Important: This policy is the starting point. Specific contractual commitments to enterprise customers live in a signed Master Services Agreement and Data Processing Agreement, which take precedence over anything stated here. The standard DPA is published at cascade-dpa.html — read it, print it, or email privacy@cascadeasia.com for a countersigned copy.
The data controller for this policy.
For data we hold about our customers and their seats (account information, billing, support tickets, audit logs), Cascade Asia is the data controller. We decide what to collect and why.
For data our customers load into Onsight about third-party subjects (entities they want to monitor, individuals they're researching), Cascade Asia is the data processor. The customer is the controller; we process the data on their behalf under our Data Processing Agreement.
Three buckets of data.
About you, our customer
When you sign up for Onsight, request a demo, or contact support, we collect:
| Data | How we get it |
|---|---|
| Email address | You give it to us at signup or in a form |
| Full name | You give it to us in account settings |
| Job title, company name | You provide on demo request or invitation |
| Password | You set it; we store only a hashed form (bcrypt) — we cannot see the original |
| MFA secret (if enrolled) | Generated on enrollment; stored encrypted |
| Support ticket content | You write it when filing a support request |
| Browser + IP address (last sign-in) | Captured automatically by Supabase Auth for security |
About how you use the platform
To make Onsight useful and secure, we log:
- Read events — which entity profiles, briefs, and exports you opened. Exposed to you under Account → Activity.
- Admin actions — pricing changes, role changes, brief approvals, and other consequential actions taken by Cascade Asia staff. Used for SOC 2 evidence and procurement audit.
- Notifications — what watch alerts and other in-app notifications were generated for you.
- Engagement metadata — which engagements you commissioned, when, and the deliverable status.
About subjects you research
When you load entities or individuals into your watch list or commission an engagement, we hold the subject data you provided plus any data we (or our public sources) added to enrich it. See the Subject data section below for how this is governed differently.
We do not collect: payment card details (Stripe holds those), national identifiers about our customers, location data beyond city-level inference from IP, or any biometric data.
Six purposes. No surprises.
- To provide the service. Sign you in, render the dashboard, deliver alerts, deliver engagements, generate invoices.
- To secure the service. Detect unusual activity, enforce MFA where required, log who did what for audit.
- To support you. Reply to tickets, restore data on request, troubleshoot bugs.
- To bill you. Generate invoices, reconcile payments via Stripe, comply with our tax obligations.
- To improve the service. Understand which features get used (in aggregate) so we know what to invest in. We don't run behavioral ad-targeting on this.
- To meet legal obligations. Tax records, SOC 2 evidence (when audited), responses to lawful requests from authorities.
We process customer data on the legal basis of contractual necessity (delivering the service you signed up for) and legitimate interest (security, abuse prevention, product improvement). Where consent is the proper basis (e.g. analytics cookies), we ask before setting them.
Sub-processors and nobody else.
We share customer data only with the third parties needed to deliver the service. The current list is published on our Security page with the data each one sees and the region they operate in. We notify customers at least 30 days before adding a new sub-processor that handles customer data.
We do not:
- Sell customer data to anyone, ever.
- Share customer data with advertisers or marketing networks.
- Use customer data to train AI models for use by other customers.
- Share between customers — your watchlist, your engagements, your activity, are visible only to your seats.
We may disclose data when required by lawful process (subpoena, court order). When we receive such a request, our policy is to:
- Verify the legal validity of the request.
- Narrow the scope to the minimum that satisfies the order.
- Notify the affected customer where lawful (most jurisdictions allow this except in narrow national-security contexts).
- Publish an aggregate transparency report annually starting 2027.
Tied to the customer relationship + a tail for compliance.
- Account data — for the duration of your subscription, plus 90 days for re-activation grace, then anonymized.
- Audit logs — retained as required by SOC 2 (currently 7 years) with personal identifiers replaced by stable anonymized tokens after account closure.
- Invoices and tax records — retained for the period required by Singapore and US tax law (currently 7 years).
- Support tickets — 3 years after closure, then anonymized.
- Read audit logs — anonymized but retained indefinitely as evidence the customer's seats accessed only what they were entitled to.
- Subject data — controlled by the customer who loaded it. When the customer deletes it (or their account closes), we delete subject records they uniquely loaded. Subjects also covered by other customers, or by Cascade Asia's own published research, are retained as part of our intelligence corpus.
What you can do, and how.
If you're in the EU, UK, or another jurisdiction with comparable data-protection law, you have the following rights over personal data we hold about you. Under Singapore's PDPA, customers have analogous rights (access, correction, withdrawal of consent).
- Access — get a copy of personal data we hold about you. Most of it is already visible in Account → Activity.
- Correction — fix anything inaccurate. Most fields are self-serve in Account → Profile.
- Deletion — ask us to delete your account and the personal data we hold about you. Subject to retention obligations above (some audit and tax data must be kept; identity is anonymized where possible).
- Portability — get your data in a machine-readable format. We offer CSV export of your activity, watchlist, and engagement history.
- Objection / restriction — limit how we process your data, where compatible with our delivering the service.
- Withdraw consent — for any processing that requires it (notification preferences, cookies, etc.).
- Lodge a complaint — with your local data protection authority. If you're in the EU, you can also reach our representative there (currently appointed via our Data Processing Agreement; address available on request).
To exercise any of these rights, email privacy@cascadeasia.com. We acknowledge within 72 hours and respond within 30 days as required by GDPR. No fee for reasonable requests.
If you're not a customer but you're named in our data.
Onsight holds information about third-party subjects — companies, beneficial owners, sanctioned individuals — that our customers have asked us to research, or that we publish in our intelligence briefs. If you're a named subject and want to know what we hold or have a correction:
- If we published a brief about you, use the Right of Reply form to submit a rebuttal that gets attached to the public record. We don't retract published findings except by formal correction process.
- If you're a subject loaded by a Cascade customer in their private workspace, we don't disclose which customer or what they hold. You can submit a data-subject access request to rights@cascadeasia.com; we will route the request to the customer who controls that data and respond as their data processor.
- If you believe a published finding is materially wrong, email rights@cascadeasia.com with citations. Our editorial team reviews. Documented errors are corrected with a published correction note; the original record remains for audit, marked as superseded.
Cascade Asia processes subject data on the legal basis of legitimate interest (the public interest in due-diligence transparency for businesses operating in the markets we cover) and contractual necessity (delivering the service to the customer who commissioned the research). Where applicable law requires consent for a specific category (e.g. health-status inferences), we don't process that category.
Strictly necessary, plus a small amount of preference storage.
We use the minimum cookies needed to operate the service. We do not use third-party advertising cookies, tracking pixels, or behavioral retargeting.
- Authentication cookies set by Supabase Auth. Required for sign-in to work. Expire on sign-out.
- Preference storage in your browser's localStorage: your default lens, your last-acknowledged jurisdiction-ceiling notice, your dismissed first-time-user panel. Used only to make the UI behave the way you set it.
- No analytics cookies are set without consent.
Customer data stays in Singapore. Sub-processor data moves.
Our primary infrastructure runs in Singapore (AWS ap-southeast-1). Customer data does not leave that region under our control.
Some sub-processors operate in other regions (Stripe in US/EU; Resend in US; Browserless in EU). When customer data crosses borders to reach those sub-processors, the transfer is governed by Standard Contractual Clauses where applicable, and by the sub-processor's own compliance posture (Stripe is GDPR-DPF certified; Resend is SOC 2 Type II audited). The full sub-processor list with regions is on the Security page.
Onsight is not for children.
Onsight is a B2B platform sold to professional compliance, ESG, investment, and investigation teams. We do not knowingly collect personal data from anyone under 16. If we learn that we have, we delete the data and the account.
Where Onsight holds research about subjects who happen to be minors (e.g. named in a beneficial-ownership filing), our editorial standards specifically exclude personal data about minors except to the minimum extent needed to identify the legal entity.
We'll tell you before anything material changes.
For any material change to this policy — adding a new sub-processor that handles customer data, expanding the scope of what we collect, changing how we share data — we will:
- Email every customer at least 30 days before the change takes effect.
- Post a notice on the customer dashboard for the 30-day window.
- Publish the prior version's text on this page (in a "previous versions" link, forthcoming).
Non-material changes (typos, contact-address updates, restructuring) are made without notice; the "Effective" date at the top changes.
Questions about this policy: privacy@cascadeasia.com.
