TorchcastTorchcast.ai
← Back to home

Privacy Policy

Effective 2026-05-01

Torchcast Pte. Ltd. (“Torchcast”, “we”, “us”, “our”), a company incorporated in Singapore, is the controller of personal data processed in connection with the Torchcast service (the “Service”). This Privacy Policy describes how we collect, use, share, and protect your personal data, and the rights you have over it.

We comply with the Singapore Personal Data Protection Act 2012 (“PDPA”) and, where applicable, with the EU/UK General Data Protection Regulation, the California Consumer Privacy Act (as amended by the CPRA), and other data-protection laws of jurisdictions where our users are located.

1. Data Protection Officer

We have appointed a Data Protection Officer (“DPO”) in accordance with section 11 of the PDPA. You may contact the DPO by email at contact@torchcast.ai.

2. Information We Collect

We collect the following categories of personal data:

  • Account data — name, email address, organisation name, role, password hash, and authentication tokens (including OAuth identifiers from any single-sign-on provider you choose to use).
  • Billing data — billing contact, billing address, tax identifiers, and payment-method tokens issued by our payment processor. We do not store full card numbers or bank-account credentials.
  • Customer Content — the data, prompts, files, and instructions you submit to the Service, and the Output generated for you. Customer Content may contain personal data about you or about third parties whose data you choose to submit.
  • Usage and telemetry data — request metadata, feature interactions, evidence-trail metadata, model and parameter selections, latency, error events, and similar diagnostic information.
  • Device and log data — IP address, browser type and version, operating system, device identifiers, referring URLs, and timestamps.
  • Communications — the content of emails, support tickets, and chat messages you send us.
  • Cookies and similar technologies — see Section 11.

Sources. We collect personal data (a) directly from you when you register, configure, or use the Service or contact us; (b) automatically through your use of the Service; and (c) from third parties such as your single-sign-on provider, our payment processor, and fraud-prevention services.

3. How We Use Your Information

We use personal data for the following purposes:

  • Provide, operate, secure, and support the Service. Legal basis: performance of contract; consent (PDPA); contract / legitimate interest (GDPR).
  • Authenticate users and prevent fraud and abuse. Legal basis: legal obligation; legitimate interest.
  • Process payments and meet tax, accounting, and audit obligations. Legal basis: legal obligation.
  • Send transactional communications (service notices, security alerts, billing). Legal basis: performance of contract.
  • Send product or marketing communications. Legal basis: consent (you may withdraw at any time).
  • Improve and develop the Service using aggregated and de-identified data. Legal basis: legitimate interest.
  • Comply with law and respond to lawful requests. Legal basis: legal obligation.
  • Establish, exercise, or defend legal claims. Legal basis: legitimate interest.

We will not use personal data for materially new purposes without first obtaining your consent or another lawful basis.

4. AI Training Statement

We do not use Customer Content or Output to train, fine-tune, or improve our or any third party's foundation or general-purpose machine-learning models, except where you give us prior, opt-in, written consent (for example, by enrolling in a model-customisation programme).

We may use aggregated and de-identified telemetry (such as request counts, latency, error rates, and feature usage) to operate, secure, and improve the Service. Aggregated data is created in a way that does not permit re-identification of any individual or customer.

5. How We Share Information

We share personal data only as described below. We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.

  • Service providers (Subprocessors). With vendors who process personal data on our behalf under written agreements that require them to protect the data and use it only for our instructions. See Section 6.
  • With your direction. With third parties when you instruct us to (for example, by configuring an integration).
  • Affiliates. With our group companies, subject to this Policy.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and to this Policy continuing to apply.
  • Legal and safety. Where required by law, lawful request, or court order, or where necessary to protect the rights, property, or safety of Torchcast, our users, or the public.

6. Subprocessors

We engage the following Subprocessors to process personal data on our behalf:

  • Google Cloud Platform — cloud infrastructure, storage, and compute. Data: all categories at rest and in transit. Location: Singapore (primary region), with regional fail-over.
  • OpenAI — AI model inference. Data: Customer Content submitted to OpenAI-backed features. Location: United States.
  • Anthropic — AI model inference. Data: Customer Content submitted to Anthropic-backed features. Location: United States.
  • Google Gemini — AI model inference. Data: Customer Content submitted to Gemini-backed features. Location: United States / global.
  • Paddle — payment processing (merchant of record). Data: billing contact, payment-method tokens, transaction history, tax data. Location: United Kingdom / global.
  • Resend — transactional email delivery. Data: email address, message content. Location: United States.

We will provide at least 30 days' notice of material changes to this list where you have an active paid subscription, by in-Service notification or email.

7. International Data Transfers

The Service is operated from Singapore, and personal data may be processed in countries other than the one in which you reside, including the United States and the European Economic Area. When we transfer personal data outside Singapore, we comply with section 26 of the PDPA by ensuring that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. For transfers from the EU/UK to a country without an adequacy decision, we use the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) together with supplementary measures where appropriate.

8. Data Retention

We retain personal data only as long as needed for the purpose for which it was collected, including to satisfy legal, accounting, audit, and reporting requirements. Indicative retention periods:

  • Account data — for the life of the account, plus up to 12 months after closure for dispute and security purposes.
  • Customer Content — for the life of the account; deleted or de-identified within 90 days of account termination, subject to legal-hold and the ordinary backup-expiry cycle.
  • Billing and tax records — at least 5 years to comply with Singapore tax and accounting law (Income Tax Act, GST Act).
  • Security and access logs — typically 12 months.
  • Marketing data — until you withdraw consent, plus a suppression record to honour the withdrawal.

9. Security and Breach Notification

We maintain technical and organisational measures appropriate to the risk of the processing, including encryption in transit and at rest, role-based access control, least-privilege provisioning, audit logging, vendor due diligence, and regular review.

If we become aware of a data breach that is likely to result in significant harm to affected individuals, or that meets the notifiability threshold under the PDPA (including a breach affecting 500 or more individuals), we will notify the Personal Data Protection Commission within 72 hours of assessing the breach as notifiable, and we will notify affected individuals as soon as practicable in the manner required by law.

10. Your Rights

You have the following rights, exercisable by emailing contact@torchcast.ai. We will verify your identity before responding to a request.

Under the PDPA (Singapore)

  • Access — request information about the personal data we hold about you and how it has been used or disclosed within the preceding year. We will respond within 30 days or notify you in writing if more time is required.
  • Correction — request correction of inaccurate or incomplete personal data.
  • Withdrawal of consent — withdraw any consent you have given. We will inform you of likely consequences, including any impact on Service availability.

Additional rights (where applicable under GDPR / UK GDPR / CPRA and similar laws)

  • Erasure, restriction of processing, objection, data portability, the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and the right to lodge a complaint with your local supervisory authority.
  • California residents: the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information (we do not sell or share for cross-context behavioural advertising), and the right to non-discrimination for exercising these rights.

We may charge a reasonable fee for an access request where permitted by law and will notify you in advance.

11. Cookies and Similar Technologies

We use a small number of first-party cookies and similar technologies to keep you signed in, remember your preferences, and measure how the Service is used. We do not use third-party advertising cookies. You can control cookies through your browser settings; disabling strictly necessary cookies may impair the Service.

12. Marketing and the Do Not Call Registry

We send marketing communications only with your consent. Every marketing email contains a one-click unsubscribe link. We comply with the Singapore Do Not Call Registry under the PDPA: we will not send telemarketing voice calls, SMS, or fax messages to a Singapore telephone number that is registered on the relevant DNC register, unless you have given clear and unambiguous consent in writing or its equivalent.

13. Children

The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

14. Region-Specific Disclosures

  • EU / UK (GDPR). Where GDPR applies, the legal bases for our processing are set out in Section 3. You have the rights listed in Section 10 and may complain to your local supervisory authority.
  • California (CPRA). Categories of personal information collected, disclosed, and the purposes are described in Sections 2–5. We do not sell or share personal information for cross-context behavioural advertising. We retain personal information for the periods in Section 8.
  • Mainland China (PIPL). Where PIPL applies, separate consent is obtained for cross-border transfers of personal information, and a separate notice describes the recipient, purpose, types of data, and your rights with the overseas recipient.

15. Changes to This Policy

We may update this Policy from time to time. For changes that materially affect your rights, we will give at least 30 days' prior notice by email to the address on your account or by in-Service notification, and where required by law we will obtain fresh consent. Prior versions are available on request to contact@torchcast.ai.

16. Complaints

If you believe we have not handled your personal data in accordance with the PDPA, please contact our DPO at contact@torchcast.ai. We will investigate and respond within 30 days. If you remain dissatisfied, you may complain to the Personal Data Protection Commission (Singapore) at www.pdpc.gov.sg. Individuals in other jurisdictions may complain to their local data-protection authority.

17. Contact

Torchcast Pte. Ltd.
Data Protection Officer
Email: contact@torchcast.ai

Questions? Email contact@torchcast.ai.