Privacy Policy.

This Privacy Policy is issued by HRTG PTE. LTD.(UEN 202539439D), a private company limited by shares incorporated in Singapore (“HRTG”, “we”, “us”, or “our”). HRTG is registered under SSIC 62021 (Information technology consultancy, except cybersecurity). Our registered office address is on file with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) and is available on request.

This policy explains how we collect, use, disclose, and protect personal data in accordance with the Personal Data Protection Act 2012 of Singapore (the “PDPA”) and applicable subsidiary legislation, advisory guidelines, and codes issued by the Personal Data Protection Commission of Singapore (the “PDPC”).

We have designated a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and the PDPA. The DPO and our general privacy team can be reached at hello@hrtg.me.

This policy applies to personal data we collect through our website at www.hrtg.me, our applications, and any service we provide that links to this policy (collectively, the “Services”).

By creating an account or otherwise using the Services, you consent to the collection, use, and disclosure of your personal data as set out in this policy. Where the law allows us to rely on deemed consent, legitimate interests, contractual necessity, or another lawful basis under the PDPA, we will do so without further notice unless required.

You may withdraw your consent at any time by writing to us using the contact details set out below. We will inform you of the likely consequences of withdrawal, which may include our inability to continue providing some or all of the Services.

We collect the following categories of personal data:

• Account data: name, email address, password hash, account authentication factors (e.g. one-time passcodes, recovery codes), and profile preferences.
• Encrypted user content:the memories, documents, messages, references, and instructions you store in the vault. This content is encrypted on your device before it reaches our servers (see “End-to-end encryption” below).
• Cryptographic material: public keys and wrapped key material required to operate end-to-end encryption. We never see, store, or transmit your unwrapped private keys.
• Payment data: billing name, billing address, and transaction references. Card and bank details are collected and processed by our payment service provider; we do not store full payment instrument details on our systems.
• Device and log data: IP address, device identifiers, browser type, operating system, time-zone, referring URL, pages accessed, timestamps, and crash diagnostics.
• Communications data: correspondence with our support team, feedback, and survey responses.
• Marketing data: email address and preferences submitted through subscription forms on our website.

The vault is built on end-to-end encryption (“E2EE”). All user content is encrypted on your device using keys that never leave your control. As a matter of architecture, HRTG cannot read, decrypt, analyse, scan, index, or recover your content.

What this means in practice:

• We cannot see: the plaintext of your memories, documents, messages, instructions, or any file you upload to the vault.
• We can see: account data, billing data, sign-in metadata, device and log data, the size and timing of encrypted uploads, and the technical metadata required to route, store, and replicate encrypted objects.
• What we will produce on lawful order: account data, billing data, sign-in metadata, and other non-content data that we hold. We cannot produce the plaintext of your content because we do not possess the keys required to decrypt it.

We use personal data for the following purposes:

• To create, authenticate, and maintain your account.
• To deliver, operate, and support the Services.
• To process payments and manage subscriptions.
• To detect, investigate, and prevent fraud, abuse, security incidents, and unlawful activity.
• To respond to your enquiries, complaints, and support requests.
• To send transactional and service messages (e.g. security alerts, billing notices, policy updates).
• To send marketing communications where you have given us consent, and to manage your communication preferences.
• To improve, test, and develop the Services and to conduct internal analytics.
• To comply with our legal, regulatory, accounting, and reporting obligations, including under the PDPA, the Income Tax Act, the Goods and Services Tax Act, the Companies Act, and orders of competent authorities or courts.

We do not sell your personal data. We disclose personal data only to the following categories of recipients, and only to the extent necessary for the purposes set out above:

• Service providers acting as our data intermediaries under written contracts requiring PDPA-equivalent protection: cloud hosting and storage providers, content-delivery networks, payment processors, email delivery providers, analytics providers, customer-support tooling, and security and anti-abuse providers.
• Professional advisers such as our auditors, accountants, lawyers, and insurers, under duties of confidentiality.
• Government, regulators, law enforcement, and courts where disclosure is required by law, court order, or in good faith to comply with a legal process or to protect the rights, property, or safety of HRTG, our users, or the public.
• A successor entity in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to the recipient assuming obligations no less protective than this policy.
• Persons you authorise, including any recipients, executors, or personal representatives you designate through future inheritance or access-control features.

Some of our service providers process personal data outside Singapore. Where we transfer personal data outside Singapore, we comply with section 26 of the PDPA and the Personal Data Protection Regulations 2021 by ensuring the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA, including through contractual clauses, specified certifications, or applicable laws of the recipient jurisdiction. You may contact our DPO for further information on the safeguards in place for specific transfers.

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting obligation, and to resolve disputes and enforce our agreements.

Indicative retention periods:

• Account data and encrypted user content: for as long as your account is active, and for a reasonable period thereafter to allow account recovery, billing reconciliation, and legal compliance.
• Billing and tax records: at least five (5) years from the relevant transaction, as required by Singapore tax legislation.
• Security, audit, and log data: typically up to twelve (12) months, unless a longer period is required for security investigations or legal compliance.
• Marketing data: until you unsubscribe or withdraw consent.

When personal data is no longer required for any legal or business purpose, we will anonymise or securely delete it.

We implement reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include client-side end-to-end encryption of user content, transport-layer encryption (TLS), access controls, audit logging, vendor due diligence, and a written information security programme.

No method of transmission over the Internet or method of electronic storage is one hundred per cent secure. We cannot guarantee absolute security.

In the event of a data breach that is notifiable under sections 26A to 26E of the PDPA, we will notify the PDPC within three (3) calendar days and affected individuals as soon as practicable, in accordance with our incident response procedures.

Subject to the conditions and exceptions set out in the PDPA, you have the right to:

• Access the personal data we hold about you and information about how it has been used or disclosed in the past one (1) year (section 21 PDPA). A reasonable fee may be charged.
• Correct any error or omission in your personal data (section 22 PDPA).
• Withdraw consent to our continued collection, use, or disclosure of your personal data (section 16 PDPA), subject to legal and contractual restrictions and reasonable notice.
• Lodge a complaint with us or with the PDPC at www.pdpc.gov.sg if you believe your rights under the PDPA have not been respected.

To exercise any of these rights, contact our Data Protection Officer using the contact details set out below. We will respond within thirty (30) days of a verified request, or notify you within that period of the reason for any delay.

Because the vault is end-to-end encrypted, your encryption keys are essential to access your content. If you lose your keys, recovery factors, and any backup mechanism we make available, HRTG cannot recover the affected content for you. We may permanently lose access to encrypted user content as a result. By using the Services, you acknowledge this limitation, which is a deliberate consequence of the privacy architecture.

We use a limited number of first-party cookies and similar technologies that are strictly necessary to operate the Services (e.g. session management, security, load balancing, and preference storage). Where we use any non-essential cookies (for example, for analytics), we will obtain your consent first and provide controls to manage your preferences. You can also control cookies through your browser settings.

The Services are not directed at, and are not intended for use by, individuals under the age of eighteen (18) without the consent of a parent or legal guardian. We do not knowingly collect personal data from a child without verifying that the necessary consent has been given. If you believe a child has provided us with personal data without proper consent, please contact us and we will take reasonable steps to delete it.

We will only send marketing communications by email or other electronic means where you have given us consent or where we are otherwise permitted to do so by law. We comply with the Do Not Call Provisions in Parts 9 and 9A of the PDPA in respect of telephone, SMS, and fax marketing to Singapore numbers. You may unsubscribe from marketing communications at any time using the link in any marketing email, or by contacting us.

We may disclose personal data to law enforcement, regulators, or other public authorities where we are required to do so by Singapore law, including under the Criminal Procedure Code, the Income Tax Act, the Goods and Services Tax Act, the Companies Act, and other statutes; or in response to a valid order of a court or tribunal. We will assess the lawfulness and scope of each request and, where permitted, will narrow disclosure to the minimum required. As stated above, end-to-end encryption means we cannot produce the plaintext of user content.

We may update this Privacy Policy from time to time. The current version, marked with a last-updated date, is always available on this page. Where changes are material, we will give you reasonable advance notice by email or through the Services before they take effect. Your continued use of the Services after the effective date of any update constitutes acceptance of the updated policy.

HRTG PTE. LTD. (UEN 202539439D), Singapore. For all privacy enquiries, including matters addressed to our Data Protection Officer, contact hello@hrtg.me. Website: www.hrtg.me.