TEMPLATE — NOT LEGAL ADVICE

This document is a template generated by an AI assistant. It is not legal advice and is not a substitute for review by a qualified attorney licensed to practice in your jurisdiction. Multi-jurisdiction privacy law is complex; specific clauses, legal bases, cross-border transfer mechanisms, and DPO obligations vary by country and business model.

Before publishing this document or relying on it: engage qualified legal counsel in each target jurisdiction, particularly for Saudi Arabia (SDAIA/PDPL), UAE (UAEDPD/PDPL), Singapore (PDPC/PDPA), and the Philippines (NPC/RA 10173).

Generated: 2026-05-23 | Last reviewed by counsel: [pending]

Privacy Policy

Effective Date: [YYYY-MM-DD]

This Privacy Policy explains how [COMPANY NAME] ("RotaBrain", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the RotaBrain service — an AI-powered predictive maintenance platform for industrial rotating equipment.


1. Who We Are

[COMPANY NAME] is a software company registered in the Philippines ([SEC REGISTRATION NUMBER]). RotaBrain is operated by [COMPANY NAME] at [COMPANY ADDRESS].

Data Protection Officer (DPO): [DPO NAME — or self-designation as solo founder]
DPO Contact: [CONTACT EMAIL]

We operate as a data controller for personal data you submit through the RotaBrain website and lead capture forms. We act as a data processor for any equipment or operational data you submit for analysis under a separate Data Processing Agreement (DPA).


2. What Personal Data We Collect

We collect only what is necessary to respond to your inquiry and provide the Service.

2.1 Data You Provide Directly

When you submit a lead capture or assessment request form, we collect:

| Data Element | Purpose | Required |
|---|---|---|
| Contact name | Address communications | Optional |
| Work email address | Primary contact channel | Required |
| Company / organization name | Business context | Optional |
| Equipment description / message | Scoping the assessment | Optional |
| Submission source / channel | Internal analytics | Automatic |

We do not collect:

  • Government-issued ID numbers
  • Financial information or payment card data
  • Passwords or authentication credentials (no user accounts at this stage)
  • Sensitive personal data (health, biometric, political, religious, or racial data)
  • Personal data of minors

2.2 Data Collected Automatically

When you visit the RotaBrain website, our hosting provider (Vercel) may collect:

  • IP address (used for rate limiting; last octet truncated before any logging)
  • HTTP request metadata (method, path, timestamp, response code)
  • Browser type and operating system (from standard HTTP headers)

We do not currently use third-party analytics cookies or marketing trackers. If this changes, we will update this policy and implement a cookie consent mechanism before doing so.
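The "last octet truncated before any logging" rule above and the rate limiting in §10 pull in opposite directions: the limiter needs the full client address to tell hosts apart, while the log must never see it. The following Python is an added illustration written for this page, not RotaBrain's or Vercel's code. It assumes a /24 mask for IPv4 (which is what dropping the last octet means) and, because "last octet" has no useful meaning for a 128-bit IPv6 address, a /48 for IPv6; it also unwraps IPv4-mapped IPv6 addresses, which dual-stack edges often hand to applications. The sample requests are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed prefix lengths (the page says only "last octet"): a /24 zeroes the
# last IPv4 octet; for IPv6 a /48 is assumed, because zeroing the last 8 bits
# of a 128-bit address would leave the host fully identifiable.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_ip(ip_str: str) -> str:
    """Zero the host bits so the logged value names a network, not a machine.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped and treated as
    IPv4, otherwise the /48 would leave the embedded IPv4 address intact.
    """
    addr = ipaddress.ip_address(ip_str.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


class RateLimiter:
    """Sliding-window limiter keyed on the full client address.

    The full address exists only inside this in-memory structure and is never
    rendered into a log line. Keying on the truncated form instead would
    throttle every host behind the same /24 together.
    """

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, ip_str: str, now: float) -> bool:
        key = ipaddress.ip_address(ip_str.strip()).compressed  # canonical form
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def access_log_line(ts: float, ip_str: str, method: str, path: str, status: int) -> str:
    """The single place an address becomes text, and it is truncated first."""
    return f"{ts:.1f} {truncate_ip(ip_str)} {method} {path} {status}"


# Constructed sample traffic for this illustration (not real logs): a burst of
# four lead-form posts from one IPv4 host, one native IPv6 client, and one
# IPv4-mapped address as a dual-stack edge might present it.
SAMPLE_REQUESTS = [
    (1000.0, "203.0.113.77", "POST", "/api/lead"),
    (1000.5, "203.0.113.77", "POST", "/api/lead"),
    (1001.0, "203.0.113.77", "POST", "/api/lead"),
    (1001.5, "203.0.113.77", "POST", "/api/lead"),  # 4th hit in 60 s: 429
    (1002.0, "2001:db8:abcd:1234::5", "GET", "/"),
    (1002.5, "::ffff:203.0.113.9", "GET", "/"),
]


def process(requests=SAMPLE_REQUESTS, limit=3, window_s=60.0):
    """Run the limiter over a request list; return (status codes, log lines)."""
    limiter = RateLimiter(limit, window_s)
    statuses, lines = [], []
    for ts, ip, method, path in requests:
        status = 200 if limiter.allow(ip, ts) else 429
        statuses.append(status)
        lines.append(access_log_line(ts, ip, method, path, status))
    return statuses, lines


if __name__ == "__main__":
    for line in process()[1]:
        print(line)
```

The point of keeping `truncate_ip` as the only path from an address to a string is that a retention promise about "IP metadata" is only as good as the code paths that write it; a debug statement that prints the raw request object would bypass the policy without anyone noticing.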


3. Legal Basis for Processing

We process personal data on the following legal bases:

| Jurisdiction | Basis | Explanation |
|---|---|---|
| Philippines (RA 10173) | Consent (§12(a)) + Legitimate interest (§12(f)) | You provided data voluntarily; we have a legitimate business interest in responding to B2B inquiries |
| Saudi Arabia (PDPL Art. 6) | Consent + Legitimate interest | Consent recorded at point of submission; legitimate interest for B2B follow-up |
| UAE (PDPL Art. 6) | Consent + Legitimate interest | Same basis |
| Qatar (PDPL Art. 4) | Consent + Contractual necessity | Responding to an assessment request constitutes pre-contractual interaction |
| Singapore (PDPA s.13) | Consent | Provided at form submission |
| Malaysia (PDPA 2010 s.6) | Consent | Provided at form submission |
| Indonesia (UU PDP Art. 20) | Consent | Provided at form submission |
| Australia (APP 3) | Consent + Legitimate interests | As above |

Consent record: We record the fact of consent at the time of form submission (timestamp, source page). We do not yet store IP addresses with consent records — this will be added when account registration is implemented. You may withdraw consent at any time by contacting us at [CONTACT EMAIL]; withdrawal does not affect the lawfulness of processing before withdrawal.


4. How We Use Your Data

We use your personal data solely to:

  1. Respond to your inquiry — contact you to discuss an equipment assessment
  2. Scope a proposed engagement — understand your equipment environment before a call
  3. Send follow-up communications — schedule calls, share assessment results
  4. Internal analytics — aggregate (non-personal) counts of inquiry volume and source channels
  5. Legal compliance — respond to lawful requests from regulatory authorities

We do not:

  • Sell personal data to third parties
  • Use personal data for advertising or behavioral profiling
  • Share personal data with unrelated third parties
  • Use personal data to train AI models

5. Third-Party Processors

We share data only with the following service providers, under data processing terms:

| Processor | Role | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All form data | [TBD — confirm region before KSA/UAE launch] | Supabase DPA + SOC 2 Type II |
| Anthropic | AI diagnostic generation (Claude API) | Equipment context from form message (no contact PII by design) | United States | Anthropic API Terms + zero data retention option for API |
| Vercel | Web hosting and edge network | IP address metadata (HTTP logs) | United States | Vercel DPA + SOC 2 Type II |

Important note on Supabase region: The region where your data is stored in Supabase has not yet been determined. If you are a client in Saudi Arabia, UAE, or another jurisdiction with data residency requirements, please contact us before submitting data. We will confirm the applicable region and cross-border transfer mechanism before engaging.

Important note on Anthropic: Equipment context text submitted via the assessment form may be included in the prompt sent to the Claude API for pre-call preparation. We do not include your name, email, or company name in API prompts; note, however, that any contact details you type into the free-text message field form part of that text. Under Anthropic's API terms, inputs are not used to train models, and a zero-data-retention option is available for API customers (see the processor table above). See Anthropic's Privacy Policy for current terms.
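As an added example, not part of this policy or of RotaBrain's implementation, the following Python shows one way to enforce the "no contact PII by design" statement above before anything is sent to a third-party model: the prompt is built from the message field only, the free text is scrubbed of email addresses and phone numbers (which field separation alone cannot catch, since the submitter may type them into the message), and a final check refuses to send if any contact field survives. The `Submission` type, the `build_prompt` and `prepare_api_input` names, the regular expressions and the sample submissions are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    """One lead-form submission (field names are assumptions for this example)."""
    name: str
    email: str
    company: str
    message: str


# Deliberately broad patterns: over-redacting a serial number costs little,
# leaking a phone number into a third-party prompt costs more.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def redact_free_text(text: str) -> str:
    """Strip contact details the submitter typed into the message itself;
    field separation never sees these."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


def build_prompt(sub: Submission) -> str:
    """Only the equipment message is read; name, email and company never are."""
    return (
        "Summarise likely failure modes for the rotating equipment described "
        "below and list questions to ask on the first call.\n\n"
        f"Equipment description:\n{redact_free_text(sub.message)}"
    )


def contact_fields_leaked(prompt: str, sub: Submission) -> list:
    """Defence in depth before the API call: name every contact field that
    still appears in the prompt, plus any email-shaped string at all."""
    leaked = []
    low = prompt.lower()
    for label, value in (("name", sub.name), ("email", sub.email), ("company", sub.company)):
        if value and value.lower() in low:
            leaked.append(label)
    if EMAIL_RE.search(prompt):
        leaked.append("embedded email")
    return leaked


def prepare_api_input(sub: Submission) -> str:
    """Return the prompt to send, or refuse if contact data survived."""
    prompt = build_prompt(sub)
    leaked = contact_fields_leaked(prompt, sub)
    if leaked:
        raise ValueError(f"refusing to send prompt; contact data present: {leaked}")
    return prompt


# Constructed submissions for this illustration (not real leads).
SAMPLE_OK = Submission(
    name="Maria Santos",
    email="maria@example.com",
    company="Example Milling Corp",
    message=(
        "Vibration spike on the 500 kW induction motor driving pump P-101; "
        "bearing temperature rising since last week. "
        "Call me at +63 917 123 4567 or maria@example.com."
    ),
)

# The submitter repeats their name and company inside the message: the
# regexes cannot catch that, so the final check must.
SAMPLE_LEAKY = Submission(
    name="Maria Santos",
    email="maria@example.com",
    company="Example Milling Corp",
    message="Hi, Maria Santos here from Example Milling Corp. Motor vibration issue.",
)


if __name__ == "__main__":
    print(prepare_api_input(SAMPLE_OK))
    try:
        prepare_api_input(SAMPLE_LEAKY)
    except ValueError as exc:
        print(exc)
```

Refusing rather than silently redacting in the last step is a deliberate choice: a refused prompt shows up as a failed pre-call preparation that someone investigates, whereas a quietly mangled prompt hides the fact that the form is collecting more than the policy says it does.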


6. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries other than your own. Specifically:

  • Philippines → United States (Vercel hosting, Anthropic API)
  • Philippines → Supabase region ([TBD])
  • Any jurisdiction → United States (same processors)

We implement the following safeguards for cross-border transfers:

  • Contractual safeguards: Standard data processing agreements with each processor requiring appropriate data protection standards
  • Consent-based transfer: For jurisdictions requiring explicit consent for cross-border transfer, consent is obtained at the point of form submission
  • Saudi Arabia (PDPL Art. 29): Cross-border transfer of KSA residents' personal data requires either SDAIA approval, a KSA-region processing arrangement, or a qualifying exemption. We have not yet obtained SDAIA approval. Until resolved, we do not accept data from KSA clients through this form. KSA clients should contact us directly to discuss a compliant arrangement.

7. Data Retention

We retain personal data for the following periods:

| Data | Retention Period | Basis |
|---|---|---|
| Lead form submissions (name, email, company, message) | 24 months from submission, or until erasure request | Legitimate interest in maintaining a business contact record |
| Email correspondence | 24 months from last contact | Same |
| HTTP server logs (IP metadata) | 30 days (Vercel default) | Operational necessity |
| Consent records | Duration of retention + 1 year | Legal compliance |

After the applicable retention period, data is deleted or anonymized. If we enter into a services agreement with you, a separate retention schedule applies under that agreement.


8. Your Rights

8.1 Universal Rights (All Jurisdictions)

Regardless of where you are located, you may:

  • Access — request a copy of personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data (subject to legal retention obligations)
  • Restriction — request that we limit processing while a dispute is resolved
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — withdraw consent at any time without affecting prior lawful processing

To exercise any of these rights, contact us at [CONTACT EMAIL] with the subject line "Privacy Rights Request — [Right]". We will respond within 30 days (or sooner where required by applicable law — see jurisdiction-specific notes below).

We may need to verify your identity before processing a request. For email-verified requests, we will send a confirmation to the email address on file.

8.2 Philippines — Additional Rights (RA 10173)

Under the Data Privacy Act of 2012 (RA 10173):

  • You have the right to file a complaint with the National Privacy Commission (NPC): www.privacy.gov.ph | info@privacy.gov.ph
  • In the event of a personal data breach that may harm you, we will notify the NPC within 72 hours and affected individuals within a reasonable time, as required by NPC Circular 16-03
  • You have the right to damages for unauthorized use of your personal data

8.3 Saudi Arabia — Additional Rights (PDPL)

Under the Saudi Personal Data Protection Law (Royal Decree M/19):

  • You have the right to request correction or deletion within 30 days of our receipt of your request (Art. 4)
  • Breach notification to SDAIA required within 72 hours of discovery
  • Complaints may be filed with the Saudi Data and Artificial Intelligence Authority (SDAIA): sdaia.gov.sa

8.4 UAE — Additional Rights (PDPL)

Under UAE Federal Decree-Law No. 45 of 2021 (PDPL):

  • You have the right to withdraw consent and request deletion
  • Breach notification to the UAE Data Office required as soon as practicable
  • Complaints may be filed with the UAE Data Office (UAEDPD)

8.5 Singapore — Additional Rights (PDPA)

Under Singapore's Personal Data Protection Act 2012 (as amended 2020):

  • You have the right to access and correction under Parts V and VI
  • Breach notification to PDPC required within 3 calendar days of assessing that a breach is notifiable, i.e. it affects 500 or more individuals or is likely to result in significant harm
  • Our designated Data Protection Officer contact: [CONTACT EMAIL]
  • Complaints may be filed with the Personal Data Protection Commission (PDPC): www.pdpc.gov.sg

8.6 Malaysia — Additional Rights (PDPA 2010)

Under Malaysia's Personal Data Protection Act 2010:

  • You have the right to access and correction of your personal data
  • You have the right to withdraw consent at any time
  • Complaints may be filed with the Department of Personal Data Protection (JPDP): www.pdp.gov.my

8.7 Indonesia — Additional Rights (UU PDP)

Under Indonesia's Personal Data Protection Law (Law No. 27 of 2022):

  • You have the right to access, correction, termination of processing, and deletion of personal data
  • Breach notification to the supervisory authority and affected individuals required in writing no later than 3 × 24 hours after discovery (Art. 46)
  • Complaints may be filed with the supervisory authority designated under UU PDP

8.8 Australia — Additional Rights (Privacy Act / APPs)

Under the Privacy Act 1988 and Australian Privacy Principles:

  • You have the right to access and correction under APPs 12 and 13
  • We must respond to access requests within a reasonable period (OAIC guidance treats 30 days as the benchmark)
  • Eligible data breaches must be notified to the Office of the Australian Information Commissioner (OAIC) and affected individuals under the Notifiable Data Breaches scheme
  • Complaints may be filed with the OAIC: www.oaic.gov.au

9. Cookies and Tracking

RotaBrain does not currently use advertising, analytics, or tracking cookies. The website may use strictly necessary session-level browser storage for UI state only.

If we add analytics or marketing cookies in the future, we will update this policy and implement a cookie consent banner before any non-essential cookies are set.


10. Security

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit: TLS 1.2+ on all connections (enforced by Vercel)
  • Encryption at rest: AES-256 at the database layer (Supabase default)
  • Access control: Row-Level Security (RLS) on all database tables; service role keys never exposed to the browser
  • Rate limiting: API endpoints are rate-limited to prevent abuse
  • Access minimization: Personal data is accessible only to [COMPANY NAME] personnel with a need to know (currently: sole founder)
  • Vendor screening: All sub-processors are screened for SOC 2 compliance or equivalent

No system is perfectly secure. If you believe your data has been compromised, contact us immediately at [CONTACT EMAIL].


11. Children's Privacy

RotaBrain is a B2B industrial software product. It is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.


12. Data Protection Officer

[COMPANY NAME] has designated the following individual as Data Protection Officer (DPO), as required under Singapore PDPA s.11(3) and as good practice under other applicable laws:

DPO: [DPO NAME — for a solo founder, this may be the founder themselves]
Email: [CONTACT EMAIL]
Address: [COMPANY ADDRESS]

The DPO is responsible for ensuring compliance with applicable privacy laws, handling data subject requests, and serving as the point of contact for regulatory authorities.


13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated by posting the updated policy on our website with a revised Effective Date. Where required by law, we will provide advance notice or seek renewed consent.

The current version of this policy is always available at: [WEBSITE URL]/legal/privacy-policy


14. How to Contact Us

For privacy-related requests, questions, complaints, or to exercise your rights:

Email: [CONTACT EMAIL]
Mail: [COMPANY NAME]
Attn: Privacy / DPO
[COMPANY ADDRESS]
Philippines

We will acknowledge your request within 5 business days and provide a substantive response within 30 days (or sooner where required by law).

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (see §8 for jurisdiction-specific regulator contacts).


TEMPLATE — NOT LEGAL ADVICE. This document requires review by qualified legal counsel before publication — particularly for Saudi Arabia (SDAIA/PDPL cross-border transfer provisions), UAE (UAEDPD registration requirements), Singapore (PDPC DPO notification), and the Philippines (NPC registration obligations for personal information controllers processing data of more than 1,000 individuals).

Replace all [PLACEHOLDER] fields before publishing:

  • [COMPANY NAME] — registered legal entity name
  • [SEC REGISTRATION NUMBER] — Philippines SEC registration
  • [COMPANY ADDRESS] — registered business address
  • [CONTACT EMAIL] — privacy / DPO monitored inbox
  • [DPO NAME] — designated Data Protection Officer
  • [WEBSITE URL] — your public domain (e.g. rotabrain.com)
  • [YYYY-MM-DD] — actual publication date
  • [TBD — confirm region before KSA/UAE launch] — Supabase project region

Last reviewed by counsel: [pending]