research purposes.
Archived data is secured with strong encryption and access controls.
13.8. Retention of Encrypted Data
For data protected by end-to-end encryption or FHE, the encrypted data may be retained, but without the decryption keys, it remains inaccessible and effectively deleted.
13.9. Third-Party Data Retention
We require our third-party service providers to adhere to retention periods compatible with our policies.
We conduct regular audits to ensure compliance.
13.10. Review and Update of Retention Policies
Our data retention policies are reviewed annually and updated as necessary to reflect changes in our services, legal obligations, and user needs.
13.11. User Control Over Retention
Users can request earlier deletion of their data at any time through their account settings or by contacting our support team.
We provide tools for users to export their data before requesting deletion.
13.12. Retention Notifications
We will notify users before deleting their data due to inactivity or the end of a retention period, giving them the opportunity to extend the retention if desired.
13.13. Anonymization
Where possible, we anonymize data instead of deleting it entirely. This allows us to retain useful information for analytics and service improvement without compromising individual privacy.
13.14. Special Categories of Data
Special categories of personal data (e.g., health information) are subject to shorter retention periods unless a longer retention is required by law or explicitly consented to by the user.
We are committed to being transparent about our data retention practices. If you have any questions about how long we retain specific types of data, please contact our Data Protection Officer using the information provided in the "Contact Details" section of this policy.
Remember that even after data is deleted from our active systems, it may persist in backups for a limited time. However, we ensure that all backups are securely deleted according to our retention schedule.
14. Cookie Policy
Cookies are small text files that are placed on your device when you visit our website or use our services. They help us provide you with a better experience and allow certain features to function properly. At Sensay, we use cookies and similar technologies (like web beacons and pixels) for various purposes. Here's a detailed explanation of our cookie usage:
14.1. Types of Cookies We Use
14.1.1. Essential Cookies
These are necessary for the Service to function and cannot be switched off.
They are usually only set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
You can set your browser to block these cookies, but some parts of the site may not work properly.
14.1.2. Performance Cookies
These help us understand how you use our Service by collecting and reporting information anonymously.
They allow us to count visits and traffic sources so we can measure and improve the performance of our site.
If you block these cookies, we won't know when you've visited our site.
14.1.3. Functionality Cookies
These enable the website to provide enhanced functionality and personalization.
They may be set by us or by third-party providers whose services we have added to our pages.
If you block these cookies, some of these services may not function properly.
14.1.4. Targeting Cookies
These may be set through our site by our advertising partners.
They are used to build a profile of your interests and show you relevant ads on other sites.
They don't store personal information directly, but are based on uniquely identifying your browser and device.
By continuing to use this site, you consent to the collection, use and disclosure of cookies data in accordance with the Singapore PDPA.
14.2. How We Use Cookies
To remember your preferences and settings
To keep you logged in to our Service
To understand how you use our Service
To detect and prevent fraud
To analyze the performance and effectiveness of our Service
To display personalized content and advertising
14.3. Third-Party Cookies
Some cookies are placed by third-party services that appear on our pages.
We use third-party analytics services (e.g., Google Analytics) which use cookies to help us analyze how users use the Service.
We have agreements with these third parties ensuring they handle your data in compliance with data protection regulations.
14.4. Cookie Consent
When you first visit our Service, we will ask for your consent to use non-essential cookies.
You can change your cookie preferences at any time through our cookie settings panel.
14.5. Managing Cookies
Most web browsers allow you to control cookies through their settings preferences.
However, limiting cookies may impact your experience and functionality of our Service.
14.6. Cookie Lifespan
Session Cookies: These are temporary and are deleted when you close your browser.
Persistent Cookies: These remain on your device until they expire or you delete them.
14.7. Do Not Track
Some browsers have a "Do Not Track" feature. Our Service does not currently respond to "Do Not Track" signals.
14.8. Updates to Cookie Policy
We may update our Cookie Policy from time to time. We will notify you of any significant changes.
14.9. Cookies and Personal Data
While cookies themselves don't typically contain personal data, they can be linked with personal data you provide in other ways (e.g., when you log in).
We treat information collected by cookies and other technologies as non‑personal information unless applicable law requires otherwise.
14.10. Cookie-Like Technologies
We also use technologies like web beacons, pixels, and local storage, which function similarly to cookies.
Our Cookie Policy applies to these technologies as well.
14.11. Opting Out
You can opt-out of certain cookie-based tracking through industry programs like the Digital Advertising Alliance or Network Advertising Initiative.
14.12. Mobile Devices
If you access our Service through a mobile device, similar data may be collected through other technologies like mobile ad identifiers.
For more detailed information about the specific cookies we use and their purposes, please visit our Cookie Settings panel, accessible through the Service. If you have any questions about our use of cookies, please contact us using the information in the "Contact Details" section.
15. Ethical Considerations of Digital Cloning
At Sensay, we recognize that the creation and use of digital replicas (or "digital clones") raise important ethical considerations. We are committed to addressing these concerns transparently and responsibly. Here's an overview of our approach to the ethical aspects of digital cloning:
15.1. Informed Consent
We obtain explicit, informed consent from individuals before creating their digital replicas.
Users are provided with clear, comprehensive information about the process, potential uses, and implications of their digital replicas.
Consent can be withdrawn at any time, leading to the deactivation and deletion of the digital replica.
15.2. Transparency
We are open about the capabilities and limitations of our digital replica technology.
Users are informed about how their data is used to create and maintain their digital replicas.
We provide clear information about who can access and interact with digital replicas.
15.3. Privacy and Data Protection
Digital replicas are subject to the same stringent privacy and security measures as other personal data.
Users have granular control over what information is included in their digital replicas and how they are used.
15.4. Accuracy and Representation
We strive to ensure that digital replicas accurately represent the individual's knowledge, personality, and values.
Users can review and modify their digital replicas to ensure they align with their current views and preferences.
15.5. Preventing Misuse
We have strict policies against using digital replicas for deception, impersonation, or any malicious purposes.
Technical measures are in place to prevent unauthorized creation or use of digital replicas.
15.6. Emotional and Psychological Impact
We acknowledge the potential emotional impact of interacting with digital replicas, especially of deceased individuals.
Clear labeling ensures that users are always aware they are interacting with a digital replica, not the actual person.
15.7. Intellectual Property Rights
We respect the intellectual property rights of individuals in relation to their digital replicas.
Users retain rights over the content and intellectual property they contribute to their digital replicas.
15.8. Ethical Use in Business and Research
We have guidelines for the ethical use of digital replicas in business, education, and research contexts.
Any use of digital replicas for research purposes is subject to ethical review and approval.
15.9. Child Protection
We have special safeguards and restrictions for the creation and use of digital replicas of minors.
Parental consent is required for any digital replica creation involving individuals under the age of consent.
15.10. Cultural Sensitivity
We respect cultural differences in attitudes towards digital representation and afterlife.
Users can set cultural preferences that affect how their digital replicas operate.
15.11. Transparency in AI Interaction
We clearly disclose when AI is being used in the creation or operation of digital replicas.
Users are informed about the extent of AI involvement in generating responses or behaviors.
15.12. Right to be Forgotten
Users have the right to completely delete their digital replicas and associated data.
We provide clear processes for exercising this right, including posthumous deletion requests.
15.13. Ethical Review Board
We maintain an independent ethical review board to assess and advise on ethical issues related to digital cloning.
This board regularly reviews our practices and policies to ensure they align with ethical standards.
15.14. Ongoing Ethical Assessment
We continuously evaluate the ethical implications of advancements in our digital cloning technology.
We engage with ethicists, policymakers, and the public to address emerging ethical concerns.
15.15. Education and Awareness
We provide resources to help users understand the ethical implications of digital cloning.
We participate in public discussions and academic forums on the ethics of AI and digital representation.
15.16. Posthumous Management
We offer options for users to set preferences for the management of their digital replicas after death.
These include options for deletion, archiving, or continued operation under specified conditions.
15.17. Ethical AI Training
Our AI models used in digital replicas are trained with ethical considerations in mind, including fairness and bias mitigation.
15.18. Transparency in Limitations
We are clear about the current limitations of digital replica technology to manage user expectations.
Users are informed that digital replicas are simulations and may not perfectly replicate human behavior or decision-making.
By adhering to these ethical principles, we aim to ensure that our digital cloning technology is developed and used in a way that respects individual rights, promotes transparency, and contributes positively to society. We recognize that ethical considerations in this field are complex and evolving. We are committed to ongoing dialogue with users, experts, and stakeholders to continually refine our approach to these important issues.
Ethical Considerations of Digital Cloning (continued)
In this field are complex and evolving. We are committed to ongoing dialogue with users, experts, and stakeholders to continually refine our approach to these important issues.
16. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation (GDPR), you have several rights concerning your personal data. At Sensay, we are committed to facilitating the exercise of these rights. Here's a detailed explanation of your rights and how you can exercise them:
16.1. Right to be Informed
You have the right to be informed about the collection and use of your personal data.
We provide this information through this privacy policy and additional notices where necessary.
If we decide to use your data for a new purpose, we will provide you with additional information.
16.2. Right of Access
You have the right to request a copy of your personal data that we hold.
We will provide this information free of charge (for the first request) within one month of your request.
To request access, use the "Data Access Request" feature in your account settings or contact our Data Protection Officer.
16.3. Right to Rectification
You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
You can update most of your information directly through your account settings.
For data you can't update yourself, contact our support team, and we'll make the changes within one month.
16.4. Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of your personal data in certain circumstances (e.g., when the data is no longer necessary for the purposes it was collected).
To request erasure, use the "Delete My Data" option in your account settings or contact our Data Protection Officer.
We will comply with your request within one month unless there's a legal reason to retain some data.
16.5. Right to Restrict Processing
You can request that we limit the way we use your personal data.
This right applies in specific circumstances, such as when you contest the accuracy of your data.
To exercise this right, contact our Data Protection Officer with details of your request.
16.6. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
You can also request that we transfer this data directly to another controller.
Use the "Export My Data" feature in your account settings to exercise this right.
16.7. Right to Object
You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing.
To object to marketing, use the unsubscribe link in our emails or adjust your communication preferences in your account settings.
For other objections, contact our Data Protection Officer with details of your request.
16.8. Rights Related to Automated Decision Making and Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
While we use automation in our services, we do not make solely automated decisions with significant effects. If this changes, we will inform you and provide ways to request human intervention or challenge the decision.
16.9. Right to Withdraw Consent
Where we process data based on consent, you have the right to withdraw that consent at any time.
You can withdraw consent for specific processing activities in your account settings or by contacting our Data Protection Officer.
To exercise any of these rights, please use the relevant features in your account settings or contact our Data Protection Officer using the information provided in the "Contact Details" section of this policy. We will respond to all requests within one month. In complex cases, we may extend this period by two months, but we will inform you of any such extension within the first month.
Please note that while we will always strive to accommodate your rights, there may be situations where we are legally obligated to retain certain data. We will explain any such limitations when responding to your requests.
16.10. Rights under Singapore PDPA
Right
What it means
How to exercise
Access
Obtain a copy of the personal data we hold about you and information on how we use or disclose it.
Email info@sensay.ai with the subject line "Data Access Request"
Data Portability
Ask us to transmit a copy of your data in machine‑readable form to another organisation (when this obligation comes into force).
Submit a portability request form (available on request)
Withdrawal of Consent
Stop us from using your data for one or more purposes.
See Section 6 above
Opt‑out of Targeted Advertising
Object to the use of your data for targeted ads.
Toggle the preference centre in your account or email us
Complaint to PDPC
Lodge a complaint with Singapore's Personal Data Protection Commission if you believe we have breached the PDPA.
Visit https://www.pdpc.gov.sg
We will respond within 30 calendar days or explain why more time is needed.
16.11. Additional Rights for EEA/UK Residents under GDPR
If you reside in the EEA or UK you also have the GDPR rights to erasure, restriction of processing, objection, and data portability in accordance with Articles 17–22 GDPR. Requests may be sent to the same DPO contact.
17. International Data Transfers
Sensay operates globally, which means that your personal data may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
We are headquartered in Singapore but use cloud infrastructure and service providers around the world. Whenever we transfer personal data outside Singapore, we will ensure that:
17.1. Comparable Protection
The recipient country or organisation provides a standard of protection that is comparable to the PDPA, for example through:
a legally enforceable data‑transfer agreement;
binding corporate rules;
certification to PDPC‑approved standards; or
reliance on a specific statutory exemption.
17.2. Additional Measures for EEA/UK Data
For data originating from the EEA or UK we rely on the EU‑approved Standard Contractual Clauses ("SCCs")or the UK Addendum, together with supplementary measures where necessary, to ensure GDPR‑level protection.
17.3. Onward Transfers
Third‑party recipients must obtain our written consent before making any onward transfer unless required by law.
We do not participate in the (now‑invalid) EU‑U.S. Privacy Shield framework. A copy of our standard data‑transfer agreement is available on request.
Here's how we handle international data transfers:
17.4. Adequacy Decisions
Where possible, we transfer data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
17.5. Standard Contractual Clauses
For transfers to countries without an adequacy decision, we implement Standard Contractual Clauses (SCCs) approved by the European Commission.
These clauses ensure that your personal data receives an adequate level of protection in the recipient country.
17.6. Privacy Shield
While the EU-U.S. Privacy Shield is no longer valid for EU-U.S. transfers, we continue to comply with Privacy Shield principles as a demonstration of our commitment to data protection
17.7. Binding Corporate Rules
For intra-group transfers, we are in the process of implementing Binding Corporate Rules to ensure consistent protection of personal data across our global operations.
17.8. Consent
In some cases, we may transfer your data based on your explicit consent to the transfer, after informing you of the possible risks.
17.9. Necessary for Contract Performance
We may transfer your data if it's necessary for the performance of a contract between you and Sensay, or for pre-contractual measures taken at your request.
17.10. Data Localization Options
For enterprise clients with specific data residency requirements, we offer options to keep data within specified geographical regions.
17.11. Transparency
We are transparent about where your data is processed. You can find information about our data centers and processing locations in your account settings.
17.12. Third-Party Transfers
We ensure that any third parties we share data with also comply with appropriate data transfer mechanisms.
17.13. Data Transfer Impact Assessments
We conduct regular assessments of our data transfer mechanisms to ensure they provide adequate protection in light of any changes in law or circumstances.
17.14. Encryption in Transit
All data transfers are encrypted using industry-standard protocols to protect data during transmission.
17.15. Right to Information
You have the right to obtain information about the safeguards we use for international data transfers. Contact our Data Protection Officer for more details.
17.16. EU Representative
We have appointed a representative in the EU to act as a point of contact for EU data subjects and supervisory authorities.
17.17. Monitoring of International Transfer Laws
We closely monitor changes in international data transfer laws and adjust our practices accordingly.
If you have any questions or concerns about our international data transfer practices, please contact our Data Protection Officer using the information provided in the "Contact Details" section.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we do, we will update the "last updated" date at the top of this policy. If we make significant changes to this policy, we will notify you through a prominent notice on our Service or by sending you a direct communication.
18.1. Notification of Changes
For material changes, we will provide notification via email, in-app notifications, or prominent notices on our website at least 30 days before the changes take effect.
For minor changes, we may update the policy without prior notification, but we will always indicate the last updated date.
18.2. Review of Changes
We encourage you to review this policy periodically to stay informed about how we protect your personal data.
18.3. Consent to Changes
Your continued use of our Service after any changes to this policy constitutes your acceptance of the new terms.
If you do not agree with the changes, you should discontinue using our Service and contact us to close your account.
18.4. Archive of Previous Versions
We maintain an archive of previous versions of this policy, which you can request by contacting our Data Protection Officer.
18.5. Explanation of Changes
When we make significant changes, we will provide a summary of what has changed along with the updated policy.
18.6. Regulatory Compliance
We update this policy to ensure ongoing compliance with applicable data protection laws and regulations.
18.7. User Rights
If changes to this policy affect your rights or the way we use your data, we will obtain your consent where required by applicable law.
18.8. Third-Party Notifications
If changes affect our relationships with third-party processors, we will notify and update agreements with these parties as necessary.
18.9. Staff Training
Our staff receives training on any significant changes to this policy to ensure consistent implementation across our organization.
18.10. Feedback Mechanism
We welcome your feedback on any changes to this policy. You can provide feedback through our support channels or by contacting our Data Protection Officer.
19. Contact Details
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please don't hesitate to contact us. Here are the ways you can reach us:
19.1. Data Protection Officer
Name: Marco Bettiolo
Email: gdpr@sensay.io
19.2. General Privacy Inquiries
Email: gdpr@sensay.io
19.3. Customer Support
Email: contact@sensay.io
Live Chat: Available through our website and telegram channel
19.4. Social Media
While we monitor our social media channels, please do not share personal information or account details through these public platforms. Use the secure methods above for privacy-related communications.
19.5. Response Times
We aim to respond to all privacy-related inquiries within 72 hours.
For formal data subject requests under GDPR, we will respond within one month as required by law
19.6. Availability
Our support team is available 9am - 5pm SGT.
For urgent privacy matters outside of these hours, please use the emergency contact number provided in your account settings.
19.7. Verification Process
To protect your privacy, we will verify your identity before discussing or acting on any privacy-related requests.
We are committed to addressing your concerns and respecting your privacy rights. If you are unsatisfied with our initial response, please let us know, and we will escalate your concern to the appropriate team for further review.
Thank you for trusting Sensay with your personal data. We are committed to protecting your privacy and ensuring a secure, enjoyable experience with our Service.
