Privacy Policy

Last updated: 23 June 2026

1. Who we are

DiligenceWorks Pte. Ltd. (“DiligenceWorks”, “we”, “us”) is a Singapore-registered company (UEN 202622083N) that builds and manages AI operations infrastructure for regulated industries. Our registered address is 7 Temasek Boulevard #12-07, Suntec Tower One, Singapore 038987.

We are the data controller for the personal data described in this policy. Our Data Protection Officer can be contacted at dpo@diligenceworks.online.

This policy explains what personal data we collect when you interact with us through our website at diligenceworks.online, through email, or through our support channels. It also explains how we use, store, and protect that data, and what rights you have.

This policy does not cover how we process data on behalf of our clients through our managed platform products. That processing is governed by the Data Processing Addendum in each client’s service agreement.

2. What data we collect and why

2.1 Discovery call form

When you submit the form on our website to request a discovery call, we collect your name, email address, company name, team size, and the industries you select. We use this information to contact you, schedule the call, and prepare for the conversation. Your data is stored in our self-hosted list management system on servers in Germany (see Section 6).

2.2 Email correspondence

When you email us at any @diligenceworks.online address, we receive and store your email address, name (if provided), and the content of your message. We use this to respond to your inquiry and manage our business correspondence.

2.3 Sales and prospecting

If you engage with us through a sales conversation, a referral, or a business introduction, we may record your name, email address, job title, company name, and notes about our business discussions in our customer relationship management system. We use this information to manage the business relationship and follow up on opportunities.

We may also collect business contact information from publicly available professional sources such as LinkedIn for the purpose of B2B outreach. If we contact you on this basis and you ask us to stop, we will do so and add you to our suppression list (see Section 2.7).

2.4 Support inquiries

If you contact us through our support channel, we collect your name, email address, and the content of your inquiry. We use this to resolve your issue and may retain a record of the interaction for quality and continuity purposes.

2.5 Newsletter and marketing emails

If you subscribe to our newsletter (when available), we collect your email address and any preferences you provide. Newsletter subscriptions require your explicit consent, and every email includes a one-click unsubscribe link. If you unsubscribe, we retain a hashed version of your email address on a suppression list to ensure we do not contact you again. All other personal data associated with your subscription is deleted.

2.6 Website analytics

We use Umami, a privacy-focused analytics tool that we host on our own servers in Germany. Umami does not use cookies, does not collect personal data, and does not track individual visitors across sessions. We use aggregate, anonymised data (page views, referral sources, browser type, country) to understand how our website is used. This data cannot be linked to any individual.

2.7 Suppression lists

If you ask us not to contact you, or if you unsubscribe from marketing communications, we retain the minimum information necessary (typically a hashed email address) on a permanent suppression list. The sole purpose of this list is to honour your request. This data is not used for any other purpose.

3. Legal basis for processing

We process personal data on the following legal bases, depending on the activity.

Consent. We rely on your consent for newsletter subscriptions and marketing communications. You can withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us at dpo@diligenceworks.online. Withdrawal of consent does not affect the lawfulness of processing that took place before the withdrawal.

Contractual necessity. We process personal data where it is necessary to take steps at your request before entering into a contract or to perform a contract with you. This includes processing discovery call form submissions to schedule and conduct the call, and processing contact details to deliver services you have agreed to.

Legitimate interest. We rely on legitimate interest for B2B sales prospecting, managing business relationships through our CRM, responding to inquiries, and operating our support channels. Our legitimate interest is in conducting our business and responding to people who engage with us. We balance this against your rights by limiting the data we collect to what is necessary, providing easy opt-out mechanisms, and maintaining a suppression list for anyone who asks us to stop.

Legal obligation. We may retain certain records (such as financial transaction records) where required by Singapore law.

4. Who we share data with

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share personal data only with the service providers listed below, who process it on our behalf and under our instructions.

Hetzner Online GmbH (Germany, EU). Our hosting provider. All self-hosted systems (list management, CRM, support, analytics) run on Hetzner servers in Falkenstein, Germany. Hetzner is ISO 27001 certified.

Brevo (Sendinblue GmbH, EU). Our email delivery provider. When we send you a newsletter, a transactional email, or a support notification, your email address and the email content pass through Brevo’s servers for delivery. Brevo is based in the EU (Paris/Berlin) and is ISO 27001 certified. We are evaluating alternative providers and will update this policy if we change email delivery services.

Migadu (Switzerland). Our business email provider. When you email us at any @diligenceworks.online address, your correspondence is processed through Migadu’s servers in Switzerland. Switzerland is recognised as providing an adequate level of data protection by both the EU and Singapore’s PDPC.

Authorised personnel. Our team members may access personal data stored on our systems from locations outside the EU as part of normal business operations. All remote access is protected by encrypted connections (TLS 1.2 or higher), multi-factor authentication, and role-based access controls. Access is limited to personnel who need it for their specific responsibilities.

We may also share personal data where required by law, regulation, or court order.

5. How long we keep data

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. When the retention period expires, data is securely deleted or anonymised.

  • Discovery call form submissions and general inquiries are retained for as long as the business relationship or sales conversation remains active, and for a reasonable period afterward to allow for follow-up.
  • Newsletter subscriber data is retained until you unsubscribe. After you unsubscribe, all personal data is deleted except a hashed email address on our suppression list.
  • Support inquiry records are retained for as long as needed to resolve the matter and for a reasonable period afterward for quality and continuity purposes.
  • Financial records (such as invoices and payment records) are retained for a minimum of five years as required by Singapore law.
  • Suppression list entries are retained permanently to ensure we continue to honour your opt-out request.

Our internal data retention policy sets specific retention periods for each category of data. If you would like to know the retention period that applies to your data, contact us at dpo@diligenceworks.online.

6. International transfers

DiligenceWorks is a Singapore-registered company. Our infrastructure is hosted in Germany (EU) by Hetzner. This means that if you are located in Singapore, your personal data is transferred to and stored in Germany.

Germany, as part of the European Union, provides a level of data protection recognised by Singapore’s Personal Data Protection Commission as comparable to Singapore’s standards.

Where personal data is transferred to service providers in other jurisdictions, we use the following safeguards:

  • EU (Germany, France). Hetzner and Brevo operate within the EU under the GDPR. No additional transfer mechanism is required for EU-to-EU transfers.
  • Switzerland. Migadu operates in Switzerland, which is recognised as having adequate data protection by both the EU and Singapore.

AI-assisted processing of operational data (such as compliance tracking and internal task management) is performed using a locally hosted language model running on our own EU-based infrastructure. This processing does not involve transferring personal data to any third-party AI provider.

7. How we protect your data

We protect personal data with technical and organisational measures appropriate to the risk. These include:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is protected by full-disk encryption (AES-256) on our servers.
  • Access to systems containing personal data is restricted to authorised personnel and protected by strong authentication controls including multi-factor authentication.
  • All systems are self-hosted on dedicated infrastructure, giving us direct control over security configuration, patching, and access.

No system is perfectly secure. If you believe your personal data has been compromised, contact us immediately at dpo@diligenceworks.online.

8. Your rights

Depending on your location and the laws that apply, you may have rights regarding your personal data, including the right to access, correct, delete, restrict, or port your data, to withdraw consent, and to object to processing. We respect these rights under all applicable data protection laws, including the Singapore Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and other relevant legislation.

You can also unsubscribe from marketing communications at any time using the link in any email, or by contacting us. If you ask us to stop processing your data for prospecting purposes, we will do so.

To exercise any of these rights, contact our Data Protection Officer at dpo@diligenceworks.online. We will acknowledge your request within a few working days and aim to respond substantively within 10 working days. If we need more time due to the complexity of a request, we will let you know within that initial period and explain why. Requests to withdraw consent will be actioned within 5 days.

9. Cookies and tracking technologies

Our website does not use cookies. We do not use tracking pixels, fingerprinting, or any other technology that identifies or follows individual visitors.

Our analytics tool (Umami) operates without cookies and without collecting personal data. It provides us with aggregate statistics (total page views, referral sources, browser types, visitor countries) that cannot be linked to any individual.

10. Children

Our services are designed for businesses and professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have collected data from a minor, contact us at dpo@diligenceworks.online and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make changes, we will update the “Last updated” date at the top of this page. If we make material changes that affect how we process your personal data, we will notify you by email (if we have your email address) or by posting a notice on our website.

12. How to contact us and how to complain

For any questions about this policy or about how we handle your personal data, contact our Data Protection Officer:

Data Protection Officer
Email: dpo@diligenceworks.online

DiligenceWorks Pte. Ltd.
7 Temasek Boulevard #12-07
Suntec Tower One, Singapore 038987

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. This may include:

  • Singapore: Personal Data Protection Commission (PDPC), pdpc.gov.sg
  • European Union: Your local data protection authority. A list is available at edpb.europa.eu.

If you are located in another jurisdiction with a data protection supervisory authority, you may also have the right to lodge a complaint with that authority.