Privacy Notice
How we collect, use, store and protect personal data under Singapore's Personal Data Protection Act 2012 (PDPA).
1. Who we are
This service ("Elitez EOR", "we", "us") is operated by Elitez Group of Companies, a Singapore-incorporated entity. Our Data Protection Officer (DPO) can be reached at [email protected].
2. Scope
This notice covers personal data we process when:
- A representative of a business signs up at
eor.elitez.ai; - A business uploads KYC documents (ACRA bizfile, NRIC scans);
- A business onboards employees onto our employer-of-record service;
- We administer payroll, CPF, WICA, IR8A and statutory filings on behalf of a client business.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Business representative | Name, work email, mobile, role, IP address | You |
| Company identifiers | UEN, registered address, contact phone | You + ACRA records you upload |
| KYC documents | ACRA bizfile (PDF), director's NRIC scan | You |
| Employee personal data | NRIC/FIN, full name, DOB, address, bank, CPF, salary | The client business (acting as authorised employer) |
| Operational logs | Audit log (sign-in events, document uploads, admin actions), IP, user-agent | Automatic |
4. How we use it
- Service delivery: verifying your business, running payroll, filing CPF, WICA, IR8A.
- Account security: sign-in (OTP), session management, fraud and abuse prevention.
- Audit & compliance: keeping an immutable audit log for regulator-facing readiness (PDPA, MOM, IRAS).
- Service communication: transactional notices (invoices, document status, payroll cut-off) sent to your registered email.
5. Legal basis under PDPA
We rely on consent (explicit at signup), legitimate interests (account security and fraud prevention), and statutory obligations (CPF Act, Income Tax Act, Employment Act). Your consent can be withdrawn — see Section 9.
6. Sharing
We disclose personal data only to:
- Singapore statutory bodies (CPF Board, IRAS, MOM, ACRA) where the law requires;
- Payment + email infrastructure (Resend for transactional email, Supabase Singapore for database/storage, Cloudflare for CDN/edge);
- Banking partners for salary disbursement (only the fields the bank requires);
- Regulator-authorised auditors if presented with a valid notice.
We do not sell personal data. We do not transfer data outside Singapore for marketing or analytics.
7. Cross-border transfers
All primary data is stored in Singapore (Supabase region ap-southeast-1). Some sub-processors (e.g. Resend) may transit data across regions for email delivery — these processors are contractually bound to PDPA-equivalent protections under our Data Processing Agreement.
8. Retention
| Data class | Retention |
|---|---|
| Active account data (profile, tenant, employees) | For the life of the contract + 7 years (statutory) |
| KYC documents | 7 years from contract end (AML/PDPA) |
| Payroll records (CPF, IR8A, payslips) | 5 years from year-end (IRAS) |
| Audit logs (sign-in, admin actions) | 3 years |
| OTP codes (transient) | 10 minutes (auto-purged) |
9. Your rights (data subject)
Under PDPA you may request:
- Access to the personal data we hold about you;
- Correction of inaccurate or out-of-date data;
- Withdrawal of consent (this may end your ability to use the service);
- Erasure of data we are not legally required to retain.
Email [email protected] with subject line "PDPA data request". We respond within 30 calendar days.
10. Security
- Singapore-region encrypted-at-rest storage (Supabase Postgres + Storage).
- Per-tenant Row-Level Security: a client's data cannot be read by another client.
- Magic-link / OTP authentication; no static passwords.
- Immutable audit log of admin actions for forensic review.
- Annual penetration testing; quarterly dependency scans.
11. Breach notification
If a notifiable data breach occurs (per PDPA s.26B), we notify affected users and the PDPC within 72 hours of confirming the breach.
12. Changes
Material changes to this notice are emailed to the registered address of every active tenant 14 days before they take effect.
13. Contact
Data Protection Officer
Elitez Group of Companies
Email: [email protected]
If you are not satisfied with our response, you may contact the Personal Data Protection Commission of Singapore: pdpc.gov.sg.