Policy

Data Privacy Policy

How Tangent9 collects, uses, discloses, stores, and protects personal data in connection with our AI-powered products and services.

Version: 1.0
Effective date: 20 May 2026
Last updated: 20 May 2026
Next review: 20 May 2027

01 Purpose and commitment

This policy describes how Tangent9 ("we", "us", "our") collects, uses, discloses, stores, and protects personal data in connection with our AI-powered products and services.

We are committed to handling personal data responsibly and in compliance with the Singapore Personal Data Protection Act 2012 (PDPA). Our practices are also informed by the PDPC Advisory Guidelines, the IMDA Model AI Governance Framework, and where applicable, the EU General Data Protection Regulation (GDPR). This policy is designed to satisfy the core obligations under each of these frameworks, including:

  • The PDPA's eleven data protection obligations (consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, data breach notification, accountability, and openness)
  • The PDPC's expectation of documented governance and human oversight for AI-assisted processing
  • The IMDA Model AI Governance Framework's requirements for transparency, explainability, and human oversight
  • The GDPR's requirements for lawful basis, data subject rights, records of processing activities, and data protection by design (where our products are used in EU-connected contexts)

We review this policy at least annually and update it when our practices or the applicable legal framework materially change.

02 Scope

This policy applies to:

  • All personal data collected, processed, or stored through our AI-powered products and services
  • All customers, end users, and individuals whose data is handled by or through our systems
  • All employees, contractors, and third parties who access or process personal data on our behalf

03 Key definitions

  • Personal data: Any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access.
  • AI system / AI agent: A product or service that uses a Large Language Model (LLM) as its reasoning engine to process inputs, generate outputs, and interact with connected tools or workflows.
  • Data controller: The organisation that determines the purposes and means of processing personal data. In most customer deployments, the customer is the data controller for data within their systems.
  • Data processor: An organisation that processes personal data on behalf of the data controller. We act as data processor in most customer deployments.
  • Prompt data: Inputs submitted by users to the AI system, which may contain personal data.
  • Output data: Responses generated by the AI system, which may reference or contain personal data.
  • Audit log: A record of system inputs, outputs, actions, and approval events maintained for governance and accountability purposes.
  • PII: Personally Identifiable Information: data that can directly or indirectly identify an individual.
  • LLM provider: A third-party provider of the large language model that powers our AI system (for example, Anthropic or OpenAI).

04 Data protection principles

We apply the following principles to all personal data processed through our systems. These reflect the PDPA's data protection obligations and the PDPC's expectations for AI governance.

4.1 Purpose limitation

Personal data is collected and used only for the specific purpose for which it was provided, or for a purpose that a reasonable person would consider appropriate in the circumstances. Our AI systems are configured to process only the data relevant to the task being performed.

4.2 Data minimisation

Our systems are designed to limit the volume of personal data accessible to the AI reasoning layer. Unrestricted access to full datasets is not permitted by default. Access is designed to be scoped to what is necessary for the specific task or workflow.

4.3 Accuracy

Our AI systems are designed and configured to work from authoritative data sources provided within the system. Because AI systems are probabilistic by nature, meaning the same input may produce different outputs across runs, we do not present AI-generated outputs as verified factual records. All outputs that relate to personal data are intended to be subject to human review before any consequential action is taken. Users are responsible for verifying AI-generated outputs before relying on them.

4.4 Access control

Our systems are designed so that access to personal data is controlled by backend permission mechanisms. User-claimed identities or roles are not intended to be accepted as a basis for granting elevated access within the system. Permission changes are designed to require authorised human action.

4.5 Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or loss. These measures span input handling, output management, access control, logging, monitoring, and system execution. Security measures are reviewed when the system is materially changed or when an incident warrants reassessment. Our detailed security controls are described in Section 16.

4.6 Accountability

We take responsibility for ensuring that our products are designed and governed in accordance with this policy and the PDPA. Where products are operated by customers or their teams, the customer, as data controller, shares accountability for the personal data processed through their deployment. We maintain records of our data processing activities and can demonstrate compliance on request.

4.7 Transparency

We are transparent about the use of AI in our products. Where our products use AI to process personal data, we disclose this through this publicly available policy, which forms part of our customer agreement. We do not misrepresent AI-generated outputs as verified factual records or authoritative decisions. This reflects our obligations under the PDPA not to mislead individuals about how their personal data is used, and is consistent with the PDPC's Advisory Guidelines on AI transparency.

4.8 Retention limitation

Personal data is retained only for as long as is necessary for the purpose for which it was collected, or as required by applicable Singapore law and regulatory requirements. We maintain an internal data retention schedule that defines retention periods by data category.

05 Personal data we process

5.1 Categories of personal data

Depending on the product or service deployed, the following categories of personal data may be processed:

  • Contact information (names, email addresses, phone numbers, job titles)
  • Business relationship data (account history, interaction records, transaction status)
  • User-submitted inputs to the AI system that reference individuals
  • System access records (user identifiers, login activity, approval actions)
  • Any other personal data that a customer or end user introduces into the system through normal use

5.2 How personal data enters our systems

Personal data typically enters our systems in one of the following ways:

  • Directly submitted by end users as inputs to the AI system
  • Drawn from connected systems (such as CRM platforms) as part of an authorised workflow
  • Provided by the customer organisation as part of system configuration or integration

5.3 Design limitations of our AI systems

Our AI-powered products are built with controls intended to prevent the following. These are design obligations, not absolute guarantees, and their effectiveness depends on appropriate configuration, authorised use, and the human oversight requirements described in Section 8:

  • Accessing personal data outside the authenticated user's authorised scope
  • Reproducing or exporting personal data in bulk
  • Transmitting personal data externally without human authorisation
  • Retaining personal data between separate user sessions

We believe transparency about the probabilistic nature of AI systems and the limits of technical controls is a more responsible and accurate representation than unconditional warranties. Where any of the above occurs contrary to design intent, it is treated as an incident in accordance with Section 17.

06 Lawful basis for processing

The lawful basis for processing personal data depends on our role and the source of the data.

6.1 Data we process on behalf of customers (processor role)

In most deployments, we process personal data, including data drawn from a customer's existing systems such as CRM platforms, on the instructions of the customer, who is the data controller. In this capacity, we rely on the customer's own lawful basis for collection and processing. The customer is responsible for having obtained any necessary consent from individuals at the point of original collection, and for ensuring their use of our products is consistent with their own data protection obligations. Our processing is governed by our contract with the customer.

6.2 Data we collect and control directly (controller role)

For personal data we collect in our own right, such as contact details of customer representatives, account registration information, and marketing communications, we rely on the following lawful bases:

  • Contractual necessity where processing is necessary to deliver a product or service under a contract
  • Legal obligation where processing is required to comply with a legal or regulatory requirement
  • Legitimate interests where processing is necessary for our legitimate business interests, such as system security, service improvement, and fraud prevention, provided those interests are not overridden by the individual's rights
  • Consent where we collect data for purposes such as marketing communications, where consent is the appropriate basis

Where we rely on consent, individuals have the right to withdraw it at any time without affecting the lawfulness of prior processing.

07 How we use personal data

We use personal data only for the following purposes:

  • Delivering the AI-powered product or service requested by the customer or end user
  • Enabling authorised workflows such as drafting, summarising, classifying, or retrieving information
  • Maintaining audit logs and system records for governance, debugging, and incident response
  • Improving system performance and safety, using anonymised or aggregated data where possible
  • Complying with legal and regulatory obligations applicable to us

We do not use personal data to train external AI models without explicit consent. We do not sell or rent personal data to third parties.

08 Human oversight of AI outputs

AI systems are probabilistic. Outputs may be incomplete, inconsistent, or incorrect in ways that cannot always be detected automatically. We treat human oversight as a core safeguard across all our AI-powered products. The following principles apply:

  • AI outputs that relate to personal data are treated as drafts or recommendations, not as authoritative records or decisions
  • Any action that writes to, modifies, sends, or deletes personal data is designed to require explicit human authorisation before execution
  • The AI system is designed so that completing earlier steps in a workflow does not constitute implicit authorisation for subsequent steps
  • Users are responsible for reviewing AI-generated outputs before acting on them

Customer responsibility for oversight configuration

Where a customer configures or deploys our products in a manner that reduces or removes human oversight controls, including approval workflows, the customer assumes responsibility for the risks arising from that configuration. We strongly recommend that human review be maintained for any AI-generated output that informs decisions about individuals.

09 Automated decision-making

Our AI products are designed to support human decision-making, not to replace it. We do not deploy fully automated decision-making that produces legal or similarly significant effects on individuals without human review, except where:

  • The individual has given explicit informed consent to automated processing
  • Automation is required or permitted by applicable law, with appropriate safeguards in place

Where a customer deploys our products in a manner that introduces automated decision-making affecting individuals, the customer, as data controller, is responsible for ensuring that deployment is lawful, appropriately disclosed, and compliant with the PDPA and any other applicable law. Individuals subject to automated decisions have the right to request human review.

10 Disclosure of personal data

We do not sell, rent, or trade personal data. We may disclose personal data in the following circumstances:

10.1 LLM providers

Our products rely on third-party LLM APIs (such as those provided by Anthropic or OpenAI) to provide AI reasoning capabilities. Personal data submitted as prompt input is transmitted to the relevant LLM provider as part of normal system operation. We select providers whose data handling practices meet appropriate standards and enter into data processing agreements where required. Customers are responsible for reviewing the applicable LLM provider's data policies before deploying personal data through our products.

10.2 Cloud and infrastructure providers

We use third-party cloud infrastructure to host and operate our systems. These providers process personal data on our behalf under data processing agreements that require them to maintain appropriate security and confidentiality.

10.3 Customer-directed disclosures

Where an authorised user directs the system to share data with a third party as part of a workflow, that disclosure is made at the customer's direction and under the customer's accountability as data controller.

10.4 Legal requirements

We may disclose personal data where required by law, court order, or a regulatory authority, including the PDPC.

11 Cross-border data transfers

Our systems may process or store data in jurisdictions outside Singapore, including through LLM provider APIs and cloud infrastructure. Where personal data is transferred outside Singapore, we take steps to ensure that the receiving organisation provides a comparable standard of protection, consistent with the PDPA's transfer limitation obligation. This may be achieved through contractual arrangements, the recipient country's comparable legal framework, or other permitted mechanisms under the PDPA.

12 Data retention

Personal data is retained only for as long as is necessary for the purpose for which it was collected, or as required by applicable Singapore law and regulatory requirements.

  • The AI reasoning layer is designed not to retain personal data between user sessions
  • Audit logs containing personal data are retained in accordance with our internal data retention schedule and applicable legal requirements, and are subject to the access controls described in Section 16
  • Where a customer has taken over full operation of the system, the customer is responsible for managing retention of personal data within systems under their control
  • Requests for deletion of personal data are handled in accordance with Section 14

13 Cookies and tracking

Where our products include web-based interfaces, we may use cookies or similar tracking technologies for the following purposes:

  • Session management and authentication
  • System performance monitoring
  • Usage analytics (aggregated and anonymised where possible)

Users may manage cookie preferences through their browser settings or our cookie consent interface. Essential cookies required for system operation cannot be disabled without affecting core functionality. A detailed list of cookies used is available on request.

14 Data subject rights

14.1 Who is the data controller for your personal data?

In most deployments of our products, the customer organisation is the data controller for personal data within their systems. We act as data processor on the customer's behalf. This means that data subject rights requests relating to personal data held within a customer's deployment should be directed to that customer organisation in the first instance.

We act as data controller for personal data we hold independently, such as contact details of customer representatives, marketing communications, and our own operational records.

14.2 Rights available to individuals

  • Access: Request a copy of personal data held about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Withdrawal of consent: Withdraw consent for processing where consent is the lawful basis.
  • Data portability: Request transfer of your data in a machine-readable format (where applicable under GDPR).
  • Erasure: Request deletion of personal data where it is no longer necessary for the original purpose.
  • Human review of automated decisions: Request human review of any decision made solely by automated means that significantly affects you.

14.3 How to submit a request

For personal data for which we are the data controller, contact our Data Protection Officer:

Role: Tangent9, Data Protection Officer

We will respond within 30 calendar days of receipt. For complex or multiple requests, we may extend this by a further 30 days with prior notice.

15 Personal data of minors

Our products are general-purpose AI-powered business tools and are not specifically directed at children. Where a customer deploys our products in a context that involves the personal data of individuals below the age of 18, such as educational platforms or student-facing services, the customer, as data controller, is responsible for:

  • Obtaining appropriate consent from a parent, guardian, or the relevant institution as required by applicable law
  • Ensuring the deployment complies with any sector-specific requirements governing the processing of minors' data
  • Configuring the system appropriately for the age group and context of use

We do not knowingly collect personal data directly from minors in our own operations. If we become aware that personal data of a minor has been submitted in a context where parental or guardian consent has not been obtained, we will take steps to address this promptly.

16 Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures are designed to be proportionate to the nature of the data processed and the risks associated with AI-assisted processing, and include:

  • Role-based access controls limiting data access to authorised personnel
  • Logging and monitoring of system activity for anomaly detection
  • Input screening designed to detect attempts to extract or misuse personal data
  • Output controls designed to prevent unauthorised reproduction of personal data in bulk
  • Masking of sensitive fields in audit and operational logs
  • Human authorisation requirements for write, send, and delete actions on personal data
  • Encryption of data in transit and at rest where appropriate

No security measure can guarantee absolute protection. We will notify affected parties promptly in the event of a data breach in accordance with Section 17.

17 Incident response and breach notification

17.1 Internal response

When a privacy incident is identified or reported, we will:

  1. Contain the affected capability where personal data may have been exposed or incorrectly processed
  2. Assess whether the incident constitutes a notifiable data breach under the PDPA
  3. Notify affected parties and the PDPC as required
  4. Identify and remediate the root cause before restoring affected capabilities
  5. Document the incident, response actions, and outcome

17.2 PDPA breach notification

Under the PDPA, we are required to notify the PDPC of a data breach that is, or is likely to be, of a significant scale, or that results, or is likely to result, in significant harm to affected individuals. Where notification is required:

  • We will notify the PDPC within 3 calendar days of assessing that notification is required
  • We will notify affected individuals where the breach is likely to result in significant harm to them
  • We will maintain a record of all data breaches assessed, whether or not they meet the notification threshold

17.3 Customer-operated systems

Where a customer's team operates or maintains the system, the customer is responsible for their own incident detection and reporting processes. Where a reported incident may have originated in our system design or infrastructure, we will cooperate in investigation and remediation.

18 Governance and policy review

We treat data privacy as a continuous obligation. This policy is reviewed:

  • At least once every 12 months
  • When a new integration, data category, or processing purpose is introduced
  • When applicable regulations or regulatory guidance materially change
  • When a High or Critical privacy incident is reported

Changes to this policy are approved by the Data Protection Officer and Policy Owner before publication. The version history of this policy is maintained internally and available on request.

19 Records of processing activities

We maintain internal records of our data processing activities in accordance with our accountability obligations under the PDPA. These records document the categories of data processed, the purposes and lawful bases for processing, data flows, retention periods, and third parties to whom data is disclosed. They are available to the PDPC on request.

Where our products are used in EU-connected contexts that engage the GDPR, these records also satisfy the requirements of Article 30 of the GDPR, which requires both data controllers and data processors to maintain a written register of processing activities. As a data processor under the GDPR, our records include the name and contact details of each controller on whose behalf we act, the categories of processing carried out, and details of cross-border transfers where applicable.

20 Contact and complaints

For any questions about this policy or how we handle personal data, contact our Data Protection Officer:

Role: Tangent9, Data Protection Officer

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC): www.pdpc.gov.sg.

This policy is effective as of the date stated above. Prior versions are maintained by the Policy Owner and available on request.