Privacy Policy

Last Updated: 28 February 2026

1. Introduction

Welcome to B.O.S. (Business Operating System), an AI-powered platform operated by KDA Capabilities Pte Ltd ("we", "us", or "our"), a company incorporated in Singapore. B.O.S. is designed to unify project management, finance, contracts, CRM, strategy, and AI-driven automation into a single intelligent platform for businesses.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you access or use our platform, website, and related services (collectively, the "Services"). It applies to all users including account holders, team members, and visitors to our website.

We are committed to complying with the Personal Data Protection Act 2012 ("PDPA") of Singapore and other applicable data protection laws. By using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

Personal Information

When you create an account or use our Services, we may collect the following personal information:

  • Name, email address, and contact details
  • Company or organization name and business information
  • Job title and role within your organization
  • Account credentials and authentication data
  • Billing and payment information (processed by our third-party payment provider)
  • Profile preferences, working hours, and notification settings

Usage Data

We automatically collect certain information about how you interact with our Services:

  • Pages visited, features used, and actions taken within the platform
  • Timestamps of access, session duration, and frequency of use
  • Search queries and navigation paths
  • Error logs and performance data to improve service reliability

Device and Technical Information

  • IP address, browser type, and operating system
  • Device identifiers and screen resolution
  • Referring URLs and landing pages
  • Language and timezone settings

Content and Business Data

In the course of using B.O.S., you may upload or create data within the platform, including:

  • Projects, tasks, and work stream information
  • Financial records, invoices, receipts, and expense data
  • Contracts, documents, and uploaded files
  • Contact and CRM data about your clients and partners
  • Chat conversations and messages exchanged with AI agents
  • Meeting recordings and transcriptions
  • Strategic plans, goals, and milestones

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery and Improvement

  • Providing, operating, and maintaining the B.O.S. platform and its features
  • Managing your account, authentication, and workspace settings
  • Processing transactions and managing billing
  • Improving our platform based on usage patterns and feedback

AI Processing

  • Powering our multi-agent AI system to provide task management, scheduling, analysis, content creation, and planning assistance
  • Processing uploaded documents such as receipts and invoices using AI-powered parsing
  • Generating insights, recommendations, and automated workflows
  • Training and improving our AI models using aggregated and anonymized data

Analytics and Communication

  • Analyzing platform usage to understand trends and improve user experience
  • Sending service-related communications such as account notifications, security alerts, and product updates
  • Providing customer support and responding to inquiries

Security and Compliance

  • Detecting, preventing, and responding to security incidents, fraud, and abuse
  • Enforcing our Terms of Service and other policies
  • Complying with applicable legal obligations and regulatory requirements

4. Legal Basis for Processing

Under the Personal Data Protection Act 2012 (PDPA) of Singapore and other applicable data protection laws, we process your personal data on the following legal bases:

  • Consent: Where you have given us clear consent to process your personal data for specific purposes, such as receiving marketing communications or enabling optional AI features.
  • Contractual Necessity: Where processing is necessary to perform our contract with you, including providing the B.O.S. platform, managing your account, and delivering the features you have subscribed to.
  • Legitimate Interests: Where processing is necessary for our legitimate business interests, such as improving our Services, conducting analytics, ensuring platform security, and preventing fraud, provided these interests are not overridden by your rights and interests.
  • Legal Obligations: Where processing is required to comply with applicable laws, regulations, court orders, or governmental requests, including obligations under the PDPA and other Singapore legislation.

You may withdraw your consent at any time by contacting us or adjusting your account settings. Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal.

5. AI and Automated Processing

B.O.S. employs a multi-agent AI system consisting of specialized AI agents (including manager, analyst, scheduler, content writer, critic, chart maker, and monthly planner agents) that process your data to deliver intelligent automation and decision support.

How AI Agents Process Your Data

  • AI agents analyze your tasks, projects, and business data to provide recommendations, scheduling suggestions, and strategic insights
  • Document parsing agents extract structured information from uploaded receipts, invoices, and other documents
  • Content agents assist in drafting plans, reports, and communications based on your project context
  • Agent workflows follow a structured process (propose, review, refine, execute, complete) with activity logging for transparency

Decision-Support Nature

Our AI agents are designed to support and augment your decision-making, not replace it. All AI-generated recommendations, plans, and outputs are presented as suggestions for your review and approval. No automated decision with legal or similarly significant effect is made without human oversight and intervention.

Human Oversight

You retain full control over your data and decisions at all times. AI-generated outputs can be reviewed, modified, accepted, or rejected before any action is taken. Our platform provides full transparency into AI agent activity through detailed activity logs and audit trails.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

Service Providers

We engage trusted third-party service providers who assist us in operating and improving our Services. These providers are contractually obligated to protect your data and may only use it for the purposes we specify. Key service providers include:

  • Supabase for database hosting, authentication, and real-time data services
  • Payment processors for handling billing and subscription transactions
  • Cloud infrastructure providers for hosting and content delivery

AI Service Providers

To power our AI features, certain data may be processed by third-party AI providers, including:

  • Anthropic: For natural language processing and AI agent capabilities via the Claude API
  • Google: For document parsing, content analysis, and AI model services via the Gemini API

Data sent to these providers is transmitted securely and processed in accordance with their respective data processing agreements. We carefully evaluate the privacy and security practices of our AI providers.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal processes, such as court orders, subpoenas, or government requests. We will notify you of such requests where legally permitted.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such change and ensure the receiving entity is bound by comparable data protection obligations.

7. International Data Transfers

KDA Capabilities Pte Ltd is incorporated in Singapore. While we primarily store data in Singapore and the Asia-Pacific region, your data may be transferred to and processed in countries outside of Singapore when necessary for the operation of our Services.

Such transfers may occur when we engage service providers or AI providers located in other jurisdictions. When we transfer personal data internationally, we implement appropriate safeguards to ensure your data remains protected, including:

  • Ensuring the receiving jurisdiction provides a comparable standard of data protection
  • Entering into data processing agreements with contractual protections for your personal data
  • Implementing technical security measures such as encryption during transit and at rest
  • Complying with the PDPA's requirements for overseas data transfers under Section 26

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our Services. Our retention practices are guided by the following principles:

  • Active accounts: We retain your data for the duration of your account and active use of the platform, including all projects, tasks, financial records, and AI interaction history.
  • Account deletion: Upon your request to delete your account, we will remove or anonymize your personal data within 30 days, except where retention is required by law.
  • Legal requirements: Certain data, such as financial records and transaction history, may be retained for longer periods as required by applicable accounting, tax, or regulatory obligations.
  • Aggregated data: We may retain anonymized and aggregated data that can no longer identify you for analytical and improvement purposes indefinitely.

9. Your Rights

Under the PDPA and other applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you and information about how it is being used and disclosed.
  • Right to Correction: You may request that we correct any inaccurate or incomplete personal data we hold about you. You can also update much of your information directly through your account settings.
  • Right to Deletion: You may request the deletion of your personal data, subject to any legal obligations that require us to retain certain information.
  • Right to Data Portability: Where technically feasible, you may request that your personal data be provided to you or transferred to another service provider in a structured, commonly used, and machine-readable format.
  • Right to Withdraw Consent: Where we process your data based on consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.
  • Right to Complain: If you believe your personal data has been mishandled, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

To exercise any of these rights, please contact us at privacy@kdacapabilities.com. We will respond to your request within 30 days.

10. Children's Privacy

B.O.S. is a business platform designed for professional use and is not directed at individuals under the age of 16. We do not knowingly collect or solicit personal data from children under 16 years of age.

If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information as promptly as possible. If you believe a child under 16 has provided us with personal data, please contact us at privacy@kdacapabilities.com.

11. Security Measures

We take the security of your personal data seriously and implement a range of technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
  • Access Controls: We enforce strict role-based access controls and the principle of least privilege. Row-level security (RLS) policies ensure users can only access data within their authorized scope.
  • Regular Audits: We conduct regular security assessments and vulnerability testing to identify and remediate potential risks.
  • Incident Response: We maintain a documented incident response plan to promptly detect, investigate, and mitigate security breaches. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant authorities as required by law.
  • Infrastructure Security: Our Services are hosted on enterprise-grade cloud infrastructure with built-in redundancy, automated backups, and disaster recovery capabilities.

12. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience on our platform. The types of cookies we use include:

  • Essential Cookies: Required for the operation of our platform, including authentication tokens, session management, and security features. These cookies cannot be disabled as they are necessary for the Services to function.
  • Analytics Cookies: Help us understand how visitors interact with our platform by collecting information about pages visited, time spent, and navigation patterns. This data is used in aggregate to improve our Services.
  • Preference Cookies: Remember your settings and preferences, such as language selection, theme choices, and dashboard configurations, to provide a personalized experience.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you through a prominent notice on our platform or via email for significant changes
  • Where required by law, seek your consent before applying material changes to how your data is processed

Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this policy periodically to stay informed about how we protect your data.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

KDA Capabilities Pte Ltd

Email: privacy@kdacapabilities.com

We will endeavour to respond to all legitimate requests within 30 days. If your request is particularly complex or you have made multiple requests, we may require an additional 30 days and will notify you accordingly.