Privacy Policy & PDPA Notice

Last updated: 19 April 2026 · Effective on sign-up

This Privacy Policy explains how the Nas Group — comprising Nas Chartered Accountants, Astana Pte. Ltd., and Nas BizAdvisory Pte. Ltd. (collectively, "Astana", "we", "us", "our") — collects, uses, discloses, and protects your personal data when you use the Astana SME Portal (the "Portal") at astana.nasbizadvisory.com. We comply with Singapore's Personal Data Protection Act 2012 (PDPA) and its subsidiary legislation. Data is shared within the Nas Group on a need-to-know basis to deliver the services described below.

1. What personal data we collect

We collect only the personal data necessary to deliver the Portal's accounting, tax, and compliance services:

  • Account data: full name, email address, phone (optional), password hash, marketing opt-in preference.
  • Company data: entity legal name, UEN, entity type, registered address, principal activity, incorporation date.
  • Director & shareholder data: names, dates of appointment, shareholding (no NRICs are collected).
  • Financial data: bank statement data you upload, management accounts, trial balances, tax computations, and generated financial statements.
  • Security / audit data: IP address, user-agent, timestamps of sign-in, OTP verification, and e-signature events.
  • Feedback data: anything you submit through the feedback / bug report form.

2. How we use your personal data

  • To provide, operate, and maintain the Portal's bookkeeping, tax, and SFRS modules.
  • To authenticate you (password hashing via argon2, one-time codes delivered to your email).
  • To generate, store, and deliver financial statements and tax computations.
  • To deliver accountant reviews and related compliance services you engage us for.
  • To respond to support queries, feedback, and bug reports.
  • To send transactional emails (sign-up confirmation, password reset, OTP, service updates). We will only send marketing emails if you have explicitly opted in.
  • To comply with our legal, tax, and regulatory obligations in Singapore.

3. Legal bases for processing

We process your personal data on the basis of the consent you provide when creating your account and uploading data, and for our legitimate interests in operating the Portal, preventing fraud, and improving the service. You may withdraw consent at any time by writing to us (see Section 10).

4. Sharing & disclosure

We do not sell your personal data. We disclose it only when necessary:

  • Nas Group staff: qualified accountants at Nas Chartered Accountants, platform engineers at Astana Pte. Ltd., and corporate secretaries / filing agents at Nas BizAdvisory Pte. Ltd. who deliver the services you engage us for.
  • Service providers: transactional email (SMTP), AI providers (Anthropic / OpenAI) for extraction and categorisation — only when you enable AI on your Profile — and Stripe for payment processing (post-beta only). These providers are bound by their own privacy commitments.
  • Government authorities: ACRA, IRAS, MAS, or law enforcement when required by Singapore law or valid legal process.
  • Successor entities: in the event of a merger, acquisition, or transfer of assets. You will be notified and given a choice to delete your account before any transfer.

5. AI providers & your data

If you enable AI on your Profile using your own Anthropic or OpenAI API key, your financial data is sent to that provider according to their terms. If you choose our managed AI (when available), data is sent using our firm's API key; monthly call caps apply to protect against runaway billing. AI providers do not retain your data for model training under their API plans. You can disable AI at any time on the Profile page.

6. Data retention

  • Active accounts: we retain your data for as long as your account is active.
  • Closed accounts: 7 years after closure to meet ACRA / IRAS record-keeping requirements, then deleted.
  • OTP codes, password reset tokens, session data: expire within minutes to hours as described in the relevant flow.
  • Uploaded bank statements: never persisted to disk; parsed in memory, results written to the database, raw file discarded.

7. Security measures

  • Passwords hashed with argon2id.
  • Optional API keys encrypted at rest using AES-256-GCM.
  • One-time codes hashed before storage; 10-minute expiry; rate-limited verification.
  • CSRF protection on all state-changing requests; session-based authentication with secure cookies.
  • TLS in transit for all production traffic.
  • Least-privilege access inside the firm — only assigned staff see the data relevant to your engagement.

8. Cross-border transfers

Our infrastructure is hosted in Singapore. AI provider APIs (Anthropic, OpenAI) and Stripe process data outside Singapore; where this happens we rely on each provider's contractual safeguards (DPAs, Standard Contractual Clauses) in accordance with Section 26 of the PDPA.

9. Your rights under PDPA

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccuracies in your personal data.
  • Withdraw consent to our processing (note: some withdrawals will require us to close your account, since we can't deliver the Portal without the underlying data).
  • Request deletion of your account and data, subject to statutory retention.
  • Lodge a complaint with the Personal Data Protection Commission Singapore (PDPC).

To exercise any of these rights, email the Data Protection Officer at legal@nasbizadvisory.com.

10. Contact & Data Protection Officer

Data Protection Officer
Nas Group (Nas Chartered Accountants · Astana Pte. Ltd. · Nas BizAdvisory Pte. Ltd.)
Email: legal@nasbizadvisory.com
General enquiries: nas@nasbizadvisory.com

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to all active account holders at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.

Summary: Astana stores your financial data in Singapore, uses it only to deliver accounting and tax services to you, never sells it, protects it with industry-standard security, and deletes it on request subject to statutory record-keeping.