Privacy Policy

Data controller: MOYA ANALYTICS PTE. LTD., an Exempt Private Company Limited by Shares incorporated in Singapore.

Registered office: 33A Pagoda Street, Singapore 059192.

Privacy and data protection contact (including DPO/contact point): contact@moya-analytics.com.

This Privacy Policy applies to our website, product, APIs, and related services under the MOYA Cascade brand. It applies to personal data processed when you access our marketing pages, create an account, use workspace features, manage organizations, and interact with our support channels.

• Account data: email address, authentication credentials/tokens managed through our identity provider, and MFA state.
• Profile data: first name, last name, full name, avatar URL/image, and account timestamps.
• Organization and collaboration data: organization names, roles, memberships, invitation records, invitation messages, and membership actions.
• Process and supplier workspace data: operational datasets you provide (for example supplier names, optional supplier contact emails, process/resource information, and emission modelling records).
• Technical and security data: IP address and user-agent information from requests, API request metadata, and rate-limiting identifiers used for abuse prevention.
• Cookie/session data: authentication/session cookies and invitation-flow cookies described in our Cookie Policy.

• Directly from you when you sign up or use the product.
• From your organization administrators or teammates (for example when they invite you).
• From third-party identity providers you choose (for example Google OAuth sign-in).
• Automatically from device/network interactions and security logs.

We process personal data to:

• provide and secure accounts, sessions, and MFA-protected access;
• deliver workspace functionality (organizations, invitations, process modeling, and supplier-link workflows);
• send service communications (for example invitation emails);
• operate, maintain, troubleshoot, and protect platform reliability and security;
• comply with legal, regulatory, and audit obligations.

For GDPR-covered processing, we rely on one or more of:

• Contractual necessity: to provide the service you request (account, authentication, workspace operations).
• Legitimate interests: service security, fraud/abuse prevention, platform stability, and product administration.
• Consent: where required for specific processing activities.
• Legal obligation: where processing is required by applicable law.

For Singapore PDPA, we process personal data on applicable PDPA bases, including consent/deemed consent where relevant, contractual necessity, and statutory exceptions.

We do not sell personal data. We share personal data only where necessary to operate the service or comply with law.

We may also use additional infrastructure providers, including selected services hosted on VPS and/or AWS in the future. This does not necessarily mean a full infrastructure migration. We will update this Privacy Policy when materially relevant providers are added.

Because our providers operate globally, personal data may be processed outside your country (including outside Singapore and/or the EEA). Where required, we use contractual and organizational safeguards for cross-border transfers (for example data processing agreements and transfer clauses).

• We retain personal data for as long as needed for the purposes in this notice, including legal, compliance, and security obligations.
• Invitation cookies (`cascade_invitation_id`, `cascade_invitation_token`) expire after 7 days.
• Invitation records include an expiry timestamp and may be retained longer for security and audit evidence.
• You can request deletion of your personal data through our Data Rights Request process, subject to legal and operational constraints.

We use technical and organizational controls appropriate to the risk, including authenticated access controls, MFA enforcement for protected areas, transport security, origin checks, and role-based authorization controls.

Depending on your jurisdiction, you may have rights to:

• access your personal data;
• correct inaccurate or incomplete personal data;
• request deletion of personal data (subject to legal retention and security requirements);
• restrict or object to certain processing;
• data portability (where applicable);
• withdraw consent where consent is the legal basis.

To exercise rights, contact contact@moya-analytics.com or use our Data Rights Request page.

If you are in the EEA/UK, you may lodge a complaint with your local data protection supervisory authority. If you are in Singapore, you may contact the Personal Data Protection Commission (PDPC).

Our services are intended for business and professional use and are not directed to children under 16. Do not use the service if you are below the age required under your local law to provide valid consent.

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where required, by providing additional notice.