Engram Privacy Policy
1. Who we are
The Site is operated by NGIS PTE LTD (UEN 202403437E), a private limited company incorporated in Singapore (the “Company”, “we”, “us”, “our”). The Site is available at https://joinengram.com and is the pre-launch marketing and waitlist surface for Engram. The Site is hosted in Singapore. Engram is the cognitive substrate product NGIS is building; this Policy covers only the Site, not the product.
This Privacy Policy explains what personal data we collect when you use the Site, why we collect it, what we do with it, and the rights you have under the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the Malaysian Personal Data Protection Act 2010 (PDPA Malaysia).
2. Our Data Protection Officer
In accordance with Section 11(3) of the Singapore PDPA, we have designated a Data Protection Officer (DPO) to oversee our compliance with this Policy and with applicable privacy laws:
- Email: info@ng-is.com
- Postal: NGIS PTE LTD, Singapore (registered office on ACRA Bizfile)
You may contact the DPO at any time with privacy questions, access requests, correction requests, consent withdrawals, complaints, or other concerns.
3. Scope
This Policy applies to personal data of:
- Individuals who submit the waitlist form on the Site
- Individuals who apply for the founding-customer programme via the Site
- Individuals who correspond with us through the Site, our contact form, or by email
- Individuals whose browser visits the Site (limited cookie data — see Section 10)
This Policy does not apply to:
- The Engram product itself. When the Engram product becomes commercially available (target H1 2027), it will be governed by a separate Privacy Notice and Data Processing Agreement. The Engram product is customer-hosted: when you run the product, your data lives entirely on your infrastructure and is not transferred to us.
- The third-party large language model (LLM) you may choose to use with the Engram product. That contractual relationship is between you and the LLM provider, not with us.
- Engram Community Edition open-source software, which is governed by its applicable open-source licence (Apache License 2.0) and not by this Policy.
- Third-party websites we may link to from the Site. Their privacy practices are governed by their own policies.
4. What personal data we collect
We collect the following categories of personal data directly from you when you use the Site.
4.1 Waitlist and contact data
- Email address (required)
- Name (optional; collected only if you provide it)
- Organisation name (optional)
- Role / job title (optional)
- The content of any message you send through the contact form or via email
4.2 Founding-customer programme applications
- The information listed in Section 4.1
- Any additional information you choose to provide about your organisation, use case, or compliance regime when applying
4.3 Browser and session data
- Your IP address, automatically captured when you submit a form on the Site. Under Singapore PDPA, an IP address is personal data when it can be associated with an identifiable individual. We treat IP addresses as personal data accordingly.
- Browser user agent, locale, and timestamp at the moment of submission, used for abuse prevention and audit logging.
4.4 Cookies
The Site uses essential cookies only. See Section 10 for details.
4.5 Marketing consent
If you tick a marketing consent box at the point of waitlist signup, we record that you consented, the date, and the scope of the consent (founder briefing series, pilot announcements, product updates). You may withdraw this consent at any time. See Section 9.3.
5. Why we collect and use personal data
We collect and use personal data for the following purposes and on the following lawful grounds under the PDPA:
| # | Purpose | Lawful basis |
|---|---|---|
| 1 | To respond to your enquiry or application | Necessary for steps requested by you prior to entering into a contract; legitimate interests in answering business enquiries |
| 2 | To send you the founder briefing series and notify you when pilot slots open | Your consent (opt-in, withdrawable) |
| 3 | To maintain abuse-prevention and audit logs for the Site | Legitimate interests in protecting the Site; legal obligation where applicable |
| 4 | To send transactional communications (e.g., confirming a request you made, responding to a contact-form submission) | Necessary for steps requested by you |
| 5 | To comply with legal obligations and respond to lawful requests from regulators or courts | Legal obligation |
| 6 | To enforce our Terms of Service, prevent abuse, and defend legal claims | Legitimate interests |
We do not use waitlist data for product analytics, model training, advertising, profiling, or sale to third parties — ever.
6. Who we share personal data with
We do not sell your personal data.
We share personal data only with the following categories of recipient, and only to the extent necessary for the stated purpose:
- Service providers engaged to help us operate the Site, in particular providers of transactional email delivery and hosting infrastructure. We require each provider to protect your data and to use it only for the services they perform for us. A current list of these service providers is available on written request to the DPO.
- Professional advisers, such as our lawyers, accountants, and auditors, under duties of confidentiality.
- Authorities, where we are required to disclose by law, a valid court order, or a lawful request from a regulator (for example, the Personal Data Protection Commission of Singapore).
- Successors, if NGIS PTE LTD is acquired or reorganised, subject to this Policy continuing to apply.
7. Cross-border transfers
The Site is hosted in Singapore. Personal data captured on the Site is stored and processed in Singapore by default.
If a service provider we engage operates outside Singapore (for example, an email-delivery platform), we rely on contractual safeguards (such as Standard Contractual Clauses or equivalent commitments) to ensure your data receives a standard of protection comparable to the PDPA, in line with Section 26 of the PDPA.
Where you are based in Malaysia, cross-border transfers of your personal data are carried out in accordance with Section 129 of the PDPA Malaysia. At the point of submission of the form, we collect your explicit consent to such transfer where applicable.
8. How long we keep personal data
| Category | Retention period |
|---|---|
| Waitlist contact data and applications | Until you withdraw your consent, or 24 months of inactivity, whichever occurs first |
| Email correspondence (contact form and direct email) | 3 years after the last interaction, unless a longer period is required for dispute resolution |
| Abuse-prevention and audit logs | 12 months from the date of the recorded event |
| Marketing consent records | Until you withdraw consent, plus 3 years for evidence of lawful processing |
| Records that we are required to keep by law (e.g., Singapore tax record-keeping) | 7 years from the relevant date |
When a retention period expires, we delete the personal data, anonymise it, or archive it in a form from which you cannot be re-identified.
9. Your rights
Under the Singapore PDPA (Sections 21–24) and, where applicable, the Malaysian PDPA, you have the following rights.
9.1 Right of access
You may ask us to confirm what personal data we hold about you and to provide a copy. We will respond within 30 days (Singapore PDPA) or 21 days (Malaysian PDPA) of a verified request, or tell you if we need more time.
9.2 Right of correction
You may correct or update your personal data. Email the DPO with the correction; we will update the record unless we have a lawful basis to refuse.
9.3 Right to withdraw consent
If we rely on your consent for a particular processing activity (in particular, marketing communications), you may withdraw that consent at any time. Every marketing email contains an unsubscribe link. You may also email the DPO at info@ng-is.com. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, and does not affect processing carried out on a different lawful basis.
9.4 Right of deletion
You may ask us to delete the personal data we hold about you. We will delete it within 30 days of a verified request, except where we are required by law to retain specific records (for example, tax-related records). In that case we keep only the minimum the law requires and confirm in writing what has been kept, why, and for how long.
9.5 Right of portability
You may request an export of the personal data associated with your record in a common machine-readable format.
9.6 How to exercise these rights
Contact the DPO at info@ng-is.com and clearly state which right you wish to exercise. We may need to verify your identity before acting on the request. We do not charge a fee for routine requests.
9.7 Right to lodge a complaint
If you are not satisfied with how we handle your request, you may contact us first so we can attempt to resolve the matter. If you remain dissatisfied, you may complain to the Personal Data Protection Commission of Singapore at https://www.pdpc.gov.sg, or, if you are based in Malaysia, the Department of Personal Data Protection at https://www.pdp.gov.my.
10. Security and cookies
10.1 Security
We take commercially reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, and destruction. These measures include HTTPS via TLS 1.3 for all traffic to and from the Site, role-restricted internal access to submitted data, encrypted storage at rest, regular patching of system components, and an internal incident-response runbook.
No Internet service is 100% secure. We continue to invest in security measures appropriate to the scope and sensitivity of the data we hold.
10.2 Cookies
The Site currently uses essential cookies only. These are limited to the minimum cookies required to deliver the Site to your browser (for example, basic session state and cross-site-request-forgery tokens on any future interactive forms). The Site does not use analytics cookies, marketing cookies, or third-party tracking pixels at this time.
If we add analytics or other non-essential cookies in the future, we will:
- Deploy a consent banner with “Reject all” as prominently presented as “Accept all” in line with the guidance of the Personal Data Protection Commission of Singapore.
- Update this Policy and the version number above.
- Notify recipients of our marketing communications by email at least 30 days before the change takes effect.
You may control cookies through your browser settings. Blocking essential cookies may prevent the Site from functioning correctly.
11. Data breach notification
If we become aware of a data breach that (a) is likely to result in significant harm to affected individuals, or (b) affects 500 or more individuals, we will notify the Personal Data Protection Commission of Singapore within 3 calendar days of establishing the breach, in accordance with Section 26D of the PDPA and the Personal Data Protection (Notification of Data Breaches) Regulations 2021, and we will notify affected individuals as soon as practicable.
12. Changes to this Policy and contact
12.1 Changes to this Policy
We may update this Policy from time to time. When we make a material change, we will update the version number and effective date at the top, notify you by email at the address you have provided (if any), and post a notice on the Site at least 30 days before the change takes effect (unless the change is required immediately by law). Continued use of the Site after the effective date of an update means you accept the updated Policy.
12.2 Electronic communications
By using the Site and providing an email address to us, you acknowledge that all notices, modifications, and communications provided to you electronically (including via the email address you provide) satisfy any legal requirement for written communication under the Singapore Electronic Transactions Act (Cap. 88).
12.3 Contact
- Data Protection Officer: info@ng-is.com
- Company: NGIS PTE LTD (UEN 202403437E), Singapore