Privacy Policy

Last updated: 13 April 2026

1. Who We Are

impactnet Pte. Ltd. (“we”, “us”, “our”) operates the Empower platform (“Service”), a dashboard that helps Singapore charities and non-profit organisations manage volunteer programmes.

For data protection enquiries, contact us at privacy@impactnet.sg.

2. What Data We Collect

We collect the following categories of personal data:

Data type	What it is	Purpose
Account	Email address, password (hashed)	Creating and securing your account
Organisation profile	Organisation name, UEN, description, contact person name, contact email, address, logo image	Displaying your public profile to student volunteers
Volunteer records	Full name, school/organisation, age of volunteers you add manually	Managing your volunteer programme
Usage analytics	Pseudonymous user ID, page visits, feature interactions	Improving the platform (PostHog)
Error reports	Error stack traces, user ID	Diagnosing technical issues (Sentry)

We do not collect sensitive personal data (NRIC numbers, financial details, health information) and do not knowingly collect data from persons under 18 years old through this platform.

3. How We Use Your Data

We use personal data only for the purposes for which it was collected:

Providing and operating the Empower Service
Sending transactional emails (e.g. application status notifications to volunteers via Resend)
Powering in-app AI features — your account context (organisation name, postings, volunteer list) is sent to Anthropic's Claude API to generate relevant responses
Diagnosing errors and improving platform reliability (Sentry)
Analysing aggregate feature usage (PostHog — pseudonymous)

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

4. Third-Party Service Providers

We engage the following processors to operate the Service. Each is bound by contractual data protection obligations:

Provider	Purpose	Location	Data shared
Supabase Inc.	Database and authentication	United States	Core infrastructure
Anthropic PBC	AI language model	United States	Minimised account context (organisation name, description, contact, postings, volunteer first names/schools/hours, pending applications, events, reflections) per chat request. UEN and full address are never sent.
Sentry Inc.	Error monitoring	United States	Stack traces with PII fields filtered via `beforeSend`; user identified by opaque UUID only
PostHog Inc.	Product analytics	United States	Pseudonymous user ID only; `autocapture: false`, input masking enabled
Resend Inc.	Transactional email	United States	Recipient email + notification content
Upstash Inc.	Rate limiting	United States / EU	Pseudonymous user ID only

Data transferred overseas is covered by standard contractual clauses or the processor's participation in equivalent frameworks. By using Empower you acknowledge these transfers.

5. Data Retention

We retain personal data only for as long as your account is active, unless a longer period is required by law. When you delete your account — either from your profile page or by emailing us — we hard-delete all your data immediately. There is no cooling-off window, so please use the “Download my data” option in your profile first if you want a copy.

Data type	What it is	Purpose
Account & organisation profile	Until you delete your account — then erased immediately	Hard delete, no recovery
Uploaded images (logo, cover photo)	Until you delete your account — then erased immediately	Removed from object storage on account deletion
Volunteer records, applications, reflections	Until you delete your account — then erased immediately	Cascading hard delete
Events, check-ins, hours log	Until you delete your account — then erased immediately	Cascading hard delete
Error logs (Sentry)	90 days	Managed by Sentry retention settings
Analytics events (PostHog)	1 year	Managed by PostHog retention settings
Email delivery logs (Resend)	30 days	Managed by Resend retention settings

6. Your Rights Under the PDPA

Under the Singapore Personal Data Protection Act 2012 (PDPA) you have the right to:

Access — request a copy of the personal data we hold about you
Correction — request that we correct inaccurate or incomplete data
Withdrawal of consent — withdraw consent to collection/use, though this may prevent us from providing the Service
Erasure — request deletion of your account and associated data
Data portability — request an export of your data in a machine-readable format

To exercise any of these rights, email privacy@impactnet.sg with the subject line “PDPA Data Request”. We will respond within 30 days.

You may also download a full machine-readable export of your data, or delete your account and all associated data, directly from the “Danger Zone” section on your profile page. Deletion is immediate and irreversible.

7. Cookies and Tracking

We use essential session cookies (via Supabase Auth) to keep you logged in. We do not use advertising cookies or cross-site tracking cookies. Analytics events (PostHog) are tied to a pseudonymous ID, not your email or name.

8. Security

We implement industry-standard safeguards including TLS encryption in transit, row-level security on all database tables, and role-based access controls. Passwords are never stored in plain text (hashed by Supabase Auth). Despite these measures, no system is completely secure — please use a strong, unique password.

9. Changes to This Policy

We may update this policy periodically. When we make material changes we will notify you by email or by a prominent notice in the app at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.

10. Contact

Questions or complaints about how we handle your data should be directed to:

Data Protection Officer
impactnet Pte. Ltd.
privacy@impactnet.sg

If you are unsatisfied with our response you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

Back to dashboard