Privacy Policy

1. What we collect

• Email address — collected at sign-up via magic-link authentication. Used only for account access; never shown publicly.
• Tenancy agreement / Stamp Certificate — uploaded by you to verify your tenancy. Stored encrypted in private storage. Never published. Never shown to other users or landlords.
• Extracted property data — address, unit number, and tenancy dates extracted from your document by Claude AI (Anthropic). We explicitly exclude names, NRIC numbers, signatures, deposit amounts, and landlord contact details from extraction.
• Review content — your structured ratings and optional free-text comment, published anonymously. No identifying information is published.
• Session and usage data — anonymous session identifiers stored in your browser’s sessionStorage for aggregate platform analytics (e.g. how many searches happen per day). We do not collect IP addresses, device fingerprints, or individual browsing histories.
• Recently viewed properties — stored in your browser’s localStorage on your device only. Not transmitted to our servers.

2. Why we collect it

• To verify that you were a tenant at the property you are reviewing (legitimate interest / contractual necessity).
• To authenticate your account and protect the integrity of reviews.
• To run automated content moderation on free-text comments before publication.
• To generate anonymised aggregate statistics for the admin dashboard (sign-ups, searches, review activity). These are not linked to individual identities in any public display.

3. Who we share it with

• Supabase — database and encrypted storage provider. Data is processed in their Singapore/US regions per their Data Processing Agreement.
• Anthropic (Claude AI) — used to extract address and tenancy data from lease documents and to moderate review text for safety. Document content is sent to their API and is subject to Anthropic’s privacy policy. We do not send names, NRIC, or financial data.
• Cloudflare — edge network and hosting. Traffic passes through Cloudflare’s network infrastructure.
• We do not sell personal data. We do not share it with third parties for advertising or marketing.

4. Retention periods

• Lease documents — retained for the duration of your account and for up to 12 months after account deletion to allow dispute resolution. After that period they are permanently deleted.
• Published reviews — retained indefinitely while your account is active, unless you request removal or they are taken down following a moderation decision. If your account is deleted, reviews may remain published in anonymised form (no account link) unless you specifically request full removal.
• Email addresses — retained for as long as your account exists and deleted within 30 days of an account deletion request.

5. Anonymity — what it means in practice

Published reviews are publicly anonymous: your name, email, account handle, and NRIC are never displayed. Only the tenancy year and your structured ratings appear.

Internally, our moderation team can link a review to your account for fraud prevention, legal compliance, and dispute resolution. This internal record is never disclosed to landlords, agents, property managers, or other users. If compelled by a valid Singapore court order, we would notify you before disclosure where legally permitted.

6. Internal access controls

Access to personal data (lease documents, email addresses, account records) is restricted to authorised administrators only, authenticated via verified accounts with role-based access control. We do not grant third parties or contractors access to raw personal data without a specific, documented purpose.

7. Your rights under PDPA

Under the PDPA you have the right to:

• Access — request a copy of personal data we hold about you.
• Correction — request correction of inaccurate personal data.
• Withdrawal of consent — withdraw consent and request deletion of your account and associated data.
• Portability — request your data in a machine-readable format.
• Opt-out of marketing — we do not send marketing emails, but you can unsubscribe from any transactional emails.

To exercise any of these rights, leave an enquiry via the feedback form (the "Share feedback" button in the navigation). We will respond within 10 business days in line with PDPC guidelines.

8. Security incidents

We take reasonable technical and organisational measures to protect your data. In the event of a data breach that affects your personal data, we will notify you by email within 72 hours of becoming aware of the incident (where feasible), and will notify the PDPC as required under the Mandatory Data Breach Notification obligation (effective 1 October 2021). You can report security concerns via the feedback form (the "Share feedback" button in the navigation).

9. Cookies and local storage

We use Supabase Auth which stores your authentication session in localStorage. We store recently viewed property IDs in localStorage for your convenience. Anonymous session IDs are stored in sessionStorage (cleared when you close the tab). We do not use third-party advertising cookies or tracking pixels.

10. Changes to this policy

We will update this policy as our practices change and notify registered users by email of material changes. Continued use of the platform after a policy change constitutes acceptance of the updated policy.

11. Data Protection Officer

Inkwise has appointed a Data Protection Officer (DPO) as required under the Singapore Personal Data Protection Act 2012. The DPO is responsible for ensuring Inkwise complies with the PDPA and for handling data protection enquiries.

To contact the DPO — including to exercise your rights under section 7, report a suspected data breach, or raise any data protection concern — email: dpo@inkwise.club. We will respond within 10 business days.

12. Contact

General enquiries: leave a message via the feedback form (the "Share feedback" button in the navigation).