Legal · Privacy Policy
Privacy
Policy
Effective date: 6 April 2026 · Version 1.0 · Singapore PDPA · Thailand PDPA · GDPR
SpaceNerv is built on a founding principle: data belongs to the people and organisations that generate it. This policy describes what we collect, why, and how we protect it.
Data controller
DWNTWN Global Pte Ltd
UEN 202608530M
160 Robinson Road #14-04
Singapore Business Federation Centre
Singapore 068914
data@spacenerv.io
1. Who this policy covers
This policy applies to three categories of people who interact with SpaceNerv:
- Clients — businesses and individuals who subscribe to the SpaceNerv platform.
- Operators — staff members who tap QR codes or NFC nodes as part of their work at a Client's location.
- Visitors — people who visit spacenerv.io or interact with SpaceNerv's marketing communications.
2. What data we collect
| Data type |
What it contains |
Who it relates to |
Legal basis |
| Tap events |
Timestamp, node ID, zone, form responses submitted by the Operator |
Operators |
Legitimate interests of the Client (operational monitoring) |
| Account data |
Business name, email address, deployment configuration |
Clients |
Contract performance |
| Device identifiers |
Activation code stored in browser localStorage on Operator devices |
Operators |
Legitimate interests (authentication) |
| Website analytics |
Page visits, referral source, browser type via Netlify Analytics |
Visitors |
Legitimate interests (improving the service) |
| Payment data |
Processed by Stripe. SpaceNerv does not store card numbers. |
Clients |
Contract performance |
3. What we do not collect
SpaceNerv does not collect:
- Names of individual Operators — tap events are not linked to named individuals.
- Location data beyond the node identifier — we know which node was tapped, not where the Operator physically was beyond that node's location.
- Biometric data of any kind.
- Data from children — the Platform is not directed at persons under 18.
- Sensitive personal data as defined under Singapore PDPA or Thailand PDPA.
4. How we use data
Tap event data is used exclusively to:
- Display the node health grid and tap event feed on the Client's dashboard.
- Compute the Spatial Baseline Engine — learning each node's expected operational rhythm.
- Generate anomaly scores and trigger LINE Notify alerts when nodes are overdue.
- Produce operational analytics for the Client's own review.
Anonymised and aggregated data across all Deployments is used to improve the Platform and generate industry-level spatial intelligence benchmarks. No individual Client's data is identifiable in these aggregates.
5. Data storage and security
All data is stored in Supabase PostgreSQL databases hosted in the Singapore region (ap-southeast-1). A Data Processing Agreement is in place with Supabase Inc.
Data is protected by:
- Row Level Security — each Client can only access their own Deployment's data.
- TLS encryption in transit on all connections.
- Supabase-managed encryption at rest.
- Access controls limiting SpaceNerv staff access to operational necessity only.
6. Data retention
Tap event data is retained in three tiers:
- Tier 1 — Hot (0–24 months): Full individual tap event records, accessible on the dashboard.
- Tier 2 — Warm (24 months–7 years): Anonymised records. Individual Operator identifiers removed. Retained for operational trend analysis.
- Tier 3 — Cold (7 years+): Aggregate models only. No individual records retained.
Account data is retained for the duration of the subscription plus 12 months. Payment records are retained for 7 years as required by Singapore accounting law.
7. Data sharing
SpaceNerv does not sell personal data. Data is shared only with:
- Supabase Inc. — database hosting and infrastructure. DPA in place.
- Stripe Inc. — payment processing. Stripe's privacy policy applies to payment data.
- LINE Corporation — anomaly alert delivery via LINE Notify API. Only the alert message content is transmitted, not raw tap event data.
- Netlify Inc. — website hosting and analytics.
All sub-processors are required to maintain data protection standards consistent with this policy.
8. Your rights
Clients and Operators have the following rights under Singapore PDPA, Thailand PDPA, and where applicable GDPR:
- Access: Request a copy of data held about you or your Deployment.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your data subject to legal retention requirements.
- Portability: Request an export of your Tap Event data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal: Withdraw consent where processing is consent-based.
To exercise any of these rights, contact data@spacenerv.io. Requests will be acknowledged within 3 business days and fulfilled within 30 days.
9. Operator notice — information for staff
If you are a staff member using SpaceNerv at your workplace: when you scan a QR code or tap an NFC chip and submit a form, a record is created showing which node was tapped, when, and the form responses you submitted. This record is visible to your employer's designated supervisor on the SpaceNerv dashboard. Your individual name is not stored by SpaceNerv unless your employer has configured the comply form to include an inspector name field. For questions about how your data is used, contact your employer or email data@spacenerv.io.
หากคุณเป็นพนักงานที่ใช้ SpaceNerv ในที่ทำงาน: เมื่อคุณสแกน QR โค้ดหรือแตะชิป NFC และส่งฟอร์ม ระบบจะบันทึกว่าโหนดใดถูกแตะ เมื่อไหร่ และคำตอบในฟอร์ม บันทึกนี้จะปรากฏให้หัวหน้างานที่นายจ้างกำหนดเห็นบนแดชบอร์ด SpaceNerv ชื่อส่วนตัวของคุณไม่ถูกจัดเก็บโดย SpaceNerv
10. Cookies and local storage
The SpaceNerv tap form uses browser localStorage to store your Deployment activation code on your device. This is not a cookie and is not transmitted to any server. It persists until you clear your browser data or the code is rotated by your employer.
spacenerv.io uses Netlify Analytics which collects anonymised page view data without cookies or personal identifiers.
11. International transfers
Data is stored in Singapore. Where data is processed by sub-processors in other jurisdictions (Stripe in the United States, LINE Corporation in Japan), appropriate safeguards including data processing agreements and standard contractual clauses are in place.
12. Changes to this policy
This policy may be updated from time to time. Material changes will be communicated to registered Client email addresses with at least 30 days notice. The current version is always available at spacenerv.io/privacy.
13. Contact
Data protection enquiries: data@spacenerv.io
Legal correspondence: legal@spacenerv.io
DWNTWN Global Pte Ltd · 160 Robinson Road #14-04 · Singapore 068914