Privacy Policy

How Buooy collects, uses, and protects your personal data in compliance with Singapore’s Personal Data Protection Act (PDPA).

Effective: 6 April 2026 / Last updated: 6 April 2026
Contents
  1. Introduction
  2. Definitions
  3. Data We Collect
  4. Legal Basis for Collection
  5. How We Use LLMs and AI
  6. Data Sharing and Third Parties
  7. Cross-Border Transfers
  8. Data Retention
  9. Data Security
  10. Your Rights Under the PDPA
  11. Cookies and Tracking
  12. Children’s Data
  13. Changes to This Policy
  14. Data Protection Officer
  15. Complaints
  16. Do Not Call Registry
  17. Spam Control Act
  18. Governing Law

1. Introduction

This Privacy Policy describes how 0xBuooy Pte Ltd (“Buooy,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal data when you use our website, software-as-a-service products, and related services (collectively, the “Services”).

0xBuooy Pte Ltd is a company incorporated in Singapore (UEN 202244810D), with its registered address at 68 Circular Road, #02-01, Singapore 049422. We are committed to complying with the Personal Data Protection Act 2012 (“PDPA”) of Singapore and its subsidiary legislation.

This policy applies to all individuals who interact with our Services, including visitors to our website, registered users of our products, and clients of our consulting and advisory services.

2. Definitions

“Personal Data”
Data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. This definition is consistent with Section 2 of the PDPA.
“Processing”
Any operation performed on personal data, including collection, use, disclosure, storage, modification, and deletion.
“Services”
Our website, software-as-a-service products, consulting engagements, and advisory services.
“LLM”
Large Language Model, a type of artificial intelligence system trained on large datasets to generate text, analyse content, and perform language-related tasks.
“AI Features”
Features within our Services that use LLMs or other artificial intelligence technologies to process user inputs and generate outputs.
“Input Data”
Text, files, prompts, and other content you submit to our AI Features for processing.
“Output Data”
Text, analysis, and other content generated by our AI Features in response to Input Data.
“Sub-processor”
A third-party service provider that processes personal data on our behalf to deliver our Services.
“DPO”
Data Protection Officer.

3. Data We Collect

3.1 Account Data

Information you provide when creating an account or engaging our services:

  • Full name
  • Company name
  • Email address
  • Contact information (including Telegram handle, if provided)
  • Billing address
  • Job title or role
  • Timeline and project details submitted through our communication channels

3.2 Usage Data

Information about how you use our Services:

  • Features accessed and frequency of use
  • Actions taken within the platform
  • Session duration and activity patterns
  • Error logs and performance data

3.3 Content and Input Data

Data you submit to our Services for processing:

  • Text prompts and queries submitted to AI Features
  • Documents and files uploaded for AI processing
  • Conversation histories within AI-powered features
  • Feedback and ratings on AI outputs

3.4 Technical Data

Information collected automatically when you access our Services:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URLs
  • Pages visited and navigation paths

3.5 Communication Data

Information from your communications with us:

  • Emails and messages sent to our support channels
  • Messages sent through Telegram and other channels
  • Records of consultations and advisory sessions
  • Feedback and survey responses

4. Legal Basis for Collection and Use

We collect and use your personal data for the following purposes. Under the PDPA, we rely on your consent (Sections 13–18), deemed consent (Sections 15 and 15A), or applicable exceptions where indicated:

| Purpose | Data Categories | PDPA Basis |
|---|---|---|
| Providing and operating the Services | Account, Usage, Content, Technical | Consent (Section 13); deemed consent by conduct (Section 15) |
| Processing AI/LLM requests | Content/Input Data, Technical | Consent (Section 13) |
| Account creation and management | Account Data | Deemed consent (Section 15) |
| Billing and payment processing | Account Data | Deemed consent (Section 15); legal obligation |
| Customer support | Account, Communication Data | Deemed consent (Section 15) |
| Service improvement and analytics | Usage, Technical Data | Consent (Section 13); business improvement exception (Section 17(1)(f)) for anonymised data |
| Security monitoring | Technical, Usage Data | Section 17(1)(a) PDPA |
| Legal obligations | All categories as required | Section 13(d) PDPA |
| Marketing (opt-in only) | Account Data | Express consent under Section 14 PDPA |

4.1 Deemed Consent

Under Section 15 of the PDPA, your consent may be deemed in circumstances where:

  • You voluntarily provide personal data to us for a purpose that is reasonable and evident from the circumstances (deemed consent by conduct).
  • You have been notified of a purpose and given a reasonable opportunity to opt out but have not done so (deemed consent by notification under Section 15A).

4.2 Business Contact Information

We may collect, use, and disclose business contact information (such as your business name, title, email, and telephone number) under Section 4(5) of the PDPA without consent, solely for the purpose of contacting you in your capacity as an officer or employee of an organisation.

4.3 Purpose Limitation and Proportionality

We do not collect more personal data than is necessary for the purposes stated above. We apply the principle of data minimisation and review our collection practices periodically to ensure proportionality.

5. How We Use LLMs and AI

This section explains how your data interacts with artificial intelligence systems when you use our AI Features. We consider transparency about AI data handling to be a core obligation.

5.1 LLM Providers We Use

Our Services integrate with third-party LLM providers, including but not limited to:

  • OpenAI (OpenAI, L.L.C.) — provider of GPT-series models, headquartered in San Francisco, United States.
  • Anthropic (Anthropic, PBC) — provider of Claude-series models, headquartered in San Francisco, United States.

We may integrate additional LLM providers and update the specific models used as technology evolves. Regardless of provider or model version, the data handling commitments in this policy apply to all LLM integrations. A current list of LLM providers in use is available on request from our DPO.

5.2 What Data Is Sent to LLM Providers

When you use AI Features, the following data may be transmitted to our LLM providers for processing:

  • The text prompts, queries, and instructions you submit to AI Features.
  • Contextual content you provide or upload for AI analysis.
  • System-level instructions configured by Buooy to guide AI behaviour (these do not contain your personal data).

The following data is not sent to LLM providers:

  • Your name, email address, or account credentials.
  • Your billing or payment information.
  • Your IP address or device identifiers.
  • Any personal data beyond what is contained within the content you actively submit to AI Features.

5.3 How We Minimise Personal Data Sent to LLMs

  • Input isolation: Only the content you submit to an AI Feature is transmitted. Account metadata and technical data are not included in LLM requests.
  • No enrichment: We do not append your profile information, usage history, or other personal data to LLM queries.
  • Prompt engineering: Our system prompts are designed to instruct AI models to handle data responsibly and avoid unnecessary retention of personal information.
  • User responsibility advisory: We advise users to avoid including unnecessary personal data (such as national identification numbers, financial account details, or health information) in content submitted to AI Features.

5.4 Data Retention by LLM Providers

Our agreements with LLM providers govern data retention. Key terms include:

  • OpenAI: Under our enterprise/API agreements, OpenAI does not use data submitted through the API to train or improve their models. API input and output data is retained for up to 30 days for abuse monitoring and then deleted.
  • Anthropic: Under our API agreements, Anthropic does not use data submitted through the API to train their models. API data is retained for a limited period for safety monitoring, then deleted.
  • Other providers: Any additional LLM providers we integrate will be bound by substantially equivalent data handling terms before integration. Specific retention details for each provider are available on request.

5.5 Opt-Out Options for AI Processing

  • Do not use AI Features: You may use our non-AI Services without submitting data to AI Features.
  • Withdraw consent: You may withdraw your consent for AI processing at any time by contacting our DPO at dpo@buooy.com. We will process your withdrawal within 10 business days. This will not affect the lawfulness of processing performed before withdrawal.
  • Request deletion: You may request deletion of your stored conversation histories and AI interaction logs. We will action such requests within 30 days.
  • Request information: You may request information about whether your Input Data was transmitted to a specific LLM provider and the applicable retention period.

Withdrawing consent for AI processing may affect your ability to use certain features of our Services. We will inform you of the likely consequences before effecting the withdrawal, as required under Section 16(3) of the PDPA.

5.5A Automated Decision-Making

Where our AI Features are used to generate outputs that inform decisions affecting you, we will:

  • Inform you that automated processing is being used.
  • Provide a meaningful explanation of the logic involved, to the extent commercially feasible.
  • Ensure that a human review mechanism is available for decisions with significant impact on your rights or interests.

We do not make solely automated decisions that produce legal effects or similarly significant effects on individuals without human oversight.

5.6 No Training on Customer Data

We do not use your Input Data or Output Data to train, fine-tune, or improve any AI or machine learning models — whether our own or those of third parties.

Our API agreements with all LLM providers, including OpenAI and Anthropic, contractually prohibit the use of data submitted through our Services for model training purposes. This commitment applies to all current and future LLM integrations. We review these contractual commitments at least annually and whenever a sub-processor updates its terms of service. If any sub-processor materially alters its data training practices in a manner inconsistent with this commitment, we will:

  • Notify affected users within 14 days.
  • Suspend transmission of Input Data to the affected provider until the issue is resolved.
  • Update this policy to reflect the current status.

5.7 Sub-Processor Agreements

We maintain Data Processing Agreements (or equivalent contractual instruments) with all LLM providers, including OpenAI and Anthropic, that include:

  • Restrictions on data use beyond the scope of providing the service.
  • Obligations to maintain appropriate security measures.
  • Data deletion commitments upon termination of the agreement.
  • Incident notification requirements.
  • Restrictions on onward sub-processing without our approval.

6. Data Sharing and Third Parties

6.1 Sub-Processors

| Category | Purpose | Location |
|---|---|---|
| LLM providers (including OpenAI, Anthropic) | AI processing of user content | United States and other jurisdictions |
| Cloud infrastructure providers | Hosting and data storage | Disclosed on request |
| Payment processors | Billing and subscription management | Varies by provider |
| Analytics providers | Aggregated service usage analytics | Varies by provider |
| Communication tools | Customer support and notifications | Varies by provider |

A current list of sub-processors is available on request by contacting our DPO.

6.2 Legal and Regulatory Disclosure

We may disclose personal data where required by a court order, applicable law, or a request from a regulatory authority, including the Personal Data Protection Commission (“PDPC”) of Singapore.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity, subject to the commitments in this policy.

6.4 No Sale of Data

We do not sell your personal data to any third party.

7. Cross-Border Transfers

Our LLM providers, including OpenAI and Anthropic, are primarily based in the United States. When you use our AI Features, your Input Data may be transferred overseas for processing.

In accordance with Section 26 of the PDPA and the PDPC’s Advisory Guidelines on Key Concepts in the PDPA, we ensure that overseas recipients of your personal data are bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Specifically:

  • Our contracts with overseas sub-processors include data protection clauses requiring them to protect your personal data to a standard comparable to the PDPA.
  • We assess the data protection frameworks and practices of our sub-processors before engagement and periodically thereafter.
  • Where possible, we select sub-processors that are subject to comprehensive data protection laws or internationally recognised certifications.

Our primary safeguard for cross-border transfers is the contractual data protection obligations imposed on overseas recipients. We rely principally on these contractual safeguards (rather than consent alone) to satisfy Section 26 of the PDPA, consistent with PDPC guidance that contractual obligations are the preferred mechanism for overseas transfers.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Account duration + 2 years after closure | Legal record-keeping |
| Usage Data | 24 months from collection | Service improvement and analytics |
| Content/Input Data (AI) | 12 months from submission | Service delivery; quality assurance |
| AI Output Data | 12 months from generation | Service delivery |
| Technical Data (logs) | 6 months from collection | Security; troubleshooting |
| Communication Data | 3 years from last communication | Relationship management; legal |
| Billing Records | 7 years from transaction | Singapore tax and company law |
| Marketing Consent Records | Consent duration + 1 year | PDPA consent compliance |

After the applicable retention period, personal data is securely deleted or anonymised.

8.1 Retention Limitation Obligation

In accordance with Section 25 of the PDPA, we cease to retain personal data (or remove the means by which it can be associated with particular individuals) as soon as it is reasonable to assume that the purpose for which the data was collected is no longer being served by its retention, and retention is no longer necessary for any legal or business purpose.

9. Data Security

We implement technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, and alteration, in accordance with Section 24 of the PDPA.

Technical Measures

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using industry-standard algorithms.
  • Access controls and authentication mechanisms.
  • Regular security assessments and vulnerability scanning.
  • Logging and monitoring of access to personal data.
  • Secure software development practices.

Organisational Measures

  • Access restricted to authorised personnel on a need-to-know basis.
  • Staff training on data protection obligations and security procedures.
  • Incident response procedures for personal data breaches.
  • Periodic review of data protection practices and policies.
  • Contractual data protection obligations imposed on sub-processors.

9.1 Data Breach Notification (Part VIA of the PDPA)

In the event of a notifiable data breach — being a breach that (a) results in, or is likely to result in, significant harm to affected individuals, or (b) is of a significant scale (affecting 500 or more individuals) — we will:

  • Notify the PDPC as soon as practicable but no later than 3 calendar days after completing our assessment of the breach, in accordance with Section 26D of the PDPA.
  • Notify affected individuals as soon as practicable if the breach is likely to result in significant harm.
  • Include in notifications: the nature of the breach, types of personal data affected, remedial actions taken, and how affected individuals can protect themselves.

We maintain a documented data breach response plan tested and reviewed at least annually. Our LLM sub-processor agreements require that sub-processors notify us of breaches within 48 hours of becoming aware.

9.2 Data Intermediary Obligations

To the extent that Buooy processes personal data on behalf of another organisation (acting as a data intermediary within the meaning of the PDPA), Buooy will comply with its obligations under Sections 24 and 25 of the PDPA and will process the data only in accordance with the instructions of the relevant organisation.

10. Your Rights Under the PDPA

10.1 Access (Section 21 PDPA)

You have the right to request access to your personal data in our possession or control, and information about the ways in which your personal data has been or may have been used or disclosed in the past year.

10.2 Correction (Section 22 PDPA)

You have the right to request the correction of any personal data that is inaccurate, incomplete, or misleading.

10.3 Withdrawal of Consent (Section 16 PDPA)

You may withdraw your consent for any purpose for which we have collected and are using your personal data. We will process your withdrawal request within a reasonable time and inform you of the likely consequences.

10.4 Data Portability

Where applicable under the PDPA’s data portability provisions, you have the right to request that we transmit your personal data to another organisation in a commonly used machine-readable format.

10.5 How to Exercise Your Rights

Contact our Data Protection Officer:

  • Email: dpo@buooy.com
  • Telegram: @buooy
  • Post: Data Protection Officer, 0xBuooy Pte Ltd, 68 Circular Road, #02-01, Singapore 049422

We will respond within 30 days. We may charge a reasonable fee for access requests that require significant effort, in accordance with the PDPA.

11. Cookies and Tracking

11.1 Essential Cookies

Necessary for the website to function, including session cookies, authentication tokens, and security cookies.

11.2 Analytics Cookies

We may use analytics services to collect aggregated data about website usage. Where analytics cookies are used, we will obtain your consent before setting them.

11.3 No Third-Party Advertising Cookies

We do not use third-party advertising cookies or tracking pixels. We do not serve targeted advertising.

11.4 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.

12. Children’s Data

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Post the updated policy on our website with a revised “Last Updated” date.
  • Notify registered users by email at least 14 days before the changes take effect.
  • Where required under the PDPA, obtain fresh consent for any new purposes of data collection or use.

14. Data Protection Officer

Data Protection Officer

0xBuooy Pte Ltd

68 Circular Road, #02-01, Singapore 049422

Email: dpo@buooy.com

Telegram: @buooy

15. Complaints

If you are not satisfied with our response, you may lodge a complaint with:

Personal Data Protection Commission (PDPC)

10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438

Phone: +65 6377 3131

We encourage you to contact our DPO first so that we can attempt to resolve your concern directly.

16. Do Not Call Registry

We respect the Singapore Do Not Call (“DNC”) Registry provisions under Part IX of the PDPA. We will:

  • Check the DNC Registry before sending any marketing messages to Singapore telephone numbers via voice calls, text messages, or fax.
  • Not send marketing messages to any number registered on the DNC register, unless we have obtained your clear and unambiguous consent.
  • Maintain records of consent obtained for marketing purposes.
  • Honour all opt-out requests within 10 business days.

17. Spam Control Act

We comply with the Spam Control Act 2007 of Singapore. All commercial electronic messages sent by us will:

  • Clearly identify 0xBuooy Pte Ltd as the sender.
  • Include a valid and functioning unsubscribe mechanism.
  • Include our business contact information.
  • Be sent only to recipients who have consented or where an applicable exception applies.

18. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Singapore, including the Personal Data Protection Act 2012 and its subsidiary legislation.
