This Privacy Policy explains how Beyond Clock PTE. LTD. may collect, use, store, disclose, and otherwise handle personal data in connection with the Beyond Clock platform and related support, security, and operational workflows.

For Customer Data that a Customer uploads or submits on behalf of patients, members, study participants, or other individuals, Beyond Clock generally acts as a processor or service provider on the Customer's behalf. The Customer remains primarily responsible for its relationship with those individuals, including notices, consents, lawful basis, and response handling. The Data Processing Terms describe that allocation in more detail.

Customer

The organization that purchases, receives, or otherwise authorizes use of the Beyond Clock service.

Authorized User

An employee, contractor, clinician, researcher, or other individual whom the Customer permits to access the service under its account.

Customer Data

Information, files, biomarker values, survey responses, demographics, identifiers, and related metadata submitted to or made available through the service by or for the Customer.

Report Output

Reports, scores, visualizations, benchmarks, exports, and related outputs generated by the service for a Customer workflow.

De-identified Data

Data derived from Customer Data after direct identifiers have been removed or reduced, but that may still remain linkable or reasonably capable of re-identification if combined with other information. De-identified Data is not the same as anonymized data.

Anonymized/Aggregated Data

Data that has been irreversibly altered, generalized, or combined so that an individual is not reasonably identifiable by Beyond Clock or a recipient using available means.

Service Improvements

Improvements to the service, software, models, workflows, documentation, security controls, and related know-how developed from operating and improving the platform, excluding Customer Data and Report Output in identifiable form.

Depending on the workflow, we may collect or receive:

• account and organization information, such as names, work email addresses, organization names, roles, and access records;
• Customer Data entered into report workflows, including biomarker values, demographic information, survey responses, labels, and related metadata;
• uploaded files and related file metadata, including PDFs and image files used for report preparation or quality review;
• Report Output and operational metadata linked to report requests, processing states, and delivery events;
• technical, usage, and security data such as IP addresses, session activity, device or browser information, logs, and diagnostic events; and
• support, inquiry, or contracting communications, including messages sent through contact forms or support channels.

We may use information to:

• provide, host, secure, troubleshoot, and support the service;
• extract, validate, review, process, and generate Report Output;
• authenticate users, prevent fraud, investigate abuse, and maintain system integrity;
• respond to customer inquiries, administer accounts, and manage commercial relationships;
• comply with contractual, regulatory, legal, audit, and recordkeeping obligations;
• create and use De-identified Data for internal product, workflow, and model improvement unless a signed enterprise agreement restricts that use; and
• create and use Anonymized/Aggregated Data for benchmarking, research, analytics, and population-level insights.

We do not use Customer Data for third-party advertising, and we do not sell personal data collected through the service.

Qualified and authorized personnel may review uploaded files, extracted values, report requests, and related Customer Data when needed to prepare reports, check data quality, resolve support issues, investigate anomalies, maintain security, or operate the service.

Human review is part of the operational design of the current service and may include reviewing biomarker inputs, validating structured data extracted from uploaded files, or escalating unusual cases for quality assurance.

Beyond Clock uses a strict distinction between De-identified Data and Anonymized/Aggregated Data. De-identified Data may have direct identifiers removed, but it can still remain linkable or reasonably capable of re-identification when combined with other information. For that reason, we do not treat De-identified Data as anonymous.

We reserve the term Anonymized/Aggregated Data for data that has been altered or combined so that an individual is not reasonably identifiable using available means. External benchmarking, research summaries, and population insights should be based on that stricter standard, not merely on de-identification.

We may disclose information to infrastructure, storage, security, support, and other service providers that help us operate the platform, subject to contractual and operational safeguards.

We may also disclose information to the relevant Customer and its Authorized Users, where necessary to fulfill the requested workflow, and where required by law, regulation, legal process, or to protect the rights, safety, security, or integrity of Beyond Clock, our Customers, or affected individuals.

By default, personal data and Customer Data submitted through the service are stored and operationally handled in Singapore. This includes hosting, secure file intake, report processing, support, logging, and security operations associated with the service.

Where access, support, subprocessors, or other service operations require information to be processed in another jurisdiction, Beyond Clock may rely on contractual, technical, and organizational safeguards that are appropriate to the transfer and the role we are performing.

If the Customer requires additional transfer commitments, those terms should be addressed in the applicable order form, data processing agreement, or other signed contract.

We retain information for as long as reasonably necessary to provide the service, maintain security, troubleshoot incidents, comply with law, resolve disputes, and enforce agreements.

Deleted files, report data, or account records may persist for a limited period in backups, logs, and disaster recovery systems. De-identified Data and Anonymized/Aggregated Data may be retained longer where permitted by contract and law because they support product integrity, benchmarking, and research use cases.

We use administrative, technical, and organizational safeguards designed to protect data against unauthorized access, loss, misuse, or disclosure. These measures include access controls, role-based handling, logging, and managed infrastructure protections appropriate to the service.

No environment is perfectly secure. Customers and Authorized Users are responsible for protecting credentials, limiting uploads to necessary information, and reporting suspected unauthorized access promptly.

Where Beyond Clock processes Customer Data on behalf of a Customer, individuals should direct access, correction, deletion, restriction, objection, or portability requests to the relevant Customer first. We will assist the Customer with those requests where required by contract or applicable law.

For account-level data or other information that Beyond Clock controls directly, privacy requests may be sent to hello@beyondclock.com. You may request that your personal data be removed or deleted in accordance with applicable data privacy laws. We may request reasonable information to verify identity before acting on a request, and we may apply lawful limitations, retention requirements, or exceptions where permitted.

Questions about this Privacy Policy or the current data handling model may be sent to hello@beyondclock.com. We may update this Privacy Policy from time to time as the service, subprocessors, and contractual model evolve.