DAOStreet Labs Pte. Ltd. ("DAOStreet," "we," "us") is committed to protecting your privacy. This Policy explains what data we collect, why, where we store it, and the rights you have.
If you disagree with any part of this Policy, please do not create an account or use the Platform.
Relationship to Other Documents
This Policy governs DAOStreet’s handling of personal data and prevails over the Terms of Service and any Pod Operating Agreement solely on matters of data protection and privacy. All other contractual matters follow the hierarchy set out in the Terms of Service.
1. Scope & Key Terms
- Platform: The DAOStreet website, APIs and related services that let you create or join a Pod.
- User Account Data: First name, last name, username / email, salted‑hash password, profile photo (optional).
- Pod Data: All content inside a Pod workspace, including chats, Missions, Effort Estimates, strategy docs, uploads, e-signature data (such as a signature image/hash, timestamp, and the signed document), and audit logs.
- Sub‑processor: A third-party service provider that processes data on our behalf.
- Tool Chat Logs: Prompts and AI replies generated when anyone uses our public tools without logging in. IP addresses are stored only transiently (≤ 30 days) for abuse prevention, then discarded.
2. What We Collect
- User Account Data
- Pod Data for each Pod you create or join
- Tool Chat Logs (prompts + AI outputs) — with IP addresses retained ≤ 30 days for abuse prevention, then deleted or irreversibly anonymised
- Usage & Device Data — IP (transient), browser, device, referrer URL, cookie IDs
- Support & Correspondence — emails or other messages you send us
We do not collect payment information at this time.
3. How & Why We Use Your Data
(Spoiler‑free version: we use your data to run DAOStreet, improve it, and talk to you — nothing sneaky.)
We use your data for the following purposes:
To Run & Secure the Platform
Data Used: Account, Pod, and Usage data.
PDPA Legal Basis: Contractual necessity.
To Debug, Improve UX & Invent New Features
Data Used: Pod and Usage data.
PDPA Legal Basis: Legitimate Interests.
Balancing‑Test Summary: We rely on Legitimate Interests because Users expect continuous improvement; we minimise privacy impact by stripping direct identifiers where possible, using role‑based access control, and limiting data retention.
To Produce Anonymised Insights & Improve Public Tools
Data Used: De‑identified Pod and Tool data.
PDPA Legal Basis: Legitimate Interests.
Balancing‑Test Summary: We rely on Legitimate Interests because insights are statistical, not individual. The processes of de‑identification and aggregation eliminate any material privacy impact.
To Send Occasional Product Updates (Opt‑in)
Data Used: Account email.
PDPA Legal Basis: Consent.
We never sell or rent your personal data. We share it only with the Sub‑Processors named in Section 6, all bound by confidentiality and data‑protection terms. Our legal basis for processing is the Personal Data Protection Act 2012 (Singapore), as amended in 2021.
4. Your Rights & How to Exercise Them
Email Loading email... at any time to exercise the following rights:
- Access: Request a copy of your personal data.
- Correct: Update inaccurate data.
- Delete: Close your account or, if you are the last remaining Co-founder, request Pod deletion.
- Portability: Receive a machine‑readable export (JSON/CSV) of the personal data you provided (this includes your Account Data and the personal elements of your Tool Chat Logs). Pod Data is excluded because it belongs collectively to the Pod, not to an individual.
- Withdraw consent: Opt‑out of product‑update emails or any future AI‑training programme at any time.
Note on Pod Data Exports: Full Pod-level exports can be requested by the active Co-founders by emailing Loading email.... Once all active Co-founders confirm the request, we will provide a JSON export of the workspace. These exports are governed by the Pod’s internal collaboration rules and are not covered by individual portability rights under data protection law.
We may ask you to verify your identity before processing a request. We will respond to all requests within 30 calendar days.
5. Retention
Account & Pod Data
Typical Retention: Kept while your account is active and the Pod operates. If you leave a multi‑founder Pod, your contributions stay visible to remaining partners. After all partners agree to dissolve a Pod, the workspace is deleted 30 days later.
Exception: Any Pod Data that constitutes a contractual record (e.g., e-signature data) will be retained for up to 7 years to defend against potential legal claims.
Disposal / Anonymisation: Secure deletion from primary and backup systems.
Tool Chat Logs
Typical Retention: The prompt and output text are kept indefinitely without IP addresses. The IP address is truncated or deleted after 30 days or less.
Disposal / Anonymisation: Irreversible anonymisation or deletion.
Encrypted Back‑ups
Typical Retention: We maintain a 90‑day rolling window of encrypted backups.
Disposal / Anonymisation: Data expires and is deleted automatically.
Aggregated, De‑identified Metrics
Typical Retention: Kept indefinitely, as re‑identification is mathematically impractical.
Disposal / Anonymisation: Not applicable.
6. Where We Store Data & Our Sub‑processors
Supabase — Mumbai (India)
Purpose: Primary database & storage.
Safeguard: We have a Data Processing Addendum (DPA) with Supabase that includes Standard Contractual Clauses (SCCs) ensuring a level of data protection comparable to Singapore's.
Mailgun — EU
Purpose: Transactional email delivery.
Safeguard: We have a DPA with Mailgun that includes SCCs.
OpenAI — USA
Purpose: Generating responses from AI tools. No data is used for training their models.
Safeguard: We have SCCs in place and have enabled their no-training data policy.
Advance Sub‑processor Notice: We will email all account holders 14 days before onboarding a new Sub‑processor. If you object during that window for reasonable privacy grounds, you may terminate your account before the new provider goes live.
7. Security
- We use encryption‑at‑rest and TLS 1.3 for data in transit.
- We enforce role‑based access control, and all administrative actions are logged.
- Breach Notification: If a data breach is likely to result in significant harm to you or affects 500 or more individuals, we will notify the Singapore Personal Data Protection Commission (PDPC) and affected users within 72 hours of confirming the breach.
8. Cookies & Tracking
We use essential cookies for session management and Cross-Site Request Forgery (CSRF) protection. We also set first‑party analytics cookies to gather aggregated, de‑identified usage data. You can block these analytics cookies in your browser settings without losing core platform functionality.
9. Children’s Privacy
DAOStreet is strictly for users 18 years or older, whether or not they create an account. We do not knowingly collect data from minors. Our Terms of Service and all sign‑up flows enforce this age gate.
10. Changes to This Policy
Minor clarifications will be posted here. Your continued use of the Platform after a change constitutes acceptance.
Material changes (e.g., adding AI model‑training) will be communicated with at least 14 days’ advance notice by email or an in-app notification. We will seek fresh, explicit consent before using any of your personal data to train a model.
11. Contact & Data‑Protection Officer
DAOStreet Labs Pte. Ltd.
68 Circular Road, #02-01, 049422, Singapore
Loading email...