This Privacy Policy explains how Daysun Labs Pte. Ltd.("Daysun Labs", "we", "our", or "us"), the company behind Astate, collects, uses, stores, and protects personal data when you use the Astate web application and related services ("Astate" or the "Service"), or when your message is processed through an agent's Astate-powered WhatsApp workflow. If you have any questions, write to us at hello@astate.sg.
1. Who we are
Daysun Labs Pte. Ltd. is a company incorporated in Singapore (UEN 202522106R). Registered address: 152 Beach Road, #23-02, Gateway East, Singapore 189721. For purposes of Singapore's PDPA, our Data Protection Officer can be contacted at hello@astate.sg.
2. Our core data promises
Before going into the legal detail, here is what we commit to in plain terms.
- We do not train AI models on your data.Your conversations, contacts, and listings are never used to train any AI model — ours or any third party's.
- We do not sell your data or use it for unrelated marketing. We only share data with contracted service providers where needed to deliver Astate.
- Your data is isolated to your account. Other Astate users cannot see, search, or learn from your conversations, contacts, or listings.
- Your data lives in Singapore. Our primary database is hosted in the Singapore region.
- You can export or delete your data at any time. No lock-in. No leftover copies.
- The language model that drafts your replies operates under a no-training contract. Whether we use one provider or rotate between providers, the operating terms always include: no use of your data for model training, and processing-only retention. We do not directly or indirectly use WhatsApp message content to create, develop, train, or improve any machine learning or artificial intelligence system, model, or technology, including large language models.
- Astate is not a WhatsApp API reseller. Astate is a workflow tool that you use with your own WhatsApp Business Account. Your number is onboarded through the official WhatsApp Business Platform, and you remain the account holder. We do not resell, rent, or repackage WhatsApp Business Services.
- We do not request sensitive identifiers through WhatsApp.Astate does not ask clients or agents to send full payment card numbers, financial account numbers, government ID numbers (NRIC, FIN, passport, driver's licence), or other sensitive identifiers through WhatsApp. Document workflows that genuinely need those identifiers happen outside WhatsApp through secure channels.
The rest of this policy explains how we deliver on those promises.
3. Data we collect
We collect only what we need to deliver the Service.
3.1 Account data
- Your name and email address (used to log you in via magic link).
- Your business identifiers, if you choose to provide them (e.g., CEA registration number, agency name).
3.2 Service-generated content
- WhatsApp messages received by your connected business number ("Inbound Messages").
- Your draft and final replies sent through Astate ("Outbound Messages").
- Edits you make to AI-generated drafts (used only to personalize your future drafts within your own account).
- Listings, notes, and other content you upload or enter into Astate.
3.3 Contact data of your clients
- Phone numbers and display names of WhatsApp contacts who message your business number.
- Any personal data your clients voluntarily share in their messages.
Important: When your clients message your WhatsApp business number, their personal data may flow through Astate so we can organise enquiries, prepare agent-reviewed reply drafts, and record approvals. As an agent, you represent and warrant that you have the legal basis, notices, and permissions required to process this data through Astate. We act as your service provider/data processor for this content unless we separately agree otherwise in writing.
3.4 Usage and technical data
- Device, browser, operating system, IP address, and similar technical metadata.
- Feature usage events (e.g., "draft generated", "reply sent") used for product analytics — never tied to message content.
3.5 What we do not collect
- We do not access your WhatsApp account beyond the messages routed to your connected business number through our authorized BSP (360dialog).
- We do not access your phone's contacts, photos, or any data outside the Service.
- We do not collect financial information unless you become a paying customer (handled by our payment processor at that time).
4. Client messages, agent responsibility, and AI assistance
Astate is built for agent-led client communication. The agent, not Astate, is the customer-facing party that receives the client's WhatsApp enquiry and decides what final response to send. We process client messages on the agent's behalf for the limited purpose of managing property enquiries, preparing agent-reviewed drafts, sending approved replies where enabled, and keeping an audit trail.
When a client voluntarily sends a WhatsApp message to an agent about a property enquiry, that message may be used by the agent and by Astate as the agent's service provider to respond to that enquiry and closely related follow-up. This does not mean the client has agreed to unrelated marketing, bulk campaigns, future listing alerts, or use of their message content to train AI models.
Agents are responsible for giving any client-facing privacy notices and obtaining any consents required by applicable law. We provide this Privacy Policy, contractual data-processing terms, and suggested privacy wording that agents can link from their WhatsApp Business profile, listing pages, or other client-facing channels.
If you are a client of an Astate-powered agent, you can ask that agent to stop WhatsApp follow-ups or to reply without AI-assisted drafting where feasible. You may also contact us at hello@astate.sg, and we will coordinate with the relevant agent where needed.
5. How we use your data
| Purpose | Legal basis (PDPA) | Examples |
|---|---|---|
| Deliver the Service | Performance of contract / agent instructions / consent or deemed consent where applicable | Organise enquiries, generate agent-reviewed drafts, send approved replies, store conversations |
| Process client enquiries on behalf of agents | Agent responsibility and instructions / applicable client consent basis | Receive WhatsApp messages, classify enquiry context, prepare draft responses for agent review |
| Personalize your drafts | Performance of contract | Learn from agent edits and approved replies to improve future drafts within that agent account |
| Service security & fraud prevention | Legitimate interest | Detect abuse, prevent unauthorized access |
| Customer support | Performance of contract | Respond to your questions |
| Product improvement (aggregate) | Legitimate interest | Track which features are used (never tied to message content) |
| Legal compliance | Legal obligation | Respond to lawful government requests |
We do not use agent or client message content for advertising, profiling for third parties, unrelated marketing, or training AI models.
6. Subprocessors
We use the following subprocessors to deliver the Service. Each is bound by a written agreement requiring confidentiality, security, and purpose-limited processing at least equivalent to what we promise you.
| Subprocessor | Purpose | Region |
|---|---|---|
| Current LLM provider (currently Anthropic, PBC) | LLM inference for drafting replies. We may rotate providers with 30 days' notice. All providers we use are bound by equivalent no-training terms. | United States |
| Vercel Inc. | Application hosting | Singapore region |
| Turso (ChiselStrike Inc.) | Primary database (libSQL) | Singapore region |
| 360dialog GmbH | WhatsApp Business API provider | EU / regional |
| Resend, Inc. | Transactional email (magic link login) | United States |
| Upstash, Inc. | Rate limiting and caching (no message content stored) | Singapore region |
| Sentry (Functional Software, Inc.) | Error monitoring (no message content) | United States |
| PostHog Inc. | Product analytics (no message content) | United States / EU |
| Google LLC (Workspace) | Business email | Multiple regions |
We will give 30 days' advance notice before adding new subprocessors that handle message content.
7. Data sharing
We do not sell, rent, lease, or share your personal data with third parties for their own independent marketing, advertising, or data-brokerage purposes. The only situations in which your data leaves our systems are:
- To our subprocessors (Section 6), strictly to deliver the Service.
- When required by law, such as a valid court order or lawful government request. We will notify you unless legally prohibited.
- In a corporate transaction (merger, acquisition), in which case the acquiring entity must accept this Privacy Policy or notify you of changes.
We will never share your data with property portals, real estate agencies (other than your own, with your explicit consent), data brokers, or advertisers.
8. Data residency and cross-border transfer
Your account data, conversations, contacts, and listings are stored in Singapore. Some subprocessors (Anthropic, Resend, Sentry, PostHog) operate from the United States or other regions. Where personal data is transferred outside Singapore, we ensure the recipient is bound by contractual protections at least comparable to PDPA standards.
9. Data retention
| Data type | Retention |
|---|---|
| Account data | While your account is active + 30 days after deletion |
| Conversations, drafts, replies | While active. On deletion, hard-deleted within 30 days (including backups) |
| Tone learning context | While active. Deleted with your account. |
| Usage analytics (no content) | Up to 24 months in aggregate form |
| Logs (security & operational) | Up to 90 days |
| Backups | 30-day rolling, fully purged within 30 days of deletion |
You can request earlier deletion at any time (Section 11).
10. Security
We protect your data using industry-standard practices, including:
- Encryption in transit (TLS 1.2+).
- Encryption at rest for the primary database.
- Role-based access controls and the principle of least privilege.
- Logical isolation between accounts (no cross-account queries).
- Audit logging of administrative access.
- Regular review of subprocessor security posture.
No system is perfectly secure. In the event of a personal data breach affecting you, we will notify you and the Singapore Personal Data Protection Commission (PDPC) where required by law, generally within 72 hours of becoming aware of the breach.
11. Your rights
Under Singapore's PDPA, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Withdraw consent to our processing (which may end your ability to use the Service).
- Request deletion of your personal data.
- Export your data in a portable, machine-readable format.
To exercise any of these rights, write to hello@astate.sg. We will respond within 30 days. For users covered by other privacy laws (e.g., EU GDPR), additional rights may apply. We honour reasonable requests regardless of jurisdiction.
If you are a client who contacted an Astate-powered agent, the fastest route is usually to contact the agent directly because they control the client relationship and final replies. You can also write to us, and we will help route your request, including requests to stop WhatsApp follow-ups or avoid AI-assisted drafting where feasible.
12. Children
Astate is for licensed real estate professionals. We do not knowingly collect data from anyone under 18. If you believe we have collected such data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact us
For any privacy-related question, request, or concern:
Daysun Labs Pte. Ltd.
Attn: Data Protection Officer
hello@astate.sg
152 Beach Road, #23-02, Gateway East, Singapore 189721