Indexed Pte Ltd is in the process of being incorporated in Singapore. Pending completion of incorporation, Indexed* is operated by Han Studios (Phnom Penh, Cambodia). References to "Indexed" in this Policy refer to the current operator and its incorporated successor interchangeably. Personal data collected under this Policy will be transferred to Indexed Pte Ltd on incorporation in accordance with the Personal Data Protection Act 2012 of Singapore (the "PDPA").
This Privacy Policy explains how Indexed Pte Ltd ("Indexed", "we", "us", "our") collects, uses, discloses, transfers, retains, and protects personal data in connection with the Indexed website at beindexed.ai and the Indexed service (collectively, the "Service").
This Policy is part of our Terms of Service and is governed by the PDPA. Where you submit personal data of any individual other than yourself, you warrant that you have lawful basis to do so and that you have informed that individual of the matters covered by this Policy.
1. Who We Are and Data Protection Officer
The data controller (or, under the PDPA, the organisation) responsible for personal data collected under this Policy is Indexed, with contact details set out in Section 13.
Our Data Protection Officer (DPO) under section 11(3) of the PDPA can be reached at privacy@beindexed.ai.
2. Personal Data We Collect
2.1 From the Client at signup and during onboarding
- Identification: name, role/title, business name, business registration number (where provided).
- Contact: email address, phone number, Telegram handle, business postal address.
- Business operations data: business hours, menu or service list, brand assets (logo, photos), business descriptions.
- Account credentials: the email and salted-hashed password used to access the client portal.
2.2 From payment processing
- Payment metadata: Stripe customer ID, billing address, card brand, last 4 digits of card, expiry, transaction status, refund history.
- We do not collect or store full card numbers, CVV codes, or magnetic-stripe data. These are processed and held exclusively by Stripe under its own privacy and security obligations.
2.3 From your use of the Service
- Site usage: pages viewed, actions taken, edit requests submitted, preview confirmations, log-in events, session metadata.
- Communications log: emails, Telegram messages, and support tickets exchanged with Indexed.
2.4 Automatically (analytics)
- Visitor data: anonymised page views, referrers, browser type, approximate location (country/city level), and aggregated session data on beindexed.ai and on Deployed Sites — collected via Cloudflare Analytics, which does not use third-party tracking cookies.
- Operational logs: server-side request, error, and audit logs necessary to operate and secure the Service.
2.5 From third parties
- Stripe: transaction events, billing status.
- Publicly available information: for onboarding speed, we may augment your submission with publicly available business information (Google Business listings, public Telegram presence, etc.).
2.6 Customer Data on your Deployed Site
Where your Deployed Site includes a contact form, Customer Data (the personal data of your end-customers) flows through that form into our operational systems and is forwarded to you. The roles and responsibilities of Indexed and the Client in respect of Customer Data are addressed in our Data Processing Addendum.
3. Purposes of Collection and Use
We collect, use, and disclose personal data for the following purposes:
(a) To deliver the Service: build, deploy, and maintain your Site; register and operate your domain; run monthly Kenji audits.
(b) To bill, charge, refund, and otherwise administer payment under the Terms.
(c) To communicate with you about your account, the Service, security, billing, and material changes to terms or policies.
(d) To provide customer support and resolve incidents.
(e) To improve, secure, and operate the Service, including reviewing Agent performance, refining internal prompts, and detecting fraud or abuse.
(f) To comply with applicable law, court order, lawful regulatory request, and our legal obligations.
(g) To enforce or defend our legal rights, including in respect of disputes.
(h) To facilitate any actual or proposed merger, acquisition, restructuring, or sale of all or part of our business.
Personal data will be used only for purposes that the individual would reasonably consider appropriate in the circumstances, in accordance with section 18 of the PDPA.
4. Legal Basis (Consent under the PDPA)
Where required by the PDPA, we collect, use, and disclose personal data with the consent of the individual (deemed or express). For most processing described in this Policy, consent is given by:
(a) Accepting our Terms of Service at signup (a clickwrap action that records the acceptance);
(b) Voluntarily providing information through the client portal or in communications with us;
(c) Continuing to use the Service after being notified of this Policy.
Where consent cannot be relied upon, we rely on other legal bases permitted under the PDPA, including legitimate interests, performance of contract, and compliance with legal obligations.
5. Withdrawal of Consent
You may withdraw your consent to our collection, use, or disclosure of your personal data at any time by emailing privacy@beindexed.ai.
Withdrawal of consent may prevent us from continuing to provide the Service to you and may result in termination of your Subscription under Section 13 of the Terms. We will inform you of the likely consequences of withdrawal within a reasonable period after receiving your request and will give effect to the withdrawal within a reasonable period thereafter.
6. AI Processing
The Service is operated by autonomous AI Agents. Personal data you submit (including Client Content) may be processed by:
| Provider | Role | Location |
|---|---|---|
| Anthropic (Claude models) | Design and content generation, agent reasoning | United States |
| OpenAI (GPT models) | Content generation, classification, translation | United States |
| Google (Gemini models) | Translation, audit research | United States / Singapore region |
| Cloudflare Workers AI | Lightweight inference at edge | Cloudflare global edge |
We have entered into data processing terms with each AI provider that:
(a) Restrict the use of submitted data to delivering the Service;
(b) Prohibit, where the provider's terms permit such opt-out, the use of submitted data to train the provider's general-purpose models; and
(c) Require appropriate security and confidentiality safeguards.
We do not authorise any AI provider to use your personal data for purposes outside delivering the Service, to the extent we can exclude such use under the provider's terms.
7. How We Share Personal Data
We share personal data only with:
(a) Service providers that operate the Service on our behalf, including Cloudflare (hosting, CDN, registrar, analytics, email routing), Stripe (payment processing), Airtable (operational database), Telegram (messaging), and the AI providers listed in Section 6;
(b) Indexed personnel on a strict need-to-know basis for delivering and supporting the Service;
(c) Professional advisors (lawyers, accountants, auditors) under duties of confidentiality;
(d) Government and law enforcement authorities where required by law, court order, or other lawful process;
(e) Acquirers or successors in connection with any merger, acquisition, restructuring, or sale of all or part of our business, subject to ongoing confidentiality and equivalent privacy protections.
We do not sell personal data to any third party.
8. Cross-Border Transfers
Personal data collected under this Policy is transferred outside Singapore and stored, processed, or accessed in jurisdictions including but not limited to:
- The United States (Cloudflare, Stripe, Airtable, Anthropic, OpenAI, Google);
- The European Union (some Cloudflare edge locations, some Stripe processing);
- Cambodia (Han Studios operations, pending incorporation);
- Other regions where Cloudflare's global edge or our AI providers operate.
In accordance with section 26 of the PDPA and the Personal Data Protection Regulations 2021, before transferring personal data overseas we take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection at least comparable to the PDPA, including through:
(a) Written contractual obligations imposing equivalent protections;
(b) Use of providers that have publicly demonstrated compliance with internationally recognised privacy frameworks (e.g. SOC 2, ISO 27001, GDPR-aligned data processing agreements);
(c) Reliance on the provider's own binding corporate rules where applicable.
By using the Service, you consent to these cross-border transfers.
9. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected or as required by law:
| Category | Retention period |
|---|---|
| Active account data | Duration of Subscription |
| Account data after cancellation | 90 days for restoration, then deleted |
| Financial records (invoices, payment events) | 7 years (statutory tax/accounting retention) |
| Operational logs | 12 months rolling |
| Communications (email, Telegram, support tickets) | 36 months |
| Data subject to a hold for legal claim or investigation | Duration of the hold + 12 months |
| Cookies | As stated at Section 14 |
After the applicable retention period, we will delete, anonymise, or return the personal data, except where retention is required by law or to defend a legal claim.
10. Security
We implement reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, and similar risks, including:
(a) HTTPS / TLS encryption in transit;
(b) Cloudflare edge security including WAF and DDoS protection;
(c) Encrypted storage for sensitive fields and secrets;
(d) Access control, role-based permissions, and audit logging for operational systems;
(e) Salted, hashed password storage with industry-standard algorithms;
(f) Regular security review of the Agent and Worker systems.
No system is perfectly secure. If we become aware of a data breach that has or is likely to have a significant impact on individuals or that affects 500 or more individuals, we will notify the Personal Data Protection Commission of Singapore and the affected individuals as soon as practicable and within the timeframes required by sections 26C–26E of the PDPA.
11. Your Rights
Subject to limitations under the PDPA, you have the right to:
| Right | What it means |
|---|---|
| Access | Obtain confirmation of, and a copy of, personal data we hold about you, together with information about how it has been or may have been used or disclosed in the preceding 12 months (section 21, PDPA) |
| Correction | Request correction of inaccurate or incomplete personal data (section 22, PDPA) |
| Withdrawal of consent | Withdraw consent for collection, use, or disclosure (section 16, PDPA — see Section 5 above) |
| Data portability | Request a copy of your data in a commonly used machine-readable format, where applicable under sections 26F–26J of the PDPA once in force |
| Complaint | Lodge a complaint with us, and if unresolved, with the Personal Data Protection Commission of Singapore (pdpc.gov.sg) |
To exercise any of these rights, email privacy@beindexed.ai. We will respond within 30 days of receiving a verifiable request. We may charge a reasonable fee for access requests in accordance with the PDPA.
12. Children
The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. If we become aware that we have collected personal data from a person under 18, we will delete it as soon as practicable. If you believe a minor has provided us with personal data, contact us at privacy@beindexed.ai.
13. Contact
For any matter relating to this Policy or the personal data we hold about you, including access, correction, withdrawal of consent, or complaints:
- Data Protection Officer: privacy@beindexed.ai
- General: hello@beindexed.ai
- Mail: [Indexed Pte Ltd registered office to be confirmed on incorporation]. Operations: Han Studios, Phnom Penh, Cambodia.
If you are not satisfied with our response, you may make a complaint to the Personal Data Protection Commission of Singapore at pdpc.gov.sg.
14. Cookies and Similar Technologies
We use only the following categories of cookies and similar technologies:
(a) Strictly necessary cookies — required for session management in the client portal and for Cloudflare's security and CDN functions;
(b) Functional cookies — to remember your language preference and other display settings;
(c) First-party analytics — via Cloudflare Analytics, which does not use third-party tracking cookies.
We do not use third-party advertising cookies, cross-site tracking, or browser fingerprinting.
You can configure your browser to refuse cookies, but parts of the Service (including the client portal) may not function correctly without them.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in law, our Service, or our practices. The "Last updated" date at the top reflects the most recent change.
Where changes are material, we will notify you by email or through the client portal at least 14 days before the change takes effect.
16. Language
This Policy is made in English, which is the controlling language. Any translation is provided for convenience only.