Privacy Policy

This Privacy Policy explains how CommitCraft (we, our, us) collects, uses, discloses, and protects personal data in connection with our cybersecurity advisory, monitoring, and incident response services. We operate in Singapore and manage personal data in accordance with the Personal Data Protection Act 2012 (PDPA) and other applicable laws. This Policy applies to information we process about clients, website visitors, prospective clients, partners, and individuals who interact with our services.

Data we collect. We may collect contact details (such as name, email address, phone number), professional information (such as job title, company, team), technical data (including IP address, device identifiers, system logs, telemetry necessary for security operations), and business records relevant to providing services. Where incident response is performed, we may process limited forensic artifacts and security events required to investigate, contain, and document incidents. We collect information directly from you, through our website forms, through service integrations you authorise, and from third parties where lawful.

Purposes of processing. We use personal data to deliver and improve services, manage client relationships, configure and tune security controls, investigate and respond to threats, provide reporting, operate our website, manage billing and compliance, and communicate updates that relate to services you use or request. Marketing communications are sent with appropriate consent or as permitted by law, and you can opt out at any time using provided mechanisms.

Legal basis and consent. We process personal data with consent, to perform a contract, to comply with legal obligations, and for legitimate interests such as improving service reliability and security. Where consent is required, we request it in a clear manner and you may withdraw consent at any time, subject to legal and operational limitations. Withdrawal will not affect processing that occurred before the withdrawal.

Disclosure and transfers. We may share personal data with service providers that support delivery (for example, hosting, communications, and security tooling), strictly under appropriate contractual safeguards. Where data is transferred outside Singapore, we take reasonable steps to ensure that the recipient provides a standard of protection comparable to PDPA requirements. We may disclose data where required by law or in connection with disputes, audits, or corporate transactions, using minimisation and access controls.

Retention. We retain personal data only for as long as necessary for the purposes described, including recordkeeping, compliance, and dispute resolution. Retention periods vary by data category and contractual requirements. When data is *** longer needed, we take reasonable steps to securely delete or anonymise it.

Security. We implement administrative, technical, and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or loss. Measures include access controls, encryption in transit where appropriate, network segmentation, monitoring, and staff training. While safeguards reduce risk, *** method of transmission or storage is entirely risk free; we regularly review and improve our controls.

Your choices. You may submit requests to access, correct, or delete personal data, or to withdraw consent for processing, subject to applicable law. We will respond within a reasonable time. Requests can be sent to [email protected]. For marketing messages, follow unsubscribe instructions included in each message.

Cookies and analytics. Our website may use cookies and similar technologies to enable core features, remember preferences, and understand usage. You can manage cookies in your browser settings. Our cookie banner lets you accept or decline optional cookies. See this Policy for details on categories and purposes.

Third-party links. Our website may contain links to internal resources such as Legal. Where other websites are referenced for context, their policies and practices apply and we encourage reviewing them before providing personal data.

Updates. We may update this Policy to reflect changes in law, technology, or our practices. The effective date appears at the top of this page. Material changes will be communicated through reasonable channels.

Contact. Questions about this Policy or our data practices can be directed to: CommitCraft, 30 Cecil Street, Singapore 049712, phone + (65) 9 478-25-13, email [email protected].

Effective date: 01 Jan 2026.