Privacy Policy · ExpertDesk

Plain English summary

We minimise the personal data needed for cross-border matters. Identifiers can be redacted at intake. Where PRC data is involved, China PIPL transfer mechanisms may apply. We do not sell personal data and we do not use it for third-party advertising.

1. Scope and controller

This Privacy Policy explains how ExpertDesk collects, uses, discloses, stores and protects personal data when you visit our website, create an account, use Flash Q&A, submit a quote request, upload materials, pay for services or communicate with us. It is designed around Singapore Personal Data Protection Act considerations and, where PRC personal information is involved, China Personal Information Protection Law considerations.

The applicable data controller or responsible platform operator may be identified in the relevant quote, invoice, checkout record or engagement confirmation. For privacy requests, use the contact form linked at the end of this Policy.

2. Personal data we collect

Account and contact data: name, email, company, role, country, preferred language, login status and communication preferences.
Question and intake data: chat prompts, facts, legal or business questions, matter descriptions, deadlines, jurisdictions, service selections and expected outputs.
Document data: files, excerpts, attachments, metadata and content you upload for quote review or scoped work.
Payment data: checkout status, invoice references, transaction identifiers, billing country and limited card or payment metadata provided by our payment processor. We do not store full card numbers.
Usage, device and security data: pages viewed, actions taken, timestamps, IP address, browser type, device information, session cookies, error logs and security audit records.
Communications: emails, support messages, quote discussions, meeting notes and feedback you send to us.

3. Sources of personal data

We collect personal data directly from you, from your authorised team members, from uploaded documents, from payment and authentication providers, from platform logs and, where relevant to a matter, from public or licensed sources used to verify legal, regulatory or commercial context.

4. How we use personal data

We use personal data to:

create and secure accounts, authenticate users and send login links;
provide Flash Q&A, quote review, scoped services and matter coordination;
classify questions, route submissions and prepare anonymised or minimised expert briefs;
process payments, invoices, refunds, credits, tax records and fraud checks;
communicate about quotes, deliverables, deadlines, service updates and support requests;
maintain security, troubleshoot errors, prevent abuse and audit access;
improve platform reliability, product design, internal workflows and user experience; and
comply with legal, regulatory, tax, accounting and dispute-resolution obligations.

5. Legal bases and consent

Where a specific legal basis is required, we generally process personal data to perform a contract with you, to take steps at your request before entering a contract, to comply with legal obligations, to protect legitimate business and security interests, or with your consent. If you provide personal data about another person, you are responsible for ensuring that you have the authority, notice and consent required to do so.

6. Singapore-first intake and minimisation

For quote requests and professional matter intake, our operating model is to minimise unnecessary disclosure of raw client information. Depending on the matter, we may use redaction, de-identification, anonymised summaries, access controls, encrypted storage, role-based review and audit records before sharing materials with reviewers or service providers.

You should not upload more personal data than is needed for the question or matter. Where possible, remove unnecessary names, ID numbers, addresses, phone numbers, personal financial information and unrelated documents before submission.

7. Cross-border transfers

ExpertDesk is built for cross-border China matters, so personal data may be accessed, stored or processed in jurisdictions outside your country, including Singapore and, where necessary for a matter, by reviewers or service providers in other jurisdictions. We use contractual, technical and organisational measures intended to protect personal data during these transfers.

Where PRC personal information is involved, we assess whether China PIPL transfer mechanisms may apply, including the mechanisms under Article 38 such as security assessment, personal information protection certification, standard contractual clauses or other mechanisms provided by law or regulation. The appropriate route depends on the data type, volume, sensitivity, role of the parties and purpose of processing.

8. Service providers and reviewers

We may disclose personal data to vendors and reviewers who need it to provide the service, including hosting and database providers, authentication and email providers, payment processors, analytics or error monitoring providers, AI assistance services, security tooling, professional reviewers, legal, tax, finance, IP or compliance experts and operational contractors. We do not sell personal data or use it for third-party advertising.

9. Security

We use administrative, technical and organisational measures designed to protect personal data, including access controls, encryption where appropriate, least-privilege permissions, audit logs, environment separation and operational review. No internet service can be guaranteed completely secure, so you should use a strong email account, protect login links and avoid submitting unnecessary sensitive data.

10. Retention

We keep personal data only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law, tax rules, audit needs, professional recordkeeping, fraud prevention or dispute handling.

Account and authentication records: generally up to 24 months after account closure.
Flash Q&A history: generally up to 24 months unless deleted earlier by product settings.
Quote requests, intake records and matter files: generally up to 7 years after completion or last activity.
Payment, tax and accounting records: generally up to 10 years where required.
Security, error and access logs: generally 12 to 24 months unless needed for investigation.

11. Your rights

Subject to applicable law, you may request access, correction, deletion, withdrawal of consent, portability where available, restriction or objection to processing. We may need to verify your identity and may retain information where required for legal, accounting, security or dispute-resolution purposes.

If you are acting on behalf of a company, some records may be retained as company service records even if an individual contact changes roles or requests deletion.

12. Cookies and analytics

We use cookies and similar technologies for authentication, session continuity, security, preferences, diagnostics and limited analytics. We do not use third-party advertising cookies. You can control cookies through your browser, but disabling essential cookies may prevent login or checkout from working.

13. Business users and minors

ExpertDesk is intended for business and professional users. It is not directed to children, and we do not knowingly collect personal data from children.

14. Changes and contact

We may update this Privacy Policy as our services, vendors, legal requirements and operating model develop. Material changes will be notified to active users where reasonably practicable.

Privacy questions: contact our team.
Account and access requests: use the account email associated with your ExpertDesk login so we can verify the request.