Legal
Privacy Policy
This Privacy Policy explains how MOYA Analytics collects, uses, stores, and shares personal data when you use MOYA Cascade. It is written to align with applicable requirements under the GDPR and PDPA frameworks.
Last Updated: February 28, 2026
Legal entity: MOYA ANALYTICS PTE. LTD. (UEN 202432360K)
Entity type: Private Company Limited by Shares
Primary activity: Carbon consultancy services
Secondary activity: Data analytics, processing and related activities N.E.C.
Registered address: 33A Pagoda Street, #NA, Singapore 059192
Questions about this document can be sent to contact@moya-analytics.com.
1. Controller and Scope
MOYA ANALYTICS PTE. LTD. (UEN 202432360K), a Singapore private company limited by shares incorporated on August 8, 2024, operates MOYA Cascade and acts as the data controller for personal data described in this policy, except where another controller is explicitly identified by contract.
- Registered Address: 33A PAGODA STREET #na Singapore 059192
- Primary Business Activity: Carbon consultancy services
- Secondary Business Activity: Data analytics, processing and related activities n.e.c.
For the purposes of this page, “GDPR” refers to Regulation (EU) 2016/679 and “PDPA” refers to applicable Personal Data Protection Act requirements, including Singapore's Personal Data Protection Act 2012 where applicable.
Contact for privacy requests: contact@moya-analytics.com. Postal contact: 33A PAGODA STREET #na Singapore 059192.
This contact point serves as our privacy contact and PDPA data protection contact for user rights and complaints.
2. Data We Collect
We collect data directly from you, from your use of the product, and from other users when they interact with you through collaboration features.
| Category | Data Fields | Where It Comes From |
|---|---|---|
| Account and identity | Email, user ID, authentication credentials (managed by Supabase Auth) | Sign-up, login, password reset, and account confirmation flows |
| Session and security data | Session cookies, token refresh cookies, session state, auth timestamps | Browser and server session handling |
| Profile and plan data | Profile email, plan assignment, plan status, usage limits | Internal account provisioning and usage-limit features |
| Process modelling content | Asset names/descriptions, process/version JSON data, global resource lists | Data you create and save inside process-modelling features |
| Process map content | System names/descriptions, locations, latitude/longitude, edges, placements, tax budgets | Data you create and edit inside process-map features |
| Collaboration request data | Sender/receiver email, sender/receiver IDs, request message, resource, location, coordinates, request status timestamps | Request workflows between product users |
| Solver and results data | Solver run payloads/results, run type, system ID, run metadata, generated dashboards and analytics output | Solver, cascade, and abatement actions you initiate |
| Technical request data | IP address, user-agent, and request metadata processed by our infrastructure and service providers | Standard web and API operation logs |
Location coordinates in process maps and requests come from user actions in the map editor (for example, map clicks and user-entered location names). We do not run continuous background device geolocation tracking.
3. How We Use Personal Data
- Provide account access, authentication, and session management.
- Store and render the process, version, and map data you create.
- Deliver collaboration features including inbound/outbound system requests.
- Run solver and abatement workflows and persist result artifacts.
- Enforce usage limits, protect service security, and detect misuse.
- Meet legal obligations and maintain operational records.
4. Legal Bases (GDPR and PDPA)
Where GDPR applies, we rely on one or more of the following:
- Contract necessity: delivering requested product features and account services.
- Legitimate interests: security, abuse prevention, and service reliability.
- Legal obligation: compliance with applicable law.
- Consent: when required for optional processing.
Where PDPA applies, we process personal data under applicable bases including consent and business-operational necessity permitted by law.
5. Cookies and Similar Technologies
We use session/authentication cookies required to keep users securely signed in and to protect account sessions. Cookie details are provided in our Cookie Policy.
6. Sharing and Recipients
We share personal data only where needed to run the service:
- Vercel for web hosting and edge delivery.
- Amazon Web Services (AWS) for cloud infrastructure, including deployments in US East (us-east-1) and Singapore environments.
- Supabase for authentication, session handling, and database infrastructure, including US East and Singapore deployments as configured.
- Solver service providers for optimization and simulation runs initiated by users.
- OpenStreetMap tile servers when map tiles are loaded in map-based workflows.
- Regulators, courts, or advisers when legally required.
Some third-party services may act as independent controllers for data they process under their own terms and policies.
We do not sell personal data.
7. International Data Transfers
Your data may be processed in jurisdictions outside your own, including Singapore and the United States (including us-east-1 workloads), based on service configuration. When required, we use contractual and operational safeguards appropriate to the transfer context (for example, standard contractual protections and access controls).
8. Data Retention
Unless a shorter retention period is required by law or contract, we retain service data for as long as your account remains active, and thereafter as needed for legitimate business records, legal obligations, dispute resolution, and backup integrity.
In practice, current product records (including assets, brands, systems, requests, results, and usage events) are retained until deleted by user action, account removal workflow, or internal administrative action.
9. Security Measures
We apply technical and organizational safeguards including access control, authentication controls, role-based permissions, and database policy controls. No system is guaranteed to be perfectly secure.
10. Data Breach Notification
Where a personal data breach is legally notifiable, we will notify regulators and affected individuals within timelines required by applicable law. This includes GDPR Article 33 requirements where GDPR applies, and PDPA breach-notification requirements where PDPA applies.
11. Your Rights
Depending on applicable law, you may have rights to:
- Access personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Delete personal data in permitted cases.
- Restrict or object to certain processing.
- Receive a portable copy of data where applicable.
- Withdraw consent where processing is consent-based.
GDPR request handling target timeline is normally one month, subject to extensions allowed by law. For PDPA requests, we respond within legally required timelines.
Submit requests at contact@moya-analytics.com.
12. Children
MOYA Cascade is designed for business/professional use and is not intended for children.
13. Automated Decision-Making
We do not use personal data for solely automated decisions that produce legal or similarly significant effects on individuals in the sense of GDPR Article 22.
14. Changes to This Policy
We may update this policy from time to time. Material updates will be posted with a revised “Last Updated” date.
15. Complaints
If you believe your data rights have been infringed, you may contact us first at contact@moya-analytics.com and may also lodge a complaint with your local supervisory authority (including an EU data protection authority or the Singapore PDPC, as applicable).