Critical Mass Cloud
Privacy Policy
Last updated: 30 May 2026. This policy describes how Critical Mass Cloud collects, uses and discloses personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA).1. Who we are
Critical Mass Cloud ("we", "us") is operated by Epyphite Pte Ltd, Singapore. Contact: privacy@criticalmass.cloud.
2. What data we collect
Account data: name, email, password hash, two-factor enrolment status.
Workspace data: business records you upload or enter into the HR, Accounting and Sign modules - employees, payroll, invoices, contracts, signed documents, audit trail.
Operational data: log records, IP address and user-agent at sign-in, audit events for security-relevant actions.
3. Purposes
We collect personal data only to: (a) provide the contracted SaaS service; (b) meet our and your statutory record-keeping obligations (IRAS, MOM, CPF, IMDA); (c) detect and prevent fraud or abuse; (d) communicate service notices to administrators.
4. Retention
Workspace data is retained for the period configured by the workspace owner (default: 7 years, covering the longest Singapore record-keeping requirements). Deleted records enter a soft-delete state and are hard-deleted by an automated sweep at the end of the retention window.
5. Disclosure
We do not sell personal data. We disclose it only to: (a) our infrastructure sub-processors (Postgres-managed hosting, Stripe for billing, the Peppol access point for e-invoicing) under written confidentiality terms; (b) lawful requests from Singapore regulators (IRAS, IMDA, PDPC, courts).
6. Your rights
Under PDPA you may: access a copy of your personal data; correct inaccuracies; withdraw consent (which may terminate the service); and request erasure subject to overriding statutory record-keeping requirements.
Use the self-service tools at /account/data or email privacy@criticalmass.cloud.
7. Security
We use TLS in transit, salted password hashes (PBKDF2 / ASP.NET Identity), per-tenant data isolation, optional second-factor authentication, audit logging of security events, and brute-force lockout on PIN / password attempts.
8. Updates
We will notify workspace administrators by email at least 14 days before any material change to this policy.