Skip to content
PhysiCode

App Demo (opens in new tab)Instagram(opens in new tab)

Privacy

Effective 10 July 2026

Who we are

PhysiCode is a five-person student team at the Singapore University of Technology and Design (SUTD), Singapore. We are not yet incorporated as a company, so this policy is given by the team members collectively. It explains, in plain language, what personal data this website collects, why, where it goes, how long we keep it, and the rights you have over it. You can reach us about anything in it at physicodesolutions@gmail.com. It took effect on the date shown at the top of this page.

What this policy covers

This policy covers this website only — the pages you are reading and the two forms on it. It does not cover the PhysiCode learning kit or its companion app for children, which are separate products, are not offered through this site, and will carry their own, stricter privacy protections. It also does not cover other companies’ websites we may link to; once you leave our site, their policies apply.

What we collect

We collect only what you choose to type into our two forms, plus the page you sent it from. We ask for nothing more, and the forms are deliberately short.

  • Waitlist form: your name, your email address, optionally your role or organisation, and optionally a short message about what you hope to use PhysiCode for.
  • Contact form: your name, your email address, optionally your organisation, the role you select (Investor, Partner School, Grant Committee, Media or Other), and your message.
  • For both: the page on the site you submitted the form from, so we understand the context of your message.
  • That is the entire list. The site has no accounts and no passwords, takes no payments, hosts nothing you upload, and — as the cookies section explains — sets no cookies. We never collect special or sensitive categories of data.

Why we use it

We use each form’s data only for the purpose it was given, and we keep the two purposes strictly separate.

  • Contact-form submissions are used only to reply to your enquiry about PhysiCode. We do not use them for marketing, and we never add contact-form senders to the waitlist or to any mailing list.
  • Waitlist submissions are used to email you pilot details and early-access product updates, until you unsubscribe. Keeping you informed is the whole purpose of the waitlist, and it is what the sign-up asks you to agree to.
  • We do not use your data to build profiles, to advertise, or for any purpose beyond these. If we ever wanted to use it for something new, we would ask you first.

How we collect it, and your consent

We collect personal data in one way only: directly from you, when you fill in and submit a form. We do not buy data, we do not receive it from data brokers, and we do not gather it from other websites. When you submit a form you give your consent in two overlapping ways: you tick the “I agree to the Terms of Use and Privacy Policy” box — which starts unticked and is required, so nothing is sent without a deliberate, affirmative act — and, because each form states its single purpose right beside the submit button, submitting it is itself consent to that purpose under Singapore’s Personal Data Protection Act. We keep the submission, with its timestamp and the fact that you ticked the box, as our record of that consent, for as long as we keep the submission itself. You can withdraw your consent at any time; see “Your rights” below.

Who we share with, and where

We keep the number of people who touch your data as small as we can. Your form submissions pass through exactly three service providers, each processing data only to operate the site and forms for us:

  • Formspree, Inc. — a United States company that receives our form submissions and passes them to us; your data is stored on its US servers under its data-processing terms. This is a transfer of personal data outside Singapore, disclosed here in line with the PDPA’s transfer-limitation obligation.
  • Google (Gmail) — our inbox, also in the United States, where submissions are delivered and where we read and reply to them.
  • Cloudflare — our hosting provider (Cloudflare Pages), which serves the site from a global network and transiently processes visitors’ IP addresses to deliver pages; it does not receive the contents of your form.
  • We do not sell personal data, rent it, trade it, or share it with anyone for advertising or marketing — and we never have.
  • We would disclose personal data beyond this list only if the law genuinely required it of us — for example under a binding order of a court or regulator — and, if the team later incorporates as a company, your data would pass to that company under the same commitments made in this policy. We would announce any such change on this page.

Analytics

We want to know whether the site works, not who you are. We use Cloudflare Web Analytics, which is cookieless and privacy-first: it reports aggregate visit counts along with the page visited, the referring page, your device type and a coarse (country/region-level) location. It sets no cookies, builds no persistent identifier of you, performs no cross-site tracking, and uses no advertising identifiers — so there is no way for us, or for Cloudflare, to single you out from it. We run no other analytics and count no custom events; these figures are simple aggregate counters, never profiles.

Cookies and local storage

This site sets zero cookies — no essential cookies, no analytics cookies, no advertising cookies; none from us and none from any third party. That is why you see no cookie banner: there is nothing to consent to. The one thing the site ever writes to your browser is a single local-storage entry named “pc-calm”, created only if you switch on Calm mode, our reduced-motion viewing option. It records that preference and nothing more: it contains no personal data, it never leaves your device, and it is removed the moment you turn Calm mode off — or whenever you clear your browser data. Nothing else on the site, including the interactive demo, stores anything in your browser.

No profiling, no automated decisions

We do not profile visitors, score them, or make any automated decision that affects them. Every waitlist update and every reply to a contact message is written and sent by a member of the team. The aggregate analytics described above cannot be traced back to individuals, so they could not feed profiling even if we wanted them to — and we do not.

How we protect your data

We hold little, and we guard what we hold. In line with the PDPA’s protection obligation, our arrangements are:

  • The entire site is served over HTTPS, so everything you submit is encrypted in transit (TLS).
  • Submissions live in exactly two places — our Formspree account and our Gmail inbox — and access to both is limited to the team members who need it, with two-factor authentication switched on.
  • We minimise by design: no passwords, no payment details and no sensitive categories of data are ever collected, so the most that could ever be exposed is what the forms ask for.
  • We keep written internal data-protection practices that the whole team is required to follow, covering access, retention, purging and breach response.
  • No website can honestly promise perfect security, and we do not — but we can promise that if something went wrong, we would handle it as the next section describes.

If something goes wrong: data breaches

We maintain an internal breach-response process under Part 6A of the PDPA. If we ever suspected that personal data had been lost or exposed — a compromised inbox, for example — the team members responsible for data protection would assess it without delay. If the breach met the PDPA’s notification thresholds, we would notify Singapore’s Personal Data Protection Commission within three calendar days and tell the affected individuals directly, unless an exception under the Act applied. We record every assessment, including those that turn out not to be notifiable.

How long we keep it

The PDPA requires us to stop keeping personal data once it no longer serves the purpose it was collected for, and our retention periods are short:

  • Contact inquiries: deleted within about 12 months of the inquiry being resolved.
  • Waitlist entries: deleted when you unsubscribe, or when the pilot and early-access programme ends, whichever comes first.
  • Both stores are purged on the same schedule — the copies held in Formspree and the copies in our inbox.
  • The temporary analytics visitor identifier is discarded within 24 hours; the aggregate counts that remain contain no personal data.
  • Our record of your consent (the submission itself, with its timestamp) is kept only as long as the submission it belongs to, then deleted with it.

Your rights, and how to exercise them

Under the PDPA — and, where we go further, as our own promise — you can do any of the following at any time, free of charge, by emailing physicodesolutions@gmail.com. To protect your data we will usually verify a request by corresponding with the email address you originally submitted. We respond within 30 days; if a request genuinely needs longer, we will tell you within those 30 days when to expect our full answer. We will never treat you differently for exercising your rights.

  • Access: ask for a copy of the personal data of yours that we hold, and an account of how it has been used or disclosed within the past year.
  • Correction: ask us to fix anything that is inaccurate or incomplete.
  • Deletion: ask us to delete your data outright — we honour this even where the PDPA itself does not strictly require erasure.
  • Withdrawal and unsubscribing: withdraw your consent at any time; every waitlist email includes an unsubscribe route, and a plain email to us works just as well.
  • Complaint: raise any concern about how we have handled your data — see the complaints section below.

The people responsible for data protection

Responsibility for personal data protection within PhysiCode is held jointly by two designated members of the team, in line with section 11(3) of the PDPA. We have not appointed a formally titled Data Protection Officer — as an unincorporated student team we would rather be precise about that — but the team members responsible for data protection personally handle every rights request, question and complaint about personal data. You can reach them at physicodesolutions@gmail.com; putting “data protection” in the subject line helps us route your message faster.

Complaints, and escalating beyond us

If you are unhappy with anything we have done with your personal data, please email us first — most concerns can be put right quickly, and the team members responsible for data protection review every complaint. If you are not satisfied with our answer, you can complain to Singapore’s Personal Data Protection Commission (PDPC) at pdpc.gov.sg. If you live elsewhere, you may also have the right to complain to your local data protection authority; we will cooperate with any authority that contacts us about you.

Do Not Track and Global Privacy Control

Some browsers send “Do Not Track” or “Global Privacy Control” signals. We do not respond to them mechanically, for a simple reason: there is nothing for them to switch off. We do not track visitors over time or across other websites, no third party collects personally identifiable information across sites through our site, and we do not sell or share personal data. Every visitor already receives the treatment those signals ask for, whether or not their browser sends one.

Children

This website is written for adults — parents, educators, school leaders, investors and press — and its forms are intended for adults. We do not knowingly collect personal data from children through this site, and nothing on it is directed at them. If you believe a child has submitted one of our forms, email us and we will delete the entry promptly. The PhysiCode learning kit and its companion app, which are designed for children, are separate products that are not offered through this site and will carry their own, stricter protections. One further note for complete clarity: the illustrative imagery on this site that appears to show a child — for example the photograph-style image of a child’s hands — is AI-generated. No real child was photographed for it.

Links to other websites

The site may link to a small number of third-party websites, such as those of the organisations we work with. Once you leave our site, this policy no longer applies: those sites have their own privacy practices, we do not control them, and we encourage you to read their policies. The same is true of our service providers’ own sites — Formspree’s processing of form submissions, for instance, is additionally governed by Formspree’s own privacy documents.

Changes to this policy

This version took effect on 10 July 2026 — the date shown at the top of this page. If we change the policy we will post the new version here and update that date, and if a change materially affects what we collect or how we use it, we will say so prominently on this page rather than slipping it in quietly. Data you have already submitted remains governed by the commitments that applied when you submitted it, unless you agree to something new. If you are on the waitlist, we would encourage you to glance at this page from time to time.

One policy, honoured worldwide

We are a Singapore team and this policy is anchored in Singapore’s PDPA, but we do not ration our commitments by geography. Wherever in the world you visit or submit from, we honour everything above — including access, correction, deletion and withdrawal of consent — in the same way and on the same timelines. If the law where you live gives you a stronger right in respect of the data we hold, ask us for it and we will do our best to honour that too.

How to reach us

For anything in this policy — questions, rights requests, complaints, or simple curiosity about how something works — email physicodesolutions@gmail.com. A short line saying what you need is enough; there are no forms to fill in and no formality required. We reply to every genuine message.