PropVault← Back to home

Privacy Policy

Version 1.0 · Effective 19/05/2026 · Last updated 19/05/2026

1. Introduction & Data Controller

This Privacy Policy describes how Veridico Pte Ltd (UEN: 202505745R; registered address: 21 Tan Quee Lan Street, #02-04 Heritage Place, Singapore 188108) collects, uses, discloses, and protects your personal data. PropVault is the consumer-facing product brand operated by Veridico Pte Ltd.

This Policy is issued in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore and covers all personal data processed through the propvault.biz web application, the PropVault mobile application, and any associated APIs.

2. Scope

This Policy applies to all users of the PropVault service, including the propvault.biz web application, the PropVault React Native mobile app, and any associated APIs. By creating an account you confirm that you have read this Policy and consent to the collection and use of your personal data as described herein.

3. What Personal Data We Collect

We collect the following categories of personal data:

  • Account data: email address, full name, hashed password (managed by Supabase Auth), and — once Stripe billing is activated — your Stripe customer ID. We never store raw card numbers.
  • Property data: addresses, land titles, ownership names, MCST fees, property tax amounts, and related financial figures. These records may indirectly identify you via title-deed information.
  • Document data: PDFs and images of tenancy agreements, loan letters, insurance policies, tax bills, and option-to-purchase documents that you upload. These documents may contain tenant PII (name, email, phone), agent PII (name, CEA licence number), and financial counterparty names.
  • AI-extracted data: key fields parsed by Anthropic Claude from your uploaded documents — such as tenant names, lease dates, and loan amounts. Personal identifiers (NRIC, phone numbers, email addresses, postal codes, person names) are stripped before the document reaches the Claude API via a two-layer regex redaction process. Extraction requires your explicit per-upload consent.
  • Usage data: server-side logs including request timestamps, IP addresses truncated to the /24 prefix, and error traces. These are used only for debugging and security monitoring — not for product analytics or advertising.

4. Purposes of Collection and Use

We collect and use your personal data for the following purposes:

  • To deliver the PropVault property-management service to you;
  • To generate lease-expiry and loan-maturity alerts;
  • To compute portfolio cashflow summaries;
  • To perform AI-based document extraction — always gated on your explicit per-upload consent;
  • To process billing and subscription management via Stripe (once billing is activated);
  • For security monitoring, fraud prevention, and abuse prevention.

These purposes are notified to you at the point of collection (account sign-up and per-upload consent) in compliance with the PDPA Notification and Consent obligations.

5. Third Parties We Share Data With

We share personal data only with the following service providers, for the purposes stated:

  • Anthropic PBC (United States) — Claude API for AI document extraction. Anthropic does not use API inputs or outputs to train their models and is bound by their Privacy Policy and Commercial Terms. AI extraction is consent-gated; see §3 above.
  • Supabase / AWS ap-southeast-1 (Singapore) — primary database, authentication, and document storage. Supabase holds a SOC 2 Type II certification. All data remains in the Singapore region under normal operation.
  • Stripe, Inc. (United States) — payment processing once billing is activated. Subject to Stripe's Privacy Policy. Raw card numbers are never transmitted to or stored by Veridico.
  • Vercel, Inc. (United States) — application hosting and global CDN. The primary compute region is Singapore.

We do not sell personal data, share it with advertisers, or disclose it to data brokers. PropVault carries no third-party analytics or advertising trackers.

6. Data Retention

  • Active accounts: personal data is retained for as long as your account remains active and you continue to use the service.
  • Deleted accounts: upon an account deletion request, a 30-day grace period applies during which you may cancel the request. After 30 days, all account data — properties, documents, photos, expenses, tenancies, loans, valuations, transactions, and alerts — is permanently deleted. Your Supabase Auth login is removed. Storage objects are explicitly purged. No personal tombstone record is retained by Veridico beyond any billing records that Stripe is legally required to keep on their own systems.
  • Operational backups: Supabase point-in-time recovery retains up to 7 days of database backups in the Singapore region on a rolling basis. We do not selectively excise individual users from backup snapshots; deleted user data will naturally age out of backups within 7 days of the hard-delete completing.

7. Your Rights Under the PDPA

As a data subject under the PDPA, you have the following rights:

  • Right of Access: request a copy of the personal data we hold about you. In-app: your property records and documents are visible at /portfolio and /properties.
  • Right of Correction: request correction of inaccurate personal data. In-app: use the Edit Property, Edit Loan, Edit Tenancy, and Edit Valuation forms to correct your records directly.
  • Withdrawal of Consent: withdraw consent to AI extraction at any time by unchecking the consent checkbox on the next document upload. Withdrawal does not affect prior extractions.
  • Right to Erasure (Account Deletion): request deletion of your account and all associated data. In-app: navigate to Account → “Delete your PropVault account.” The 30-day grace period applies (§6 above).

To exercise any right not available through the in-app interface, contact our Data Protection Officer at privacy@propvault.biz. We will respond within 10 business days.

8. International Data Transfers

When you consent to AI extraction, document content is transmitted to Anthropic's API outside Singapore for processing. Personal identifiers are redacted before transmission (§3). Payment-method tokens are transmitted to Stripe in the United States once billing is activated. All other data — database records, uploaded documents, application logs — remains in the Singapore region (AWS ap-southeast-1) under normal operation.

9. Security Measures

PropVault implements the following technical and organisational measures to protect your personal data:

  • TLS 1.2+ encryption for all data in transit;
  • AES-256 encryption for all data at rest;
  • Supabase Row Level Security (RLS) enforced at the database level — each landlord can only access their own records;
  • SOC 2 Type II certified infrastructure (Supabase / AWS);
  • Two-layer regex redaction of personal identifiers before AI API calls;
  • Short-lived signed URLs for document access (1-hour expiry).

For full technical detail see the Security & Privacy page inside the PropVault dashboard.

10. Children

PropVault is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us at privacy@propvault.biz and we will delete it promptly.

11. Changes to This Policy

Material changes to this Policy (changes that affect how we collect, use, or share your personal data) will be notified to you by email and via an in-app banner on your next login, at least 14 days before they take effect. Non-material changes (corrections, clarifications, formatting) will update the “Last updated” date silently. Your continued use of PropVault after a material change takes effect constitutes acceptance of the revised Policy.

12. Contact Us

Data protection enquiries: privacy@propvault.biz

General enquiries: hello@propvault.biz

Postal address: Veridico Pte Ltd, 21 Tan Quee Lan Street, #02-04 Heritage Place, Singapore 188108