Privacy Policy
Your privacy matters. This policy explains what information we collect, how we use it, and your choices.
Updated: January 2025
1. Overview
Thinking Notes Pte. Ltd. ("Company", "we", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy complies with Singapore's Personal Data Protection Act 2012 (PDPA) and explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered forms platform ("Service").
By using our Service, you consent to the collection and use of your personal data as described in this policy.
2. What Personal Data We Collect
Account Information
- Email address (required for registration and login)
- Display name and avatar (optional)
- Password (securely hashed; we never store plaintext passwords)
- Account creation date and login timestamps
- Subscription tier and billing information
Content and Usage Data
- Notes you create, including titles, descriptions, AI prompts, and form fields
- Form submissions and responses from users interacting with your Notes
- Files uploaded to Notes (processed securely, with size and content safeguards)
- URLs parsed through our URL parsing feature
- AI-generated responses and feedback
- Analytics data: views, submissions, favorites, and interaction patterns
Technical Information
- IP address, browser type, and device information
- Session data and authentication tokens
- Error logs and performance metrics
- Feature usage patterns and preferences
Financial Information
- Credit card details (processed securely through third-party payment processors)
- Billing address and payment history
- Credit usage and transaction records
3. How We Use Your Personal Data
Service Provision (PDPA Purpose: Performance of Contract)
- Create and manage your account
- Process AI requests and generate personalized responses
- Enable sharing and collaboration features
- Track credit usage and enforce subscription limits
- Provide analytics and insights on your Notes' performance
Service Improvement (PDPA Purpose: Legitimate Interests)
- Analyze usage patterns to enhance features and user experience
- Optimize AI response quality and performance
- Develop new features based on user behavior
- Conduct research and analytics (anonymized where possible)
Communication (PDPA Purpose: Legitimate Interests/Consent)
- Send important service updates and security notifications
- Respond to support inquiries and technical issues
- Share product announcements and feature updates (with consent)
- Provide billing and subscription-related communications
Legal Compliance (PDPA Purpose: Legal Obligation)
- Comply with applicable laws and regulations
- Respond to legal requests and government inquiries
- Enforce our Terms of Service and prevent abuse
- Protect against fraud and security threats
4. How We Share Your Personal Data
We do not sell, rent, or trade your personal data. We only share your data in the following circumstances:
Service Providers (Data Processors)
- AI Providers: OpenAI, Anthropic (Claude), Google (Gemini) - to generate AI responses
- Cloud Infrastructure: Supabase, Vercel - for hosting, database, and application services
- Payment Processing: Stripe or similar - for subscription billing
- Analytics: Privacy-focused analytics providers (anonymized data only)
All service providers are contractually bound to protect your data and use it only for the specified purposes.
Public Content
Content in public Notes is visible to other users by design. This includes Note titles, descriptions, and form fields, but never includes private submission data or AI prompts.
Legal Requirements
We may disclose personal data if required by law, court order, or government request, or to protect our rights, property, or safety, or that of our users or others.
5. Data Security and Protection
We implement industry-standard security measures to protect your personal data:
- Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
- Access Controls: Row-level security (RLS) and role-based access permissions
- Authentication: Secure login with password hashing and session management
- Infrastructure: SOC 2 compliant cloud providers with regular security audits
- Monitoring: Continuous monitoring for security threats and anomalies
- Data Minimization: We collect only necessary data and retain it for appropriate periods
While we strive to protect your personal data, no security system is completely impenetrable. We encourage you to use strong, unique passwords and report any security concerns immediately.
6. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Account Data: Until account deletion or 3 years after last login
- Content Data: Until content deletion or account termination
- Usage Analytics: Aggregated data retained indefinitely (anonymized)
- Financial Records: 7 years as required by Singapore tax laws
- Support Communications: 2 years for quality assurance purposes
You can request deletion of your data at any time, subject to our legal retention obligations.
7. Your Rights Under the PDPA
Under Singapore's Personal Data Protection Act, you have the following rights:
Access and Portability
- Request a copy of your personal data we hold
- Export your Notes and submissions in standard formats
- Receive information about how your data is being processed
Correction and Update
- Update your account information and preferences
- Correct inaccurate or incomplete personal data
- Modify or delete your Notes and content
Withdrawal of Consent
- Opt out of marketing communications
- Disable optional features that process personal data
- Delete your account and associated data
Objection and Restriction
- Object to processing based on legitimate interests
- Request restriction of processing in certain circumstances
- File complaints with the Personal Data Protection Commission (PDPC)
To exercise these rights, contact our Data Protection Officer at privacy@thinkingnotes.com. We will respond within 30 days of receiving your request.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside Singapore, including:
- United States (AI providers, cloud infrastructure)
- European Union (service providers with adequacy decisions)
- Other jurisdictions with appropriate safeguards
We ensure appropriate safeguards are in place, including contractual clauses and adequacy decisions, to protect your data during international transfers.
9. Cookies and Tracking
We use cookies and similar technologies to enhance your experience:
- Essential Cookies: Required for authentication and core functionality
- Analytics Cookies: Help us understand usage patterns (anonymized)
- Preference Cookies: Remember your settings and customizations
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.
10. Children's Privacy
Our Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes through:
- Email notification to registered users
- Prominent notice on our website
- In-app notifications for significant changes
Continued use of the Service after changes indicates acceptance of the updated policy.
12. Contact Information
Data Protection Officer
Thinking Notes Pte. Ltd.
Singapore
Email: privacy@thinkingnotes.com
Response time: Within 30 days
General Support
Email: support@thinkingnotes.com
For technical issues and general inquiries
Singapore Personal Data Protection Commission (PDPC)
If you are not satisfied with our response to your privacy concerns, you may file a complaint with the PDPC:
Website: https://www.pdpc.gov.sg
Email: info@pdpc.gov.sg