Privacy Policy

1. Our Role

Ima Collective Pte Ltd (UEN: 202601337E) ("the Provider") operates the SalesDojo platform as a data intermediary under the PDPA. Our customers (insurance agencies, sales teams, and other organisations) are the data controllers responsible for the personal data of their own prospects and clients. We process this data solely on their behalf and in accordance with their written instructions.

2. Data We Collect

Account Data (collected directly from Customers):

• Name, email address, phone number, and company name
• Login credentials (passwords stored using industry-standard hashing)
• Billing and payment information

End-User Data (uploaded by Customers):

• Contact information of Customer's prospects and clients
• Screenshots of conversations (processed by AI to extract structured data — see Section 4 for details)
• Activity logs, interaction records, and notes

Technical Data (collected automatically):

• IP address, browser type, device information
• Usage analytics (pages visited, features used, session duration)
• Cookies and similar tracking technologies (see Section 11)

3. How We Use Data

• To provide, operate, and improve the Service
• To process screenshots using AI for contact and data extraction
• To communicate with Customers about their accounts and service updates
• To provide technical and customer support
• To comply with legal obligations under Singapore law
• To generate anonymised, aggregated analytics to improve the Service (no personal data is used for this purpose without anonymisation)

We do not sell personal data. We do not use Customer Data or End-User Data for advertising or marketing purposes unrelated to the Service.

4. AI Processing

SalesDojo uses third-party AI services to process screenshots uploaded by Customers. This processing extracts structured contact information and conversation data. The following applies:

• AI processing is performed via APIs provided by OpenAI (based in the United States) and Anthropic (based in the United States).
• Screenshots and extracted data are transmitted to these providers solely for processing and are not retained by these providers beyond the time required to complete the request, in accordance with their respective data processing terms.
• Customer Data is not used to train third-party AI models. Both OpenAI and Anthropic's API terms exclude API inputs from model training.
• Customers should ensure that any screenshots uploaded do not contain personal data for which the necessary consent has not been obtained.

5. Third-Party Services & Cross-Border Data Transfers

We use the following categories of third-party services to operate the platform:

• Cloud hosting: Supabase, hosted on Amazon Web Services (AWS) in the Asia Pacific (Singapore) region (ap-southeast-1). Customer Data at rest is stored in Singapore.
• AI processing: OpenAI and Anthropic APIs (United States). Data is transmitted for processing only and not stored beyond the processing request.
• Payment processors: Stripe or equivalent, for billing purposes only.

Where personal data is transferred outside Singapore (specifically to the United States for AI processing), we ensure that the receiving organisation provides a standard of protection comparable to the PDPA, through contractual obligations including data processing agreements with each provider. This is in compliance with the PDPA's Transfer Limitation Obligation.

6. Data Security

We implement reasonable security measures appropriate to the nature of the personal data, including:

• Encrypted data transmission (TLS/HTTPS) for all data in transit
• Encryption at rest for stored data
• Industry-standard password hashing (bcrypt or equivalent)
• Role-based access controls and multi-factor authentication for administrative access
• Regular security reviews and vulnerability assessments

No system is 100% secure, and we cannot guarantee absolute security. However, we are committed to promptly addressing any vulnerabilities or incidents that may arise.

7. Data Breach Notification

In the event of a data breach that results in, or is likely to result in, significant harm to affected individuals, we will:

• Notify affected Customers without undue delay, and in any event within 72 hours of becoming aware of the breach;
• Notify the Personal Data Protection Commission (PDPC) as required under the PDPA (where the breach affects 500 or more individuals, or is of a significant scale);
• Provide Customers with sufficient information to enable them to assess the impact and fulfil their own notification obligations;
• Take reasonable steps to contain and remediate the breach.

8. Data Retention

We retain Customer Data for the duration of the service relationship. Upon termination or expiry of the Agreement:

• Customer Data is available for export for 30 days following termination.
• After the 30-day export period, Customer Data is permanently deleted from production systems within 30 days.
• Backup copies are purged within 60 days of the deletion from production systems.
• Written confirmation of deletion is available upon request.

We may retain anonymised or aggregated data (from which no individual can be identified) indefinitely for analytics and service improvement.

9. Customer Responsibilities

Customers are responsible for:

• Obtaining proper consent from individuals before uploading their personal data to the Service, in accordance with the PDPA
• Responding to access, correction, and withdrawal-of-consent requests from their end-users
• Complying with the PDPA and any other applicable data protection laws in their jurisdiction
• Ensuring that uploaded content (including screenshots) does not violate any laws or third-party rights
• Notifying Provider promptly of any data subject requests that require Provider's assistance

10. Your Rights

Under the PDPA, you have the following rights in respect of your personal data:

• Access: You may request to know what personal data we hold about you and how it has been used or disclosed.
• Correction: You may request correction of any personal data that is inaccurate, incomplete, or outdated.
• Withdrawal of consent: You may withdraw consent for the collection, use, or disclosure of your personal data at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect our ability to provide the Service.

For Account Data, Customers may exercise these rights by contacting us directly. For End-User Data, individuals should contact the Customer (organisation) who uploaded their data, as the Customer is the data controller under the PDPA.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg.

11. Cookies & Tracking Technologies

SalesDojo uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: Used to understand how the Service is used and to improve performance. These may be disabled by the Customer in their account settings.

We do not use third-party advertising cookies. We do not engage in cross-site tracking.

12. Data Protection Officer

For data protection inquiries, requests, or complaints, contact:

We will respond to all legitimate requests within 30 days, or inform you if we require additional time.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Customers of material changes at least 30 days in advance via email or through the Service. The latest version will always be available to Customers. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.