Privacy Policy

This Privacy Policy (the “Policy”) describes how Whalefin Vision Enterprises Limited (“we,” “us,” or “our”) handles personal information in connection with our websites, products, applications, dashboards, and related services (collectively, the “Services”).

This Policy explains what we collect, why we collect it, how we use it, with whom we share it, and the choices available to you. Please read it together with our Terms of Service and any product-specific notices we may provide.

By creating an account, visiting our websites, or otherwise using the Services, you confirm that you have read, understood, and accepted this Policy and consented to our collection, use, disclosure, and other processing of your personal information as described herein. If you do not agree with any part of this Policy, you must immediately stop accessing or using the Services. We reserve the right to update this Policy at any time in accordance with Section 15.

This Policy applies to:

• Account holders and authenticated users, including individuals who register for, sign in to, or otherwise access the Services;
• Visitors to our public-facing websites, marketing pages, and documentation; and
• End users of customer applications, only to the limited extent that their data is processed by us on behalf of a customer.

Where you use the Services to build or operate a product that is offered to your own users, you act as the controller (or equivalent) of that data and we act as your processor (or equivalent). In that case, your own privacy notice governs your relationship with your end users, and our processing is described in our Terms of Service.

3.1 Account and Identification Data

When you register for the Services, we collect the information you submit, which typically includes your name, email address, password (stored in hashed form), organization or company name, role or job title where relevant, and any verification information required for compliance, fraud-prevention, or know-your-customer purposes.

3.2 Payment and Billing Data

If you purchase a product, subscribe to a paid plan, or are otherwise charged in connection with the Services, we collect billing information necessary to process the transaction. Card numbers and similar payment instruments are handled by our payment processors and are not stored on our systems in their original form; we typically retain only tokenized references, the last four digits, brand, expiry, and country of issuance.

3.3 Content You Provide (“User Content”)

In the course of using the Services, you may submit content to us — for example, text, files, images, audio, configuration data, or other materials. We refer to this as “User Content.” The nature of User Content depends on which features you use.

You decide what to submit as User Content. You are responsible for ensuring that you have the necessary rights and legal bases to submit any personal information, confidential information, or other regulated data through the Services, and for complying with the data-handling commitments you have made to your own users.

3.4 Usage and Technical Data

We collect technical information generated through your use of the Services, such as access timestamps, features used, IP addresses (including approximate geolocation derived from them), session identifiers, browser and device characteristics, operating system, referring pages, and similar diagnostic information.

3.5 Communications

When you contact our support team, respond to a survey, participate in a community forum operated by us, or otherwise communicate with us, we collect the contents of those communications and any metadata associated with them.

3.6 Information from Third Parties

We may receive information about you from third parties, including identity-verification vendors, fraud-prevention services, sanctions and watchlist screening providers, payment processors, and analytics partners. Where you sign in through a single-sign-on or OAuth provider, we receive the profile fields you authorize that provider to share with us.

We process the information described above for the following purposes:

• Service delivery — to register and authenticate your account, provide the features you have requested, and otherwise operate the Services;
• Billing and finance — to charge for usage, issue invoices, recover debts, and maintain accounting records;
• Service operation and improvement — to monitor availability, debug errors, investigate incidents, perform capacity planning, and develop new features. We aggregate, de-identify, or anonymize data wherever doing so still meets the operational purpose;
• Safety, security, and abuse prevention — to detect, investigate, and respond to fraud, abuse, unauthorized access, denial-of-service activity, content that violates our Terms of Service, and other risks to you, to us, or to third parties;
• Compliance and legal obligations — to comply with laws, court orders, regulatory requests, sanctions and anti-money-laundering obligations, tax filings, and lawful requests from public authorities;
• Customer support — to respond to your questions, troubleshoot issues, and follow up on tickets;
• Communications — to send service announcements, security alerts, billing notices, and (where you have not opted out) product updates and marketing material;
• Research and analytics — to understand how the Services are used, in aggregate or de-identified form, in order to make product decisions; and
• Corporate transactions — to evaluate, negotiate, and complete mergers, acquisitions, financings, reorganizations, or asset transfers involving us.

We will only process your personal information where we have a valid legal basis to do so under applicable law — for example, performance of the contract under which we provide the Services to you, our legitimate interests in operating and improving a secure platform, compliance with legal obligations to which we are subject, or your consent where required.

We share personal information with the following categories of recipients:

• Affiliates — within our corporate group, where they support the operation of the Services or perform shared back-office functions;
• Service providers and processors — that we engage to operate infrastructure and deliver functionality, including cloud hosting, content-delivery networks, observability tooling, error reporting, communications platforms, payment processors, identity verification, fraud screening, customer-support tooling, and similar vendors. Each is bound by written terms restricting their use of the information to the services we have engaged them to perform;
• Functionality partners — whose technology is integrated into the Services to deliver a feature you have requested, in which case the data necessary to perform that feature is transmitted to the partner and may be processed under that partner’s own terms;
• Professional advisors — including legal, audit, tax, and insurance advisors, subject to duties of confidentiality;
• Public authorities — where we are required to disclose information by applicable law, valid legal process, or where disclosure is necessary to protect rights, safety, or property;
• Acquirers and counterparties — in connection with a corporate transaction of the type described in Section 4; and
• Other parties with your consent — or at your direction.

We do not sell or share personal information in any manner that would require an opt-out right or other specific consent under applicable law, except as permitted by applicable law or with your consent.

We will not use User Content for purposes materially unrelated to providing, operating, securing, and improving the Services, and otherwise as permitted under this Policy, our Terms of Service, or applicable law. Where a feature requires User Content to be processed by an integrated partner in order to be delivered, the relevant partner’s terms and privacy practices will apply to that processing in addition to ours, and we will identify the partner in our documentation or in the relevant feature.

We are headquartered in Singapore and operate infrastructure in multiple jurisdictions. Personal information that we collect may be transferred to, stored in, or processed in countries other than the country in which you are located, including locations where our service providers and partners operate.

Where such transfers are subject to data-export rules in your jurisdiction, we will implement appropriate safeguards as required by applicable law, which may include standard contractual clauses, adequacy decisions, or other legally recognized transfer mechanisms. By using the Services, you acknowledge and, where required by applicable law, consent to the transfer, storage, and processing of your personal information outside your country of residence, including in jurisdictions whose data-protection laws may differ from those in your jurisdiction. You may contact us using the details in Section 13 to obtain further information about the safeguards in place.

We retain personal information for the period necessary to fulfill the purposes for which it was collected, including to provide the Services, satisfy legal, accounting, audit, tax, regulatory or law-enforcement obligations, resolve disputes, and enforce our agreements.

Indicative retention periods include:

• Account records — for the duration of the account, plus a reasonable period after closure to handle wind-down, dispute resolution, and statutory record-keeping;
• Billing records — for the period required by applicable tax and accounting law (commonly several years);
• Operational logs — for the period necessary to support debugging, abuse investigation, billing reconciliation, and security monitoring;
• Support communications — for the period necessary to maintain a service history and assess product quality.

When retention is no longer required for the purposes described above, we will delete, anonymize, or aggregate the data, or otherwise restrict its further processing, in accordance with our internal data-lifecycle procedures and applicable law.

We maintain technical and organizational measures designed to protect personal information against unauthorized access, accidental loss, alteration, disclosure, and other unlawful forms of processing. These measures include encryption of data in transit, encryption of sensitive fields at rest, network segmentation, access controls based on the principle of least privilege, logging and monitoring of administrative activity, secure software-development practices, vendor due diligence, and regular review of our security posture.

No system is perfectly secure, and we do not warrant or guarantee that the Services or your personal information will be free from unauthorized access, loss, or alteration. To the maximum extent permitted by applicable law, we are not liable for any security incident that is not directly caused by our gross negligence or willful misconduct. You are solely responsible for keeping your account credentials confidential, rotating them when compromised or suspected to be compromised, restricting access to the devices you use with the Services, and notifying us promptly at the contact address in Section 13 if you become aware of any actual or suspected unauthorized use of your account. Any delay in such notification may aggravate the resulting loss, and you bear the consequences of that delay.

Subject to applicable law, verification of your identity, and the reasonable conditions and limits set out below or otherwise permitted by law (including limits to prevent manifestly unfounded or excessive requests), you may have rights with respect to your personal information, which may include rights to access, correct, delete, restrict or object to processing, port, or withdraw consent, as well as the right to opt out of marketing communications and to lodge a complaint with the competent data-protection authority. The scope and availability of these rights depend on the law applicable to you. Opting out of marketing does not affect service, security, billing, legal, or other transactional communications, which you will continue to receive while you use the Services.

For your requests, please contact us using the details in Section 13. We will use reasonable efforts to respond within the timeframe required by applicable law. Before acting on a request, we may take steps to verify your identity, and we reserve the right to decline or charge a reasonable fee for requests that are manifestly unfounded, excessive, repetitive, or that we are not legally required to fulfill. Where we cannot honor a request in whole or in part, we will explain the reasons to the extent required by applicable law (for example, an overriding legal obligation to retain the information).

Our websites and dashboard use cookies, local storage, and similar technologies to keep you signed in, remember your preferences, protect against fraudulent access, measure traffic, and improve the product. Some of these technologies are strictly necessary for the Services to function; others are used only with your consent where required.

You can control non-essential cookies through your browser settings or, where presented, through our cookie banner. Disabling certain cookies may affect the availability of some features.

The Services are intended for use by individuals who are at least the age of majority in their jurisdiction and, in any event, not younger than 18. We do not knowingly collect personal information from children. If you believe that a child has provided personal information to us, please contact us and we will take appropriate steps to delete it.

If you have questions, concerns, or requests in connection with this Policy or our processing of your personal information, please contact us at support@athenaai.ac.

The Services may contain links to, or integrations with, third-party websites, applications, and tools that we do not operate or control. We do not endorse and are not responsible or liable for the availability, content, privacy practices, or security of those third parties, and your access to and use of any third-party website or tool is at your own risk and subject to that third party’s own terms and privacy notices. We strongly encourage you to review the privacy notices of any third-party service you choose to access through the Services.

We may update this Policy from time to time to reflect changes to the Services, to our practices, or to applicable law. If this Policy is updated, we may notify you by email, SMS, in-product or portal message, platform notice, or an announcement on our website. To ensure that you receive such notifications in a timely manner, you should promptly notify us of any update to your contact information. The “Last updated” date at the top of this Policy indicates when it was most recently revised. If you continue to use the Services after the updated Policy becomes effective, you are deemed to have fully read, understood, and accepted the updated Policy and to have agreed to be bound by it.

For ease of reference:

• “Customer” means the legal or natural person who has entered into an agreement with us to access the Services.
• “Personal information” or “personal data” has the meaning given to it under the data-protection law applicable to the processing in question, and generally refers to information that identifies or can reasonably be linked to an identifiable individual.
• “Process” or “processing” means any operation performed on personal information, whether automated or not.
• “User Content” has the meaning given to it in Section 3.3.