Skip to main content
Workingless
Sign in

Privacy notice (PDPA)

Last updated 2026-05-08 · Singapore Personal Data Protection Act 2012

1. Who we are

Workingless is operated from Singapore and provides a multi-tenant field-service-scheduling platform. When a tenant operator signs up, they become the data controller for the personal data they put into the system (their customers, their technicians). We act as the data processor under written terms (the Data Processing Addendum). Contact: support@workingless.ai.

2. What data we hold

  • Account data for tenant operators: email, password (hashed by Supabase Auth), business name, sign-in timestamps.
  • Customer data entered by the tenant operator: display name, phone (E.164), email, service address, latitude / longitude (when geocoded), service history.
  • Technician data entered by the tenant operator: name, working hours, optional home base coordinates.
  • Audit events: who did what when, retained for forensic / compliance purposes (target retention 24 months).

3. How we use it

  • To run the booking + dispatch + scheduling features.
  • To compute drive-time-aware slots via Google Routes (origin and destination coordinates are sent to Google; full PII is not).
  • To send transactional email (signup confirmation, password reset). We do not use customer data for marketing.
  • For audit + incident-response purposes — see the Breach notification section.

4. Where it lives

  • Database: Supabase (Postgres) in the Tokyo region (ap-northeast-1).
  • App hosting: Vercel (Singapore + global edge).
  • Error monitoring: Sentry (US region; minimal payload).
  • Rate-limiting: Upstash Redis (Singapore region).
  • Drive-time provider: Google Routes API (request-only; we do not persist Google's PII back).

5. Your rights (PDPA Part IV)

You may at any time:

  • Access a copy of your personal data we hold.
  • Correctdata that's wrong.
  • Withdraw consentfor processing (we'll explain the consequences — usually you can no longer use the service).
  • Erase your data when no longer needed; tenant account deletion enters a 30-day soft-delete grace period before hard-delete.

Submit any request to support@workingless.ai. We respond within 14 calendar days.

6. Breach notification (PDPA s.26B/C/D)

If we detect a data breach affecting your personal data, we notify the tenant operator within 24 hours of confirmation. The tenant then has 3 calendar days to assess notifiability and notify the PDPC (s.26D). If ≥ 500 individuals are affected, notification is mandatory regardless of severity (PDP Notification of Data Breaches Regulations 2021 r.3).

7. Cookies + tracking

We use functional cookies only (Supabase Auth session, active_tenant_selection, CSRF). No third-party marketing pixels. No analytics today; if we add one, we'll update this notice and request consent.

8. Changes to this notice

We update this page as the platform evolves. Material changes will be communicated to tenant operators by email at least 30 days before taking effect.

Questions, complaints, or rights requests: support@workingless.ai · Back to home