Privacy policy
Last updated: 29 April 2026
This policy explains what FirmWorks (“we”, “us”) collects, how we use it, and the choices you have. It applies to FirmWorks Pte. Ltd., the operator of firmworks.com and all related products and services (the “Service”).
We’re a small B2B SaaS company. We collect the minimum we need to run the Service, and we don’t sell data.
Data we collect
Account data. Name, email, password (stored as a salted hash, never plaintext), organization name, and role.
Workspace data. Documents, contacts, expenses, projects, tasks, notes, chat messages, files, and other content you put into the Service. You own this content.
Billing data. When you subscribe, our payment processor Stripe collects your card details directly. We never see or store your card number; we receive only a customer ID, the last four digits, and the subscription state.
Usage logs. IP address, user agent, request path, and timestamps for security and debugging. Retained for 90 days, then deleted.
Cookies. A first-party session cookie (firmworks.session_token) for sign-in. We do not use third-party advertising or tracking cookies.
How we use it
- Run the Service (authentication, multi-tenant isolation, audit log).
- Process billing through Stripe.
- Send transactional email (verification, password reset, invoice notifications) through Resend.
- Investigate errors, security incidents, and abuse.
- Comply with legal obligations.
We do not:
- Sell or rent your data.
- Use your workspace data to train AI models.
- Share workspace data with third parties except the sub-processors listed below, all of which are bound by data-protection contracts.
Where data lives
The application and primary database are hosted in Singapore (ap-southeast-1) on Neon and Vercel. Files you upload land in Vercel Blob (also Singapore). Email is dispatched through Resend. Billing runs through Stripe. All transit is over TLS.
Sub-processors
| Processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, edge functions, file storage | Singapore (ap-southeast-1) |
| Neon | Postgres database | Singapore (ap-southeast-1) |
| Stripe | Payment processing | Global |
| Resend | Transactional email | United States |
We may add or change sub-processors. We will update this list and post a heads-up at least 14 days before changes take effect for existing customers.
Your rights
If you are in Singapore (PDPA), Thailand (PDPA), the EU (GDPR), or the UK (UK GDPR), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your personal data, subject to legal retention requirements.
- Export your workspace data in a structured format (CSV or JSON).
- Object to or restrict processing.
Email privacy@firmworks.com and we will respond within 30 days.
Retention
- Account: deleted within 30 days of organization deletion. Billing records may be retained as required by tax law for up to seven years.
- Backups: encrypted, retained for 30 days.
- Audit logs: 1 year.
- Marketing emails: opt-in only; unsubscribe at any time.
Security
- TLS 1.2+ for all transit.
- Passwords stored as salted hashes (handled by Better Auth).
- Multi-tenant isolation enforced at every database query.
- Per-organization audit log of administrative actions.
We do not claim certifications we have not completed. If you need a security questionnaire response, contact security@firmworks.com.
Children
The Service is for organizations and is not directed at children under 16. We do not knowingly collect data from anyone under 16.
Changes
We post material changes here and email organization owners at least 14 days before they take effect.
Contact
FirmWorks Pte. Ltd. (Singapore) · privacy@firmworks.com
See also our Terms of service.