Privacy Policy

This Privacy Policy explains how Bluesheets Pte. Ltd., trading as fileAI (“we,” “us,” “our”), collects, uses, shares, and protects personal data when you visit our website at www.file.ai (the “Site”) or use our cloud-based AI and document automation platform and related services (the “Services”). It also describes your rights regarding your personal data and how to exercise them.

This Privacy Policy applies to: (a) visitors to the Site; (b) individuals who create accounts and subscribe to the Services through our self-serve channel; and (c) users who access the Services on behalf of an organisation that has subscribed to our Services. It should be read together with our Legal Terms available at www.file.ai/legal-terms and our Data Processing Agreement (“DPA”) available at www.file.ai/dpa, which applies when we process personal data on behalf of our business customers.
‍

Data Controller: Bluesheets Pte. Ltd. (trading as fileAI), 138 Robinson Road, #26-01 Oxley Tower, Singapore 068906, UEN 201605699K.

‍Data Protection Officer (DPO): For all privacy enquiries, please contact our DPO at privacy@file.ai or at the registered address above (Attention: Data Protection Officer).

‍US Entity: fileAI LLC, a Delaware limited liability company, may act as a local administrative contact for US customers. The data controller for all personal data processed under this Privacy Policy remains Bluesheets Pte. Ltd.
‍

We collect personal data in the following categories depending on how you interact with us:

‍2.1  Data you provide directlyIdentity data: first name, last name, job title, company name, and username or similar identifier.

- Contact data: email address, telephone number, and billing address.
- Account credentials: password and authentication information.
- Payment data: billing information including payment card type, last four digits, expiry date, and billing address. Full card numbers are not stored by fileAI and are processed directly by our third-party payment processors (such as Stripe).
- Communications: the content of messages you send us, including support requests, feedback, and survey responses.

‍2.2  Data we collect automatically
- Technical data: IP address, browser type and version, operating system, device type, time zone, referring URLs, and login data.
- Usage data: pages visited, features used, session duration, clickstream data, and other information about how you interact with the Site and Services.
- Cookie data: data collected via cookies and similar tracking technologies, as described in Section 5 below.

‍2.3  Data we receive from third parties
- Identity and contact data from third-party authentication providers (such as Google OAuth) if you choose to sign in using those services.
- Marketing and analytics data from third-party analytics and advertising partners such as Google Analytics and HubSpot, in accordance with their respective privacy policies.

‍2.4  Data we do not collect
‍We do not intentionally collect special categories of personal data (including data about racial or ethnic origin, religious beliefs, health, biometric data, sexual orientation, or criminal convictions) through the Site or in connection with account registration. The Site is not directed at children under 16, and we do not knowingly collect personal data from children.
‍

We process your personal data only where we have a lawful basis to do so. Below we outline the purposes for which we use personal data and the legal basis for each.

‍Account creation and management
‍To create and manage your account, authenticate your identity, and maintain account security. Legal basis: Performance of a contract (our Legal Terms).

‍Providing and improving the ServicesTo deliver the Services you subscribe to, process transactions, provide customer support, and develop and improve our platform and AI models using Aggregated Data (as defined in our Legal Terms). Legal basis: Performance of a contract; legitimate interests (improving our products and services).

‍Billing and payment processingTo process subscription fees, issue invoices, manage renewals, and handle payment disputes. Legal basis: Performance of a contract; compliance with legal obligations (tax and accounting requirements).

‍CommunicationsTo send you transactional communications (account confirmations, invoices, security alerts, and service notices) and, where you have opted in or where permitted by applicable law, to send you marketing communications about our products and services. Legal basis: Performance of a contract (transactional); legitimate interests or consent (marketing).

‍Security and fraud preventionTo monitor for suspicious activity, detect and prevent fraud, enforce our Acceptable Use Policy, and maintain the integrity and security of the Services. Legal basis: Legitimate interests; compliance with legal obligations.

‍Analytics and product developmentTo analyse how users interact with the Site and Services using tools such as Google Analytics, to measure the effectiveness of our marketing, and to inform product development decisions. Legal basis: Legitimate interests. Where required by applicable law, we obtain your consent via cookie preferences.

‍Legal compliance and dispute resolutionTo comply with applicable laws and regulations, respond to legal requests and court orders, enforce our agreements, and establish, exercise, or defend legal claims. Legal basis: Compliance with legal obligations; legitimate interests.
‍

We do not sell your personal data. We share personal data only in the following circumstances:

‍4.1  Service providers and subprocessors
‍We share personal data with third-party service providers who process data on our behalf to help us operate and deliver the Services. A current list of our subprocessors, including the categories of service they provide and the countries in which they are located, is maintained at www.file.ai/subprocessors. We will provide reasonable advance notice of at least thirty (30) days of any material changes to our subprocessor list. All service providers are contractually required to protect personal data and process it only for the purposes we specify.

‍4.2  Affiliates
‍We may share personal data with our Affiliates (as defined in our Legal Terms), including fileAI LLC in the United States, for the purposes described in this Privacy Policy. Our Affiliates are bound by equivalent data protection obligations.

‍4.3  Professional advisers
‍We share personal data with lawyers, auditors, bankers, and insurers in Singapore and the United States where necessary for the conduct of our business, subject to confidentiality obligations.

‍4.4  Business transfers
‍If fileAI is involved in a merger, acquisition, restructuring, or sale of all or part of its business or assets, personal data may be transferred to the relevant third party as part of that transaction. We will notify you of any such transfer where required by applicable law.

‍4.5  Legal and regulatory disclosures
‍We may disclose personal data where required by applicable law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of fileAI, our users, or others. Where legally permitted, we will notify you of such a request before disclosing.

‍4.6  With your consent
‍We may share personal data with third parties for purposes not listed above where we have obtained your prior consent.
‍

We use cookies and similar tracking technologies on the Site to enhance your experience, analyse usage, and support our marketing activities. Cookies are small data files stored on your device by your browser.

‍5.1  Types of cookies we use
- Strictly necessary cookies: required for the Site to function and cannot be disabled. These include session authentication cookies and security cookies.
- Analytical/performance cookies: help us understand how visitors interact with the Site (e.g., Google Analytics). We use this data in aggregate to improve the Site.
- Functional cookies: remember your preferences and settings to personalise your experience.
- Marketing cookies: track your browsing activity to help us deliver relevant advertising (e.g., LinkedIn Insight Tag, Google Ads). These are only set with your consent where required by applicable law.

‍5.2  Managing cookiesYou can manage cookie preferences through your browser settings, which allow you to refuse, delete, or be notified when cookies are set. Please note that disabling certain cookies may affect the functionality of the Site. For more information on managing cookies, visit www.allaboutcookies.org. Where required by applicable law, we will seek your consent before placing non-essential cookies.
‍

fileAI is based in Singapore and processes personal data primarily in Singapore and the United States (via AWS). If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your personal data may be transferred to and processed in countries that do not provide the same level of data protection as your home country.

Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognised as providing adequate protection, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms approved by the UK Information Commissioner’s Office (UK Addendum to SCCs).
- Adequacy decisions issued by the relevant authority.
- Other appropriate safeguards as permitted by applicable law.A copy of the relevant transfer mechanisms can be obtained by contacting us at privacy@file.ai.
‍

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required by applicable law. The key retention principles we apply are:
- Account data is retained for the duration of your account and for a period of up to seven (7) years after account closure, for audit, legal, and accounting purposes.
- Billing and transaction data is retained for seven (7) years from the date of the relevant transaction to comply with tax and financial reporting obligations.
- Marketing data is retained until you opt out or withdraw consent, after which it is suppressed or deleted within thirty (30) days.
- Usage and technical data is retained for up to two (2) years for analytics and security purposes.
- Customer Data uploaded to the Services by business subscribers is retained and deleted in accordance with the DPA and the applicable Subscription Agreement.

When personal data is no longer required, we securely delete or anonymise it. Anonymised data may be retained indefinitely for research, statistical, and product improvement purposes.
‍

We implement and maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, use, disclosure, alteration, or destruction. These measures include encryption in transit and at rest, role-based access controls, multi-factor authentication, regular security assessments, and incident response procedures.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law. Our breach notification procedures are described in further detail in the DPA at www.file.ai/dpa.

Despite our security measures, no method of transmission over the internet or electronic storage is completely secure. If you become aware of any security vulnerability or incident, please notify us immediately at security@file.ai.
‍

Depending on your location and the applicable law, you may have the following rights regarding your personal data. We will respond to all legitimate requests within one month of receipt (or within the timeframe required by applicable law), and will notify you if we need additional time.

‍9.1  Rights available to all users
- Access: request a copy of the personal data we hold about you and information about how we use it.
- Correction: request correction of inaccurate or incomplete personal data.
- Deletion: request deletion of your personal data where we no longer have a lawful basis to retain it, subject to applicable legal retention obligations.
- Objection to marketing: opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or contacting us at privacy@file.ai.

‍9.2  Additional rights for EEA, UK, and Swiss residents (GDPR)If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the GDPR or equivalent legislation:
- Restriction of processing: request that we restrict processing of your personal data in certain circumstances.
- Data portability: receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller, where processing is based on consent or contract and carried out by automated means.
- Objection to legitimate interests processing: object to processing based on legitimate interests where your rights and freedoms override our interests.
- Withdrawal of consent: where we rely on consent as a legal basis, withdraw your consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: lodge a complaint with your local supervisory authority. In Singapore, this is the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg. In the EEA, this is your national data protection authority. In the UK, this is the Information Commissioner’s Office (ICO) at www.ico.org.uk.

‍9.3  Rights for Singapore residents (PDPA)
‍If you are located in Singapore, you have the following rights under the Personal Data Protection Act 2012 (PDPA):
- Access: request access to your personal data and information about how it has been used or disclosed in the preceding year.
- Correction: request correction of inaccurate or incomplete personal data.
- Withdrawal of consent: withdraw consent to the collection, use, or disclosure of your personal data, subject to applicable legal and contractual restrictions. Note that withdrawal of consent may affect our ability to provide the Services to you.
- Data portability: request transmission of your personal data to another organisation in a commonly used machine-readable format, where this right is available under the PDPA.
‍
9.4  Rights for California residents (CPRA / CCPA)
‍If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Know: request information about the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of use, and the categories of third parties with whom we share it.
- Delete: request deletion of your personal information, subject to certain exceptions.
- Correct: request correction of inaccurate personal information.
- Opt out of sale or sharing: we do not sell your personal information or share it for cross-context behavioural advertising as those terms are defined under the CPRA.
- Limit use of sensitive personal information: we do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA.
- Non-discrimination: we will not discriminate against you for exercising your CPRA rights.

To exercise your California rights, submit a verifiable consumer request to privacy@file.ai. We will respond within 45 days of receiving a verifiable request, with an extension of up to 45 additional days where necessary. You may designate an authorised agent to submit a request on your behalf by providing written authorisation.

‍California “Shin’s Law” disclosure: California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes without your consent.

‍9.5  How to exercise your rightsTo exercise any of the rights described in this Section 9 (other than California-specific requests, which are addressed in Section 9.4 above), please contact us at:
‍Email: privacy@file.ai
‍Post: Data Protection Officer, Bluesheets Pte. Ltd., 138 Robinson Road, #26-01 Oxley Tower, Singapore 068906

We may need to verify your identity before responding to your request. We will not charge a fee for reasonable requests, but may charge a reasonable administrative fee for manifestly unfounded, repetitive, or excessive requests.
‍

The Site and Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through our platform. fileAI is not responsible for the privacy practices of third-party websites or services.
‍

fileAI's Services use artificial intelligence and machine learning to process documents and data submitted by our customers. Where fileAI processes personal data contained in documents uploaded by business customers, this processing is governed by the DPA, not this Privacy Policy.

In connection with the operation of the Site and our direct relationship with individual users, we do not use automated decision-making processes (including profiling) that produce legal or similarly significant effects on individuals, unless we notify you specifically and, where required by applicable law, obtain your consent or give you the right to request human review.

We may use Usage Data and Aggregated Data (which cannot identify you) to improve and train our AI models. We will not use your personal account data or the content of documents you upload as an individual user to train our AI models without your explicit consent.
‍

The Site and Services are not directed at individuals under the age of 16 (or such higher age as required by applicable law in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at privacy@file.ai and we will take steps to delete such data promptly.
‍

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. For material changes, we will notify you by email (to the address associated with your account) or by a prominent notice on the Site at least thirty (30) days before the change takes effect. The updated Privacy Policy will be accessible at www.file.ai/privacy-policy and will include the updated effective date. Your continued use of the Site or Services after the effective date of a material change constitutes your acceptance of the updated Privacy Policy.
‍

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

‍Email: privacy@file.ai
‍Post: Data Protection Officer, Bluesheets Pte. Ltd., 138 Robinson Road, #26-01 Oxley Tower, Singapore 068906
‍Security incidents: security@file.ai
‍DMCA / Copyright notices (US): legal@file.ai (Attention: DMCA Agent)

We aim to respond to all enquiries within five (5) business days and to all formal rights requests within the timeframes required by applicable law.