Privacy Policy

Version 1.0 · Updated 2026-04-21 · Operator: AcctTen (acctten.com)

1. How We Process Your Data

To provide our intelligent payroll services, we utilise state-of-the-art AI technologies, including Google Cloud's Vertex AI, alongside deterministic statutory calculation engines. Payroll processing and storage are performed within our Supabase Southeast Asia region (Singapore); specific AI inference steps are routed to global endpoints as described below.

2. Overseas Data Processing (PDPA §26)

While we prioritise local data residency where possible, some processing of your personal data occurs at locations outside Singapore (Global Endpoints for AI providers and regional processing for payment, telemetry, and authentication providers). We ensure that any cross-border data processing is conducted in strict accordance with the Singapore Personal Data Protection Act (PDPA).

  • Comparable Protection: We only engage service providers who provide a standard of protection comparable to the PDPA.
  • Certified Providers: We prioritise service providers who hold the APEC Cross-Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP) certifications, recognised by the PDPC as valid mechanisms for overseas data transfer.
  • Zero Retention: Our AI processing is configured with a zero-retention policy — your sensitive payroll data is processed in-memory and not stored by the AI provider for training or other purposes.

3. Types of Personal Data We Process

  • Employee identity data — full name, NRIC/FIN, date of birth, citizenship, residency status.
  • Employment data — job title, employment type, start/end dates, salary, hours, overtime.
  • Financial data — bank account number (for GIRO salary disbursement), CPF contribution history.
  • Tax data — income, deductions, IR8A/IR21 filings, reliefs.
  • Contact data — email, mobile, residential address, postal code.
  • Family data — children (for Gov-Paid Parental Leave eligibility): minimal child name, date of birth, citizenship.
  • Account data — login email, last-active tenant, session state.

We do not collect medical diagnosis or condition data. Sick-leave records contain only the leave-type classifier and an optional certificate file reference — no illness description.

4. Data Residency

Component | Region | Purpose
--- | --- | ---
Supabase (Postgres + Auth + Storage) | ap-southeast-1 (Singapore) | Primary data store — employees, payroll, audit logs
Vercel (edge + serverless) | Global edge network | Application compute, rendered pages
Stripe (payment processing) | United States | Subscription + billing (card data stays on Stripe)
Google Vertex AI | Global Endpoint | Agentic payroll assistance (zero-retention)
Anthropic API (via Vertex router) | United States | Backup model for high-tier agent calls (zero-retention)
Sentry (error monitoring) | Configurable (default US) | Diagnostic telemetry — PII scrubbing hook applied
OneMap (SG Land Authority) | Singapore | Postal-code → address lookup (non-PII)
ACRA Open Data | Singapore | UEN → entity lookup (SG Open Data Licence, attribution displayed)
Google OAuth | United States | Optional social sign-in

Full sub-processor register available at /privacy-policy/subprocessors.

5. Data Retention

Data class | Retention | Basis
--- | --- | ---
Payroll records (pay runs, CPF filings) | 2 years minimum | Employment Act §96
Income tax records (IR8A, IR21) | 5 years minimum | Income Tax Act §67
Audit logs | 7 years | Regulatory defensibility
Session + auth state | 30 days | Supabase Auth default
Account (on erasure request) | 7-day grace + purge of non-statutory rows | PDPA §25 balanced against §96/§67

Statutory retention obligations (MOM §96, IRAS §67) override individual erasure requests for the specified data classes.

6. Your Rights (PDPA §21 & §25)

  • Right of access — request a copy of the personal data we hold about you.
  • Right of correction — request correction of inaccurate data.
  • Right of erasure — subject to statutory retention obligations above.
  • Right to withdraw consent — contact the DPO; withdrawal may terminate your ability to use the service.

Email dpo@acctten.com to exercise any of these rights. We aim to respond within 30 calendar days.

7. Technical & Organisational Safeguards

  • Encryption at rest (AES-256, Supabase managed); in transit (TLS 1.2+).
  • Row-level security policies enforce tenant isolation at the database level.
  • Role-based access control (OWNER / ADMIN / ACCOUNTANT_ADMIN / EDITOR / VIEWER / EMPLOYEE).
  • Forensic audit log captures every AI-assisted action (tamper-evident, append-only).
  • PII-scrubbing hook on error telemetry redacts NRIC, bank account, and salary fields before ingestion.

8. Breach Notification

In the event of a notifiable data breach (as defined by PDPA §26D), we will notify the PDPC within 72 hours of assessment, and affected individuals as soon as practicable. Our internal breach runbook details detection, assessment, notification, and post-incident review procedures.

9. Contact

Data Protection Officer: dpo@acctten.com

10. Changes

We may update this policy as our processing practices evolve. The version pinned at your organisation's signup is retained for your reference. Material changes will be communicated via in-app notification and email to registered OWNER/ADMIN contacts.

11. Early Access Waitlist Data Processing

If you submit a request via the /early-access waitlist form, AcctTen Pte Ltd (UEN 202616044C) collects and processes the following personal data:

  • Name and work email address.
  • Firm / company name.
  • Your role (e.g. Founder, Bookkeeper, Accountant).
  • Current accounting tool in use.
  • How you heard about us (acquisition channel: accountant referral, search, LinkedIn, etc.).
  • Biggest accounting or payroll pain point (free-text response).
  • Submission metadata: submission timestamp and source IP address (anti-abuse purposes only; not disclosed externally).

Purpose: Early-access communications, design-partner outreach, and product development. We will not use your data for any other purpose without your explicit consent.

Legal basis: Your freely given, specific, informed, and unambiguous consent under PDPA §13, collected via the consent checkbox on the form.

Retention: We retain waitlist data until the product reaches general availability, and for up to 90 days thereafter. You may request deletion at any time (see "Withdrawal of consent (PDPA §16)" below).

Data controller: AcctTen Pte Ltd (UEN 202616044C). Contact: dpo@acctten.com.

§26D notification: In the event of a notifiable data breach affecting waitlist data, we will notify the PDPC within 72 hours of assessment and affected individuals as soon as practicable.

Withdrawal of consent (PDPA §16): You may withdraw consent at any time by emailing dpo@acctten.com with the subject line "Waitlist consent withdrawal." We will process your request within 30 calendar days and delete your data, subject to any lawful retention obligations.