Back to Home

Privacy Policy

Last updated 28 April 2026

OriginSpace is operated by HomeAuto Solutions Pte. Ltd., a company incorporated in Singapore. This policy describes how we collect, use, disclose, and protect personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA). By using OriginSpace (originspace.homeauto.sg), you agree to the practices described below.

1. Data we collect

We collect data you provide directly and data generated as you use the platform.

  • Account data: name, email, phone (Singapore +65 or China +86), password hash, role (customer / supplier / contractor / admin), language preference.
  • Brief data (customers): property type, district, floor area, budget range, design styles, services needed, project description.
  • KYC data (suppliers and contractors): National ID, business licence (营业执照), export licence, HDB licence number, BCA registration number, business name in English and Chinese, WeChat ID, province, city.
  • Transactional data: orders, milestone payments, settlements, invoices, dispute records and evidence files.
  • Communications: in-platform chat messages between customers, suppliers, and contractors; AI-agent (Ori) conversations.
  • Technical data: IP address, browser type, device identifiers, session cookies (`originspace_session`), error and audit logs.

2. How we use your data

  • Provide the marketplace: matching briefs to suppliers and contractors, accepting proposals, processing milestone payments, holding funds in escrow, and resolving disputes.
  • Verify identity and business credentials (KYC) before allowing supplier or contractor accounts to accept work.
  • Send transactional emails (registration confirmation, proposal updates, payment receipts, milestone reminders, dispute notifications) via Resend from [email protected].
  • Detect, prevent, and investigate fraud, abuse, and security incidents through audit logging and rate limiting.
  • Improve the platform, including providing the Ori AI assistant (powered by Anthropic Claude) for customer support and brief drafting.
  • Comply with legal and regulatory obligations under Singapore law.

3. Cross-border data transfer to China

OriginSpace connects Singapore homeowners with suppliers and designers based in mainland China. In order to deliver this service, certain personal data is necessarily transferred to and accessed from outside Singapore.

  • What is transferred: the customer's first name, project brief contents (property details, budget, styles, design preferences), and in-platform chat messages with the matched supplier or contractor. The customer's home address, full identity documents, and payment card details are not shared with suppliers or contractors.
  • Where it is accessed: mainland China (designers, material suppliers, furniture manufacturers) and Singapore (local contractors and OriginSpace staff).
  • Legal basis: performance of the marketplace contract you enter into when you submit a brief or accept a proposal.
  • Safeguards: contractual obligations on suppliers and contractors under our Supplier Terms and Customer Terms; KYC verification; in-platform chat (rather than direct exchange of personal contact details) until a proposal is accepted; restricted reveal of WeChat ID until acceptance.

In accordance with Section 26 of the PDPA, OriginSpace takes reasonable steps to ensure that recipient organisations are bound to a comparable standard of data protection.

4. Third-party processors

We use the following processors to operate the platform:

  • Stripe (payment collection, SGD) — payment card data is collected directly by Stripe; OriginSpace receives only tokenised references.
  • Airwallex (CNY supplier payouts; live API not yet active — payouts are currently manual).
  • Cloudflare R2 (file storage for KYC documents, profile photos, portfolio images, dispute evidence).
  • Cloudflare (CDN, bot mitigation, performance analytics).
  • Resend (transactional email).
  • Railway (PostgreSQL database hosting).
  • Anthropic (Claude API for the Ori AI assistant; conversations may be transmitted to Anthropic for inference).
  • Sentry (error tracking, with user identity attached for crash investigation).
  • Upstash Redis (rate-limit counters).
  • Logify (sea-freight shipment data for delivery tracking).

5. Cookies and similar technologies

We use a strictly necessary session cookie (originspace_session, encrypted via iron-session, 7-day expiry) to keep you logged in. We use Cloudflare analytics for aggregate, privacy-preserving performance metrics. We do not use third-party advertising trackers. You can opt out of non-essential analytics via the cookie banner shown on first visit; your choice is stored locally on your device.

6. Retention

  • Account data: retained for as long as the account is active, plus 7 years after closure for tax and audit purposes.
  • KYC documents: retained for 7 years after account closure as required for supplier verification trail.
  • Transactional records (orders, payments, settlements): retained for 7 years to comply with Singapore tax and accounting obligations.
  • Audit logs: retained for 2 years.
  • Chat messages: retained for 2 years after the last message in a conversation.
  • Dispute evidence: retained for 7 years after dispute resolution.

7. Security

Passwords are hashed with bcrypt. Sessions are encrypted with iron-session. We enforce token-version session invalidation on password reset and admin sensitive actions, CSRF origin checks, per-user and per-IP rate limits, and a structured audit log of security-relevant events. KYC documents and dispute evidence are stored on Cloudflare R2 with private ACLs and short-lived signed URLs.

8. Your rights under the PDPA

You have the right to:

  • Access the personal data we hold about you and request a copy.
  • Correct or update inaccurate or incomplete data.
  • Withdraw consent for non-essential processing (this may limit your ability to use the service).
  • Request deletion of your data, subject to retention obligations under Section 6.
  • Lodge a complaint with the Personal Data Protection Commission of Singapore (pdpc.gov.sg) if you believe we have not handled your data appropriately.

9. Children

OriginSpace is not directed to anyone under 18. We do not knowingly collect personal data from minors.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users at least 14 days before they take effect. The current version is always available at this URL.

11. Data Protection Officer

For privacy questions, data subject access requests, or to withdraw consent, contact our Data Protection Officer at [email protected]. For general support, see /contact.

HomeAuto Solutions Pte. Ltd. (Singapore) · Registered office: Singapore