Critical Mass Cloud

Privacy Policy

Last updated: 30 May 2026. This policy describes how Critical Mass Cloud collects, uses and discloses personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA).
1. Who we are

Critical Mass Cloud ("we", "us") is operated by Epyphite Pte Ltd, Singapore. Contact: privacy@criticalmass.cloud.

2. What data we collect

Account data: name, email, password hash, two-factor enrolment status.

Workspace data: business records you upload or enter into the HR, Accounting and Sign modules - employees, payroll, invoices, contracts, signed documents, audit trail.

Operational data: log records, IP address and user-agent at sign-in, audit events for security-relevant actions.

3. Purposes

We collect personal data only to: (a) provide the contracted SaaS service; (b) meet our and your statutory record-keeping obligations (IRAS, MOM, CPF, IMDA); (c) detect and prevent fraud or abuse; (d) communicate service notices to administrators.

4. Retention

Workspace data is retained for the period configured by the workspace owner (default: 7 years, covering the longest Singapore record-keeping requirements). Deleted records enter a soft-delete state and are hard-deleted by an automated sweep at the end of the retention window.

5. Disclosure

We do not sell personal data. We disclose it only to: (a) our infrastructure sub-processors (Postgres-managed hosting, Stripe for billing, the Peppol access point for e-invoicing) under written confidentiality terms; (b) lawful requests from Singapore regulators (IRAS, IMDA, PDPC, courts).

6. Your rights

Under PDPA you may: access a copy of your personal data; correct inaccuracies; withdraw consent (which may terminate the service); and request erasure subject to overriding statutory record-keeping requirements.

Use the self-service tools at /account/data or email privacy@criticalmass.cloud.

7. Security

We use TLS in transit, salted password hashes (PBKDF2 / ASP.NET Identity), per-tenant data isolation, optional second-factor authentication, audit logging of security events, and brute-force lockout on PIN / password attempts.

8. Updates

We will notify workspace administrators by email at least 14 days before any material change to this policy.

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.