Legal

Privacy Policy

Last updated: 10 May 2026

This Privacy Policy describes how Bulk & Energy Pte Ltd ("we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the Card Scanner service ("Service"), available at card-reader.bulkenergy.app.

We are committed to protecting personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA), and, where applicable, the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Who We Are

Data controller: Bulk & Energy Pte Ltd, registered in Singapore.
Contact: [email protected]

2. Personal Data We Collect

We collect the following categories of personal data:

Account data: name, email address, company name, hashed password, and (if signing in with Google) your Google account ID and profile information.
Business card data (Cloud Library users only): contact information extracted from scanned business cards, including names, phone numbers, email addresses, job titles, company names, and addresses.
Usage data: log data, device type, browser type, IP address, and pages visited, collected automatically when you use the Service.

Private mode users: If you selected "Private Scanning" during registration, business card images and extracted contact data are processed in real time and are not stored on our servers after your session ends.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

To provide, operate, and maintain the Service.
To verify your identity and manage your account.
To process and display business card information you scan.
To send transactional emails (account approval, password setup).
To ensure the security and integrity of the Service.
To comply with our legal obligations.

We do not use your data for advertising or sell it to third parties.

4. Legal Basis for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

Contract performance: processing necessary to provide the Service.
Legitimate interests: service security, fraud prevention, and product improvement.
Legal obligation: compliance with applicable law.
Consent: where you have given explicit consent (e.g., Cloud Library feature).

5. Data Sharing and Third Parties

We share personal data only with the following categories of third-party service providers, and only to the extent necessary to provide the Service:

Supabase Inc. (database hosting) — stores account data and, for Cloud Library users, scanned contact data. Data may be processed in the United States. Supabase is SOC 2 Type II certified.
Anthropic PBC (AI processing) — receives business card images for text extraction. Images are processed but not retained by Anthropic beyond the API call. Data may be processed in the United States.
Resend Inc. (email delivery) — used to send transactional emails. Email addresses are shared for delivery purposes only.
Railway Corp. (application hosting) — hosts the application server. Data may be processed in the United States.

All third-party providers are contractually obligated to process data only as instructed and to implement appropriate security measures.

6. International Data Transfers

Some of our service providers are located outside Singapore and the EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions, in compliance with PDPA and GDPR requirements.

7. Data Retention

Account data: retained for as long as your account is active, and for up to 7 years after account closure for legal compliance purposes.
Scanned contact data (Cloud Library): retained until you delete your account or request deletion.
Private mode scans: not stored; no retention applies.
Usage logs: retained for up to 90 days.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Correction: request correction of inaccurate personal data.
Erasure: request deletion of your personal data (subject to legal obligations).
Portability: receive your data in a machine-readable format.
Withdrawal of consent: withdraw consent at any time where processing is based on consent.
Objection / Restriction: object to or request restriction of certain processing activities.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include TLS encryption in transit, hashed password storage, and access controls restricted to authorised personnel. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Cookies and Tracking

The Service does not use tracking or advertising cookies. We use browser localStorage solely to store your authentication token on your device. No third-party analytics or advertising scripts are loaded.

11. Children's Privacy

The Service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact

For privacy-related inquiries, data access requests, or complaints, please contact:

Bulk & Energy Pte Ltd
Email: [email protected]
Website: bulkenergy.global