This policy is issued by GridWind Integrated Solutions Pte. Ltd. (UEN-registered in Singapore), 68 Circular Road, #02-01, Singapore 049422 (“GridWind”, “we”, “us”). For personal data covered by this policy, GridWind is the data controller (or “organisation” within the meaning of Singapore’s Personal Data Protection Act 2012 (“PDPA”)).
It applies to gridwind-solutions.com and its subdomains (including status and docs), the GridWind Console, our sales and support processes, and recruitment. It does not apply to Customer Content, which we handle as a processor under the terms described in Section 4.
We do not collect special categories of personal data, and we do not buy data about you from brokers.
We use personal data to: respond to enquiries and prepare capacity plans; provide, operate, secure, and bill the services; meet our contractual commitments (including the SLA); detect and prevent abuse and security incidents; comply with law; and assess job applications.
Under the PDPA we rely on consent, contractual necessity, and the legitimate-interests and business-improvement exceptions as applicable. Where the EU/UK GDPR applies, our lawful bases are: performance of a contract (accounts, service delivery), legitimate interests (security, service telemetry, B2B sales follow-up), consent (optional communications), and legal obligation (tax, accounting, sanctions screening). We send marketing only about our own services, only to business contacts, and every message has a working unsubscribe. We comply with Singapore’s Do Not Call provisions.
Your datasets, models, weights, checkpoints, and outputs are Customer Content. We process Customer Content solely as a data intermediary/processor, on your documented instructions, to operate the workloads you run. We do not access it except to provide the services or as required by law; we do not use it for analytics, product development, or model training — ever, for anything.
Customer Content is pinned to the region(s) you select (SG1, TY1, SL1, SY1) and does not leave them without your instruction. A Data Processing Agreement incorporating PDPA obligations and, where applicable, EU Standard Contractual Clauses is available from your account team. On offboarding, Customer Content is deleted to contractual timelines with certificates of destruction on request.
The website uses only first-party cookies: strictly-necessary cookies for the Console session and security (these cannot be switched off while using the Console), and a minimal, privacy-respecting first-party analytics measurement of page views. We use no advertising cookies, no cross-site trackers, and no social-media pixels. You can clear or block cookies in your browser; the marketing site works without them.
We never sell personal data. We share it only with: (a) subprocessors that help us run the services — data-centre facility operators, network carriers and interconnect providers, billing and accounting systems, and email delivery — each bound by contract to protection standards no weaker than this policy; (b) professional advisers (legal, audit, insurance) under confidentiality; and (c) authorities where the law requires it, in which case we notify you unless legally prevented.
A current subprocessor list is available from your account team or dpo@gridwind-solutions.com. Customers receive 30 days’ notice before we add a subprocessor that touches Customer Content.
We operate from Singapore with facilities in Singapore, Tokyo, Seoul, and Sydney. Where personal data crosses borders between our regions or to a subprocessor, we transfer it in accordance with the PDPA’s transfer limitation obligation — ensuring a standard of protection comparable to the PDPA through contractual safeguards — and, for data subject to the GDPR, on the basis of adequacy decisions or Standard Contractual Clauses. Customer Content follows the stricter rule in Section 4: it stays in the region you pin it to.
We anonymise or delete personal data once the purpose for which it was collected is no longer served and retention is no longer necessary for legal or business purposes.
Personal data is protected by the same control set that is audited across our platform: ISO/IEC 27001, SOC 2 Type II, and MTCS SS 584 Level 3 controls; encryption in transit and at rest; least-privilege access with hardware-key MFA; and 24/7 monitoring. Details are on our Security & Compliance page. Where a data breach is notifiable under the PDPA, we notify the PDPC and affected individuals within the statutory timelines; contractual notice to customers is faster.
Under the PDPA you may request access to your personal data and information about how it has been used or disclosed in the past year, request correction, and withdraw consent (which may affect our ability to serve you). Where the GDPR applies, you additionally have rights to erasure, restriction, portability, and to object to processing based on legitimate interests, and the right not to be subject to solely automated decisions with legal effect — we make none.
Write to dpo@gridwind-solutions.com. We verify identity before acting, respond within 30 days (PDPA) or one month (GDPR), and never charge more than a permitted reasonable fee for access requests.
If you are not satisfied with our response, you may complain to the Personal Data Protection Commission of Singapore (pdpc.gov.sg) or, for GDPR matters, to your local supervisory authority.
We may update this policy as the services or the law evolve. The effective date and version above always reflect the current text; material changes are announced to account contacts at least 30 days before they take effect. Earlier versions are available on request.