Legal

Privacy Policy

How CSI Tech collects, uses, and protects your personal information.

CSI Tech Pte. Ltd.  ·  Last updated: 21 April 2026  ·  Version 1.1

CSI Tech Pte. Ltd. is committed to protecting the personal data of everyone who interacts with us — whether you are visiting our website, booking a consultation, or working with us as a managed IT services client. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have under Singapore's Personal Data Protection Act 2012 (PDPA).

Please read this policy carefully. If you have any questions, contact us at hello@csi-tech.sg.

1. Who We Are

Company: CSI Tech Pte. Ltd.
UEN: 202337847M
Address: 4 Shenton Way, #20-01 SGX Centre 2, Singapore 068807

CSI Tech is a Singapore-based IT managed services and cybersecurity advisory firm. Our services include IT infrastructure management, Microsoft 365 deployment and support, backup and disaster recovery, endpoint security, and cybersecurity advisory.

2. Scope of This Policy

This Privacy Policy applies to:

  • (a) Website visitors — anyone who browses https://csi-tech.com.sg.
  • (b) Prospective clients — anyone who submits an enquiry or books a meeting or consultation through our website.
  • (c) Managed IT service clients — organisations that have engaged CSI Tech to deliver IT managed services. Where CSI Tech processes personal data on behalf of a client, it does so as a data intermediary acting under that client's instructions.
  • (d) Employees and contractors — individuals engaged by CSI Tech in an employment or contracting capacity. A separate Data Protection Notice for Employees and Contractors is issued at the point of engagement.

What this policy does not cover: This policy does not govern the personal data that CSI Tech processes on behalf of its managed IT service clients in its capacity as a data intermediary. That processing is governed by the Data Processing Agreement (DPA) that CSI Tech issues to each client. A summary of CSI Tech's intermediary data practices is included in Section 5.

3. Two Roles: Controller and Intermediary

Under the PDPA, organisations that handle personal data may do so as a data controller or a data intermediary. CSI Tech operates in both capacities, depending on the context.

CSI Tech as Data Controller

CSI Tech is a data controller when it determines the purposes and means of processing personal data. This applies to personal data collected from website visitors and prospective clients (for example, via TidyCal or direct email), and employee and contractor personal data collected for HR and compliance purposes. CSI Tech bears full responsibility under the PDPA for how that personal data is collected, used, protected, and disclosed.

CSI Tech as Data Intermediary

CSI Tech is a data intermediary when it processes personal data on behalf of its managed IT service clients. In this role, CSI Tech acts solely on the instructions of the relevant client organisation (the data controller). The client bears primary responsibility for PDPA compliance in respect of its own data subjects. CSI Tech's obligations — including data security, sub-processor controls, breach notification, and cross-border transfer safeguards — are governed by the DPA issued to each client.

If you are an employee or user of one of CSI Tech's managed services clients: CSI Tech processes your personal data on behalf of your employer (the data controller). To exercise your PDPA rights, please contact your employer directly. CSI Tech will cooperate with your employer's instructions to fulfil those requests.

4. Data We Collect — Controller Capacity

Website Visits

CSI Tech's website is hosted on Ghost via Elestio, a self-hosted deployment located in Singapore. We use Ghost's native analytics to understand how our website is used.

Ghost analytics are cookieless and first-party. They collect only aggregate statistics — page views, referrer sources, and device types. No individual user profiles are created. No IP addresses are logged against individuals. No tracking cookies are placed on your device. No consent banner is required and none is displayed.

The aggregate analytics engine is powered by Tinybird, located in the EU. Because no personal data is transmitted to Tinybird — only anonymised aggregate counts — this does not constitute a transfer of personal data.

Not in use: CSI Tech does not use Google Analytics, Meta Pixel, HubSpot, or any CRM or email marketing platform on this website.

Booking and Enquiries (TidyCal)

If you book a meeting or consultation through our website, you will be directed to a TidyCal scheduling widget operated by AppSumo. TidyCal collects your name, email address, and optionally your phone number. This data is used solely to schedule and conduct the meeting and to follow up on your enquiry. The legal basis is notification and consent under PDPA section 13.

TidyCal is operated by AppSumo, based in the United States. Booking involves a cross-border transfer of your personal data from Singapore to the US — see Section 8. If you prefer not to use TidyCal, contact us directly at hello@csi-tech.sg.

Direct Communications

If you contact CSI Tech by email or any other channel, we collect your name, email address, and the content of your communication. This is used only to respond to your enquiry. If no engagement begins, we retain this correspondence for 12 months from the date of last communication. If an engagement commences, we retain it for the duration of that engagement and any applicable statutory retention period thereafter.

Employee and Contractor Data

CSI Tech collects and processes employment-related personal data for HR administration, payroll processing, and statutory compliance. A separate Data Protection Notice for Employees and Contractors is issued at the point of engagement and sets out the full details of this processing.

5. Data We Process — Intermediary Capacity (Summary)

This section is provided for transparency. The full legal framework governing CSI Tech's data intermediary obligations is set out in the Data Processing Agreement (DPA) issued to each managed services client.

In delivering managed IT services, CSI Tech may process the following categories of personal data on behalf of its clients:

  • Names, email addresses, and usernames of the client's employees and authorised users
  • Device identifiers and endpoint configuration data
  • IP addresses and network access logs
  • Communication metadata (for example, email headers processed by email security tools)
  • Any other personal data incidentally encountered in the course of managing IT systems

This data is processed only on the instructions of the relevant client and only as necessary to deliver the contracted services. CSI Tech does not use client employee data for its own marketing, analytics, or any purpose beyond service delivery. CSI Tech does not sell, share, or disclose client personal data to any third party except sub-processors acting under binding data processing terms as set out in Schedule G of the DPA.

Sub-processors used in CSI Tech's intermediary capacity are listed in Section 7 and in full detail in the Sub-Processor Register (available to clients and prospective clients on request).

6. How We Use Your Data (Controller Capacity)

Purpose | Data Used | Legal Basis
Scheduling and conducting meetings and consultations | Name, email, phone number (via TidyCal) | Notification and consent (PDPA s.13)
Responding to direct enquiries | Name, email address, message content | Legitimate interest / consent
Website analytics | Aggregate page views, referrers, device types — no personal data | No legal basis required (no personal data processed)
Employee administration, payroll, and compliance | HR and employment data | Employment contract obligations and statutory requirements

7. Sub-Processors and Third-Party Tools

Controller Capacity

The following tools are used by CSI Tech in its controller capacity. Personal data flows are minimal.

Tool | Provider | Country | Purpose | Personal Data | Transfer Safeguard
Ghost (website/CMS) | Elestio (self-hosted) | Singapore | Website hosting and CMS | None | N/A — Singapore
Ghost Analytics (Tinybird) | Tinybird | EU | Aggregate website analytics | None (no individual tracking) | N/A — no personal data transmitted
TidyCal | AppSumo | United States | Meeting booking and scheduling | Name, email, optional phone number | AppSumo standard contractual terms; PDPA s.26(1) and Schedule 10 (contractual safeguard)

Note: CSI Tech does not use Google Analytics, Meta Pixel, HubSpot, or any email marketing or CRM platform on this website.

Intermediary Capacity

The sub-processors listed below are engaged by CSI Tech to assist in delivering managed IT services to clients. Each sub-processor is bound by data processing terms consistent with PDPA requirements, as set out in Schedule G of CSI Tech's DPA.

Sub-Processor | Country | Service | Cross-Border Transfer?
AFI.AI (Cloudia Pty Ltd) | Australia | Microsoft 365 backup | Yes — Australian Privacy Act 1988 provides comparable protection; contractual DPA obligations applied
Gorelo | Azure region TBC | RMM / PSA platform | Pending — region to be confirmed
Microsoft Corporation | APAC (Singapore / Australia) | Microsoft 365 productivity platform | Partial — Microsoft's DPA and Data Protection Addendum apply
NAKIVO Inc. | Singapore | Server and VM backup | No
Wasabi Technologies | Singapore (ap-southeast-1) | Backup storage | No
Vultr | Singapore | Infrastructure hosting (Hudu) | No
Cloudflare Inc. | Global (anycast) | DNS, reverse proxy, and tunnel | Yes — Cloudflare DPA and Data Processing Addendum apply
DNS filtering provider | TBC | DNS-layer security filtering | TBC — to be confirmed
Huntress Labs Incorporated | United States (primary) | Managed EDR and ITDR | Yes — Huntress DPA (19 March 2025); PDPA Schedule 10 contractual safeguard; US-primary storage; UK/AU sub-processors
Email security provider | TBC | Email security and filtering | TBC — to be confirmed

Full sub-processor details — including applicable DPAs, transfer safeguard mechanisms, and data location confirmations — are published in the Sub-Processor Register, available to clients and prospective clients on request. CSI Tech will provide clients with advance notice of any material changes to sub-processors, consistent with the terms of the DPA.

8. Cross-Border Data Transfers

Under PDPA section 26(1), CSI Tech must not transfer personal data outside Singapore unless the recipient country provides a standard of protection at least comparable to Singapore's PDPA, or appropriate contractual safeguards (as described in PDPA Schedule 10) are in place.

Controller Capacity

TidyCal (AppSumo) — Singapore to United States: When you book a meeting through the TidyCal widget, your name and email address (and optionally phone number) are transmitted to AppSumo's servers in the United States. The US does not have a general adequacy determination under the PDPA. CSI Tech relies on AppSumo's standard contractual terms and privacy commitments as the transfer safeguard mechanism under PDPA s.26(1) and Schedule 10. AppSumo's privacy practices are described at appsumo.com/privacy. If you prefer not to have your personal data transferred to the US, contact us at hello@csi-tech.sg.

Intermediary Capacity

  • AFI.AI (Australia): Client backup data processed in Australia. Australia's Privacy Act 1988 provides a standard of protection comparable to Singapore's PDPA. Contractual obligations consistent with PDPA Schedule 10 are in place.
  • Gorelo (region TBC): Gorelo's data processing region is currently being confirmed. CSI Tech will not transfer client personal data to Gorelo's infrastructure until the region is confirmed and appropriate Schedule 10-compliant safeguards are in place. Clients will be notified and the Sub-Processor Register will be updated when confirmed.
  • Huntress Labs Incorporated (United States): Endpoint telemetry and M365 security event data processed in US-based data centres. Huntress is certified to the EU-U.S. Data Privacy Framework (DPF) and publishes a Data Processing Addendum incorporating contractual obligations. CSI Tech relies on Huntress's published DPA as the transfer safeguard under PDPA Schedule 10. Huntress may engage sub-processors in the United Kingdom and Australia; all are contractually bound to equivalent data protection obligations.
  • Cloudflare (global): Cloudflare's anycast network may route traffic through points of presence outside Singapore. Cloudflare's Data Processing Addendum imposes binding obligations consistent with PDPA intermediary requirements.
  • Microsoft Corporation: Where Microsoft 365 data is processed in Australia as part of Microsoft's APAC region, Microsoft's Data Protection Addendum provides binding safeguards.

CSI Tech applies PDPA Schedule 10-compliant contractual obligations as the standard transfer safeguard for all overseas sub-processors. Current details are maintained in the Sub-Processor Register, available on request.

9. Retention Periods

CSI Tech retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

Data Type | Retention Period
TidyCal booking data (name, email, phone) | 12 months from the date of booking, or until the relevant engagement is concluded, whichever is later
Direct enquiry emails and correspondence | 12 months from the date of last communication, unless an engagement begins — in which case, duration of engagement plus applicable statutory period
Website analytics | Aggregate only — no individual records retained
Managed service client data (intermediary capacity) | Duration of the MSA plus 30 days post-termination, after which data is securely deleted or returned per the DPA
Employee and contractor HR data | Duration of employment or engagement, plus applicable statutory period (typically 5 years under IRAS guidelines)

When personal data is no longer required, CSI Tech will securely delete or anonymise it in accordance with its data disposal procedures.

10. Your Rights Under the PDPA

If CSI Tech processes your personal data in its controller capacity, you have the following rights under the PDPA.

Right of Access (PDPA s.21)

You can ask CSI Tech what personal data it holds about you and how it is being used. CSI Tech will provide this information within 30 days of your request, subject to any statutory exemptions.

Right of Correction (PDPA s.22)

If you believe that personal data CSI Tech holds about you is inaccurate or incomplete, you can ask CSI Tech to correct it. CSI Tech will make the correction as soon as reasonably practicable, or explain why it is not doing so.

Right to Withdraw Consent (PDPA s.16)

You can withdraw consent to CSI Tech's processing of your personal data at any time. Withdrawal of consent may affect CSI Tech's ability to provide certain services. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

If you are a client employee (intermediary capacity): Your PDPA rights should be directed to your employer (the data controller). CSI Tech cannot independently act on access or correction requests for data processed in its intermediary capacity without the client's authorisation.

How to exercise your rights: Email hello@csi-tech.sg with the subject line PDPA Data Request. Please include your full name, the nature of your request, and any relevant details. CSI Tech will acknowledge your request and respond within 30 days.

If you are not satisfied with CSI Tech's response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

11. Data Breach Notification

What is a notifiable data breach?

Under PDPA section 26D, a data breach is notifiable if it is likely to result in significant harm to the affected individuals (for example, financial loss, reputational damage, discrimination, or physical harm), or if it affects 500 or more individuals. A breach that does not meet either threshold is not required to be reported to the PDPC, but CSI Tech will still take prompt remedial action.

Who gets notified and when?

The PDPC

Where CSI Tech determines (in its controller capacity) that a breach is notifiable, it must notify the PDPC within 3 business days of completing its assessment. If a breach affects client personal data processed as a data intermediary, the client (as data controller) bears the obligation to assess and notify the PDPC within 3 business days.

Affected individuals

Where a breach is likely to result in significant harm to specific individuals, those individuals must be notified as soon as practicable after the PDPC has been notified, or in some cases simultaneously.

Clients (intermediary capacity)

Under the DPA issued to each managed services client, CSI Tech will notify the relevant client within 48 hours of becoming aware of a security incident affecting client personal data. This window is deliberately shorter than the statutory 3-business-day PDPC deadline to give the client sufficient time to conduct its own assessment and meet its regulatory obligations.

Reporting a suspected breach

If you suspect that personal data CSI Tech holds about you has been involved in a data breach, email hello@csi-tech.sg immediately with the subject line Data Breach Report. Please describe what you have observed or suspect. CSI Tech will acknowledge your report within 24 hours and investigate promptly.

12. Cookies

CSI Tech's website does not use tracking cookies and does not place advertising or analytics cookies on your device.

Ghost's native analytics are cookieless and first-party. They collect only aggregate data and do not track individual users. No cookie consent banner is displayed because none is required.

The TidyCal booking widget embedded on this website is operated by AppSumo. CSI Tech does not control TidyCal's or AppSumo's cookie behaviour within their widget. If TidyCal sets cookies on your device, those cookies are governed by the AppSumo Privacy Policy.

13. Contact Us

For any data protection query, PDPA data request, or to report a suspected data breach, contact CSI Tech at:

Company: CSI Tech Pte. Ltd.
Address: 4 Shenton Way, #20-01 SGX Centre 2, Singapore 068807

CSI Tech Pte. Ltd. does not currently have a formally appointed Data Protection Officer (DPO). All data protection queries are handled directly by the management team. Response time: within 30 days for formal PDPA requests, and within 24 hours for breach reports.

If you are not satisfied with how CSI Tech has handled your data protection concern, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

14. Updates to This Policy

CSI Tech may update this Privacy Policy from time to time to reflect changes to our practices, technology stack, legal obligations, or the addition of new sub-processors. When changes are material, CSI Tech will provide at least 30 days' advance notice by:

Continued use of our website or services after the notice period constitutes acceptance of the updated policy for website visitors. Managed IT service clients will be notified separately in accordance with the terms of their Master Services Agreement (MSA).

For reference, our Terms and Conditions are published separately on our website. The Sub-Processor Register is available to clients on request — contact hello@csi-tech.sg.

This policy was last updated: 21 April 2026. Version: 1.1.