Privacy Policy

Last updated: May 2026

1. Introduction

Sovraine Pte. Ltd. (UEN: 202603000A) ("Sovraine", "we", "us") is committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore and applicable international data protection laws.

2. Data We Collect

Account data: Name, email address, company name when you sign up or request a demo.

Usage data: Pages visited, features used, performance metrics. Collected via privacy-respecting analytics.

Sovraine Guard (Community and Pro): The desktop application processes all data locally on your device. AI tool calls, governance evaluations, privacy classifications, and audit records never leave your machine. No telemetry, analytics, or usage data is collected by the desktop software. License validation is performed locally using cryptographic verification — no phone-home mechanism.

3. How We Use Your Data

  • To provide and maintain our services
  • To respond to your inquiries and support requests
  • To improve the platform based on usage patterns
  • To send service-related communications
  • To comply with legal obligations

We do not sell your personal data to third parties.

Legal Basis for Processing (GDPR Art. 6)

For individuals in the EU/EEA, we process personal data on the following legal bases:

  • Performance of Contract (Art. 6(1)(b)): account creation, license delivery, billing, and support communications.
  • Legitimate Interests (Art. 6(1)(f)): website analytics to improve our services; fraud detection and security monitoring. Our legitimate interests do not override your fundamental rights — you may object to this processing at any time.
  • Legal Obligation (Art. 6(1)(c)): retention of transaction records for tax and accounting purposes.
  • Consent (Art. 6(1)(a)): marketing communications and any optional analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

5. Data Security

We implement industry-standard security measures including encryption in transit and access controls appropriate to the data we hold.

6. Third-Party Service Providers

We share limited personal data with the following service providers who process data on our behalf:

  • Stripe, Inc. (United States) — payment processing. We share your name, email, billing address, and payment method. Stripe's Privacy Policy governs their processing.
  • Resend, Inc. (United States) — transactional email delivery (license keys, receipts). We share your email address.
  • Cloudflare, Inc. (United States) — website infrastructure and DDoS protection. IP addresses and browser metadata may be processed.

For EU/EEA data transfers to these providers, EU Standard Contractual Clauses (SCCs) apply. We do not authorize sub-processors to use your personal data for any purpose other than providing services to us.

7. International Transfers

Your data may be processed in jurisdictions outside Singapore, including the United States. Where this occurs, we ensure appropriate safeguards are in place: EU Standard Contractual Clauses for EU/EEA transfers, and contractual protections compliant with the PDPA for other jurisdictions.

8. Your Rights

Under the PDPA, you have the right to:

  • Access your personal data held by us
  • Request correction of inaccurate data
  • Withdraw consent for data processing
  • Request deletion of your data (subject to legal retention requirements)

For EU/EEA residents, additional rights under GDPR apply, including:

  • Data portability (Art. 20)
  • Right to object (Art. 21): you may object at any time to processing based on legitimate interests. We will cease that processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to lodge a complaint with a supervisory authority in your member state

9. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify affected individuals and the Personal Data Protection Commission of Singapore (PDPC) in accordance with PDPA s.26D (within 3 business days of assessment). For EU/EEA residents, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

10. Enterprise Data Processing

For enterprise customers subject to GDPR, Sovraine will enter into a Data Processing Agreement (DPA) governing our processing of personal data on your behalf, incorporating EU Standard Contractual Clauses (Module 2: Controller to Processor). To request a DPA, contact legal@sovraine.com.

11. Data Protection Officer

For data protection inquiries or to exercise your rights, contact our DPO at dpo@sovraine.com.

12. Changes

We may update this Privacy Policy periodically. Material changes will be communicated via our website or email.