Privacy Policy

Effective date: 18 March 2026

Clerq Pte Ltd ("Clerq", "we", "us") is committed to protecting the personal data of our users in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore, as amended, and all applicable data protection regulations.

Clerq has appointed a Data Protection Officer (DPO) who is responsible for ensuring our compliance with the PDPA. For DPO contact details, please see Section 13 below.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Clerq platform and related services (the "Services").

1. Personal Data We Collect

1.1 Data You Provide

Account information: Name, email address, phone number, and login credentials when you register for an account.
Company information: Company name, Unique Entity Number (UEN), registered address, financial year end, and industry classification.
Financial data: Bank statements, transaction records, invoices, receipts, financial statements, and tax computations uploaded or generated through the Services.
Documents: Corporate documents uploaded to the document vault, including filings, resolutions, and agreements.
Signing data: Electronic signatures (drawn or typed), IP addresses, browser information, and timestamps collected during the e-signing process.
Sensitive identifiers: Documents uploaded to the platform may contain NRIC numbers, passport numbers, or other government-issued identifiers of directors, shareholders, or signatories. Such data is stored securely and processed only for the purpose of providing the Services.

1.2 Data Received from Third-Party Integrations

When you connect third-party services (e.g., Xero, banking APIs), we receive financial data from those platforms on your behalf, including chart of accounts, bank transactions, contact details, and invoice records. This data may contain personal data about individuals other than you (e.g., employee names on payroll records, counterparty details on invoices). Such data is processed solely for the purpose of providing the Services.

1.3 Data Relating to Non-Users

In the course of providing the Services, we may process personal data about individuals who are not direct users of Clerq - for example, directors, shareholders, employees, or business counterparties whose information appears in documents or financial records uploaded by our users. If you upload data about third parties, you represent that you have the lawful authority to share that data with us and that you have informed those individuals of this Privacy Policy where reasonably practicable.

1.4 Data Collected Automatically

Usage data: Log data, browser type, device information, pages visited, and interaction patterns collected automatically.

2. How We Use Your Personal Data

We use your personal data for the following purposes:

To provide, maintain, and improve the Services, including bookkeeping, financial reporting, compliance filing, document management, and e-signatures.
To process and verify electronic signatures and maintain legally compliant audit trails.
To generate AI-powered insights, financial analysis, and document drafts using third-party AI services (see Section 5).
To perform OCR (optical character recognition) on uploaded documents to extract financial data.
To communicate with you about your account, service updates, and compliance deadlines.
To comply with legal and regulatory obligations, including ACRA and IRAS filing requirements.
To detect and prevent fraud, security incidents, and unauthorised access.
To conduct internal analytics and product development using aggregated, anonymised data that does not identify individual users.

We do not currently send marketing communications. If we introduce marketing emails in the future, we will obtain your consent and provide a clear opt-out mechanism in compliance with the PDPA and the Spam Control Act (Cap. 311A).

3. Legal Basis for Processing

Under the PDPA, we process your personal data based on:

Consent: Obtained through the account registration process when you actively create an account and agree to these terms. You may withdraw your consent at any time (see Section 8).
Contractual necessity: Processing required to deliver the Services you have subscribed to.
Legal obligation: Processing required to comply with Singapore laws, including the Companies Act and Income Tax Act.
Legitimate interests: Processing for fraud prevention, security, and service improvement, where our interests do not override your data protection rights.
Business improvement exception: Where applicable, we may rely on the PDPA 2020 business improvement exception for internal analytics using anonymised data.

4. Disclosure of Personal Data

We may share your personal data with:

Third-party service providers: Cloud hosting (Microsoft Azure, Southeast Asia region), AI services (Azure OpenAI), and email delivery services, who process data on our behalf under Data Processing Agreements with appropriate confidentiality and data protection obligations.
Regulatory authorities: ACRA, IRAS, or other government bodies when required for compliance filings you initiate through the Services, or when required by law.
Integration partners: Third-party services you connect (e.g., Xero, banking APIs) to sync financial data, only with your explicit authorisation.
Signing counterparties: When you send a document for signing, the recipient will see the document content and your company name.
Professional advisors: Our lawyers, auditors, and accountants where necessary for legal proceedings, regulatory compliance, or audits, subject to professional confidentiality obligations.

4.1 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of Clerq's assets, your personal data may be transferred to the acquiring entity. We will notify you via email or prominent notice on the platform before any such transfer, and your data will remain subject to this Privacy Policy (or a successor policy with equivalent protections) following the transfer.

We do not sell your personal data to third parties.

5. AI and Automated Processing

5.1 How We Use AI

Clerq uses AI services (powered by Azure OpenAI, hosted in the United States) to:

Extract data from receipts and invoices (OCR).
Categorise financial transactions.
Generate corporate document drafts (resolutions, agreements).
Provide financial Q&A through the AI Assistant.

5.2 Data Handling

Your financial data is sent to Azure OpenAI for processing. We do not use your data to train, fine-tune, or improve any AI models. Data sent to Azure OpenAI is processed under Microsoft's Data Processing Agreement and is not retained by Microsoft beyond the immediate API request.

5.3 Automated Decisions

Clerq's AI features assist with document drafting, data extraction, and transaction categorisation. These features are advisory only and do not make binding decisions about you. All AI-generated outputs require your review and approval before use. If you believe an AI-generated output contains an error, you may report it to support@clerq.sg and we will investigate and assist with correction.

6. Data Retention

Data Type	Retention Period	Trigger Event
Account data	Duration of account + 6 years	Date of account closure
Financial records	Minimum 5 years	End of the relevant Year of Assessment
Signing records & audit trails	7 years	Date of last signature on the document
Usage logs	12 months	Date of log entry

At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. Anonymised data (which can no longer identify any individual) may be retained indefinitely for aggregate analytics and product improvement purposes.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption in transit (TLS 1.2+) and at rest.
Role-based access controls within the platform.
Internal access restricted to authorised Clerq personnel on a need-to-know basis, with access logging.
Comprehensive audit logging of all data access and modifications.
Regular security assessments and vulnerability monitoring.
Hosting on Microsoft Azure with SOC 2 Type II and ISO 27001 certified infrastructure in the Southeast Asia (Singapore) region.

7.1 Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals or is of a significant scale, Clerq will:

Notify the Personal Data Protection Commission (PDPC) within 3 business days of becoming aware of the breach, as required by the PDPA.
Notify affected individuals as soon as practicable if the breach is likely to result in significant harm.
Take immediate steps to contain the breach, assess its impact, and implement measures to prevent recurrence.

8. Your Rights Under the PDPA

You have the right to:

Access your personal data held by us.
Correct any inaccurate or incomplete personal data.
Withdraw consent for the collection, use, or disclosure of your personal data.
Request deletion of your personal data, subject to our retention obligations.
Data portability: Request a copy of your data in a commonly used, machine-readable format (e.g., CSV, JSON). We will fulfil portability requests within 30 business days.

8.1 Consequences of Withdrawing Consent

You may withdraw your consent for the collection, use, or disclosure of your personal data at any time by contacting us at privacy@clerq.sg. Please note that withdrawing consent may result in our inability to continue providing some or all of the Services to you. For example, if you withdraw consent for processing your financial data, we will be unable to generate financial statements or track filings on your behalf. We will inform you of the specific consequences before processing your withdrawal request.

8.2 Complaints

If you are not satisfied with our response to your data protection request, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.

To exercise any of the above rights, contact us at privacy@clerq.sg. We will respond within 30 business days.

9. Cookies

We use essential cookies for session management and authentication. We do not use third-party tracking cookies or advertising cookies.

Cookie	Purpose	Type	Duration
`sessionid`	Maintains your login session	Essential	Session (expires on browser close or after 2 weeks of inactivity)
`csrftoken`	Prevents cross-site request forgery attacks	Essential / Security	1 year
`messages`	Displays one-time status messages (e.g., "Document uploaded")	Essential	Session

10. International Data Transfers

Your data is primarily stored and processed in Microsoft Azure's Southeast Asia (Singapore) region.

For AI processing (OCR, document generation, financial analysis), your data is transmitted to Azure OpenAI services hosted in the United States. These transfers are made under Microsoft's Data Processing Agreement, which incorporates Standard Contractual Clauses and complies with the PDPA's transfer limitation obligation (Section 26). Microsoft is contractually bound not to retain or use your data beyond the immediate API request.

We do not transfer your data to any other jurisdictions.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes that affect data collection purposes, disclosure recipients, or your rights, we will notify you via email or a prominent notice on the platform at least 30 days before the changes take effect, and may require your affirmative re-consent (e.g., by clicking "I Agree" upon your next login). For minor or administrative changes, continued use of the Services after the effective date constitutes acceptance.

12. Severability

If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights:

Data Protection Officer
Clerq Pte Ltd
Registered Address: [Insert Full Registered Office Address, Singapore]
UEN: [Insert UEN]
Email: privacy@clerq.sg