Privacy Policy
Effective Date: 22 April 2026
Columns Pte. Ltd. ("Columns," "we," "us," "our") is committed to protecting the personal data entrusted to us in the course of providing our insurance policy aggregation and analysis platform (the "Platform"). We take our responsibilities under Singapore's Personal Data Protection Act 2012 (the "PDPA") seriously and have designed our practices to safeguard the personal data of our clients and the individuals whose information passes through our systems.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have in relation to your data. It applies to all users of the Platform, including the financial advisory firms that subscribe to our services ("Clients") and the individuals authorised by those firms to access the Platform ("Authorised Users").
1. Personal Data We Collect
We collect and process personal data in the following categories:
1.1 Account and Contact Information
When a Client subscribes to the Platform and creates accounts for its Authorised Users, we collect registration details such as names, business email addresses, job titles, contact numbers, and firm details. This information is necessary to set up and administer your account.
1.2 Insurance Policy Data
Clients and Authorised Users may upload insurance policy documents and related information to the Platform for aggregation and analysis. These documents may contain personal data relating to policyholders and other individuals, such as names, identification numbers, dates of birth, coverage details, premium amounts, and beneficiary information.
Clients are responsible for ensuring that they have obtained all necessary consents from the relevant individuals before uploading their personal data to the Platform, and that such uploads comply with applicable data protection laws, including the PDPA.
1.3 Meeting Recordings and AI-Generated Notes
The Platform includes an optional meeting assistant feature that, when activated by an Authorised User, captures audio from client meetings ("Meeting Recordings"), generates transcripts, and produces AI-generated notes and summaries ("Meeting Data"). Meeting Data may contain personal data relating to Authorised Users and their clients, including names, financial details, insurance information, and any other information discussed during the meeting.
Client Responsibilities for Meeting Recordings: Before activating the meeting assistant in any meeting, the Client and its Authorised Users are solely responsible for: (a) obtaining valid informed consent from all meeting participants to the recording, transcription, and processing of the meeting by Columns; (b) providing meeting participants with any notices required under the PDPA or other applicable laws; and (c) ensuring that the use of the meeting assistant complies with all applicable confidentiality, professional conduct, and regulatory obligations. Columns does not activate meeting recording automatically and relies on the Client to manage participant consent.
1.4 Usage and Technical Data
We automatically collect certain technical information when you use the Platform, including login timestamps, feature usage patterns, browser type, device identifiers, IP addresses, and system logs. We use this data to operate, maintain, and improve the Platform.
1.5 Cookies
Our Platform uses cookies and similar technologies to facilitate your use of the Platform, remember your preferences, and collect usage analytics. You may manage your cookie preferences through your browser settings.
1.6 Google Account and Calendar Data
When an Authorised User signs in to the Platform using their Google account, we receive basic profile information (name, email address) and, with the user's explicit consent via Google's OAuth consent screen, a read-only view of their Google Calendar events.
Specifically, we request the https://www.googleapis.com/auth/calendar.events.readonly scope and use it to read the following fields for events on the currently viewed day only: event title, start time, end time, and attendee list. We do not read calendar metadata (list of calendars, access control lists, sharing settings), and we never write, modify, or delete calendar events.
Calendar event data is fetched live from Google on each request and is not persisted to our servers. We do not transfer calendar data to any third party, do not use it to train AI models (whether ours or our providers'), and do not use it for advertising or marketing.
Users may revoke Columns' access to their Google Calendar at any time by visiting Google Account → Security → Third-party apps with account access (https://myaccount.google.com/connections). Revocation takes effect immediately. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
2. How We Use Your Personal Data
We use personal data only for the purposes for which it was collected or for purposes that are directly related and reasonably expected. Specifically, we use your personal data for the following purposes:
- Providing the Platform: To aggregate, organise, and analyse insurance policy information on behalf of our Clients, and to generate transcripts, notes, and summaries from Meeting Recordings.
- Account Administration: To create and manage Client accounts, verify user identities, and process subscription payments.
- Platform Improvement: To monitor Platform performance, diagnose technical issues, and develop new features and functionality.
- Communication: To send service-related notices, respond to enquiries, and provide technical support.
- Security: To detect, prevent, and respond to fraud, security incidents, and unauthorised access.
- Legal and Regulatory Compliance: To comply with applicable laws, regulations, and lawful requests from authorities.
We do not use your personal data for direct marketing purposes without your prior consent. We do not sell your personal data to any third party.
3. AI Processing
The Platform uses artificial intelligence to analyse insurance policies, identify coverage gaps, and generate transcripts and notes from Meeting Recordings. Our AI features are designed to assist licensed financial advisors in managing their workflows. They are decision-support tools for qualified professionals and do not constitute financial advice, insurance advice, or any form of regulated advice to end consumers.
When you use AI-powered features, your data may be processed by third-party AI service providers. We currently use Google Gemini and are evaluating Anthropic Claude for certain features. These providers operate under commercial agreements that contractually prohibit the use of your data for their own model training. Specifically:
- No Third-Party Training: Your input data and the outputs generated by the AI are not used by our third-party AI providers to train, fine-tune, or improve their models.
- Data in Transit: Data transmitted to AI providers for processing is encrypted in transit and is not retained by the provider beyond the duration required to generate a response.
4. Use of Data to Improve Columns' Models and Services
Columns reserves the right to use de-identified and aggregated data derived from Platform usage to improve the accuracy, performance, and functionality of our proprietary models and services. This may include improving our AI-generated meeting notes, coverage gap analysis, and other Platform features.
4.1 Scope and Limitations
Where Columns uses data for model improvement, we apply the following strict limitations:
- Data is de-identified and aggregated before being used for model improvement. Direct identifiers (such as names, identification numbers, contact details, and account numbers) are removed or masked.
- Raw Meeting Recordings (audio files) are not used for model training. Where data derived from Meeting Data is used for improvement, it is limited to de-identified and aggregated data only.
- Sensitive categories of personal data (including health information, medical records, and information relating to minors) are excluded from model improvement activities.
- Data used for model improvement is not shared with third-party AI providers for their own training purposes.
- Model improvement activities are conducted solely for the purpose of improving the Platform and related services.
4.2 Your Right to Opt Out
Clients may opt out of the use of their data for model improvement at any time. Opting out applies prospectively to all Authorised Users of the Client and to all data uploaded or generated after the opt-out takes effect. To opt out, Clients may:
- Adjust the relevant setting in the Platform's administrative console; or
- Contact our Data Protection Officer at the address in Section 12.
We will give effect to opt-out requests within a reasonable period and in any event no later than 14 days after receipt. Opt-out does not affect the lawfulness of any processing carried out before the opt-out took effect. Opting out does not affect the Client's access to or use of the Platform.
5. How We Protect Your Data
5.1 Encryption
Files uploaded to the Platform are encrypted such that Columns personnel cannot access the contents of your documents in unencrypted form. Data is encrypted both in transit (using TLS) and at rest.
5.2 Access Controls
We implement role-based access controls and require two-factor authentication (2FA) for all administrative accounts. Access to production systems is limited to authorised personnel on a need-to-know basis. Environment variables and API credentials are secured and are not exposed in application code.
5.3 Data Isolation
The Platform operates on a multi-tenant architecture. Each Client's data is logically isolated through unique identifiers and database-level row-level security policies. All database queries are filtered to ensure that no Client or Authorised User can access the data of another Client.
5.4 Infrastructure
The Platform is hosted on infrastructure located in the Southeast Asia region (Singapore). Our primary infrastructure providers are Supabase (PostgreSQL database and file storage), Railway (application hosting), and Amazon Web Services. Our code repository is maintained on GitHub.
6. Disclosure of Personal Data
We do not sell, rent, or trade your personal data. We may disclose personal data to the following categories of recipients, solely for the purposes described in this Privacy Policy:
- Infrastructure and Service Providers: Third-party providers who host, support, or maintain the Platform on our behalf, including Supabase, Railway, Amazon Web Services, and GitHub. These providers are contractually obligated to protect your data and may only process it in accordance with our instructions.
- AI Service Providers: Google (Gemini) and, where applicable, Anthropic (Claude), solely for the purpose of providing AI-powered analysis and transcription features. These providers are contractually prohibited from using your data to train their own models.
- Professional Advisors: Our legal, accounting, and compliance advisors, where necessary for us to obtain professional advice or to protect our legal rights.
- Regulatory and Legal Authorities: Where required by law, regulation, court order, or a request from a competent regulatory authority.
We will notify Clients before disclosing their data to any new category of recipient not described above, except where prohibited by law.
7. Cross-Border Transfers
Our infrastructure is located in the Southeast Asia region (Singapore). However, some of our third-party service providers may process data outside of Singapore. Where personal data is transferred outside Singapore, we take reasonable steps to ensure that the recipient provides a standard of protection comparable to that under the PDPA, including through contractual safeguards and due diligence on the recipient's data protection practices.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:
- Account Data: Retained for the duration of the subscription and deleted or anonymised within 30 days of account termination, unless retention is required by law.
- Policy Data and Meeting Data: Retained for the duration of the subscription. Upon termination, Client Data is deleted or returned to the Client within 30 days in accordance with the Terms and Conditions of Use.
- Meeting Recordings: Audio recordings are retained only for so long as necessary to generate transcripts and notes.
- Usage and Technical Data: Retained for up to 12 months for platform improvement and security purposes, after which it is anonymised or deleted.
Clients may request an export of their data at any time during the subscription period.
9. Your Rights Under the PDPA
Under the PDPA, you have the following rights in relation to your personal data:
- Access: You may request access to the personal data we hold about you and information about how it has been used or disclosed in the past year.
- Correction: You may request that we correct any personal data that is inaccurate, incomplete, or out of date.
- Withdrawal of Consent: You may withdraw your consent for us to collect, use, or disclose your personal data at any time by contacting us. Please note that withdrawal of consent may affect our ability to provide you with the Platform services, and we will inform you of the likely consequences.
- Data Portability: Where applicable, you may request that we transmit your personal data to another organisation in a commonly used, machine-readable format.
- Opt-Out of Model Improvement: You may opt out of the use of your data for model improvement as described in Section 4.2.
To exercise any of these rights, please contact us using the details in Section 12. We will respond to your request within 30 days. We may charge a reasonable fee to cover the cost of responding to a data access request.
10. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected individuals or is of a significant scale, we will:
- Notify the Personal Data Protection Commission ("PDPC") as soon as practicable, and in any case no later than 3 calendar days after we have assessed that the breach is notifiable under the PDPA.
- Notify affected Clients without undue delay so that they may take appropriate steps to inform their own clients and data subjects.
- Take immediate steps to contain the breach, investigate its cause, and implement measures to prevent recurrence.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable laws. Where changes are material, we will notify you by email or through a notice on the Platform at least 14 days before the changes take effect. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, opt out of model improvement, or would like to make a complaint, please contact our Data Protection Officer:
Data Protection Officer
Douglas Koehler
Columns Pte. Ltd.
Email: douglas@columns.us
Address: 18 Lewis Rd, Singapore 258603
If you are not satisfied with our response, you may contact the Personal Data Protection Commission of Singapore at https://www.pdpc.gov.sg.