Privacy Policy
Effective: 1 April 2026 · Governing Law: Singapore · GDPR / PDPA / DPDP compliant
1. Overview
StreetMP Sdn. Bhd. ("StreetMP", "we", "our") operates the StreetMP OS platform — a sovereign AI execution infrastructure. This Privacy Policy explains what personal data we collect, why we collect it, how it is protected, and the rights you hold as a data subject under applicable law, including the Singapore Personal Data Protection Act 2012 (PDPA), the European Union General Data Protection Regulation (GDPR), and the India Digital Personal Data Protection Act 2023 (DPDP).
2. Data We Collect
We collect the following categories of personal data:
• **Account Data**: name, email address, hashed password, and role (Client / Engineer / Admin).
• **Usage Data**: API request logs, token consumption metrics, model selections, and execution timestamps. These are retained as part of the immutable V35 Audit Ledger for regulatory compliance.
• **Billing Data**: Stripe Connect account identifiers (partially masked). We do not store raw payment card numbers.
• **Session Data**: JWT session tokens stored server-side; browser cookies contain only non-sensitive session identifiers.
• **Prompt Metadata**: SHA-256 hashes of prompt inputs and outputs. Raw prompt text is never stored — only its cryptographic fingerprint.
We never sell, broker, or rent personal data to third parties.
3. Legal Basis for Processing
Under GDPR (Article 6), we process personal data on the following lawful bases:
• **Contract Performance (Art. 6(1)(b))**: Processing required to provide API execution services, issue compliance certificates, and manage billing.
• **Legitimate Interests (Art. 6(1)(f))**: Security monitoring, fraud prevention, and abuse detection.
• **Legal Obligation (Art. 6(1)(c))**: Retaining audit logs as required by MAS TRM, BNM RMiT, and other applicable financial regulations.
• **Consent (Art. 6(1)(a))**: Marketing communications. You may withdraw consent at any time by emailing support@streetmp.com.
For Singapore users, processing is conducted under sections 13–15 of the PDPA. For India users, processing aligns with DPDP Chapter II obligations.
4. Data Retention
Retention schedules are determined by the compliance framework active on your account:
• **Default (GDPR)**: Audit logs retained for 3 years. Account data retained for the duration of the contract plus 1 year after closure.
• **MAS TRM**: Audit logs retained for 5 years (1,825 days) per MAS TRM §9.4.1.
• **BNM RMiT**: Audit logs retained for 7 years (2,556 days) per BNM RMiT §10.55.
After the applicable retention period, data is cryptographically wiped from all primary and backup storage.
5. Security Measures
StreetMP OS employs enterprise-grade security at every layer:
• **Encryption**: All data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM).
• **Zero-Knowledge Architecture**: Raw prompt text passes through the V67 DLP Scrubber and is never logged in cleartext. Only SHA-256 hashes are persisted.
• **Hardware Enclave**: Sensitive operations run within AWS Nitro Enclaves — an isolated execution environment with no persistent memory.
• **API Keys**: Stored exclusively as SHA-256 hashes. Plaintext keys are displayed once upon generation and immediately discarded.
• **Access Control**: All internal service communication requires HMAC-signed tokens. Human access to production databases follows a Zero Standing Privilege policy.
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
• **Access (GDPR Art. 15, PDPA §21)**: Request a copy of all personal data we hold about you.
• **Rectification (GDPR Art. 16, PDPA §22)**: Request correction of inaccurate data.
• **Erasure (GDPR Art. 17, DPDP §11)**: Request deletion of your data. Note: data anchored in the V35 Immutable Audit Ledger cannot be erased due to legal obligations.
• **Portability (GDPR Art. 20)**: Receive your account data in machine-readable format (JSON/CSV).
• **Objection / Withdrawal of Consent**: Object to processing based on legitimate interests, or withdraw marketing consent at any time.
To exercise any right, email **support@streetmp.com** with subject "Data Rights Request — [Your Right]". We will respond within 30 days.
7. Third-Party Processors
We share personal data only with trusted processors under Data Processing Agreements:
• **Stripe Inc.** (payment processing) — SOC 2 Type II certified.
• **Resend Inc.** (transactional email) — data processed in the EU.
• **Sentry Inc.** (error monitoring) — PII scrubbed before transmission per our Sentry DSN configuration.
• **AWS** (infrastructure) — data residency enforced per your active compliance framework (SG / MY / EU).
8. Contact & DPO
For privacy inquiries, data rights requests, or to report a breach:
**StreetMP Sdn. Bhd.**
Unit 3A-01, Menara KL Eco City Bangsar, 59200 Kuala Lumpur, Malaysia
Email: support@streetmp.com
DPO Email: dpo@streetmp.com (EU/UK GDPR enquiries)
Last updated: 1 April 2026