Privacy Policy

Relay ("Relay", "we", "us", "our") operates the service available at tryrelay.pro: an AI-assisted lead management tool for property agents registered with the Council for Estate Agencies (CEA) in Singapore.

This Privacy Policy explains what personal data we collect from agents who use Relay, how we use it, who we share it with, and the rights you have under the Personal Data Protection Act 2012 ("PDPA"). It applies to the agent account holder (the "Agent", "you", "your").

If you have any question about this policy or our data practices, contact our Data Protection Officer at [email protected].

We collect only what is necessary to operate the Relay service:

• Agent account information — name, email address, password (hashed), agency name, CEA registration number, mobile number.
• Forwarded lead emails — when you forward a portal enquiry from PropertyGuru, 99.co, EdgeProp, SRX, or similar to [email protected], the email content is parsed and stored against your account. This may include the lead's name, contact number, listing reference, and enquiry text.
• Voice samples — short writing samples and past replies you submit to train your voice profile so AI drafts read like you.
• Conversation drafts and edits — drafts we generate for you, and any edits you make before sending.
• Payment metadata — Stripe customer ID, subscription status, billing email, last 4 digits of card, and invoice history. Full card numbers are handled by Stripe and never touch Relay servers.
• Usage and technical logs — IP address, browser type, timestamps, error logs, used to operate and secure the service.

• To create and operate your agent account.
• To parse forwarded lead emails into structured records you can act on.
• To draft WhatsApp replies in your voice, score lead quality, calculate Buyer's Stamp Duty (BSD) and Additional Buyer's Stamp Duty (ABSD) estimates, and generate viewing briefs.
• To auto-include your CEA registration number in every drafted reply (CEA Practice Circular requirement).
• To process subscription payments and issue invoices.
• To send service emails (account confirmation, billing receipts, security alerts).
• To investigate abuse, fraud, or misuse of the service.

We do not use your data, your voice samples, or any forwarded lead content for advertising, resale, or to train third-party AI foundation models.

Under PDPA, we rely on your consent (given when you sign up) and on the legitimate interests necessary to deliver a service you have contracted for. Where deemed consent applies (for example, processing a forwarded lead email so we can return a drafted reply to you), we limit processing to what a reasonable person would expect in that context.

Relay is the data controller of your agent account. The following third parties act as our data processors / sub-processors and are bound by their own data protection commitments:

• Supabase — managed Postgres database and authentication. Your account data, lead records, drafts, and voice profile are stored here behind Row-Level Security (RLS).
• Anthropic (Claude API) — generates reply drafts, scores, and briefs. Lead text is sent to Anthropic to produce a response and is not used by Anthropic to train models per their commercial API policy.
• Stripe — payment processing. PCI-DSS Level 1 certified. Card numbers never reach Relay infrastructure.
• Cloudflare — email routing for the @tryrelay.pro inbound address and edge security.
• Vercel — application hosting and edge network for the Relay web app.

We do not sell personal data, share it with marketers, or disclose it to other agents. We may disclose data when compelled by Singapore law, court order, or a lawful request from a competent authority (for example, the PDPC, CEA, or police).

Account and lead data is stored in Supabase regions (typically Singapore or the United States). AI processing occurs on Anthropic infrastructure. Where data is transferred out of Singapore, we rely on the recipient's contractual safeguards equivalent to the PDPA Transfer Limitation Obligation.

• Account data — retained while your account is active.
• Forwarded lead emails, conversation history, and drafts — retained while the parent account is active, or until you delete the lead from your dashboard.
• Voice samples — retained while your account is active; you can replace or delete them in Settings.
• Billing records and invoices — retained for at least 5 years to meet Singapore tax and accounting requirements.
• On account deletion, personal data and lead data are purged within 30 days, except where retention is required by law.

As an Agent using Relay, you have the right to:

• Access — request a copy of personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete personal data.
• Withdrawal of consent — withdraw consent for any purpose; this will typically require account closure as the service cannot operate without core data.
• Data portability — export your leads and drafts in CSV from the dashboard.
• Complaint — lodge a complaint with the Personal Data Protection Commission (PDPC) if you are unsatisfied with how we have handled your data.

To exercise any right, email [email protected]. We will respond within 30 calendar days as required by PDPA.

When a lead enquires through PropertyGuru, 99.co, EdgeProp, SRX, or similar portals, the lead's personal data is collected by you, the Agent. You are the Data Controller of that data under PDPA. By forwarding it to Relay, you appoint Relay as a Data Intermediary processing on your behalf, limited to the purposes set out in Section 3.

As the Data Controller, you remain responsible for obtaining consent (or relying on deemed consent), responding to lead access and correction requests, and complying with the CEA Code of Ethics and Professional Client Care.

• Data encrypted in transit over HTTPS / TLS 1.3.
• Data encrypted at rest by Supabase managed Postgres.
• Row-Level Security (RLS) on every table — you can only read your own rows; no Agent can see another Agent's leads or drafts.
• Passwords hashed by Supabase Auth using industry-standard algorithms.
• API keys and service credentials stored as server-side environment variables, never exposed to the browser.
• Stripe handles all payment data under PCI-DSS Level 1.
• Access to production systems restricted to Relay's operator and logged.

Relay uses only essential cookies needed for authentication (Supabase session) and CSRF protection. We do not deploy advertising, analytics, or third-party tracking cookies.

If a data breach affecting your personal data is likely to result in significant harm, we will notify you and the PDPC as required by the PDPA Mandatory Data Breach Notification regime, normally within 3 calendar days of assessing notifiability.

We may update this Privacy Policy from time to time. Material changes will be communicated by email and surfaced in-app at least 14 days before they take effect. The "Last updated" date above always reflects the current version.

Data Protection Officer
Email: [email protected]

To lodge a complaint with the regulator: Personal Data Protection Commission Singapore — pdpc.gov.sg.