AgentSure
← Back to Legal
AgentSure Legal · v0.1

Privacy Policy

Effective 2026-05-13 · AgentSure Pte. Ltd. (UEN 202620442W)

This policy explains how AgentSure Pte. Ltd. ("AgentSure", "we", "us") handles personal data. It applies to our website (agentsure.tech), Quantify (AI risk audit), Pulse (regulatory intelligence), and related services.

1. Who is the data controller

AgentSure Pte. Ltd. (UEN 202620442W), 160 Robinson Road #14-04 SBFC, Singapore 068914. Contact our Data Protection Officer at dpo@agentsure.tech.

2. What data we collect

2.1 When you sign up

  • Email address (required)
  • Name (optional)
  • Company name and role (optional)
  • Business type (optional, to route the right Vertical Pack of controls)

2.2 When you use the Services

  • LLM endpoint URLs and API credentials you provide for testing (encrypted at rest, see Security)
  • Prompts and model outputs generated during Assessments (typically synthetic; you control whether real data is submitted)
  • Assessment Reports and associated metrics
  • Audit log entries (who did what, when)

2.3 Technical telemetry

  • IP address (hashed with SHA-256 + salt for analytics; full IP not retained)
  • User agent string
  • Page views and clicks (PostHog Cloud EU, pseudonymised)
  • Application errors and stack traces (Sentry, no PII)

3. Why we collect it (legal basis)

PurposeLegal basis (PDPA)Legal basis (GDPR)
Provide the Services (deliver Assessment Reports, send notifications)Consent + contractual necessityArt. 6(1)(b) — contract
Improve product (aggregated, anonymised analytics)Legitimate interestArt. 6(1)(f) — legitimate interest
Send transactional emails (sign-up, scan-ready)Consent + contractual necessityArt. 6(1)(b)
Marketing newsletters (Pulse / Quantify product updates)Consent (opt-in checkbox)Art. 6(1)(a) — consent
Comply with legal obligations (audit log retention)Legal obligationArt. 6(1)(c)

4. Where data lives

  • Primary database and report storage: Supabase Singapore (ap-southeast-1)
  • Application hosting: Vercel (SG / HKG edge) + Railway (SG region migration in progress; see Subprocessors)
  • Email transactional: Resend
  • Product analytics: PostHog Cloud EU
Cross-border transfers (PDPA s.26 / GDPR Chapter V): where data crosses Singapore borders, we ensure recipients are bound by contractual protections equivalent to PDPA / GDPR. EU customers' data is governed by the EU Standard Contractual Clauses (2021/914 Module 2).

5. Who we share data with

  • Subprocessors: see the full list at /legal/subprocessors. Each is bound by data protection obligations no less protective than this policy.
  • Regulators: only when legally compelled (e.g., MAS audit power under FSMA, PDPC investigation). We notify the affected customer where legally permitted.
  • Successors: in the event of a merger, acquisition, or asset sale, data may transfer to the acquiring entity, bound by this policy or a successor with no less protection.

We do not sell personal data, ever. We do not use it for advertising.

6. How long we keep it

  • Account data: while your account is active + 90 days after closure
  • Assessment Reports + audit log: 7 years (target, subject to legal-hold)
  • Customer API credentials: 90 days post-Assessment, then automatic purge
  • Marketing email subscription: until you unsubscribe
  • Backups: up to 35 days post deletion (encrypted backups rotate)

7. Your rights

7.1 Under PDPA (Singapore)

  • Right to access your personal data (Part IV)
  • Right to correct your personal data
  • Right to withdraw consent (with reasonable notice; may end the Services)
  • Right to be notified of a notifiable breach affecting you (s.26D, 72-hour PDPC notification)

7.2 Under GDPR (where applicable)

  • Access (Art. 15) · Rectification (Art. 16) · Erasure (Art. 17)
  • Restriction (Art. 18) · Portability (Art. 20) · Object (Art. 21)
  • Withdraw consent (Art. 7(3))
  • Lodge a complaint with your supervisory authority

To exercise any of these rights, email dpo@agentsure.tech. We respond within 30 days.

8. Cookies

Our website uses minimal cookies:

  • Session (Supabase Auth): required for sign-in
  • PostHog: anonymous analytics, opt-out available via browser DNT or via in-app toggle
  • Sentry: error session-replay (no PII captured)

We do not use third-party advertising cookies.

9. Children

Our Services are not intended for individuals under 18. We do not knowingly collect data from children.

10. Changes

We update this policy when our practices change. Material changes are notified by email to active customers at least 14 days before taking effect, plus a banner on agentsure.tech. The current version date is at the top of this page.

11. Contact

Data Protection Officer: dpo@agentsure.tech
General privacy queries: privacy@agentsure.tech
Postal: 160 Robinson Road #14-04 SBFC, Singapore 068914

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore at pdpc.gov.sg or your relevant EU supervisory authority.

AgentSure Pte. Ltd. · UEN 202620442W · 160 Robinson Road #14-04 SBFC, Singapore 068914

Questions: legal@agentsure.tech

Version v0.1 · Last updated 2026-05-13