Introduction
RedSwarm Security Pte. Ltd. ("RedSwarm", "we", "us", or "our") is committed to protecting the personal data of individuals who interact with our website and automated penetration testing platform. This Privacy Policy describes how we collect, use, disclose, and protect personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020.
This Policy applies to all personal data collected through our website at redswarm.io, our platform, and any related communications. By using our Services, you acknowledge you have read and understood this Policy.
Data Protection Officer (DPO): Our DPO can be reached at legal@redswarm.io. All data-related requests will be responded to within 30 calendar days.
Data We Collect
We collect only the personal data necessary to provide our Services. The categories we may collect include:
Identity & Contact Data
- Full name, job title, company name
- Business email address and phone number
- Business mailing address
Account & Platform Data
- Login credentials (your email address and a one-way hash of your password; the password itself is not stored)
- Account preferences and subscription tier
- Scan configuration settings
Usage & Technical Data
- IP address, browser type, operating system
- Pages visited, timestamps, referral source
- API call logs and session identifiers
Communication Data
- Emails, support ticket contents, and demo request submissions
Scan and vulnerability data processed by the RedSwarm Security platform (e.g., HTTP request/response pairs, discovered endpoints, vulnerability findings) relates to your systems and is treated as Customer Data under our Terms of Service. Because captured request/response pairs can incidentally contain personal data belonging to your own users, we process such data only on your instructions as Customer Data, and we do not use it for any purpose other than delivering your contracted scan results.
How We Collect Data
We collect personal data through the following means:
- Directly from you: via contact forms, demo request submissions, account registration, and email correspondence.
- Automatically: through server logs, analytics tools, and session cookies when you visit our website.
- From third parties: where you connect via LinkedIn or where a third party refers you to RedSwarm Security with your knowledge and consent.
Purposes of Collection
Under the PDPA Notification Obligation (Section 20), we collect, use, and disclose your personal data for the following specific purposes:
- To process and respond to demo requests and sales inquiries
- To provision, operate, and maintain your RedSwarm Security platform account
- To deliver scan results and vulnerability reports
- To send transactional communications (account alerts, invoices, security notices)
- To send product updates and security advisories (with your consent, withdrawable at any time)
- To comply with applicable laws and regulatory obligations
- To detect, investigate, and prevent fraud or unauthorized access
- To generate anonymized, aggregated usage analytics to improve the platform
- To fulfil contractual obligations under enterprise customer agreements
We will not use your personal data for any purpose not listed above without obtaining your separate consent.
Consent
We rely on the following legal bases to process personal data:
- Express consent: obtained at point of collection (e.g., ticking a checkbox on our contact form for marketing communications).
- Deemed consent (PDPA Section 15): where you voluntarily provide personal data to us for a purpose in a B2B context, and it is reasonable that you would provide it for that purpose.
- Contractual necessity: where processing is required to fulfil a subscription agreement with your organisation.
- Legal obligation: where we are required by law to process data (e.g., tax records, regulatory requests).
Withdrawing consent: You may withdraw consent at any time by contacting our DPO at legal@redswarm.io. Withdrawal will be processed within 30 calendar days. Withdrawal may limit our ability to provide certain services. It does not affect the lawfulness of processing prior to withdrawal.
Disclosure to Third Parties
We may disclose your personal data to the following categories of recipients, and only for the purposes described under "Purposes of Collection" above:
- Cloud infrastructure providers (e.g., Amazon Web Services — Singapore and US regions) for platform hosting and data storage
- Email delivery providers (Resend, Inc.) for transactional email delivery
- Analytics providers (Plausible Analytics — cookieless, EU-hosted) for aggregate website analytics
- Professional advisors (legal counsel, accountants) under confidentiality obligations
- Regulatory authorities where required by law or court order
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
All third-party processors are bound by data processing agreements ensuring equivalent levels of data protection.
Cross-Border Transfers
Some of our third-party service providers are located outside Singapore. Under the PDPA Transfer Limitation Obligation (Section 26) and the Personal Data Protection Regulations 2021, we transfer personal data overseas only where we have ensured that the recipient is bound to protect it to a standard comparable to the PDPA, through:
- Legally enforceable obligations in our data processing agreements (contractual clauses requiring PDPA-comparable protection)
- Certification of the recipient under the APEC Cross-Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP) systems, where applicable
- Other legally binding instruments recognised under the Regulations, such as binding corporate rules for intra-group transfers
Key transfer destinations: United States (AWS, Resend) and European Union (Plausible Analytics). The PDPA does not require prior PDPC approval for a transfer where these safeguards are in place.
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Account and identity data: duration of the subscription agreement, plus 3 years after termination
- Contact inquiry and demo request data: 2 years from date of inquiry
- Scan and vulnerability data (Customer Data): as specified in the enterprise customer agreement; default 1 year after contract termination
- Financial and billing records: 7 years (the Companies Act 1967 and the Income Tax Act 1947 require a minimum of 5 years; we retain for longer as a matter of policy)
- Server and access logs: 90 days rolling
- Backup copies: deleted within 30 days of the standard retention expiry
Upon expiry of the applicable retention period, personal data is securely deleted or anonymized so that it can no longer identify any individual.
Security
We implement reasonable security arrangements to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, or disposal, including:
- Encryption in transit using TLS 1.3 for all data communications
- Encryption at rest using AES-256 for stored data
- Role-based access controls and principle of least privilege
- Multi-factor authentication for all platform and infrastructure access
- Regular automated penetration testing of our own systems (using RedSwarm Security)
- Employee training on data protection obligations under the PDPA
- Documented incident response and data breach procedures
No method of electronic transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at legal@redswarm.io.
Your Rights
Under the PDPA, you have the following rights with respect to your personal data:
- Right of Access: Request confirmation of whether we hold your personal data and a copy of that data, along with information on how it has been used or disclosed in the past 12 months.
- Right of Correction: Request correction of any inaccurate or incomplete personal data we hold about you.
- Right to Withdraw Consent: Withdraw consent to collection, use, or disclosure of your personal data for any purpose (see "Consent" above).
- Right to Data Portability: Request that we transmit your personal data to another organisation in a commonly used machine-readable format, where technically feasible. This right derives from the Data Portability Obligation (Part 6B) introduced by the 2020 Amendment; at the time of writing that Part has not yet been brought into force, and we honour such requests as a matter of policy.
To exercise any of these rights, submit a written request to legal@redswarm.io. We will respond within 30 calendar days. We may charge a reasonable fee for access requests as permitted by the PDPA.
If you are dissatisfied with our handling of your personal data, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.
Data Breach Notification
Under the Data Breach Notification Obligation (Part 6A of the PDPA, introduced by the 2020 Amendment), we must assess any suspected data breach reasonably and expeditiously. A breach is notifiable if it is likely to result in significant harm to affected individuals, or if it affects 500 or more individuals. Where a breach is notifiable, we are required to:
- Notify the PDPC as soon as practicable, and in any case within 3 calendar days after the day we assess that the breach is notifiable
- Notify affected individuals as soon as practicable where the breach is likely to result in significant harm to them, unless the PDPA exempts us from doing so (for example, where remedial action or technological measures such as encryption of the affected data make significant harm unlikely)
Affected individuals will be notified via their registered email address or, where that is not possible, via a prominent notice on our website. Notifications will include the nature of the breach, the categories of data affected, the potential harm, and the steps being taken to address the incident and that individuals can take to protect themselves.
Cookies & Tracking
Our website uses Plausible Analytics, a privacy-first, cookieless analytics tool: it sets no cookies, does not track individuals across websites, and stores no personally identifiable information. Aggregate visit statistics are stored on EU-based servers.
We may also use essential session cookies strictly necessary to operate the platform (authentication tokens, CSRF protection). These are not used for tracking or profiling.
You can disable cookies through your browser settings at any time. Disabling essential session cookies may affect platform functionality.
Children
Our Services are intended for business professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that personal data from a minor has been collected without appropriate consent, we will delete it promptly. If you believe we have collected such data, please contact legal@redswarm.io.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Notify active platform users via email or in-platform notification at least 14 days before the changes take effect
- Where required by law, seek fresh consent
We encourage you to review this Policy periodically. Continued use of our Services after the effective date constitutes acceptance of the updated Policy.
Contact & DPO
If you have any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact our Data Protection Officer:
Data Protection Officer
RedSwarm Security Pte. Ltd.
Email: legal@redswarm.io
Response time: within 30 calendar days
For escalation, you may contact the Personal Data Protection Commission of Singapore:
www.pdpc.gov.sg