Data Protection Notice

How we handle personal data under Singapore’s Personal Data Protection Act (PDPA)

1. About this notice

This notice explains how [Firm Name] (“we”, “us”) collects, uses, discloses and protects personal data in this corporate-secretarial system, in accordance with the PDPA. It applies to personal data of company officers, directors, shareholders, beneficial owners, and our clients and their contacts.

2. Personal data we collect

  • Identity data: full name, NRIC/FIN/passport number, nationality, date of birth
  • Contact data: residential / correspondence addresses, email, phone
  • Corporate role data: directorships, shareholdings, beneficial ownership
  • Due-diligence data: KYC/CDD records, screening and risk-assessment results
  • Communications data: where a mailbox is connected, client email correspondence (sender/recipient, subject, message content and attachments) processed into support tickets

3. Purposes & legal basis

We collect and use this data to provide corporate-secretarial services — incorporation and statutory filings with ACRA, maintaining statutory registers, and meeting our anti-money-laundering (AML/CFT) and customer due-diligence obligations. Collection of NRIC/FIN numbers is limited to where it is required by law or necessary to verify identity to a high degree of fidelity, consistent with the PDPC’s Advisory Guidelines on the NRIC.

4. Disclosure

We disclose personal data only as needed for the above purposes or as required by law — for example to ACRA, regulators, or law-enforcement authorities. We do not sell personal data.

5. Protection & retention

  • Access requires authentication; all data is gated behind sign-in.
  • Encrypted in transit (HTTPS / TLS) and at rest (managed database).
  • NRIC/FIN numbers are masked in the interface, revealing only the last few characters.
  • Changes are recorded in an audit log for accountability.
  • Connected mailboxes authenticate via OAuth tokens or IMAP/SMTP credentials; IMAP/SMTP passwords are encrypted at rest (AES-256-GCM) with the key held outside the database. Disconnecting a mailbox deletes its credentials and the support tickets synced from it.
  • Data is retained only as long as necessary for the purposes above or to meet legal retention requirements, then securely disposed of.

6. Overseas transfer

The primary database is hosted in Singapore (Supabase, ap-southeast-1). The application server and uploaded files are currently hosted in the United States (Railway). Where data is processed or transferred overseas, we rely on the providers’ contractual data-protection commitments to ensure a standard of protection comparable to the PDPA. [The DPO should confirm these regions and, if data residency in Singapore is required, request a Singapore hosting region.]

7. Your rights

You may request access to, or correction of, your personal data, or withdraw consent (subject to legal/contractual restrictions). To do so, contact our Data Protection Officer.

8. Data Protection Officer

Our Data Protection Officer can be reached at dpo@entivault.com.

This notice may be updated from time to time. Last updated: 8 June 2026.
