1. Information we collect
We collect the minimum information needed to operate Hiva and meet our legal obligations. Specifically:
- Account details — email address and (optionally) name, supplied by you via Auth0 when you sign up or log in.
- Subscription and billing data — handled by Paddle, our Merchant of Record. Hiva never sees or stores your full card number, CVV, or expiry. Paddle returns anonymised tokens we use to recognise your plan.
- Product usage — pages viewed, searches run, projects you favourite, and similar interactions. This is used to operate the service and improve features.
- Support correspondence — emails and messages you send us, retained so we can follow up and improve future support.
- Technical metadata — IP address, browser type, device type, and approximate location (city level) inferred from IP. Used for security, abuse prevention, and to distinguish bots from humans.
2. Where our property data comes from
The property intelligence Hiva presents — projects, transactions, rentals, scores — is built from public and government-licensed sources. We do not scrape private listings, harvest agent inventories, or buy resale lead lists. Specifically:
- URA — caveat transaction history and median rental data, redistributed under URA's open-data terms.
- data.gov.sg — planning-area boundaries, school locations, and government-published datasets.
- OneMap — geocoding and Singapore base mapping.
- MAS — published interest rate data used for mortgage calculations.
- Google Places — amenity, school, and review data via the Places API under Google's licence.
Scores, sleeves, and rankings are computed by Hiva from these inputs. Methodology is proprietary, but the input layer is transparent and verifiable.
3. How we use your information
We use the information collected to:
- Operate the service — authenticate you, render the right pages, save your settings.
- Handle billing through Paddle and meet tax-reporting obligations in your jurisdiction.
- Improve the product — diagnose bugs, monitor performance, prioritise features.
- Communicate operationally — service updates, security notices, plan-related emails.
- Send marketing or newsletter content only if you've subscribed; you can unsubscribe at any time using the link in any such email.
- Meet legal obligations and respond to lawful requests from Singapore authorities.
4. How AI is used at Hiva
Hiva uses large language models (currently Anthropic Claude) for two scoped purposes:
- Content generation — our editorial blog articles are drafted with AI assistance and reviewed before publication.
- AI shortlist — paid-tier users can describe their property goals in natural language; the model returns a ranked shortlist with reasoning, using only project metadata and public scoring data as input.
Your personal information is not used to train any AI model. Prompts to third-party model providers do not include identifying information. Anthropic operates under a zero-data-retention API agreement for our usage tier.
5. Who we share data with
We do not sell, rent, or share your personal data with third parties for their marketing. Hiva does work with a small number of subprocessors required to deliver the service. Each is bound by a data processing agreement.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Auth0 (Okta) | User authentication | Email, name, login activity | United States |
| Paddle | Payment processing and tax | Billing details, transaction history | United Kingdom / EU |
| Anthropic | AI summarisation and shortlist | Anonymised prompts; no PII | United States |
| Railway | Application hosting and database | All application data at rest (encrypted) | United States |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata | Global edge network |
We may also disclose information when required by law, court order, or to protect the rights, property, or safety of Hiva, our users, or the public.
6. Data security
Hiva runs on encrypted infrastructure with industry-standard controls:
- TLS 1.2+ in transit; encryption at rest on hosted databases.
- Role-based access controls limit which team members can access production systems.
- Auth0 handles password hashing, session management, and multi-factor support.
- Production secrets are stored in Railway's encrypted environment, never in source control.
- Database backups are encrypted and retained per provider policy.
- We log access to sensitive systems and review logs for anomalies.
No system is perfectly secure. In the event of a confirmed breach affecting your data, we will notify you and the Singapore PDPC within the timeframes required by PDPA.
7. Your rights under PDPA
Under Singapore's Personal Data Protection Act, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — request updates to inaccurate or outdated information.
- Withdraw consent — for processing that relies on consent (e.g., marketing).
- Deletion — request that we delete your account and associated personal data.
- Portability — request your data in a machine-readable format.
To exercise any of these rights, email hiva.sg@gmail.com with the subject "PDPA Request". We respond within 30 days. You may also lodge a complaint with the Singapore Personal Data Protection Commission (PDPC) if you believe we have mishandled your data.
8. Data retention
We retain personal data for as long as your account is active and as needed to provide the service. When you delete your account:
- Identifying information is removed from our active systems within 30 days.
- Encrypted backups containing residual data are rotated out within 90 days.
- We may retain billing records for up to 7 years where required by Singapore tax law, and aggregated, non-identifying usage analytics indefinitely.
9. Cookies and analytics
Hiva uses a small set of strictly necessary cookies for authentication (session tokens via Auth0), security (CSRF protection), and remembering your settings. We do not run third-party advertising trackers, fingerprinting scripts, or behavioural ad pixels. If we ever add product analytics, we will list the provider here and respect your browser's Do Not Track signal.
10. International data transfers
Some of our subprocessors are based outside Singapore (see table above). Where personal data is transferred internationally, we rely on the recipient's enforceable contractual obligations to provide protections comparable to PDPA, including standard data protection clauses where applicable.
11. Children's privacy
Hiva is intended for users aged 18 and over. Property investment in Singapore is a regulated adult activity. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our subprocessor list, or the law. When we make material changes, we will update the "Last updated" date at the top of this page and, for changes that meaningfully expand how we use your data, give you advance notice by email before the change takes effect.
13. Contact us
Questions about this policy, privacy practices, or data-related requests:
hiva.sg@gmail.com
We respond within 30 days.
For partnership, integration, or DPA (Data Processing Agreement) requests, please mention "Partnership" in the subject line so it gets routed to the right person.