Privacy Policy

Effective date: 1 May 2025 · ZYT Pte. Ltd. · Singapore

1. Introduction

ZYT Pte. Ltd. ("ZYT", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you use TavaSIS (the "Platform"). It is to be read alongside our Terms of Service.

This Policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore and any amendments thereto.

2. Data We Collect

2.1 Account and Identity Data

  • Full name and email address (collected at account creation)
  • Job title (optional, provided by users)
  • Role and access level within the Platform
  • Authentication credentials (passwords stored in hashed form via Supabase Auth; we do not store plaintext passwords)

2.2 Project and Assessment Data

  • Self-assessment responses, notes, and scores entered by users
  • Consultant observations and validation records
  • Evidence documents and files uploaded by users
  • Assignment records (which sub-criteria are assigned to which staff members)
  • Sign-off records (who signed off and when)
  • Notification and activity logs

2.3 Usage Data

  • Page views and feature interactions (via standard server logs)
  • Timestamps of actions taken within the Platform
  • Browser and device type (for compatibility purposes only)

3. How We Use Your Data

We use your personal data only for the following purposes:

  • To provide and operate the Platform and its features
  • To authenticate your identity and manage your account
  • To send in-platform notifications related to your certification projects
  • To generate PDF reports containing your assessment data
  • To respond to your enquiries and provide support
  • To maintain the security and integrity of the Platform
  • To comply with applicable legal obligations

We do not use your personal data for advertising, profiling, or marketing to third parties. We do not sell your personal data.

4. Data Sharing

We share personal data only in the following circumstances:

  • Within your organisation: Users within the same consulting firm or client organisation can see each other's names, roles, and activity as required by the Platform's collaborative features
  • Between consulting firm and client: Consulting firm users can see client users' names and submission activity on shared projects, and vice versa
  • Service providers: We use Supabase (database and file storage) and Netlify (hosting) as our primary infrastructure providers. These providers process data on our behalf under appropriate data processing agreements
  • Legal requirements: We may disclose data if required to do so by law, court order, or government authority

Our infrastructure providers (Supabase, Netlify) may process data in data centres outside Singapore. We ensure that such transfers are subject to appropriate safeguards consistent with the PDPA.

5. Data Retention

We retain personal data for as long as your account is active or as required to provide the Platform services. Upon account termination:

  • Project assessment data and evidence files are retained for 12 months after termination to allow for data export, unless earlier deletion is requested
  • Authentication data is deleted within 30 days of account termination
  • Activity logs may be retained for up to 3 years for security and audit purposes

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS
  • Hashed password storage (bcrypt via Supabase Auth)
  • Row-level security policies controlling data access at the database level
  • Signed URLs for evidence file access (files are not publicly accessible)
  • Role-based access control — each user sees only the data relevant to their role

No method of data transmission or storage is completely secure. If you become aware of any security vulnerability or incident, please notify us immediately at service@tavasis.com.

7. Your Rights

Under the PDPA, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Withdrawal of consent: Withdraw consent to the collection or use of your personal data (note this may affect your ability to use the Platform)
  • Data portability: Request your assessment data in a portable format where technically feasible

To exercise any of these rights, contact us at service@tavasis.com. We will respond within 30 days of receiving a verifiable request.

8. Cookies

The Platform uses session cookies solely to maintain your authenticated session. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. Session cookies are deleted when you close your browser or log out of the Platform.

9. Children

The Platform is intended for business use by professionals aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18.

10. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and will update the effective date above. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

11. Contact Us

ZYT Pte. Ltd. — Data Protection Contact

Email: service@tavasis.com

Website: tavasis.com

If you have an unresolved privacy concern, you may also contact the Personal Data Protection Commission of Singapore at www.pdpc.gov.sg.