Data Controller: Gates-AI / Gates Digital Pte. Ltd., Singapore
Contact: [privacy@gates-ai.com] | Attn: Data Protection Officer (DPO)

1. What this covers

This Policy explains how we handle personal data for: (i) our website, marketing, and sales; (ii) service delivery; (iii) certification operations.

2. What we collect

• Website & marketing: identifiers (name, email), device/usage data (IP, headers, pages viewed), cookies/analytics preferences.
• Client engagement: business contact data, role/title, project correspondence, access logs (for secure environments).
• Service operations (as processor): limited personal data may appear within datasets or logs you provide for testing/audits. We process strictly under your instructions (DPA/SOW).

3. How we use data (lawful bases)

• Provide services & support (contract).
• Secure our systems (legitimate interests; legal obligation).
• Communicate updates (consent or legitimate interests, with opt-out).
• Comply with law (legal obligation).
  We do not use client-provided data to train our generic models without a separate, written agreement.

4. Sharing & subprocessors

We use vetted providers (hosting, security tools, analytics) under DPAs and confidentiality. We maintain a current subprocessor list and will give notice of material changes where required.

5. International transfers

Where data is transferred internationally, we use recognized safeguards: Standard Contractual Clauses (SCCs) for EU/EEA data; PDPA transfer limitation measures for Singapore; and other lawful transfer mechanisms as applicable. 

6. Security

We apply administrative, technical, and physical controls aligned to ISO/IEC 27001 (e.g., encryption in transit/at rest, access control, MFA, logging/monitoring, vulnerability management, incident response, regular penetration testing). 

7. Retention

We retain personal data only as long as needed for services, legal obligations, or dispute resolution—then delete or irreversibly anonymize it.

8. Your rights

Depending on your jurisdiction (e.g., GDPR, UK GDPR, Singapore PDPA, California CCPA/CPRA), you may have rights to access, correct, delete, restrict, port, or object to certain processing, and to opt out of certain uses or sales/sharing. You can exercise rights by contacting our DPO. 

9. Cookies & analytics

We use essential cookies and optional analytics. A banner will allow you to manage preferences. See our Cookie Notice.

10. Children

Our services are not directed to children. We do not knowingly collect children’s personal data.

11. Data for testing/audits (processor stance)

When we handle your datasets/logs for testing or certification, we act under your documented instructions, implement confidentiality and security controls, restrict access to need-to-know personnel, and delete data at project end unless law requires retention.

12. Breach notification

We investigate security incidents and will notify affected clients and authorities without undue delay and in accordance with applicable law (e.g., GDPR/PDPA timelines). 

13. Changes to this Policy

We’ll post updates here and adjust the “Last updated” date. Material changes will be communicated where required.