Privacy Policy

Nomos Pte. Ltd. ("Nomos", "we", "us") is a company incorporated in Singapore. This Privacy Policy explains how we collect, use, disclose and protect personal data in accordance with Singapore's Personal Data Protection Act 2012 ("PDPA") and applicable advisory guidelines issued by the Personal Data Protection Commission ("PDPC").

Nomos provides agentic AI services to accounting firms. Where we process personal data on behalf of a customer (for example, records belonging to the customer's own clients), we act as a data intermediary under the PDPA and our processing is governed by the Data Processing Addendum entered into with that customer. This Policy primarily addresses personal data we collect as a data controller — for example, contact details of users of our website and customer representatives.

1. Data Protection Officer

Our Data Protection Officer can be contacted at dpo@nomosagents.com or by post to Nomos Pte. Ltd., Singapore. Please mark correspondence "Attention: DPO".

2. Personal data we collect

• Business contact information: name, work email, job title, employer, phone number.
• Account information: login credentials, authentication identifiers, role and access permissions.
• Communications: enquiries, support requests, meeting notes and any information you choose to share with us.
• Usage data: log files, device and browser information, IP address, pages viewed and actions taken within our services.
• Billing data: invoicing details, purchase orders and payment references (we do not store full payment card numbers).

3. Purposes for which we use personal data

• Providing, operating and improving our services.
• Onboarding, account administration and customer support.
• Billing, accounting and tax compliance.
• Communicating service updates, security advisories and (where you have consented) marketing materials.
• Detecting, preventing and investigating fraud, abuse and security incidents.
• Complying with legal, regulatory and audit obligations in Singapore and other applicable jurisdictions.

4. Basis for collection, use and disclosure

We rely on your consent, deemed consent (including by notification under section 15A of the PDPA where applicable), the legitimate interests exception under the First Schedule of the PDPA, and other exceptions permitted by law. Where we rely on consent, you may withdraw it at any time by writing to our DPO; withdrawal may affect our ability to provide the services.

5. Disclosure to third parties

We disclose personal data only as needed to deliver the services or as required by law. Our subprocessors include cloud infrastructure providers, transactional email providers, analytics providers and professional advisors. Each is bound by written agreements requiring them to protect personal data to a standard comparable to that imposed under the PDPA.

6. Use of personal data in AI systems

Personal data processed through our services is not used to train third-party foundation models. Where AI agents process personal data on a customer's behalf, a human reviewer in the customer's organisation (or our service team, as configured) signs off before outputs are released. Model prompts, completions and intermediate artifacts may be retained on a short-term basis for quality assurance, debugging and audit, and are purged in line with our retention schedule.

7. Cross-border transfers

Personal data may be transferred to, and processed in, jurisdictions outside Singapore. Where we transfer personal data overseas, we comply with the PDPA's Transfer Limitation Obligation by ensuring the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA — including, where appropriate, contractual clauses such as the ASEAN Model Contractual Clauses or the EU Standard Contractual Clauses.

8. Security

We implement administrative, technical and physical safeguards designed to protect personal data, including encryption in transit and at rest, role-based access controls, network segmentation, vulnerability management, secret rotation, personnel training and incident response procedures. No system is perfectly secure; we maintain a programme of continuous improvement aligned with industry frameworks.

9. Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law (including Singapore's Companies Act, Income Tax Act and Goods and Services Tax Act record-keeping requirements). On termination of our relationship with a customer, customer-controlled personal data is returned or deleted in accordance with the applicable services agreement and DPA.

10. Your rights under the PDPA

You may, subject to certain exceptions under the PDPA:

• Request access to personal data we hold about you and information about how it has been used or disclosed in the past year.
• Request correction of personal data that is inaccurate or incomplete.
• Withdraw consent previously given for our collection, use or disclosure of your personal data.

Please direct requests to our DPO. We will respond within the timeframes prescribed by the PDPA. A reasonable fee may apply to access requests.

11. Cookies and analytics

Our website uses essential cookies required for it to function and may use analytics cookies to understand aggregate usage. You may disable cookies through your browser settings, although certain features may not function as intended.

12. Children's data

Our services are intended for business use and are not directed at children. We do not knowingly collect personal data from individuals under the age of 13.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through our website or, where appropriate, by direct communication. The "Last updated" date above indicates when this Policy was most recently revised.

14. Complaints

If you are not satisfied with our handling of your personal data, please contact our DPO. You also have the right to make a complaint to the PDPC at www.pdpc.gov.sg.