Privacy Policy

Effective 11 June 2026

This page explains our privacy policy, in plain English. It describes what data we collect, when we collect it, why we collect it, and how we protect it. If you want to see your data, or change it, delete it, receive a copy of it, or complain about it, you can. We want you to understand what we do, and the ethical principles that guide what we do.

1. Who we are and what we do

We are So How Pte Ltd, a company incorporated in Singapore.

We provide tools, assessments, learning experiences, and coaching services for personal and professional development. Here, we refer to them as 'products'. Our direct-to-consumer products are purchased and delivered online at sohow.sg and its subdomains. When you interact with our products we will create, and then add to or modify, a unique Development Profile just for you. It will contain some personal data.

We are the data controller for the personal data described here. Our primary obligation is to Singapore's Personal Data Protection Act 2012 (PDPA; see pdpc.gov.sg). If you reach us from the EU or UK, we also recognise your rights under the GDPR.

2. The design principle that protects you

We have designed our technology stack so that no single system can identify you AND read your Development Profile at the same time.

In plain terms: the system that knows your real name and email is separate from the system that knows about your work with us — conversations, check-ins, learning progress, assessment results etc. The systems share only an anonymous customer identifier that is meaningless without crossing a strict access boundary.

This separation is our primary privacy control. It's stronger than any single contract or policy could be because even if one part of our stack were compromised, your real identity and your Development Profile would not be exposed together.

The same principle applies when we use AI to help generate responses (see §5).

3. What data we collect, and why

When you create an account

Data | Why | Lawful basis
Your display name (can be a pseudonym) | To personalise your experience | Consent
Your email address | Account access, receipts, service communication | Contract
Your Google or Apple OAuth identifier | To authenticate you | Contract
Your purchased product(s) or subscription tier and status | To deliver what you've paid for | Contract
Your payment processor customer reference | To link receipts and renewals | Contract

When you use a product

Data | Why | Lawful basis
Birth date, time, and town of birth (Untangle symbolic lens only) | To derive a report we call 'The Pattern' for use in active imagination exercises | Consent
Keyed responses to tools & assessments (e.g. 12Tones, 24Six, Big5 Aspects) | To create insights you may want to include in your development work | Consent
Summaries of your conversations with our AI chatbot (we keep the summary, not the raw conversation) | To identify specific focus areas for development and maintain continuity across sessions | Consent
Invoice and payment history | For Singapore accounting and tax record-keeping purposes | Legal obligation

What we deliberately do not collect

4. Who we share data with

We don't sell your data. We don't share it with advertisers or researchers. We don't have an internal "data team" looking for patterns to monetise. The only reason we store your data at all is because it's needed to deliver our products to you.

We use a small number of service providers. Each is bound to handle your data on our behalf only, and not for their own purposes.

Category | What they do | Notes
Infrastructure | Our database and application hosting (Google Cloud Platform) | Singapore (asia-southeast1)
Authentication | Sign-in via Google or Apple (Firebase Authentication) | Global Google infrastructure — OAuth tokens only, no profile data
AI processing | Assessment tool processing and conversational responses for Seanish | Per the architectural separation in §5 — pseudonymised content only
Payment processing | Cards, bank transfers, and local payment methods | PCI-DSS compliant; we never see card numbers
Email | Transactional and marketing email delivery | EU-hosted
Email validation | Periodic deliverability check on list operations | Email addresses only

Some of the categories above involve service providers whose specific identity may change from time to time (AI processing, payment processing, email). We maintain a current list of named providers in our operational documentation. We'll share it on request, and we'll notify active customers if a provider in the list changes.

5. AI processing — what we send and what we don't

Many of our interfaces use an AI chatbot called Seanish. The chatbot can do different things in different contexts and uses third-party AI processing services to help generate conversational responses. The chatbot is trained in our frameworks but it is not a coach, therapist, or adviser, and we do not describe what it does as coaching. (See our Terms of Service for what Seanish is and isn't.)

The important part: our architecture deliberately keeps your real identity out of every AI request.

What the AI service may receive | What it never receives
Your chosen display name (can be a pseudonym) | Never your real full name
Your derived Untangle symbolic lens pattern | Never your date, time or place of birth
Parts of your Development Profile | Never your payment details
An anonymous customer identifier | Never your phone number, address, or contact information

Re-linking AI-facing data to a real person would require access to a separate accounts system that the AI service cannot reach. This architectural separation is our primary control under PDPA's data-minimisation principle. It travels with us if we change AI providers.

The AI services we use operate under commercial API terms and do not use your conversation content to train their models.

6. International data transfer

Our infrastructure is in Singapore. Some service providers process data in other jurisdictions.

Under PDPA, we must ensure overseas service providers handle your data responsibly. For the AI processing providers, the architectural separation in §5 does that work — what we send isn't personally identifying in the first place. For other providers, we use processors that operate under GDPR or equivalent standards.

7. How long we keep your data

We keep data for as long as we need it to deliver the products to you — or as long as we are legally required to keep it. When that ends, we delete it. Not archive it, delete it.

Data | Retention
Active session conversations | Kept only while the session is active. Once the session ends, we summarise and delete the raw conversation.
Per-session summaries and accumulated session memory | Duration of your subscription, plus 90 days
Coaching notes (face-to-face coaching only) | 12 months from the session date
12Tones check-ins (raw) | 24 months rolling
Goals and longer-arc records | Duration of your subscription, plus 90 days
Account record (email, sign-in identifier) | Duration of your account, plus 90 days
Invoices and payment records | 7 years from last transaction (Singapore regulations)

When you close your account, we delete your platform-side data within 30 days — or immediately if you ask. Invoice records are retained for the legally required period and then deleted.

8. Your rights

You have the right to:

To exercise any of these, email contact@sohow.sg. We respond within 30 days, usually faster. There's no fee for the first request in any 12-month period.

If you believe we've mishandled your data and we can't resolve it together, you can complain to Singapore's Personal Data Protection Commission. EU/UK customers can complain to their national authority.

9. Security

All data is encrypted at rest (Google Cloud default) and in transit (TLS). Production credentials are held in Google Cloud Secret Manager with audit logging and least-privilege access. Administrative access requires multi-factor authentication. Production and development environments are strictly separated. We don't share credentials between people or systems.

No security is perfect. If we have a data breach involving your data, you'll hear from us — quickly, within the periods PDPA and (where applicable) GDPR require. We'll tell you what happened, what we know, what we did, and what (if anything) you need to do.

10. Cookies and analytics

Many sites treat you as the product. Tracking pixels, advertising IDs, behavioural profiles sold to networks you've never heard of. We don't do that.

The only cookies we set are the ones strictly needed to keep you signed in. Our website analytics are first-party only (i.e. we run it ourselves, we don't use a service) — they tell us which pages people visit, not who visited them, and they don't set tracking cookies or follow you anywhere else. We don't run third-party advertising trackers on any customer-facing surface.

We make creative use of technology — including AI — but we want your experience with us to feel like a human experience.

11. Age

You must be 18 or older to create an account or buy anything from us. Singapore's age of contractual capacity is 18; below that age, we cannot lawfully contract with you for paid products.

We do not knowingly accept signups from anyone under 18. If we discover an account belongs to someone under 18, we will close it and delete the data — write to contact@sohow.sg if you believe this has happened.

GDPR (EU/UK) has stricter rules for under-16s around parental consent. Because we don't accept under-18s at all, those rules rarely apply to us — but if a younger user has somehow signed up, we close the account and delete the data, same as any under-18 account.

12. Changes to this policy

We update this page when something material changes. The Last updated date at the top says when. For changes that affect existing customers — a new AI provider, a new sharing relationship, a change of jurisdiction — we also email you.

13. Contact

For anything to do with your data, write to contact@sohow.sg.

Postal: So How Pte Ltd, 1 Wallich Street, #14-01 Guoco Tower, Singapore 078881.