Privacy Policy
Last updated: 2026-06-04
Policy scope: This policy covers the data SeaLink currently processes: account, billing, usage analytics, error diagnosis, and customer-enabled request snapshots.
1. What we collect
- Account: email, hashed password, signup timestamp
- Usage metadata: timestamps, model ID, token counts, latency, status codes
- Payment: processed by Airwallex; we do not store full payment credentials
For customer and data-subject clarity, we disclose personal information categories using common privacy-law category names: identifiers (email, account ID, IP address), commercial information (top-ups, invoices, usage, and refund records), internet or electronic network activity (API request metadata, login and security events), country/region-level location signal (for risk controls and routing, not precise location), and professional information (company invoice header, company name, tax ID, if provided). We do not collect biometric information, and we do not sell or share personal information for cross-context behavioral advertising.
2. What we do NOT collect
- Your request bodies (prompts)
- Model response bodies (completions)
- End-user data from your customers
3. Data storage & encryption
Default storage is in Singapore. Enterprise clients with dedicated residency requirements can define them in commercial and DPA terms.
- Encryption in transit: client-to-SeaLink and SeaLink internal service communication is encrypted via TLS
- Encryption at rest: database storage is AES-256 encrypted; API Keys are SHA-256 one-way hashed; OAuth tokens are encrypted with AES-256-GCM using HKDF-derived keys
- Key management: encryption keys are purpose-isolated via HKDF, ensuring API Key encryption is cryptographically separated from OAuth token encryption
4. AI model inference & transmission
When you call an AI model, SeaLink processes your prompt text through the selected model path to generate a response. SeaLink does not store prompt or completion content — we transmit only.
5. Training opt-out
You can instruct SeaLink not to use your data for model training via the X-Training-Opt-Out request header or Dashboard privacy settings. SeaLink records and applies this preference where supported by the selected model path.
6. Content moderation
SeaLink applies automated content moderation to prompts to detect: prompt injection attacks, personally identifiable information (PII) in 12 languages, and hate/harassment/self-harm content in 8 SEA languages. When PII is detected, it is masked before logging. Blocked requests log metadata only — prompt bodies are not stored.
7. Automated decision-making
AI model responses are generated by third-party providers and do not constitute automated decisions producing legal effects or similarly significant impacts on individuals. SeaLink does not use AI outputs for profiling or decision-making about individuals.
8. Third parties
Payments: Airwallex. Email: Resend. Monitoring: Sentry. CDN: Cloudflare. See /legal/sub-processors.
9. Your rights
You may access, export, correct, or delete your account data. Email contact@sealink.io.
10. Southeast Asia data protection compliance
SeaLink operates in six Southeast Asian jurisdictions and complies with each country's data protection legislation:
Singapore — PDPA 2012
SeaLink is headquartered in Singapore and complies with the Personal Data Protection Act 2012 (PDPA) and PDPC advisory guidelines. Data subjects may exercise access rights via GET /v1/me/data and erasure rights via DELETE /v1/me/data. Data Protection Officer: contact@sealink.io.
Indonesia — UU PDP No. 27/2022
Complies with Indonesia's Personal Data Protection Law (UU PDP), including data subject rights, breach notification (3×72 hours), and records of processing activities. Indonesian users may submit data requests through the same GDPR-equivalent rights mechanisms.
Thailand — PDPA B.E. 2562 (2019)
Complies with Thailand's Personal Data Protection Act B.E. 2562 (PDPA), including consent management and sensitive data classification. For minors (under 18), consent must be provided by a parent or guardian before collecting personal data. Thai data subjects enjoy GDPR-equivalent rights of access, portability, rectification, and erasure.
Philippines — RA 10173 (2012)
Complies with the Philippines Data Privacy Act of 2012 (RA 10173) and National Privacy Commission (NPC) circulars, including data subject rights, security incident notification, and the right to file complaints with the NPC. Philippine data subjects may submit requests via contact@sealink.io or file complaints directly with the NPC.
Malaysia — PDPA 2010
Complies with Malaysia's Personal Data Protection Act 2010, including notice and choice obligations, data integrity principles, and Personal Data Protection Commissioner registration requirements. Malaysian data subjects are entitled to statutory access and correction rights.
Vietnam — Decree 13/2023
Complies with Vietnam's PDPL Decree 13/2023/ND-CP, including data subject rights (access/correction/deletion/restriction/portability/objection), breach notification (72 hours), and cross-border data transfer obligations. Vietnamese data subjects may exercise their statutory rights via contact@sealink.io.
11. EU GDPR compliance
SeaLink complies with the General Data Protection Regulation (GDPR) for EU data subjects. Legal bases for processing include: contractual necessity (Art.6(1)(b)) to provide the service, and legitimate interests (Art.6(1)(f)) for security and fraud prevention, where not overridden by your fundamental rights and freedoms. International transfers rely on the European Commission's adequacy decision for Singapore. SeaLink enters into GDPR Standard Contractual Clauses (SCCs) with data processors for transfer paths not covered by an adequacy decision.
EU data subject rights (GDPR Art.15-21): access, rectification, erasure (right to be forgotten), restriction, data portability, objection, and automated decision-making opt-out. All are exercisable via GET/DELETE/PATCH /v1/me/data. For additional GDPR-specific requests, email contact@sealink.io.
12. Other applicable privacy rights
SeaLink is a Singapore company and uses Singapore PDPA and customer contracts as the primary data-protection framework. Where your local law provides additional rights, such as the CCPA/CPRA rights to opt out of sale/sharing, to know, to deletion, to correction, or to non-discrimination, you may exercise them via contact@sealink.io, /legal/privacy-choices, or the GET/DELETE /v1/me/data API. SeaLink does not "sell" or "share" personal information as defined under CCPA/CPRA, and does not collect sensitive personal information to infer consumer characteristics.
13. Data retention, deletion & cross-border transfers
Usage logs expire automatically after 90 days by default. API Keys with Zero Data Retention (ZDR) mode enabled have their usage records purged every 24 hours. Account deletion is permanent and irreversible — no data is retained or archived.
Cross-border data transfers use Singapore as the default storage region, relying on the Singapore PDPA and the EU GDPR adequacy decision as the compliance basis. For transfer paths requiring additional safeguards, SeaLink enters into EU Standard Contractual Clauses with sub-processors. Customers may negotiate dedicated data residency requirements in commercial terms and Data Processing Agreements (DPAs).
14. Contact the Data Protection Officer
DPO: contact@sealink.io / Privacy inquiries: contact@sealink.io / Security issues: contact@sealink.io / API data access: GET /v1/me/data