Privacy Policy

This Privacy Policy is issued by Byterix Labs Pte. Ltd., a company incorporated in Singapore, the data controller responsible for the personal data collected through the Byterix Secure application and associated website.

This Privacy Policy applies to:

• All users of the Byterix Secure mobile application (iOS and Android).
• Visitors to the Byterix Labs website (www.byterixlabs.com) and users of the Byterix Secure web app (app.byterixsecure.com).
• Any person whose personal data is processed by Byterix in connection with the Service.
• Authorised recipients of documents shared via Secure Share who interact with the platform.

This Policy does not apply to:

• Third-party services, websites, or applications linked from within Byterix Secure.
• Data processed by recipient organisations when documents are shared with them.
• Anonymous or fully de-identified data that cannot be linked to any individual.

This policy is designed to align with Singapore PDPA 2012 (as amended), the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and EU GDPR (Regulation 2016/679) where users are located in the EEA. Where applicable law differs, the more protective standard is applied.

Byterix processes personal data only where a lawful basis exists. The following table identifies the lawful basis applicable to each category of processing. Where processing relies on consent, you may withdraw that consent at any time.

Byterix collects personal data through the following means. We apply data minimisation principles at every collection point and do not collect data for speculative or undefined purposes.

4.1 Information you provide directly

• Identity information: full name, email address.
• Authentication credentials: password (stored as a salted cryptographic hash; never in plaintext).
• User content: documents, images, certificates, and files you upload to your vault.
• Support communications: messages, attachments, and information you submit to our support team.
• Account preferences: language, notification settings, and display preferences.

4.2 Information collected automatically

• Device identifiers: device model, operating system version, app build number.
• Session data: login timestamps, session duration, geographic region (country-level only).
• Usage data: feature interactions, in-app navigation events (not document contents).
• Performance data: API response times, error rates, crash reports (anonymised).
• Audit events: document access timestamps, Secure Share events, authentication actions.

4.3 Information we do not collect

• Biometric data. Face ID and fingerprint data is processed exclusively by your device's secure enclave and is never transmitted to Byterix.
• Document content for any purpose beyond encrypted storage and retrieval. We cannot read your documents.
• Precise GPS or real-time location data.
• Contacts, call logs, SMS messages, or device communication data.
• Cross-app or cross-website browsing history.
• Sensitive personal data (e.g., racial origin, political opinions, health data) beyond what you voluntarily upload to your own vault.

We apply data minimisation in line with GDPR Article 5(1)(c) and Singapore PDPA §18. We collect only what is adequate, relevant, and limited to what is necessary for the stated processing purpose.

Personal data collected is used exclusively for the following defined purposes. We do not repurpose data for uses incompatible with the original collection purpose without obtaining fresh consent or establishing a new lawful basis.

Byterix does not sell, rent, license, or trade your personal data or user content to any third party for advertising, marketing, behavioural profiling, or any commercial purpose. Your data is never used to build advertising profiles or shared with data brokers.

Byterix does not sell or share personal data for commercial purposes. Data is disclosed to third parties only in the strictly limited circumstances described below.

6.1 Service providers (data processors)

Byterix engages trusted third-party service providers who process data strictly on our behalf:

• Cloud infrastructure providers: for encrypted storage and compute services only.
• Authentication services: for identity verification and secure login.
• Crash reporting and analytics: using anonymised, non-personally-identifiable data only.
• Customer support platforms: for managing support ticket workflows.

All service providers are bound by written Data Processing Agreements (DPAs) that prohibit them from using Byterix data for their own purposes, from selling or sharing the data, and require them to implement equivalent security standards.

6.2 Legal & regulatory disclosure

We may disclose personal data where required or permitted by law, including:

• In response to a valid court order, subpoena, or other lawful legal process.
• To comply with regulatory requirements or mandatory reporting obligations.
• To a government authority or law enforcement agency where required under applicable law.
• Where disclosure is necessary to prevent or investigate a serious threat to public safety.

To the extent permitted by law, Byterix will notify any affected user of a legally compelled disclosure request before complying. Where notification is prohibited (for example, under a gag order), Byterix may publish a transparency report as an alternative mechanism.

6.3 Business transfers

In the event of a merger, acquisition, asset sale, or corporate restructuring, personal data may be transferred to the acquiring entity as part of the transaction. Affected users will be notified at least 30 days in advance and provided with options to delete their accounts before the transfer takes effect.

6.4 User-directed sharing (Secure Share)

Where you choose to share documents with third parties using Secure Share:

• Sharing is entirely user-initiated and user-controlled; Byterix does not share your documents on your behalf.
• Recipients receive time-bound, encrypted access to only the specific documents you designate.
• You may revoke recipient access at any time before expiry via the in-app Shared Documents panel.
• Byterix is not responsible for the actions of recipients after content has been voluntarily shared with them.

Byterix uses a minimal set of tracking technologies on its website and mobile application. We do not use advertising cookies, cross-site tracking pixels, or behavioural retargeting.

7.1 Website cookies (www.byterixlabs.com and app.byterixsecure.com)

7.2 Mobile application tracking

The Byterix Secure mobile app uses the following limited tracking:

• Crash reporting: device model, OS version, and anonymised stack traces with no personal identifiers.
• Feature analytics: anonymised session-level interaction events for UX improvement.
• Performance monitoring: API latency and error rates with no user-identifiable data.

7.3 Your choices

• Website: a consent banner allows you to accept or reject non-essential cookies on first visit. Non-essential cookies are set only after affirmative consent.
• Mobile app: navigate to Settings > Privacy & Analytics > Disable Analytics to opt out of in-app analytics.
• Browser settings: you may configure your browser to block or delete cookies at any time.
• Do Not Track: Byterix honours DNT signals from browsers where technically feasible.

Byterix is headquartered in Singapore and stores user data on cloud infrastructure that may be located in or span multiple jurisdictions. Where personal data is transferred outside your home country, Byterix ensures that appropriate safeguards are in place.

Safeguards for international transfers include:

• Standard Contractual Clauses (SCCs): for transfers from EEA countries to countries without an adequacy decision.
• Data Processing Agreements: with all cloud infrastructure and third-party service providers.
• Equivalent protection standard: Byterix only transfers data to jurisdictions or providers offering data protection standards equivalent to those required under PDPA and applicable law.
• Encryption in transit: all cross-border data transmissions are encrypted using TLS 1.3.

Singapore PDPA §26 requires organisations transferring personal data outside Singapore to ensure the receiving party provides a standard of protection comparable to the PDPA. This is implemented through our contractual frameworks with all data recipients and infrastructure providers. For EEA users, GDPR Chapter V requirements (SCCs or adequacy decisions) are applied.

Byterix retains personal data only for as long as is necessary for the stated purpose or as required by applicable law. The following retention schedule applies:

You can delete your account directly from in-app account settings. Upon account deletion:

• Your account information and vault files are removed from active production systems when the deletion workflow completes.
• Byterix does not retain residual copies of your account information or vault files in active systems after account deletion.
• Residual data in encrypted backup systems is purged within 30 days.
• Audit logs are anonymised (personal identifiers stripped) and retained per the schedule above.
• A deletion confirmation email is sent to your registered address upon completion.

GDPR Article 5(1)(e) (storage limitation) and PDPA §25 (retention limitation obligation) require that personal data be retained no longer than necessary. The retention schedule above reflects both obligations and applicable statutory minimum retention periods for each data type.

Byterix implements a defence-in-depth security model with multiple independent layers of technical and organisational controls to protect personal data against unauthorised access, disclosure, alteration, and destruction.

Technical controls

• End-to-end encryption: AES-256-GCM for data at rest; TLS 1.3 for all data in transit.
• Zero-knowledge architecture: encryption and decryption occur on-device; Byterix cannot read your documents.
• Key backup: optional backup keys are derived from user-supplied recovery material and are never stored in plaintext. Derived keys are used only for recovery, not for routine session authentication.
• Biometric authentication: processed exclusively by the device's secure enclave; no biometric data is transmitted to Byterix.
• Multi-factor authentication: TOTP-based optional MFA for additional account protection.
• Session management: short-lived JWT tokens with configurable automatic expiry.
• Access controls: role-based access and principle of least privilege across all internal systems.

Organisational controls

• Infrastructure: hosted on cloud data centres operated by providers that maintain SOC 2 Type II attestation, with network segmentation and WAF in place.
• Vulnerability management: continuous automated scanning and periodic third-party penetration testing.
• Responsible disclosure: a public vulnerability disclosure programme is maintained.
• Employee access: background checks, mandatory security training, and quarterly access reviews.
• Incident response: a documented incident response plan with defined RTO/RPO and post-incident review.

While Byterix implements industry-standard and leading-practice controls, no digital system can guarantee absolute immunity from all security threats. In the event of a confirmed security incident materially affecting your personal data, Byterix will notify you promptly and in compliance with applicable breach notification law.

GDPR Article 32 requires implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk. PDPA §24 imposes a comparable Protection Obligation. The controls described above are designed to satisfy both obligations. Note: Byterix has not yet completed independent third-party certification of these controls (e.g., SOC 2, ISO 27001). References to industry frameworks describe the standards our controls are designed against, not certifications currently held by Byterix.

Byterix respects and upholds your rights as a data subject under applicable privacy law. The rights below are available to you through in-app account settings where supported, including self-service account deletion, or by contacting privacy@byterixlabs.com.

How to exercise your rights

• Use in-app account settings to access, correct, export, or delete supported account data directly.
• Use Delete Account in your account settings to remove your account information and vault files from active systems.
• Email privacy@byterixlabs.com with the subject line "Data Subject Request: [Your Right]".
• Include your registered email address and a brief description of the request.
• You may be asked to verify your identity before the request is processed.
• We will acknowledge receipt within 2 business days and respond within 30 days (or as required by law).
• For complex requests, this period may be extended by up to 60 days with prior notice.

Byterix Secure is not directed to children under the age of 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data without verified parental consent, we will delete that data promptly. Parents or guardians who believe a child has provided personal data to Byterix should contact privacy@byterixlabs.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Byterix Secure service. Material changes will be notified to registered users by email and posted on this page at least 30 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy. The "Effective date" and "Version" shown at the top of this page indicate the current revision.

For privacy enquiries, data subject requests, or complaints about how Byterix handles your personal data, contact:

If you are not satisfied with our response, you may also lodge a complaint with the relevant data protection authority in your jurisdiction, for example, the Personal Data Protection Commission (PDPC) in Singapore, the Office of the Australian Information Commissioner (OAIC) in Australia, or your national supervisory authority within the EEA.