Last updated: February 2026
SUAR fully complies with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — and the Singapore Personal Data Protection Act (PDPA).
• Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the service
• Consent (Art. 6(1)(a) GDPR) — for marketing communications
• Legitimate interest (Art. 6(1)(f) GDPR) — for service improvement and fraud prevention
Data is stored on EU servers (Supabase). When data is transferred outside the EEA (AI processing via Anthropic in the US), we ensure adequate safeguards through Standard Contractual Clauses (Art. 46 GDPR).
• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / "Right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right not to be subject to automated decision-making (Art. 22)
To exercise your rights or submit complaints:
Email: privacidade@suardot.com
You also have the right to lodge a complaint with a supervisory authority (ICO in the UK, CNIL in France, AEPD in Spain, PDPC in Singapore, etc.).
• Supabase Inc. — Database and authentication (EU)
• Anthropic — AI processing (US, with SCCs)
• Stripe Inc. — Payment processing (US/EU)
• Airwallex — Payment processing (Singapore/EU)
• OpenAI — Voice synthesis (US, with SCCs)
• Vercel Inc. — Hosting (global edge network)
• TLS 1.3 encryption on all communications
• AES-256 encryption for data at rest
• OAuth 2.0 authentication (no password storage)
• Role-based access control (RBAC)
• Regular security audits
• No payment data storage (PCI DSS via Stripe/Airwallex)
Account data: retained while account is active + 30 days after deletion. Simulation data: retained for 12 months for user progress. Payment data: per legal obligations (7 years for tax purposes).