Zeng Book

Privacy Policy

Last updated: 15 May 2026

1. About this policy

Zeng Book (the “Service”, “we”, “us”, or “our”) is a software-as-a-service platform operated by Zeng Book (operator details to be confirmed before paid launch) for construction, renovation, and interior design firms in Singapore.

This policy describes how we collect, use, disclose, and protect personal data in connection with your use of the Service. We comply with the Personal Data Protection Act 2012 (PDPA) and other applicable Singapore laws.

2. Scope

This policy applies to:

  • Personal data of users who sign up for and use the Service (“Users”)
  • Personal data uploaded or entered into the Service by customer organisations about their own clients, sub-contractors, employees, or third parties (“Customer Content”)

For Customer Content, your organisation is the data controller. We process it on your behalf as a data intermediary under PDPA. Your organisation must have its own privacy notice with the individuals whose data it stores in the Service.

3. What we collect

Account & profile data

  • Name, email address, password (hashed)
  • Organisation name, slug, optional UEN, optional GST registration number
  • Role within your organisation (admin, member)

Customer Content

  • Client records (name, email, phone, address, notes)
  • Project details, including site addresses, dates, budgets
  • Quotations and invoices, including line items, GST snapshots, and payment status
  • Documents you upload (drawings, contracts, BCA permits, MOM forms, photos, etc.)
  • Workspace configuration (templates, branding)

Billing data

  • Stripe customer ID and subscription status
  • Card details are handled directly by Stripe and are never stored on our servers

Technical data

  • IP address, browser type, device info, and request logs (limited; for security and diagnostics)
  • Authentication cookies and session tokens
  • File metadata and storage paths

4. Why we collect it

  • To provide and operate the Service
  • To authenticate users and protect accounts
  • To process payments and manage subscriptions
  • To send transactional emails (account, billing, document delivery to clients you nominate)
  • To improve and secure the Service
  • To comply with legal obligations (e.g. tax records, court orders, IRAS audits)

5. Sharing & service providers

We share data only with vendors who help us run the Service, under data-processing terms:

Vendor | Purpose | Data location
Supabase | Authentication, database, file storage | Singapore (ap-southeast-1)
Stripe | Payment processing, billing | Global; PCI DSS compliant
Resend | Transactional email delivery | Global
Hosting provider | Application hosting | Global edge network
Google (Analytics 4 / Tag Manager) | Visitor analytics (only with your explicit consent) | Global

We do not sell your personal data. We do not share Customer Content with third parties except (a) sub-processors above, (b) when you direct us to (e.g. emailing a client), or (c) when required by law.

6. Where data is stored

Primary storage is in Supabase's Singapore region (ap-southeast-1). Some sub-processors (Stripe, email delivery) may process data outside Singapore. Where personal data is transferred out of Singapore, we ensure appropriate contractual safeguards are in place as required by PDPA s.26.

7. How long we keep it

  • Active accounts: while your subscription is active, and for up to 12 months after cancellation to allow account recovery.
  • Cancelled accounts: deleted within 30 days of a written deletion request from an organisation admin.
  • Billing records: retained for up to 5 years per IRAS record-keeping requirements.
  • Audit and login logs: 90 days.
  • Deleted records and documents: removed from primary storage on deletion; backups expire within 30 days thereafter.

8. Your rights under PDPA

You may request to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Withdraw consent for further use (note: withdrawal may prevent us from continuing to provide the Service)
  • Be informed about disclosures of your personal data in the past year

For Customer Content, please direct requests to your organisation's admin first; we will assist as a data intermediary. To exercise rights, contact our DPO (Section 13).

9. Cookies & tracking

We use strictly necessary cookies for authentication and session management (via Supabase). These are set when you sign in and cannot be turned off without breaking the Service.

With your explicit opt-in via our cookie consent banner, we also use Google Analytics 4 (delivered through Google Tag Manager) to understand which pages visitors view and how they move through the Service. You can decline analytics on the banner or change your choice at any time by clearing cookies for this site. We do not use advertising cookies or cross-site trackers.

10. Customer organisations & end-clients

If you are using the Service as a construction or renovation firm:

  • Your firm decides what client and project data to enter into the Service
  • Your firm is responsible for obtaining consent from clients (homeowners, project owners, MCSTs, and similar) before entering their data
  • Your firm should provide its own privacy notice to those clients
  • We process such data only as your firm instructs and per these terms

If you are an end-client whose contractor uses Zeng Book to manage your project, please contact your contractor directly with privacy queries about your data. We will support reasonable requests forwarded by the contracting firm.

11. Security

We implement reasonable technical and organisational measures, including:

  • Encryption in transit (TLS) and at rest (storage-level)
  • Password hashing (handled by Supabase Auth)
  • Role-based access within organisations
  • Audited authentication logs
  • Regular dependency updates

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the Personal Data Protection Commission (PDPC) where required by law (notifiable data-breach regime, in force since 1 February 2021).

12. Children

The Service is for business users. We do not knowingly collect personal data from anyone under 16. If you believe we have done so, contact us and we will delete it.

13. Contact our Data Protection Officer

Data Protection Officer
Zeng Book (operator details to be confirmed before paid launch)
Email: [email protected]
Address: Registered Singapore address to be confirmed before paid launch

You may also lodge a complaint with the Personal Data Protection Commission of Singapore at pdpc.gov.sg.

14. Changes to this policy

We may update this policy. Material changes will be notified via email or in-product notice at least 14 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance.