AskVAVA
Back to Home

Privacy Policy

Last updated: April 3, 2026

This policy governs the collection, use, and disclosure of personal data by AskVAVA in accordance with the Singapore Personal Data Protection Act 2012 (PDPA) and applicable data protection laws in Malaysia, the Philippines, and Myanmar.

1. Introduction

AskVAVA (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services. Our primary legal jurisdiction is Singapore and we comply with the Personal Data Protection Act 2012 (PDPA) administered by the Personal Data Protection Commission (PDPC).

By using AskVAVA, you consent to the collection and use of your personal data as described in this policy. If you are an administrator adding employee data to AskVAVA, you are responsible for ensuring that you have obtained the necessary consent from those individuals.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, company name, UEN
  • Employee Records: Full name, email, phone number, date of birth, nationality, residential address, job title, department, employment start/end dates, salary information
  • Government Identity Numbers: NRIC (Singapore), IC number (Malaysia) — stored encrypted at rest using AES-256-CBC encryption (see Section 6)
  • Bank Account Details: Bank name, account number — stored encrypted at rest using AES-256-CBC encryption
  • Payroll Data: Salary, CPF/EPF/SSS contributions, tax filings, payslips
  • Communication Data: WhatsApp messages, web chat conversations, support requests
  • Payment Information: Billing address, payment card details (processed by Stripe; we do not store card numbers)

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on the Service
  • Device Information: Browser type, operating system, IP address
  • Cookies: Session cookies, authentication tokens, preferences

3. Purposes of Collection and Use

We collect and use your personal data for the following purposes:

  • Service Delivery: Providing payroll processing, HR management, compliance tracking, AI assistant, and other core features
  • Statutory Compliance: CPF/EPF/SSS calculations, IR8A tax filing, MOM reporting, and other regulatory obligations
  • WhatsApp Notifications: Shift reminders, compliance alerts, and payroll notifications sent to registered phone numbers (opt-out available — see Section 9)
  • AI Processing: Your documents and queries are processed by our AI assistant using OpenAI's API to generate responses. This processing is solely to provide the Service.
  • Customer Support: Responding to inquiries and resolving issues
  • Service Improvement: Aggregated, anonymised analytics to improve features
  • Legal Compliance: Meeting our obligations under applicable laws

We do not use your personal data for purposes beyond those listed above without obtaining fresh consent. We do not sell your personal data to third parties.

4. Legal Basis for Processing

Under the Singapore PDPA, we rely on the following bases for processing personal data:

  • Consent: Obtained at account registration for payroll processing, AI features, WhatsApp reminders, and marketing communications
  • Contractual Necessity: Processing required to deliver the Service you subscribed to
  • Legal Obligation: Statutory payroll calculations, tax filings, and record-keeping required under Singapore law
  • Legitimate Interests: Fraud prevention, security monitoring, and service reliability

5. Data Sharing and Third-Party Processors

We share your personal data with the following third-party processors under Data Processing Agreements (DPAs):

  • Supabase (PostgreSQL database hosting): All personal data is stored in Supabase-managed infrastructure (Singapore region where available)
  • OpenAI: Documents and messages are sent to OpenAI for AI processing. OpenAI does not use your data to train its models under our enterprise agreement.
  • Twilio: WhatsApp message delivery for notifications and the bot interface
  • Stripe: Payment processing. Stripe is PCI-DSS Level 1 certified. We do not store card numbers.
  • Resend: Transactional email delivery (payslips, invitations, notifications)

We do not share your data with governments or law enforcement except where required by law. All third-party processors are contractually bound to handle your data only for the purposes we specify and to maintain appropriate security standards.

6. Data Security

We implement layered security controls to protect your personal data:

  • Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher
  • Encryption at Rest: NRIC numbers, IC numbers, and bank account numbers are stored using AES-256-CBC application-layer encryption in addition to database-level encryption
  • Access Controls: Role-based access control (RBAC) ensures users only access data relevant to their role. Sensitive fields (NRIC, bank accounts) are restricted to Finance-role users.
  • Row-Level Security: All database tables enforce organisation-level isolation via Supabase Row Level Security (RLS) policies
  • Audit Logging: All create, update, and delete operations on personal data are logged with user ID, timestamp, and action type (Growth and Pro plans)

7. Data Retention Schedule

We retain personal data for the following periods:

  • Employee records (payroll, CPF, IR8A): 7 years from end of employment, as required by the Singapore Income Tax Act and Employment Act
  • Active account data: Retained while your account is active
  • Deleted account data: Soft-deleted immediately; permanently purged within 30 days
  • AI conversation logs: 12 months from conversation date, then anonymised
  • Audit logs: 3 years
  • Payment records: 7 years (statutory accounting requirement)

8. Your Rights Under the PDPA

Under the Singapore PDPA (Sections 21 and 22) and applicable laws in other jurisdictions, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Correction: Request correction of inaccurate or incomplete personal data
  • Right to Withdrawal of Consent: Withdraw consent for specific processing activities. Note that withdrawal may affect your ability to use certain features.
  • Right to Data Portability: Export your personal data in a machine-readable format via Settings → Export My Data in your account
  • Right to Erasure: Request deletion of your account and associated data via Settings → Delete Account. Statutory records (payroll, tax) required by law are retained for the mandatory period.

To exercise any of these rights, contact us at privacy@askvava.com or use the self-service tools in your account settings. We will respond within 30 days as required by the PDPA.

9. WhatsApp Notifications — Opt-In and Opt-Out

AskVAVA sends automated WhatsApp messages for shift reminders, compliance deadline alerts, and payroll notifications. By providing a phone number and agreeing to this policy, you consent to receiving these messages.

To opt out: Reply STOP to any WhatsApp message from AskVAVA. You will immediately stop receiving automated reminders. You can still use the WhatsApp assistant to ask questions.

To re-subscribe: Reply START to any WhatsApp message from AskVAVA.

Administrators can also manage WhatsApp notification preferences for employees in the Team settings page.

10. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals, we will:

  • Notify the PDPC within 3 business days of becoming aware of the breach, as required under the PDPA Mandatory Breach Notification Obligation (effective 1 Oct 2022)
  • Notify affected individuals as soon as reasonably practicable if the breach is likely to cause significant harm
  • Contain the breach and conduct a post-incident review to prevent recurrence

To report a suspected data breach or security vulnerability, contact us immediately at security@askvava.com.

11. International Data Transfers

Your data may be processed by our third-party service providers in countries outside Singapore. We ensure that such transfers are subject to contractual protections equivalent to PDPA standards, including standard contractual clauses or processor-specific data protection agreements.

12. Cookies and Tracking

We use essential cookies for authentication and service functionality. You can configure your browser to reject non-essential cookies, though this may affect Service functionality. We do not use cookies for cross-site advertising or tracking.

13. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before the changes take effect. Your continued use after changes constitutes acceptance of the updated policy.

15. Contact Us — Data Protection Officer

If you have questions about this Privacy Policy, wish to make a data subject request, or want to lodge a complaint, please contact us at:

Email: privacy@askvava.com
Security issues: security@askvava.com
Address: Singapore

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

Related Documents

Terms of Service