Privacy policy

Last updated: 2026-04-11

Template notice: this policy is an honest summary of our practices but is not a substitute for legal advice. For a custom DPA or jurisdiction-specific policy, contact security@socianote.com.

1. Who we are

Socianote is a software-as-a-service platform for social service agencies, operated by Better Future Holdings Pte Ltd, a company incorporated in Singapore. When an agency (the "Customer") uses Socianote to manage their participants and cases, the Customer is the data controller and Better Future Holdings Pte Ltd (operating the Socianote service) is the data processor. This policy describes what we, as processor, do with the personal data the Customer entrusts to us.

For brevity, this policy uses “Socianote” to refer to the service and “we” / “us” to refer to Better Future Holdings Pte Ltd acting as the processor.

2. What data we process

  • Participant records: name, contact details, demographic information, consent status, case notes, support history, document attachments — only what the Customer chooses to record.
  • Staff records: name, email, role, audit trail of actions taken in the system.
  • Operational data: login timestamps, IP addresses (transient, for security), error logs (PII-scrubbed where possible).

We do not store national ID numbers (NRIC, SSN, passport), payment card data, or biometric data. We do not use participant data for advertising, analytics beyond service operation, or AI training.

3. Lawful basis

We process personal data on behalf of the Customer under a contract (the Customer's Socianote subscription plus this policy). The Customer is responsible for establishing their own lawful basis with each data subject — typically consent or legitimate interest in the social service context.

4. How we protect data

  • Encryption at rest (Supabase / AWS) and in transit (TLS 1.2+).
  • Row-level security policies enforce that organisations only see their own data.
  • Role-based access control: Admin / Supervisor / Case Manager / Viewer.
  • Every change to a sensitive record is logged in an immutable audit trail, scoped to admins and supervisors.
  • Authentication via Supabase Auth with bcrypt password hashing.
  • Service-role keys are server-side only and never exposed to browsers.

We are not currently SOC 2 or ISO 27001 certified. EU residency is available on request for enterprise customers.

4.1 Staff access

Like every SaaS provider with a hosted database, authorised Socianote personnel may access customer data. We disclose this transparently rather than pretend to have technical isolation. Specifically:

  • When: only to provide and operate the Service, respond to support requests, investigate security incidents or bugs, or comply with legal obligations. There is no casual or routine access — every access is tied to a specific operational reason.
  • Who: only authorised Socianote personnel who have signed a written confidentiality agreement.
  • How we log it: database-level access is logged at the infrastructure layer (Supabase query logs). Platform-admin operations in the application are captured in the audit trail.
  • What we will never do: sell, share, or use customer data for advertising, analytics beyond service operation, AI model training, or any secondary purpose not specified in the Data Processing Agreement.
  • What you can ask for: a written access log summary for your organisation on request, under the DPA's audit rights clause.

This is the industry-standard approach (Stripe, Notion, Vercel, Linear all disclose similar provisions). Technical isolation via column-level encryption or bring-your-own-key is available as an enterprise-tier option on request.

5. Data subject rights

Where Socianote acts as processor, data subjects should direct rights requests to the Customer agency that holds their record. Customer admins can fulfil the following requests directly from the Privacy Center inside the Socianote dashboard:

  • Right of access (GDPR Art.15 / PDPA s.21): one-click JSON export of every record we hold about a person.
  • Right to rectification: edit any field on the participant record.
  • Right to erasure (GDPR Art.17): permanent deletion with audit-log redaction. Audit chain of custody (who/when/what action) is preserved; the underlying personal data is scrubbed.
  • Right to portability: the JSON export is machine-readable and transferable.

6. Subprocessors

We use the following subprocessors to deliver the service:

  • Supabase: Database, authentication, file storage, realtime. Data location: Singapore (ap-southeast-1) — primary; EU regions available on request for enterprise customers.
  • Vercel: Application hosting, edge runtime, CDN. Data location: Global edge network; static + edge functions only — no PII at rest.
  • Resend: Transactional email (invites, password resets, notifications). Data location: United States; minimal data (recipient email + subject only).
  • Cloudflare: DNS, CDN, DDoS protection — routes traffic; IP address metadata only. Data location: Global edge network; no Customer Data persisted (request metadata retained <7 days).

Full details and links to each vendor's own privacy policy: /trust/subprocessors.

7. Retention

Personal data is retained for as long as the Customer maintains an active subscription and the data is needed for the social service work. Customer admins can configure automatic archival policies in Settings → Privacy & data. On subscription termination, data is exported and then deleted within 30 days unless legal hold applies.

8. Breach notification

In the event of a personal data breach affecting Customer data, Socianote will notify the affected Customer admins without undue delay and within 72 hours of becoming aware, in line with GDPR Article 33.

9. Contact

Privacy or security questions: security@socianote.com