Legal Document

Privacy Policy

How Aster Stream Tech Pte. Ltd. collects, uses, and protects your personal data across the AsterStream AIoT platform.

Effective: 1 January 2025 Last Updated: 14 April 2025 Aster Stream Tech Pte. Ltd.

1. Overview

Summary: We collect only the data necessary to provide the AsterStream AIoT energy management platform. Your operational energy data is never sold to third parties. You retain full ownership of all data generated by your IoT devices.

Aster Stream Tech Pte. Ltd. ("AsterStream", "we", "us", or "our") operates the AsterStream AIoT Energy Management System, accessible at asterstreambuild.com and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

By accessing or using the AsterStream platform, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.

Data Controller

Aster Stream Tech Pte. Ltd., registered in Singapore. Contact: info@asterstreambuild.com

2. Data We Collect

2.1 Account & Identity Data

When you register for an AsterStream account or subscribe to our platform, we collect information you provide directly:

  • Company name, company registration number (Tenant ID), and business address
  • Contact person name, business email address, and phone number
  • Username, encrypted password (BCrypt hashed — we never store plaintext passwords)
  • Country, currency preference, and timezone settings
  • Subscription plan and billing information (processed by Stripe — we do not store raw card numbers)

2.2 IoT & Energy Operational Data

As part of providing the energy management service, we process data from your connected IoT devices:

  • Real-time and historical energy consumption readings (kWh, kW, voltage, current, power factor)
  • Device status, alarm events, and fault logs
  • Site configuration, building floor plans, and equipment schedules
  • CO₂ emission calculations and ESG report data
  • AI model inputs (anonymised energy patterns for optimisation recommendations)

2.3 Usage & Technical Data

  • Browser type, IP address, operating system, and device identifiers
  • Pages visited, features accessed, and session duration
  • API request logs (for debugging and security monitoring)
  • Error logs and performance metrics

3. How We Use Your Data

PurposeLegal BasisData Used
Providing the AsterStream platform and servicesContract performanceAccount data, IoT data
Processing subscription payments via StripeContract performanceBilling & company data
Generating AI energy optimisation recommendationsContract performanceAnonymised energy readings
ISO 50001 compliance reportingContract performanceEnergy KPIs, baselines
Sending account notifications and alertsLegitimate interestEmail, preferences
Platform security monitoringLegitimate interestIP logs, access logs
Product improvement and analyticsLegitimate interestAnonymised usage data
Legal and regulatory complianceLegal obligationAs required by law

4. Data Sharing & Disclosure

We do not sell your personal data or operational energy data to any third party, ever.

We share data only with the following categories of recipients, on a strictly need-to-know basis:

  • Stripe Inc. — Payment processing. Stripe is PCI DSS Level 1 certified. We share billing contact details only.
  • Cloud Infrastructure Providers — AWS, Microsoft Azure, or Google Cloud Platform for hosting. All data is encrypted at rest. Providers are bound by data processing agreements.
  • Legal & Regulatory Authorities — When required by law, court order, or regulatory body (e.g. Singapore PDPC, MAS). We will notify you where legally permitted.
  • Business Transfers — In the event of a merger, acquisition, or asset sale, your data may transfer to the acquiring entity, subject to equivalent privacy protections.

5. Data Retention

Data CategoryRetention PeriodReason
Account & profile dataDuration of subscription + 30 daysAllow data export after cancellation
Energy readings (IoT data)Up to 7 yearsISO 50001 audit trail requirements
ESG reportsUp to 10 yearsRegulatory and audit purposes
Payment records7 yearsSingapore tax and accounting law
Security & access logs12 monthsSecurity incident investigation
Deleted account data30 days post-deletionRecovery window, then permanent deletion

6. Security Measures

We implement industry-standard technical and organisational security measures:

  • Encryption in Transit: All data transmitted between your browser/devices and our servers uses TLS 1.2 or higher
  • Encryption at Rest: All stored data is encrypted using AES-256
  • Multi-tenant Isolation: Strict database-level isolation ensures your data is never accessible to other tenants
  • Password Security: Passwords are hashed using BCrypt with salt — we never store plaintext passwords
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Infrastructure: Hosted on ISO 27001 certified cloud data centres in Asia Pacific regions
Security Incident Notification

In the event of a personal data breach that is likely to result in harm to you, we will notify you and the relevant supervisory authority (Singapore PDPC) within 3 calendar days of becoming aware of the breach, as required by the Singapore Personal Data Protection Act (PDPA).

7. Your Rights

Under the Singapore Personal Data Protection Act 2012 (PDPA) and applicable data protection laws in jurisdictions where we operate, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right of Correction: Request correction of inaccurate or incomplete personal data
  • Right of Erasure: Request deletion of your personal data (subject to legal retention obligations)
  • Data Portability: Request your data in a structured, machine-readable format (CSV/JSON)
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time
  • Right to Restrict Processing: Request restriction of processing in certain circumstances

To exercise any of these rights, contact our Data Protection Officer at info@asterstreambuild.com. We will respond within 30 days.

8. International Data Transfers

AsterStream operates across Singapore, India, Malaysia, Indonesia, Thailand, Vietnam, and other countries. Your data may be transferred to and processed in countries outside your home jurisdiction.

When transferring data internationally, we ensure adequate protection through:

  • Data processing agreements with standard contractual clauses
  • Transfers only to countries with adequate data protection frameworks
  • Compliance with Singapore PDPA cross-border transfer obligations

9. Cookies

AsterStream uses cookies and similar tracking technologies to operate the platform. For full details, please review our Cookie Policy.

We use authentication cookies (strictly necessary, cannot be disabled) and optional analytics cookies. You can manage your cookie preferences at any time.

10. Children's Privacy

The AsterStream platform is an enterprise B2B service intended exclusively for use by businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted personal data to us, please contact us immediately at info@asterstreambuild.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to the primary contact on your account
  • Display an in-platform notification for 30 days after the change

12. Contact Us

Data Protection Officer — Aster Stream Tech Pte. Ltd.

Email: info@asterstreambuild.com
Address: Singapore
Website: asterstreambuild.com

If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.