Privacy Policy

What we collect, why, and what you can do about it.

Cascade Asia provides a B2B intelligence platform. We process two categories of personal data: information about our customers and their seats, and information about third-party subjects our customers ask us to research. This policy covers both, in plain English.

Effective 1 May 2026 · Privacy contact privacy@cascadeasia.com

Important: This policy is the starting point. Specific contractual commitments to enterprise customers live in a signed Master Services Agreement and Data Processing Agreement, which take precedence over anything stated here. The standard DPA is published at cascade-dpa.html — read it, print it, or email privacy@cascadeasia.com for a countersigned copy.

01 — Who we are

The data controller for this policy.

For data we hold about our customers and their seats (account information, billing, support tickets, audit logs), Cascade Asia is the data controller. We decide what to collect and why.

For data our customers load into Onsight about third-party subjects (entities they want to monitor, individuals they're researching), Cascade Asia is the data processor. The customer is the controller; we process the data on their behalf under our Data Processing Agreement.

Cascade Asia is a Singapore-based intelligence services company operating the Onsight platform at cascadeasia.com. Reachable at inquiries@cascadeasia.com for general matters and privacy@cascadeasia.com for data-protection matters.
02 — What we collect

Three buckets of data.

About you, our customer

When you sign up for Onsight, request a demo, or contact support, we collect:

DataHow we get it
Email addressYou give it to us at signup or in a form
Full nameYou give it to us in account settings
Job title, company nameYou provide on demo request or invitation
PasswordYou set it; we store only a hashed form (bcrypt) — we cannot see the original
MFA secret (if enrolled)Generated on enrollment; stored encrypted
Support ticket contentYou write it when filing a support request
Browser + IP address (last sign-in)Captured automatically by Supabase Auth for security

About how you use the platform

To make Onsight useful and secure, we log:

About subjects you research

When you load entities or individuals into your watch list or commission an engagement, we hold the subject data you provided plus any data we (or our public sources) added to enrich it. See the Subject data section below for how this is governed differently.

We do not collect: payment card details (Stripe holds those), national identifiers about our customers, location data beyond city-level inference from IP, or any biometric data.

03 — Why we use it

Six purposes. No surprises.

We process customer data on the legal basis of contractual necessity (delivering the service you signed up for) and legitimate interest (security, abuse prevention, product improvement). Where consent is the proper basis (e.g. analytics cookies), we ask before setting them.

04 — Who we share it with

Sub-processors and nobody else.

We share customer data only with the third parties needed to deliver the service. The current list is published on our Security page with the data each one sees and the region they operate in. We notify customers at least 30 days before adding a new sub-processor that handles customer data.

We do not:

We may disclose data when required by lawful process (subpoena, court order). When we receive such a request, our policy is to:

05 — How long we keep it

Tied to the customer relationship + a tail for compliance.

06 — Your rights

What you can do, and how.

If you're in the EU, UK, or another jurisdiction with comparable data-protection law, you have the following rights over personal data we hold about you. Under Singapore's PDPA, customers have analogous rights (access, correction, withdrawal of consent).

To exercise any of these rights, email privacy@cascadeasia.com. We acknowledge within 72 hours and respond within 30 days as required by GDPR. No fee for reasonable requests.

07 — Subject data

If you're not a customer but you're named in our data.

Onsight holds information about third-party subjects — companies, beneficial owners, sanctioned individuals — that our customers have asked us to research, or that we publish in our intelligence briefs. If you're a named subject and want to know what we hold or have a correction:

Cascade Asia processes subject data on the legal basis of legitimate interest (the public interest in due-diligence transparency for businesses operating in the markets we cover) and contractual necessity (delivering the service to the customer who commissioned the research). Where applicable law requires consent for a specific category (e.g. health-status inferences), we don't process that category.

08 — Cookies

Strictly necessary, plus a small amount of preference storage.

We use the minimum cookies needed to operate the service. We do not use third-party advertising cookies, tracking pixels, or behavioral retargeting.

09 — International transfers

Customer data stays in Singapore. Sub-processor data moves.

Our primary infrastructure runs in Singapore (AWS ap-southeast-1). Customer data does not leave that region under our control.

Some sub-processors operate in other regions (Stripe in US/EU; Resend in US; Browserless in EU). When customer data crosses borders to reach those sub-processors, the transfer is governed by Standard Contractual Clauses where applicable, and by the sub-processor's own compliance posture (Stripe is GDPR-DPF certified; Resend is SOC 2 Type II audited). The full sub-processor list with regions is on the Security page.

10 — Children

Onsight is not for children.

Onsight is a B2B platform sold to professional compliance, ESG, investment, and investigation teams. We do not knowingly collect personal data from anyone under 16. If we learn that we have, we delete the data and the account.

Where Onsight holds research about subjects who happen to be minors (e.g. named in a beneficial-ownership filing), our editorial standards specifically exclude personal data about minors except to the minimum extent needed to identify the legal entity.

11 — Changes to this policy

We'll tell you before anything material changes.

For any material change to this policy — adding a new sub-processor that handles customer data, expanding the scope of what we collect, changing how we share data — we will:

Non-material changes (typos, contact-address updates, restructuring) are made without notice; the "Effective" date at the top changes.

Questions about this policy: privacy@cascadeasia.com.