Fast Statement – Privacy Policy
Effective Date: 27 January 2026
Company: 2ND BRAIN PTE. LTD. (UEN: 202343194N) ("Fast Statement", "we", "us", "our")
Contact: support@faststatement.com
This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you access or use Fast Statement (the "Service"), including when the Service is used by professional accounting firms, accountants, or bookkeepers on behalf of their clients.
By using the Service or providing personal data to us, you acknowledge that you have read and understood this Privacy Policy.
1. Scope and Applicability
This Privacy Policy applies to:
- visitors to our websites and digital channels;
- users who create or use an account on Fast Statement; and
- personal data contained within information submitted to the Service, to the extent that it constitutes personal data.
If you provide personal data of another individual (e.g., a client, employee, director, or shareholder) to us, you represent that you have the authority and/or have obtained consent to do so for the purposes described in this Privacy Policy.
2. Key Definitions
- "Personal Data" means information about an individual who can be identified from that information, or from that information and other information we have or are likely to have access to.
- "Customer Data" means data, documents, files, records, and information that you (or your authorised users) upload, import, submit, or otherwise make available through the Service, which may include Personal Data.
- "Professional User" means an accounting firm, accountant, bookkeeper, or similar professional using the Service for their own clients.
- "Client" means an end customer of a Professional User.
- "Outputs" means financial statements, reports, documents (including PDF and Word files), formula calculation results, and other content generated by the Service.
3. How We Collect Personal Data
We collect personal data in the following ways:
3.1 Data you provide directly
Examples include when you:
- create an account or register for the Service;
- purchase or top up credits;
- contact support, submit tickets, or communicate with us;
- participate in surveys, webinars, marketing campaigns, or events (if any);
- configure settings or invite authorised users;
- enter business information during guided setup (such as company details, director names, and shareholder names); or
- upload or input financial data that contains personal data.
3.2 Data collected automatically
When you use the Service, we may collect:
- device and technical data (e.g., IP address, device type, browser type, operating system);
- usage and activity data (e.g., pages viewed, timestamps, feature usage, clicks, logs);
- cookies and similar tracking technologies (see Section 10).
3.3 Data from third parties and integrations
If you connect third-party services (e.g., accounting systems, document storage, bank feeds), we may receive data from those services as authorised by you, subject to the third party's terms and your configuration.
4. Types of Personal Data We May Process
Depending on how you use the Service, we may process:
- Account data: name, email, role, organisation name, login identifiers, user preferences. (Note: Business contact information such as your name, title, business telephone number, and business address provided for business purposes is generally not covered by the data protection provisions of the PDPA, though we still treat it with care.)
- Billing and transaction data: billing contact details, invoice details, payment status, top-up history (we do not intentionally collect full payment card details if processed by a third-party payment processor).
- Support and communications data: messages, emails, call notes (if any), and attachments you send to us.
- Usage and technical data: logs, diagnostic data, device identifiers, cookies, approximate location derived from IP.
- Customer Data containing Personal Data, which may include:
  - financial records, transaction descriptions, vendor/customer names;
  - director and shareholder names entered during guided setup or included in financial statement projects;
  - company registration details, incorporation dates, and business addresses;
  - payroll-related entries (where applicable);
  - other content you upload or import.
- Financial formula and reference data: formula configurations, trial balance references, custom field values, and lease liability data that may indirectly contain or relate to personal data.
- Marketing preferences: subscription preferences and opt-in/opt-out records.
We do not intentionally collect "special category" data (as commonly understood in other jurisdictions) unless you choose to upload it as part of Customer Data.
5. Purposes of Collection, Use, and Processing
We use personal data for the following purposes:
5.1 To provide and operate the Service
Including to:
- create and administer accounts;
- provide features and generate Outputs (e.g., financial statements, reports, documents);
- process formula calculations by referencing financial data you maintain;
- process credit top-ups and track credit consumption;
- provide customer support, troubleshooting, and service communications;
- maintain the security, integrity, and performance of the Service.
5.2 To enable AI-assisted features (with no training on your Customer Data)
Fast Statement may use AI techniques to assist with specific functions, such as suggesting formula mappings between your financial data categories and financial statement line items.
Important: We do not use Customer Data to train or fine-tune general-purpose AI/ML models for use by other customers, and we do not allow our processors to use Customer Data for their model training, unless you explicitly opt in under a separate written agreement.
We may, however, use aggregated and/or de-identified usage statistics to improve reliability, performance, and user experience (see Section 9). We aim to minimise data shared with AI providers and take reasonable steps to transmit only data necessary for the relevant AI-assisted feature, ensuring we have agreements in place with such providers to process data only on our instructions.
5.3 To improve and develop the Service
Including to:
- monitor performance, debug issues, and optimise the user experience;
- analyse feature adoption and system reliability;
- develop new features and improve existing features using aggregated and/or de-identified analytics.
5.4 To protect users and the Service
Including to:
- prevent fraud, abuse, unauthorised access, or security incidents;
- enforce our terms, policies, and usage limits;
- comply with legal obligations and requests.
5.5 Marketing (where permitted)
Where permitted by law and subject to your preferences, we may use your contact details to send:
- product updates;
- service announcements;
- educational content and promotional materials.
You can opt out at any time (see Section 12). If we send marketing messages to your Singapore telephone number, we will comply with the Do Not Call (DNC) provisions of the PDPA, unless we have your clear and unambiguous consent or an exemption applies.
6. Legal Basis / Consent (Singapore PDPA)
We take our responsibilities under Singapore's Personal Data Protection Act 2012 ("PDPA") seriously.
Depending on the circumstances, we may collect, use, or disclose personal data based on:
- your consent (express or deemed);
- where it is necessary to provide the Service you requested;
- where permitted under PDPA exceptions (e.g., for legal compliance, investigations, or to respond to emergencies);
- legitimate business purposes permitted by law (e.g., service security and fraud prevention), where applicable.
You may withdraw consent in accordance with Section 12, subject to legal or contractual restrictions and reasonable notice.
7. Disclosure of Personal Data
We may disclose personal data in the following circumstances:
7.1 Service providers and processors
We may share personal data with third-party vendors who help us operate the Service, such as:
- cloud hosting and storage providers;
- AI service providers (such as large language model providers used for formula mapping suggestions);
- analytics and monitoring providers;
- customer support tooling providers;
- payment processors;
- security and fraud prevention vendors.
They may process personal data only on our instructions and for the purposes described in this Privacy Policy.
7.2 Integrations you enable
If you connect third-party services, data may be shared as needed to provide that integration, subject to your settings and the third party's terms.
7.3 Professional Users and Client data
If you are a Client of a Professional User, your Personal Data (including your name as a director or shareholder) may be uploaded to the Service by the Professional User as Customer Data.
In that scenario:
- the Professional User is typically responsible for informing you about the use of the Service and obtaining required permissions/consents; and
- Fast Statement generally acts as a service provider (a "data intermediary" under the PDPA) processing Customer Data on the Professional User's instructions to provide the Service, except where we are required to process data to meet our own legal obligations or legitimate interests (e.g., service security).
7.4 Legal and regulatory
We may disclose personal data to regulators, law enforcement, courts, or other parties where we believe disclosure is necessary to:
- comply with applicable laws or lawful requests;
- protect our rights, safety, and property, or those of our users; or
- prevent fraud or security incidents.
7.5 Business transfers
If we undergo a corporate transaction (e.g., merger, acquisition, sale of assets), personal data may be disclosed to relevant parties and advisers as part of that transaction, subject to appropriate safeguards.
8. Cross-Border Transfers
Your personal data may be transferred to, stored in, or processed in countries outside Singapore where our service providers (including AI service providers) operate.
Where we transfer personal data overseas, we will take reasonable steps to ensure that the recipient provides a standard of protection comparable to that under the PDPA, including through contractual obligations or other safeguards.
9. Aggregated / De-Identified Data
We may create aggregated and/or de-identified data derived from:
- usage patterns (e.g., feature adoption rates, latency metrics);
- performance metrics (e.g., error rates, uptime);
- general statistical trends.
Such data is used to operate, improve, and secure the Service and does not reasonably identify you or any individual.
10. Cookies and Similar Technologies
We may use cookies and similar technologies to:
- keep you signed in;
- remember preferences;
- enable essential functionality;
- analyse usage and improve performance.
You can control cookies through your browser settings. Blocking certain cookies may affect Service functionality. Third parties may also set cookies when you interact with embedded content or integrations; we do not control those cookies.
11. Data Security
We maintain reasonable administrative, technical, and organisational safeguards designed to protect personal data against unauthorised access, disclosure, alteration, and destruction.
No system is completely secure. You are responsible for:
- keeping your credentials confidential;
- using strong passwords and appropriate access controls; and
- ensuring that only authorised users access your account.
11.1 Data Breach Notification
If we determine that a data breach has occurred affecting your personal data, and it is a notifiable data breach under applicable law (e.g., PDPA), we will notify the PDPC and affected individuals in accordance with the statutory timelines (generally within 3 calendar days of determination for PDPC, and as soon as practicable for individuals).
Where we act as a data intermediary processing Customer Data on behalf of a Professional User, we will also notify the Professional User (as the relevant organisation/data controller) without undue delay once we have credible grounds to believe a data breach has occurred.
12. Your Rights and Choices (PDPA)
Subject to applicable law, you may:
12.1 Access and correction
You may request access to and/or correction of personal data we hold about you.
How to submit: Please email your request to our DPO at support@faststatement.com.
Verification: We may need to verify your identity before responding.
Timeframe: We aim to respond as soon as reasonably possible. If we are unable to respond within 30 calendar days, we will inform you of the expected time.
Fees: We may charge a reasonable fee to cover the incremental costs of providing access, and will provide a written estimate for your approval in advance.
12.2 Withdraw consent
You may withdraw your consent for the collection, use, or disclosure of your personal data by contacting us. Withdrawal may affect our ability to provide the Service.
12.3 Marketing opt-out
You may opt out of marketing communications at any time by:
- using the unsubscribe link (if provided); or
- emailing support@faststatement.com.
We will process requests within a reasonable timeframe. We may still send essential service or administrative communications.
12.4 Client requests via Professional Users
If your personal data is submitted by a Professional User on your behalf (as their Client) — for example, if your name was entered as a director or shareholder in a financial statement project — you may need to direct your request to that Professional User, as they may control the Customer Data and your relationship.
13. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including to meet legal, regulatory, tax, or accounting obligations.
Unless otherwise agreed:
- we may retain Customer Data (which may contain Personal Data, including director and shareholder names) for up to seven (7) years, reflecting common recordkeeping requirements; and
- after account closure or termination, we may delete or de-identify Customer Data after a reasonable period (typically 30 days), unless retention is required by law or necessary for legitimate purposes (e.g., dispute resolution, compliance).
We do not retain personal data longer than necessary for the purposes described. We will delete or de-identify it when it is reasonable to assume the purpose is no longer served and retention is no longer necessary for legal or business purposes.
You are responsible for exporting your data before account closure or termination.
14. Third-Party Links and Services
Our Service may contain links to third-party sites or services. Their privacy practices are governed by their own policies. We are not responsible for third-party privacy practices.
15. Children
The Service is intended for business and professional use and is not directed at children. We do not knowingly collect personal data from children.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be effective from the stated effective date. If changes are material, we will take reasonable steps to notify you (e.g., via email or in-product notice).
17. Contact Us
If you have questions, feedback, or requests regarding this Privacy Policy or our handling of personal data, contact:
Fast Statement (2ND BRAIN PTE. LTD., UEN: 202343194N)
Email: support@faststatement.com
Data Protection Officer (DPO): For PDPA-related enquiries (access/correction/withdrawal), please contact our DPO at the email above.
