
INFINISPHERE CONSULTING PTE. LTD.

UEN: 202502970Z

PRIVACY POLICY

IKIGAI Career Assessment Platform

Fully Compliant with Singapore Personal Data Protection Act 2012 (PDPA) as Amended 2021 — PDPC Advisory Guidelines Applied

Version: 2.1 — March 2026

Last Updated: March 2026

Effective Date: 1 March 2026

Review Date: February 2027

Privacy Officer: Nataliya Polyakova, Director

Contact: contact@infinisphere.tech

1. INTRODUCTION

1.1 About This Policy

INFINISPHERE CONSULTING PTE. LTD. (“Company”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data responsibly, in full compliance with the Singapore Personal Data Protection Act 2012 (“PDPA”) as amended in 2021, and all applicable Personal Data Protection Commission (“PDPC”) advisory guidelines.

1.2 Scope of This Policy

This Privacy Policy explains how we collect, use, disclose, protect, and retain your personal data when you access or use our IKIGAI Career Assessment Platform and related coaching services (collectively, “Services”). It applies to all users who interact with us through our website, platform, or any other channel through which we provide Services. When a mobile application becomes available, this Policy will be updated accordingly and you will be notified as described in Section 14.

1.3 Consent

By accessing our Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing (see Section 4), we will obtain your explicit, informed, and freely given consent through a clear, affirmative action (e.g., ticking a checkbox). You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

1.4 Age Restriction — 18 Years and Older Only

Our Services are strictly intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from persons under 18. At the point of registration, you will be required to confirm your age by ticking a mandatory checkbox: “I confirm I am 18 years of age or older.” We do not collect your date of birth. This checkbox confirmation is logged with a timestamp for compliance purposes. If we discover we have inadvertently collected data from a person under 18, we will delete it within 3 business days. Parents or guardians who believe their child has provided us with personal data should contact us immediately at contact@infinisphere.tech.

Legal basis: PDPA Section 14 — Consent of Minors; PDPC Advisory Guidelines on Consent (2021)

2. PERSONAL DATA WE COLLECT

We apply the PDPA principle of data minimisation — we collect only the personal data that is necessary for the specific purposes stated in this Policy.

2.1 Information You Provide Directly

Account and Identity Information

  • Full name and contact details
  • Email address (used as primary identifier)
  • Phone number (for paid coaching sessions only)
  • Date, time, and confirmation of your 18+ age declaration (logged for compliance)

IKIGAI Assessment Data

  • Your responses to career assessment questions (passions, strengths, values, frustrations, growth areas, and career aspirations)
  • Career history and professional background voluntarily provided
  • Goals and aspirations shared during the assessment process

NOTICE

IKIGAI assessment responses constitute sensitive personal data as they may reveal your professional vulnerabilities, personal values, and aspirations. We apply enhanced protection measures to this data as described in Section 8.

While the PDPA does not define a formal category of ‘sensitive’ personal data, we treat career-aspiration and professional-vulnerability data as higher-risk and apply enhanced safeguards accordingly.

Payment Information

  • Payment method details processed exclusively and securely through Stripe, Inc. (a PCI DSS Level 1 compliant payment processor)
  • Billing address
  • Transaction history and receipts

We do not store, process, or have access to your full credit card numbers. All payment data is tokenised and handled entirely by Stripe.

Communication and Coaching Data

  • Messages and correspondence with our team
  • Feedback and survey responses
  • Coaching session notes — collected only with your explicit, separate written consent at the start of each session

2.2 Information We Collect Automatically

Technical Information

  • IP address — hashed (a one-way transformation) immediately upon collection and used solely for rate-limiting and abuse prevention. Raw IP addresses are never stored.
  • Device type, browser, and operating system (for service compatibility)
  • Date and time of access
  • Pages visited and features used

Usage Analytics (Optional — Consent Required)

  • Service performance metrics
  • Assessment completion rates
  • Feature engagement patterns

These analytics cookies are only activated after you provide explicit consent through our cookie consent banner. You may withdraw this consent at any time through our in-app Cookie Preferences panel.

Legal basis: PDPA Section 13 — Consent; PDPC Advisory Guidelines on the PDPA for Selected Topics (Analytics)

3. HOW WE USE YOUR PERSONAL DATA

We process your personal data only for the specific, explicit, and legitimate purposes described below. We do not use your data for any purpose incompatible with the original purpose for which it was collected.

3.1 Service Delivery

  • Generating your personalised IKIGAI analysis and career recommendations
  • Creating and delivering PDF reports via email
  • Providing AI-assisted career coaching conversations
  • Scheduling and conducting 1:1 human coaching sessions
  • Sending essential service notifications and updates

Legal basis: PDPA Section 15 — Contractual Necessity

3.2 Automated Decision-Making Disclosure

Our platform uses artificial intelligence (via Anthropic's Claude API) to generate career assessment outputs and recommendations. These AI-generated outputs are assistive tools only — they do not constitute professional career advice and are not binding determinations about your career or employment eligibility.

You have the right to:

  • Request that a human coach reviews and provides an independent assessment of your results
  • Ask questions about how your AI assessment was generated
  • Decline AI processing entirely (in which case only the human coaching tier of our service will be available to you)

IMPORTANT

Automated AI outputs from our platform should not be the sole basis for significant career decisions. We strongly recommend combining our platform outputs with professional advice.

Legal basis: PDPC Advisory Guidelines on AI — Accountability, Transparency, and Human Oversight

3.3 Payment Processing

  • Processing payments through Stripe (our designated payment processor)
  • Maintaining transaction records for 7 years (Singapore Income Tax Act and Accounting Standards requirements)
  • Issuing receipts and invoices
  • Managing refund requests where applicable

Legal basis: PDPA Section 18 — Legal Obligation

3.4 Abuse Prevention and Security

  • Preventing multiple free assessments from the same email address (limit: 1 free assessment per email per 90 days)
  • Detecting and preventing fraudulent activities
  • Maintaining platform security and integrity

Legal basis: PDPA Section 18(c) — Legitimate Interests (fraud prevention)

3.5 Service Improvement

We may analyse aggregated, anonymised usage patterns to improve user experience, enhance AI algorithm relevance, and develop new features. We will never analyse individual user data for this purpose without your separate, explicit consent.

Legal basis: PDPA Section 18(c) — Legitimate Interests (service improvement with anonymisation safeguards)

4. LEGAL BASIS FOR PROCESSING UNDER PDPA

Under the PDPA, we may collect, use, or disclose your personal data on one or more of the following grounds:

| Legal Basis | Description | PDPA Reference |
|---|---|---|
| Explicit Consent | Obtained through active opt-in (checkbox) for assessment submission, analytics cookies, and coaching session notes | Section 13 — Consent |
| Contractual Necessity | Necessary to deliver the Services you have purchased or engaged with | Section 15 — Business Transaction |
| Legal Obligation | Required by Singapore law (tax records, regulatory compliance) | Section 18(b) — Legal Requirement |
| Legitimate Interests | Fraud prevention, platform security, anonymised service improvement — only where our interests do not override your rights | Section 18(c) — Legitimate Interests |

5. DATA SHARING AND DISCLOSURE

5.1 Service Providers We Share Data With

We share your personal data only with vetted third-party service providers who are contractually required to protect your data, use it solely for specified and agreed purposes, and comply with applicable data protection laws. All providers are subject to data processing agreements (DPAs) with us.

| Provider | Purpose | Location | DPA in Place |
|---|---|---|---|
| Stripe, Inc. | Payment processing (PCI DSS Level 1) | United States / Global | Yes — Standard Contractual Clauses |
| Vercel Inc. | Web hosting and delivery | United States | Yes — Data Processing Addendum |
| Supabase Inc. | Database hosting (encrypted at rest) | United States | Yes — Data Processing Addendum |
| Anthropic PBC | AI analysis via Claude API — assessment data only* | United States | Yes — API Terms with data non-retention clause |
| Resend Inc. | Transactional email delivery | United States | Yes — Data Processing Addendum |

* Assessment data transmitted to Anthropic's Claude API is processed solely to generate your personalised report. As of the effective date of this Policy, Anthropic does not use API-submitted data to train AI models. This is subject to our current DPA with Anthropic (effective February 2026). We will notify you of any material changes to this arrangement.

5.2 We Do NOT Share Your Data With

  • Marketing or advertising companies
  • Data brokers or data aggregators
  • Social media platforms (unless you explicitly connect them)
  • Any third party for their own independent commercial purposes
  • Any party not listed in Section 5.1 without your prior explicit consent

5.3 Lawful Disclosures

We may disclose personal data when required by Singapore law or a competent court order to: comply with judicial or government requests, enforce our Terms and Conditions, protect rights, property, or safety, or prevent fraud and illegal activities. We will, to the extent permitted by law, notify you of such a request before disclosure.

Legal basis: PDPA Section 17 — Disclosure required or authorised under applicable law

6. INTERNATIONAL DATA TRANSFERS

Several of our service providers are located outside Singapore (primarily in the United States). When we transfer your personal data internationally, we ensure appropriate safeguards are in place in accordance with PDPA Section 26 — Transfer Limitation Obligation.

Safeguards we apply include:

  • Binding contractual clauses (Data Processing Agreements / Standard Contractual Clauses) with all overseas providers
  • Confirmation that recipient countries or organisations provide a standard of protection at least comparable to the PDPA
  • Encryption of all data in transit (HTTPS/TLS 1.3 or higher) and at rest (AES-256)
  • Restricting data transferred to the minimum necessary for the stated purpose

Legal basis: PDPA Section 26 — Transfer Limitation Obligation; PDPC Guide on Cross-Border Data Transfers (2021)

7. DATA RETENTION

We retain personal data only for as long as is necessary for the stated purpose and as required by applicable law. Upon expiry of the retention period, data is securely deleted or anonymised.

| Data Category | Retention Period | Basis |
|---|---|---|
| IKIGAI Assessment Responses and Generated Reports | 90 days from report delivery, then securely deleted. Extended retention only on your written request. | Minimum necessary; PDPA Section 25 |
| Account Information (email, name, phone) | While your account is active, plus 2 years from your last login date (as recorded in our systems). | Legitimate interest in dispute resolution |
| Payment and Transaction Records | 7 years from transaction date, per Singapore Income Tax Act requirements. | PDPA Section 18(b) — Legal Obligation |
| Age Verification Confirmation Log | 2 years from date of confirmation (checkbox log only — date of birth is not collected or retained). Retained as evidence of age consent compliance. | PDPA Section 14 — Consent of Minors |
| Coaching Session Notes | 12 months from session date, then deleted unless extended retention is requested in writing. | Contractual necessity |
| Abuse Prevention Data (hashed email/IP) | 90 days from data collection, to prevent free assessment abuse. | Legitimate Interests — fraud prevention |
| Analytics Cookie Data | 13 months from collection (standard analytics cycle), or until consent is withdrawn. | Consent — Section 13 |

PDPA Compliance Note: ‘Last interaction’ is defined as the most recent of: account login, assessment submission, payment transaction, or coaching session booking. Our system will send you an automated dormancy notification by email at 18 months of inactivity, giving you 60 days to reactivate your account before data deletion commences.

8. DATA SECURITY

8.1 Technical Safeguards

  • Encryption in transit: HTTPS/TLS 1.3 on all data transmission channels
  • Encryption at rest: AES-256 encryption for all stored personal data, including assessment responses and coaching notes
  • Payment security: PCI DSS Level 1 compliant payment processing via Stripe — we never store raw card data
  • IP address hashing: Raw IP addresses are cryptographically hashed before storage; they cannot be reversed to identify individuals
  • Access controls: Role-based access control (RBAC) — data is accessible only by personnel with a documented, business-justified need
  • Authentication: Multi-factor authentication (MFA) required for all administrative access
  • Regular security updates and vulnerability assessments

8.2 Enhanced Protections for Assessment Data

Given the sensitive nature of your IKIGAI assessment data (which may reveal personal values, professional vulnerabilities, and career aspirations), we apply additional protections beyond our baseline:

  • Assessment data is processed and stored in a segregated database with additional access controls
  • Assessment data sent to Anthropic's API is transmitted over encrypted channels (HTTPS/TLS). In accordance with Anthropic's API Terms of Service applicable to our account, Anthropic does not use data submitted via the API to train its AI models. We do not share assessment data with Anthropic beyond what is necessary to generate your personalised report. Anthropic retains API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted.
  • Coaching session notes are stored encrypted and accessible only to the coaching team member assigned to your session
  • Reports are delivered as PDF documents to your registered email address via Resend, our encrypted transactional email delivery provider. Email transmission is secured using TLS encryption in transit.

8.3 Organisational Safeguards

  • Data access is limited to personnel on a strictly need-to-know basis, documented and reviewed quarterly
  • All personnel with data access are bound by confidentiality obligations
  • We conduct periodic reviews of our data handling practices
  • We maintain an incident response procedure tested at least annually

8.4 Data Breach Notification — PDPA Compliant Procedure

In accordance with PDPA Sections 26C and 26D (Mandatory Data Breach Notification, effective 1 October 2021), our breach notification procedure is as follows:

  1. Upon becoming aware of a potential personal data breach, we will conduct an assessment, in a reasonable and expeditious manner (target: within 30 calendar days), to determine whether the breach meets the notifiable thresholds.
  2. If the breach is assessed as notifiable, we will notify the PDPC using the prescribed form within 3 calendar days after completing that assessment. In complex cases where full details are not yet available, we will submit an initial notification within the 3-day window and provide supplementary information as soon as practicable.
  3. We will notify affected individuals if the breach is likely to result in significant harm (as defined in the Second Schedule), as soon as practicable and normally at the same time as or immediately after PDPC notification.
  4. We will maintain an internal breach register documenting all incidents (including non-notifiable ones) for accountability purposes.

Legal basis: PDPA Sections 26C and 26D — Mandatory Data Breach Notification; PDPC Guide on Data Breach Management (2021)

9. YOUR RIGHTS UNDER THE PDPA

As a data subject under the PDPA, you have the following rights. To exercise any of these rights, please contact us at contact@infinisphere.tech. We will respond within 30 calendar days of receiving a valid request.

9.1 Right of Access

You may request: (a) confirmation of whether we hold your personal data; (b) a copy of your personal data in our possession; and (c) information about how your data has been used or disclosed within the past 12 months.

PDPA Section 21 — Access Obligation

9.2 Right of Correction

You may request correction of any inaccurate or incomplete personal data that we hold about you. We will correct or update data within 30 days and notify relevant third parties to whom the data was disclosed where required.

PDPA Section 22 — Correction Obligation

9.3 Right to Withdraw Consent

You may withdraw your consent to our processing of your personal data at any time by contacting us or using the in-app consent settings. Please note that:

  • Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal
  • Withdrawal may limit or prevent our ability to continue providing you with certain Services
  • We will inform you of the likely consequences of withdrawal before processing your request

PDPA Section 16 — Withdrawal of Consent

9.4 Right to Data Portability

You may request a copy of your personal data (including your assessment responses and generated reports) in a portable, machine-readable format (JSON or CSV), where technically feasible. This enables you to transfer your data to another service provider.

9.5 Right to Erasure

You may request deletion of your personal data at any time. We will action such requests within 30 days, subject to our legal obligation to retain certain data (e.g., financial records for 7 years). We will inform you which data, if any, must be retained and why.

9.6 Right to Object to Automated Decision-Making

You have the right to object to being subject to automated decision-making (including AI-generated assessments) that produces effects concerning you. Upon objection, we will arrange for a human coach to review and provide an independent assessment.

9.7 How to Exercise Your Rights

Email us at: contact@infinisphere.tech

Phone: +65 83136034

Please include your full name, email address, and a clear description of your request. We may ask you to verify your identity before processing the request. We will respond within 30 calendar days. If we are unable to comply with your request, we will provide written reasons.

10. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies. In compliance with PDPA consent requirements, non-essential cookies are only deployed after you provide explicit consent through our cookie consent banner, which appears on your first visit to our platform.

10.1 Essential Cookies (No Consent Required)

  • Session management and secure authentication
  • Payment processing security (required by Stripe)
  • Core service functionality (assessment progress saving)

These cookies are strictly necessary for the platform to function and cannot be disabled without rendering the Service inoperable.

10.2 Analytics Cookies (Explicit Consent Required)

  • Usage statistics and service improvement metrics
  • Feature engagement tracking
  • Assessment completion analytics

These cookies are only activated after you explicitly accept them via our Cookie Consent Banner. You may withdraw your consent at any time by clicking the Cookie Preferences link in the footer of any page. Withdrawal will take effect within 24 hours.

10.3 Managing Your Cookie Preferences

In addition to our in-app Cookie Preferences panel, you may control cookies through your browser settings. Please note that disabling essential cookies will prevent you from using the Service.

Legal basis: PDPA Section 13 — Consent; PDPC Advisory Guidelines on Cookies (2021)

11. AI AND AUTOMATED PROCESSING DISCLAIMER

Our IKIGAI Career Assessment Platform uses artificial intelligence, specifically Anthropic's Claude AI model, to analyse your assessment responses and generate personalised career guidance.

You should be aware that:

  • AI-generated outputs are tools to assist your reflection and decision-making — they are not professional career counselling, psychological assessment, or employment advice
  • AI models may have limitations, biases, or inaccuracies in their outputs
  • We do not use AI outputs to make automated decisions about your employment eligibility or suitability for specific roles
  • All paid coaching tiers include human oversight — a qualified coach reviews your AI-generated assessment before your coaching session
  • You may request human-only processing at any time by contacting us before your assessment is submitted

Our AI-generated assessments should be considered as one of several inputs when making significant career decisions. We recommend consulting qualified career professionals or counsellors for major career transitions.

Legal basis: PDPC Model AI Governance Framework (2nd Edition, 2020); PDPC AI Verify Foundation Standards

12. GOVERNING LAW AND JURISDICTION

This Privacy Policy is governed by and construed in accordance with the laws of Singapore, including the Personal Data Protection Act 2012 (No. 26 of 2012) as amended, without regard to conflict of laws principles.

Any dispute, controversy, or claim arising out of or relating to this Privacy Policy, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Singapore.

If you are an international user (including users based in the European Union, United Kingdom, or United States), please note that your personal data is processed in Singapore and by our service providers in accordance with Singapore law. By using our Services from outside Singapore, you acknowledge that your data may be transferred to and processed in Singapore.

13. DATA PROTECTION OFFICER (DPO)

While appointment of a DPO is not mandatory for organisations of our current size under the PDPA, INFINISPHERE CONSULTING PTE. LTD. has designated a Privacy Officer responsible for overseeing data protection compliance, in accordance with the PDPC's recommended accountability framework.

Privacy Officer: Nataliya Polyakova, Director, INFINISPHERE CONSULTING PTE. LTD.

Email: contact@infinisphere.tech

Phone: +65 83136034

The Privacy Officer is responsible for:

  • Ensuring compliance with the PDPA and this Privacy Policy
  • Overseeing data breach response and notification procedures
  • Responding to data subject rights requests
  • Reviewing and updating data protection practices annually
  • Liaising with the PDPC on regulatory matters

PDPC Accountability Guide — Appointing a Data Protection Officer (2017, updated 2021)

14. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically to reflect changes in our practices, services, technology, or legal requirements. When we make material changes, we will:

  • Notify you via email to your registered email address at least 14 days before changes take effect
  • Display a prominent notice on our platform homepage
  • Update the “Last Updated” and “Effective Date” at the top of this Policy
  • Where required by law, seek fresh consent for any materially new processing activities

Your continued use of our Services after the effective date of an updated Privacy Policy constitutes acceptance of the revised terms, unless you have objected to the changes within the 14-day notice period.

We will always maintain the previous version of the Privacy Policy accessible on our website for reference.

15. CONTACT US

15.1 For Privacy-Related Inquiries

Company: INFINISPHERE CONSULTING PTE. LTD.

UEN: 202502970Z

Privacy Email: contact@infinisphere.tech

Phone: +65 83136034

Postal Address: 320 Serangoon Road, #13-05, Centrium Square, Singapore 218108

Response Time: Within 30 calendar days of receiving your request

15.2 Personal Data Protection Commission (PDPC)

If you are not satisfied with our response to your privacy concerns, you may direct your complaint to the PDPC:

Address: 10 Pasir Panjang Road, #03-01, Mapletree Business City, Singapore 117438

Email: enquiries@pdpc.gov.sg

Phone: +65 6377 3131

Website: www.pdpc.gov.sg

Last reviewed by external legal counsel: March 2026