Privacy Policy
Effective Date: Dec 6th, 2025
Last Updated: Dec 6th, 2025
Welcome to RiskScan (“Service”), a security scanning solution provided by Elyxia Digital Pte Ltd (“Company”, “we”, “our”, or “us”). Your privacy is critically important to us. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our threat detection and security scanning services.
By using our services, you agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
Words whose initial letter is capitalized have the meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Affiliate means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
- Channel means a communication pathway configured by You for security scanning, including email domains, email forwarding addresses, social media accounts (WhatsApp, LINE, Telegram), or in-app scanning interfaces.
- Company (referred to as either “the Company”, “We”, “Us”, or “Our” in this Agreement) refers to Elyxia Digital Pte Ltd, 68 Circular Road #02-01, Singapore 049422.
- Cookies are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to: Singapore.
- Credit means a unit of service measurement where one (1) credit equals one (1) security scan performed on content submitted through any Channel.
- Device means any device that can access the Service, such as a computer, a cellphone, or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Risk Score means a numerical value (1-100) generated by our AI models indicating the likelihood that scanned content contains security threats.
- Scan Result means the output of our threat detection analysis, including Risk Scores, threat classifications, confidence levels, and recommended actions.
- Service refers to RiskScan at https://riskscan.io (or your designated domain).
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service, or to assist the Company in analyzing how the Service is used.
- Threat Detection means the automated analysis of content using artificial intelligence and machine learning models to identify phishing attempts, malware, spam, fraud, impersonation, and other security risks.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to RiskScan, accessible from https://riskscan.io (or your designated domain).
- You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
1. Information We Collect
We collect various types of information, including:
1.1 Personal Information You Provide
- Name, email address, phone number
- Billing information (processed securely via Stripe/PayPal)
- Login credentials for account access
- Channel configuration details (domain names, forwarding addresses, social media identifiers)
1.2 Content Data Processed for Threat Detection
RiskScan processes content submitted through your configured Channels for security analysis:
Email Domain Protection:
- Domain name, MX records, DNS configuration
- Email sender and recipient addresses
- Email subject lines and message content
- Email headers and metadata
- Attachments (scanned only, not permanently stored)
Email Forwarding:
- Forward address configuration
- Original sender information
- Message content (temporarily processed for scanning)
Social Media Channels (WhatsApp, LINE, Telegram):
- Phone numbers or platform user IDs for bot communication
- Text messages forwarded to our scanning bots
- Media files (images, documents, voice messages) sent for analysis
- Group chat identifiers (if applicable)
In-App Scanning:
- Text, URLs, email content, or documents you manually submit
- File uploads for threat analysis
Content Processing & Retention:
- Message Content: Temporarily stored for scanning purposes only and automatically deleted within 48 hours after analysis completion
- Attachments & Media: Scanned immediately upon receipt and deleted within 24 hours
- Scan Results Only: We retain metadata (risk scores, threat types, timestamps) but NOT the original content
- No Manual Review: We do not actively read, review, or manually inspect your message content. All analysis is performed by automated AI systems only.
1.3 Automatically Collected Information
- Log data (IP address, browser type, device information, timestamps)
- Cookies and tracking technologies (see Section 7)
- Usage patterns and feature interactions
- Performance metrics and error logs
1.4 Third-Party Integrations
RiskScan connects with the following third-party services:
Cloud Infrastructure Providers: Encrypted temporary storage and compute resources (AWS, Azure, Google Cloud)
AI/ML Service Providers: Threat detection and classification models hosted in US and/or EU regions
Payment Processors: Stripe and PayPal for secure, PCI-DSS–compliant transactions
Email Relay Infrastructure: SMTP relay services for domain and deliverability protection
Workflow Automation Tools: Systems for message routing and processing orchestration
Analytics Services (Optional): Aggregated usage metrics for service improvement (e.g., Google Analytics, Mixpanel)
Data Processing Agreements:
We maintain DPAs with all service providers that handle personal data to ensure GDPR and PDPA compliance.
Geographic Processing:
Data may be processed in Singapore, the United States, and/or the European Union depending on service requirements and your account configuration.
If you connect additional third-party services through our platform, we collect data only as authorized by you and those providers. Please review each provider’s privacy policy for details on their data handling practices.
2. How We Use Your Information
We use your data for the following purposes:
2.1 Service Provision
- Process and analyze content for security threats
- Generate risk scores and threat classifications
- Block, quarantine, or flag suspicious content based on your settings
- Deliver scan results and security notifications
- Maintain and improve threat detection accuracy
2.2 Threat Detection & AI Analysis
Automated Security Scanning:
- All content submitted to RiskScan is automatically analyzed by AI-powered threat detection models
- We identify phishing attempts, malware, spam, fraud, impersonation, and other security risks
- Each scan generates a Risk Score (1-100) and threat classification (low/medium/high)
- Confidence scores indicate the AI model’s certainty in its assessment
Automated Decision-Making:
- Content may be automatically allowed, quarantined, blocked, or flagged based on:
  - Your configured scan sensitivity level (basic/medium/high)
  - Risk score thresholds
  - Threat type severity
- You retain full control over scan settings and can configure actions per Channel
- All automated decisions are logged and available for review in your dashboard
AI Model Information:
- We use proprietary and third-party AI models for threat detection
- Model versions are tracked for audit and compliance purposes
- You can request human review of any automated decision through our support channels
Model Improvement & Training:
- By default, anonymized scan results (threat classifications, risk scores) may be used to improve our AI models
- We NEVER use your actual message content for model training
- You can opt out of contributing anonymized data to model improvements in your account settings
Accuracy Disclaimer:
- We strive for high accuracy in threat detection but cannot guarantee 100% detection of all threats
- False negatives (missed threats) and false positives (legitimate content flagged as threats) may occasionally occur
- RiskScan is a security tool designed to assist, not replace, user judgment and other security measures
- See Section 12 for detailed liability limitations
2.3 Security & Fraud Prevention
- Prevent unauthorized access and detect abuse
- Monitor for system anomalies and security incidents
- Enforce compliance with our Terms of Service
2.4 Customer Support
- Respond to user inquiries and troubleshoot issues
- Provide technical assistance with Channel configuration
- Investigate disputed scan results or false positives
2.5 Billing & Transactions
- Process subscription payments and manage credits
- Track usage against plan limits
- Handle refunds and billing disputes
2.6 Legal Compliance
- Maintain records as required by Singapore law and international regulations
- Respond to lawful requests from authorities (see Section 4.3)
- Comply with data protection obligations under PDPA, GDPR, and CCPA
2.7 Service Improvement
- Analyze usage patterns to enhance features
- Develop new threat detection capabilities
- Optimize performance and reliability
3. How We Store & Secure Your Data
3.1 Security Measures
🔒 We implement industry-leading security controls:
- Encryption in Transit: All data transmitted to/from RiskScan uses TLS 1.3 encryption
- Encryption at Rest: Message content stored temporarily in AWS S3 is encrypted using AES-256
- Access Controls: Role-based access restrictions limit employee access to production data
- Audit Logging: All access to scan results and customer data is logged for security monitoring
- Regular Security Audits: Penetration testing and vulnerability assessments
- Infrastructure Security: AWS-hosted infrastructure with enterprise-grade physical security
⚠️ Note: While we employ robust security measures, no system is 100% secure. See Section 3.4 for data breach notification procedures.
3.2 Data Retention Policy
Content Retention (Automatically Deleted):
- Email/Message Content: Maximum 48 hours after scan completion, then permanently deleted
- Attachments & Media Files: Maximum 24 hours after scan completion, then permanently deleted
- Temporary Processing Data: Deleted immediately after scan analysis is complete
Scan Results & Metadata Retention:
- Risk Scores & Threat Classifications: Retained for up to 1 year for analytics and reporting
- Channel Configuration Data: Retained while Channel is active, deleted upon Channel deletion
- User Account Data: Retained until you request account deletion
- Billing Records: Retained for 7 years as required by Singapore tax law
Credit Usage Tracking:
- Monthly credit consumption is tracked per billing cycle
- Usage history retained for current and previous 12 months for billing transparency
- Credits reset automatically on your monthly billing anniversary date
3.3 User-Controlled Deletion
You have full control over your data:
- Delete individual Channels and their associated scan results anytime
- Export all scan results before deletion via dashboard export function
- Request complete account deletion (all data permanently removed within 30 days)
- Contact [email protected] for deletion requests
3.4 Data Breach Notification (PDPA Compliance)
In accordance with Singapore’s and Malaysia’s Personal Data Protection Act (PDPA):
- If we experience a data breach that is likely to result in significant harm or impact to You, we will:
  - Notify the Personal Data Protection Commission (PDPC) within 72 hours of becoming aware of the breach
  - Notify affected users as soon as practicable, but no later than 3 calendar days after PDPC notification
  - Provide details about the nature of the breach, affected data, and remediation steps
- Our notification will include:
  - What data was compromised
  - When the breach occurred and was discovered
  - Actions we’ve taken to contain the breach
  - Steps you should take to protect yourself
  - Contact information for further assistance
- We maintain an incident response plan and conduct regular security drills to ensure rapid breach detection and response.
4. Data Sharing & Third-Party Services
4.1 We Never Sell Your Data
We never sell your data. We may share it only under the following circumstances:
4.2 Service Providers & Processors
- Payment Processors: Stripe, PayPal for secure transaction processing (PCI-DSS compliant)
- Cloud Infrastructure: AWS for encrypted temporary storage and compute resources
- AI/ML Providers: Enterprise artificial intelligence platforms for automated threat detection and risk scoring. We use multiple providers to ensure reliability and may change providers based on performance optimization. All AI providers are contractually prohibited from using your data for training their models.
- Email Relay Services: Infrastructure providers for email domain protection (SMTP relay)
- Analytics Tools: Google Analytics, Mixpanel (if enabled) for aggregated usage metrics only
Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with all service providers handling personal data, ensuring GDPR and PDPA compliance.
4.3 Legal Requirements & Law Enforcement
We may disclose data in response to:
- Valid Legal Process: Court orders, subpoenas, or warrants issued by Singapore courts or equivalent foreign legal authority
- Regulatory Compliance: Requests from PDPC, IMDA, or other Singapore regulatory bodies
- Emergency Situations: When disclosure is necessary to prevent imminent harm, death, or serious property damage
Our Policy on Law Enforcement Requests:
- We require all requests to comply with Singapore law and international legal assistance treaties
- We review all requests for legal validity before disclosure
- We will notify affected users unless legally prohibited (e.g., gagging orders)
- We disclose only the minimum data necessary to comply with the request
- We maintain a transparency report (available upon request) detailing the number and nature of requests received
What Data May Be Disclosed:
- Account information (name, email, subscription details)
- Scan results and risk scores (if relevant to investigation)
- Channel configuration data (domain names, forwarding addresses)
- Message Content: Only if content is still within our 48-hour retention window AND legally compelled by valid court order
What We Do NOT Disclose Without Court Order:
- Message content that has been deleted per our retention policy
- Content of communications with our support team
- Detailed threat detection algorithms or AI model parameters
4.4 Business Transfers
If RiskScan or Elyxia Digital Pte Ltd is involved in a merger, acquisition, asset sale, or bankruptcy:
- We will provide notice before your data is transferred and becomes subject to a different privacy policy
- You will have the option to delete your account before the transfer
- The acquiring entity must honor the commitments made in this Privacy Policy
5. Your Data Rights
5.1 General Rights
- Access: Request a copy of all personal data we hold about you
- Correction: Update or correct inaccurate information in your account settings
- Portability: Download your scan results and account data in CSV or Excel format
- Deletion (Right to Be Forgotten): Request permanent deletion of your account and all associated data
- Restriction: Temporarily suspend processing of your data (Channel deactivation)
- Opt-Out of Marketing: Manage email notification preferences in account settings
5.2 RiskScan-Specific Rights
- Export Scan Results: Download complete scan history with risk scores and threat classifications
- Pause/Resume Scanning: Temporarily disable scanning on any Channel without deletion
- Configure Scan Sensitivity: Adjust threat detection thresholds per Channel
- Review Automated Decisions: Access logs of all automated allow/block/quarantine actions
- Request Human Review: Submit disputed scan results for manual security analyst review
- Opt-Out of Model Training: Disable use of anonymized scan results for AI model improvement
5.3 EU & GDPR Compliance
Legal Basis for Processing:
- Contractual Necessity: We process data to provide the threat detection service you subscribed to
- Legitimate Interest: Fraud prevention, security monitoring, and service improvement
- Consent: Where explicitly provided (e.g., marketing communications, model training)
EU Data Transfers:
- If your data is transferred outside the EU/EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission
- AWS infrastructure includes EU-region data centers to minimize international transfers
- You can request details of our international data transfer safeguards
5.4 US (California) CCPA Compliance
California Residents’ Rights:
- Request disclosure of personal data collected in the last 12 months
- Request deletion of personal data (with exceptions for legal/contractual obligations)
- Opt out of data “sales” (though we do not sell data)
- Non-discrimination for exercising privacy rights
Data Categories Collected (CCPA):
- Identifiers (name, email, IP address)
- Commercial information (subscription plan, payment history)
- Internet activity (usage logs, scan requests)
- Inferences (threat patterns, false positive rates – aggregated only)
5.5 PDPA Compliance
Your Rights Under PDPA:
- Access Request: Obtain a copy of personal data within 30 days (S$10 fee may apply for extensive requests)
- Correction Request: Correct inaccurate or incomplete data within 30 days
- Withdrawal of Consent: Withdraw consent for optional data processing (e.g., marketing)
- Data Portability: Receive data in a structured, commonly used format
Our PDPA Obligations:
- Appoint a Data Protection Officer (contact: [email protected])
- Notify PDPC and affected individuals of data breaches within required timeframes
- Maintain accountability through documented data policies and staff training
5.6 Exercising Your Rights
To submit a data request:
- Email: [email protected]
- Subject line: “Data Rights Request – [Access/Deletion/Correction]”
- Include: Account email, request type, and identity verification details
- We will respond within 30 days (may be extended to 60 days for complex requests)
Identity Verification: To protect your privacy, we may request additional verification before processing sensitive requests (deletion, access to detailed logs).
6. Scan Results Storage & Analytics
6.1 What We Store
Scan Results Include:
- Risk Score (1-100) and risk level classification (low/medium/high)
- Threat types detected (e.g., “phishing”, “malware”, “spam”, “fraud”, “impersonation”)
- AI confidence score (0.0 to 1.0)
- Action taken (allowed/quarantined/blocked/flagged)
- Timestamp of scan
- Channel ID and type (email domain, WhatsApp, etc.)
- Processing time and AI model version used
What We DO NOT Store Long-Term:
- ❌ Full email/message content (deleted within 48 hours)
- ❌ Email attachments or media files (deleted within 24 hours)
- ❌ Complete conversation threads
- ❌ Sensitive personal information beyond what’s necessary for billing
6.2 Analytics Dashboard
Your RiskScan dashboard provides:
- Real-Time Monitoring: Active threat detections and scan statistics
- Historical Trends: 30/60/90-day threat analysis and risk score trends
- Channel Performance: Per-Channel breakdown of scans and detections
- Threat Intelligence: Aggregated insights into threat types and attack patterns
- Credit Usage: Real-time consumption tracking against your plan limits
Data Aggregation: Dashboard analytics are derived from stored scan results (metadata only) and do not require retention of original message content.
6.3 Reporting & Exports
- Export scan results as CSV or JSON for external analysis
- Generate compliance reports for security audits
- API access to historical scan data (Business/Enterprise plans only)
7. Cookies & Tracking Technologies
We use cookies for:
🍪 Essential Operations: Authentication, session management, security
📊 Analytics: Google Analytics, Mixpanel (aggregated usage metrics only)
🔧 Functionality: Remembering user preferences, dashboard customization
Managing Cookies:
- Adjust settings in your browser (Chrome, Firefox, Safari, Edge)
- Use “Do Not Track” signals (we honor DNT requests)
- Opt out of analytics tracking in your account settings
Cookie Duration:
- Session cookies: Deleted when you close your browser
- Persistent cookies: Expire after 30-365 days depending on purpose
8. Data Transfers & International Compliance
8.1 Cross-Border Data Transfers
RiskScan operates globally and may transfer data across borders for service provision. When we do:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Compliance: We comply with GDPR (EU), CCPA (California), PDPA (Singapore)
- Standard Contractual Clauses: Used for EU-to-third-country transfers
- Adequacy Decisions: We rely on European Commission adequacy decisions where available
8.2 Primary Data Locations
- Singapore: Primary operational headquarters (Elyxia Digital Pte Ltd)
- AWS Regions: Singapore (ap-southeast-1), EU (eu-west-1), US (us-east-1), selected based on customer location
- AI Processing: US, UK, and Singapore
9. Children’s Privacy
Our services are not intended for users under 18 years of age. We do not knowingly collect data from minors.
If You Are a Parent/Guardian: If you believe your child has provided us with personal data, please contact us immediately at [email protected]. We will promptly investigate and delete the data.
Age Verification: By using RiskScan, you represent that you are at least 18 years old or the age of majority in your jurisdiction.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features.
How We Notify You:
- Email Notification: For significant changes affecting your rights or data handling
- In-App Notification: Dashboard banner alerting you to policy updates
- Effective Date: All changes clearly marked with “Last Updated” date at top of policy
Your Continued Use: Using RiskScan after policy changes constitutes acceptance of the updated terms.
Major Changes Archive: Previous versions of this policy are available upon request for transparency.
11. Liability, Disclaimers & Limitations
11.1 Threat Detection Accuracy
Service Performance Disclaimer:
- RiskScan uses advanced AI and machine learning for threat detection, but NO security system is 100% accurate
- False Negatives: Some threats may not be detected and may reach your inbox/messaging platform
- False Positives: Legitimate content may occasionally be flagged as threats
No Guarantee of Security: RiskScan is designed as a supplementary security layer and does not replace:
- Antivirus software
- Firewall protection
- User security awareness training
- Other cybersecurity best practices
11.2 Limitation of Liability
To the maximum extent permitted by Singapore law:
- RiskScan is provided “AS IS” and “AS AVAILABLE” without warranties of any kind
- We are not liable for:
  - Damages from undetected threats that bypass our scanning
  - Lost revenue or business opportunities due to false positives blocking legitimate communications
  - Data loss due to system failures or force majeure events
  - Third-party actions or breaches beyond our control
- Liability Cap: Our total liability for any claims related to the Service shall not exceed the amount you paid to RiskScan in the 12 months preceding the claim
Exceptions: Nothing in this section limits liability for:
- Fraud or fraudulent misrepresentation
- Death or personal injury caused by our negligence
- Violations of your statutory rights that cannot be excluded by law
11.3 False Positive Resolution Process
If legitimate content is blocked or quarantined:
- Immediate Action: Access your RiskScan dashboard to review flagged content
- Manual Override: Mark the scan result as “False Positive” to whitelist the sender/content
- Appeal Process:
  - Click “Request Review” on the scan result
  - Our security team will manually analyze within 24-48 business hours
  - You’ll receive an email with the review outcome and explanation
- Allowlist Configuration: Add trusted senders/domains to your Channel’s allowlist to prevent future false positives
- Adjustment Recommendations: We may suggest lowering scan sensitivity if you experience frequent false positives
Business Impact Mitigation:
- Enterprise customers can contact priority support for immediate false positive resolution
- All users can temporarily pause scanning on a Channel if false positives are blocking critical communications
11.4 Confidential Information Handling
Automated Processing Only:
- We do not manually read or review your message content under normal operations
- All threat detection is performed by automated AI systems without human intervention
- RiskScan employees do NOT have access to your message content during routine operations
Limited Human Review Exceptions:
- You explicitly request human review of a disputed scan result
- Debugging critical system errors affecting your account (with your consent)
- Responding to valid legal process requiring content disclosure (see Section 4.3)
- Investigating Terms of Service violations (e.g., suspected abuse of the Service)
Confidentiality Safeguards:
- All employees sign confidentiality agreements
- Access to production data is logged and audited
- “Need-to-know” access principle strictly enforced
- Any manual review is conducted by authorized security analysts only
No Attorney-Client Privilege Review: While we employ technical safeguards, we cannot guarantee protection of legally privileged communications (attorney-client, doctor-patient, etc.). Users handling such communications should:
- Use end-to-end encrypted messaging for sensitive conversations
- Consult legal counsel about appropriate communication channels
- Consider excluding privileged communications from RiskScan scanning
11.5 Indemnification (See Terms of Service)
Detailed indemnification clauses covering:
- Your misuse of the Service
- Violation of third-party rights through your use of RiskScan
- Breach of Terms of Service or this Privacy Policy
→ Refer to our separate Terms of Service document for complete indemnification provisions.
12. Contact Us
For privacy inquiries, data rights requests, or questions about this policy:
Email: [email protected]
Support: [email protected]
Data Protection Officer: [email protected]
Mailing Address:
Elyxia Digital Pte Ltd
Attn: Privacy Team / Data Protection Officer
68 Circular Road #02-01
Singapore 049422
Response Time: We aim to respond to all privacy inquiries within 5 business days and complete data requests within 30 days as required by PDPA.
13. Governing Law & Dispute Resolution
Jurisdiction: This Privacy Policy is governed by the laws of Singapore, including the Personal Data Protection Act (PDPA) 2012.
Dispute Resolution:
- Informal Resolution: Contact [email protected] to resolve concerns directly
- Mediation: Singapore Mediation Centre for facilitated negotiation
- Singapore Courts: Disputes will be subject to the exclusive jurisdiction of Singapore courts
- PDPC Complaints: You may file a complaint with the Personal Data Protection Commission (PDPC) if you believe we’ve violated PDPA
International Users: If you are located outside Singapore, your use of RiskScan constitutes consent to the transfer and processing of your data in Singapore under this Privacy Policy.
Document Control
Version: 1.1
Document ID: RISK-PRIVACY-RP01
