Privacy Policy

Last updated: 2026-05-07
Version: 1.0 (draft for legal review)

1. Who we are

AI Job Redesign Toolkit is provided by Elitez Corp Pte Ltd (Singapore). We are the data controller for personal data processed through the toolkit. Questions about this policy should be directed to our Data Protection Officer (see §8).

2. What information we collect

We collect the following categories of personal data:

  • Account data — email, company name, optional UEN.
  • User-generated content — free-text trainee context, generated plans, generated logbooks, chat transcripts.
  • Technical data — IP address, browser user-agent, session cookie.
  • Audit data — action timestamps with hashed identifiers (email, IP, and user-agent are one-way hashed before being persisted).

We do not collect NRIC, salary, or sensitive personal data (race, religion, health). Users are instructed in onboarding not to paste these fields.

3. How we use your information

We map data categories to specific purposes:

  • Account data → authenticate you via magic-link sign-in; identify which company you belong to.
  • User-generated content → generate AI-assisted OJT plans, trainee logbooks, and ground chat answers in BCA Code of Practice / OJT Blueprint sources.
  • Technical data → maintain your sign-in session, enforce per-IP rate limits, and detect abuse.
  • Audit data → satisfy statutory access-trail obligations and assist with incident investigation.

4. Legal basis under PDPA

We rely on PDPA §13 (consent + performance of contract) and §17 deemed-consent for legitimate business purposes such as audit logging. Where you provide free-text trainee context, you confirm that you have an appropriate basis under PDPA to share that data with us as a processor on your behalf for the purpose of generating personalised training material.

5. Third-party processors and cross-border transfers

| Processor | Purpose | Region | Training on inputs? |
|---|---|---|---|
| Anthropic | LLM narrative generation (Claude) | US | No |
| Voyage AI | Embeddings for retrieval (voyage-3) | US | No |
| Resend | Transactional email (magic links only) | US | N/A — transactional only |
| Cloudflare R2 | PDF / XLSX artefact storage | Global edge with APAC origin | N/A |
| Fly.io | Application hosting | Singapore region | N/A |
| Neon (Postgres) | Primary datastore (Postgres + pgvector) | Singapore region (asia-southeast1) | N/A |
| Sentry (EU) | Error tracking; receives stack traces and sanitised request metadata. PII fields (request bodies, cookies, Authorization headers) explicitly scrubbed before send. | EU (sentry.io, Frankfurt) | No |
| Upstash (Singapore) | Redis cache for rate limits + ephemeral session data. | Singapore | No |
| Cloudflare (global) | DNS + DDoS / WAF proxy in front of Vercel + Fly. May terminate TLS. | Global edge (Singapore PoP serves SG users) | No |
| Vercel (Singapore edge) | Frontend hosting and edge CDN. Static assets and SSR pages. | Singapore (sin1) | No |

Cross-border transfers to US-based processors rely on standard contractual clauses incorporated into each processor's Data Processing Addendum.

6. Data retention

  • Plans + logbooks: 3 years from CCP completion
  • Audit log: 1 year
  • Magic-link tokens: 30 days
  • Chat threads: 1 year

Soft-deleted records are hard-deleted after 30 days unless cancellation is requested within that grace window.

7. Your rights under PDPA

  • Access (PDPA §21): contact the DPO with proof of identity. We respond within 30 days.
  • Correction (§22): request correction of factual inaccuracies via the DPO.
  • Withdrawal of consent (§22A): withdraw consent at any time; note that withdrawal may make the toolkit unusable.
  • Deletion (§23): request via the DPO; deletion completes after a 30-day grace window during which the request can be cancelled.

8. Data Protection Officer

DPO: Derrick Teo. Email: derrick@elitez.asia. Postal: to be inserted by legal review — Elitez Corp Pte Ltd registered office address.

9. Security

We use HTTPS, signed JWT cookies (http-only), Redis-backed rate limits, audit logging with hashed PII, and S3 server-side encryption. We commission an annual external penetration test.

10. Changes to this policy

We will post material changes on this page. Continued use of the toolkit after changes constitutes acceptance.

11. Contact

Questions? Email derrick@elitez.asia. To complain to the regulator: visit pdpc.gov.sg.