Privacy Policy & Data Protection Notice
Last updated: March 2026
Sleek Pte. Ltd. ("Sleek", "we", "us") operates the Sleek Cap Table platform ("the Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data in compliance with Singapore's Personal Data Protection Act 2012 ("PDPA").
1. Data We Collect
| Category | Data Types | Purpose |
|---|---|---|
| Identity & Contact | Full name, email address, investor type | Account creation, authentication, shareholder identification |
| Financial Data | Share counts, ownership percentages, investment amounts, transaction history, secondary proceeds | Cap table management, equity tracking, reporting |
| Authentication Data | Password hash (bcrypt), TOTP secret (encrypted), session tokens | Secure access, two-factor authentication |
| Activity Data | Login timestamps, audit trail entries, chat conversations | Security monitoring, compliance, platform support |
| Investor Profile | Individual or corporate profile details (address, ID type, representative info) | Regulatory compliance, shareholder records |
2. How We Use Your Data
We use your personal data for the following purposes:
- Providing and maintaining the cap table management platform
- Authenticating your identity and securing your account
- Displaying your shareholding information and transaction history
- Processing AI-powered Help Chat queries (see Section 5)
- Sending transactional emails (invitations, password resets, ticket responses)
- Maintaining audit trails for regulatory compliance
- Improving platform functionality and security
3. Data Disclosure to Third Parties
We may disclose your personal data to the following categories of third parties:
- OpenAI (AI processing): When you use the Help Chat feature, your query and relevant cap table data are sent to OpenAI's API for processing. See Section 5 for details.
- Resend (email delivery): Transactional emails are sent via Resend. Only email addresses and message content are shared.
- Replit (hosting): The Platform is hosted on Replit's infrastructure. Data is stored on Replit's servers.
We do not sell your personal data to any third party.
4. Cross-Border Data Transfer
Your data may be transferred to and processed in countries outside Singapore:
- OpenAI API: AI processing occurs on servers primarily located in the United States. We ensure comparable data protection through contractual safeguards and API configurations that prevent data retention by OpenAI (requests are sent with `store: false`).
- Hosting infrastructure: The Platform is hosted on cloud infrastructure that may span multiple jurisdictions.
By using the Platform, you consent to these cross-border transfers. We take reasonable steps to ensure your data receives adequate protection in accordance with the PDPA.
5. AI Help Chat — Data Processing
The Help Chat feature uses OpenAI's API to provide AI-powered assistance. When you use Help Chat:
- Your question and relevant cap table data (based on your access level) are sent to OpenAI for processing
- Viewers/shareholders: only your own shareholding data is included in the AI context
- Admins/staff: broader cap table data may be included
- We configure API calls with `store: false` to prevent OpenAI from retaining your data
- Conversation history is stored in our database and subject to our retention policy
- AI responses may contain errors — always verify critical figures against the Cap Table
You must explicitly consent to AI data processing before your first Help Chat interaction. You can review your consent status in your account settings.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Active shareholder records | Retained while shareholder is active |
| Deactivated shareholder records | 7 years (financial record-keeping per Companies Act) |
| Chat conversations | Configurable; default 90 days, then auto-purged |
| Audit trail | 7 years minimum (financial compliance) |
| Session data | Purged on logout or after 24 hours |
| Authentication data | Retained while account is active |
7. Your Rights Under PDPA
Under the PDPA, you have the right to:
- Access: Request information about what personal data we hold about you and how it has been used or disclosed in the past year
- Correction: Request correction of any inaccurate or incomplete personal data
- Withdrawal of consent: Withdraw your consent for specific data processing activities (note: withdrawing consent for core platform functions may limit your access)
To exercise these rights, contact our Data Protection Officer (see Section 9).
8. Security Measures
We implement the following security measures to protect your data:
- Passwords are hashed using industry-standard algorithms (PBKDF2-SHA256)
- Mandatory two-factor authentication (TOTP) on production
- Session management with idle timeout (2 hours) and absolute expiry (24 hours)
- CSRF protection on all state-changing requests
- Rate limiting on authentication and API endpoints
- Content Security Policy (CSP) with nonce-based script control
- Role-based access control (RBAC) with server-side data scoping
- Comprehensive audit logging of all data modifications
9. Data Protection Officer
For any questions, concerns, or requests relating to your personal data, please contact:
Data Protection Officer
Sleek Pte. Ltd.
Email: [email protected]
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or email. The "Last updated" date at the top indicates when the policy was last revised.
11. Governing Law
This Privacy Policy is governed by the laws of Singapore, including the Personal Data Protection Act 2012.