Privacy Policy

Effective 2026-04-30. Replaces all earlier versions.

This policy explains what personal data we collect, why, and how we protect it. Cadences.work plays two different roles depending on the relationship with you, and the policy is structured around that.

1. Who we are

"Cadences.work", "we", or "us" means Nozemans Software Pte. Ltd., a private company limited by shares incorporated in Singapore (UEN 202507332E) with registered office at 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914. Cadences.work is a trade name.

Contact for privacy matters: privacy@cadences.work.

EU Representative (Article 27 GDPR) and UK Representative (Article 27 UK GDPR): being appointed. Once active, each representative's name and address will be published here and on our sub-processors page. Until then, EU and UK supervisory authorities and data subjects may contact privacy@cadences.work.

Singapore Data Protection Officer: Lauren ten Hoor — privacy@cadences.work.

2. The two relationships

2.1 You are a visitor or a direct customer signing up for Cadences.work. In this relationship we are the data controller. Section 3 describes how we handle your data.

2.2 Your employer is our customer. Your employer uses Cadences.work to operate performance feedback, time tracking, and related processes that involve you. In this relationship your employer is the controller, and we are the processor acting on their instructions. Section 4 describes how this works and your rights.

3. When we are the controller

3.1 What we collect

  • Account data — name, work email, employer / company name, role. End-user sign-in is passwordless: we do not store user passwords.
  • Communications — the content of any email, contact-form, or support request you send us.
  • Usage data — IP address (anonymised at collection), device and browser type, pages viewed, timestamps. Collected only after you accept analytics cookies.
  • Billing data — name, email, billing address, VAT / GST identifiers, processed by our payment provider.

3.2 Why we collect it (lawful bases under GDPR)

  • To provide the service you requested — Article 6(1)(b) (contract).
  • To bill and account for the service — Article 6(1)(b) (contract) and 6(1)(c) (legal obligation, tax law).
  • To secure the service and prevent abuse — Article 6(1)(f) (legitimate interest).
  • To improve the product through analytics — Article 6(1)(a) (consent), via our cookie banner.
  • To send you product updates — Article 6(1)(a) (consent), with an unsubscribe link in every message.

3.3 How long we keep it

  • Account data: for the duration of the relationship plus 30 days, unless tax law requires longer (Singapore: 5 years; Netherlands: 7 years for billing records).
  • Support communications: 24 months.
  • Usage / analytics data: 14 months in Google Analytics; aggregated counts may be retained longer.

4. When we are the processor

When your employer (the "Customer") uses Cadences.work, they decide what data to put into the service, how long to keep it, and who has access. We act on their instructions under a Data Processing Agreement.

4.1 What is processed

  • Identification: name, work email, role, organisational relationships (manager, team).
  • Performance feedback content: free-text qualitative comments, ratings, peer evaluations.
  • Time-tracking data: hours worked, projects, tasks, timesheets.
  • Authentication data: end-users sign in passwordlessly via single-use email magic-link / one-time codes (or via your employer's SAML/OIDC identity provider where SSO is configured). We store session metadata and short-lived authentication tokens; we do not store user passwords. Platform-level access logs are retained per our infrastructure providers' defaults (Vercel, Supabase).

4.2 Where to direct requests

For requests about data your employer has put into the service — access, correction, deletion, restriction, objection, portability — please contact your employer in the first instance, as they determine how the data is used. We will support them in fulfilling valid requests, and we will refer any direct request we receive to them without responding to it ourselves, except to confirm the referral.

If your employer does not respond, you can still contact privacy@cadences.work, and we will assist as far as our role permits.

5. International transfers

Nozemans Software Pte. Ltd. is established in Singapore. Customer data is stored in Ireland on our infrastructure providers (Supabase Ireland for the database; Vercel Dublin for application functions). Some sub-processors process data in the United States.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's 2021 Standard Contractual Clauses, supplemented where appropriate by the UK International Data Transfer Addendum and the Swiss amendments. A Transfer Risk Assessment for transfers to Singapore and the United States is available on request.

For Singapore PDPA purposes, the cross-border transfer obligation is met by binding sub-processors to contractual protections comparable to PDPA standards.

6. Sub-processors

We engage a small number of carefully selected sub-processors to deliver the service. The current list, including each sub-processor's role, location, and applicable certifications, is at cadences.work/trust/sub-processors. Customers receive at least 30 days' advance notice before we engage a new sub-processor that processes customer personal data.

7. Your rights

Under GDPR, you have the right to:

  • Access your personal data and obtain a copy.
  • Have inaccurate data rectified.
  • Have your data erased in certain circumstances ("right to be forgotten").
  • Restrict or object to certain processing.
  • Receive your data in a portable format and have it transmitted to another controller.
  • Withdraw consent for any processing based on consent, at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint with a supervisory authority — for example the Autoriteit Persoonsgegevens (Netherlands), CNIL (France), or your local DPA. For Singapore residents, the relevant authority is the Personal Data Protection Commission (PDPC).

To exercise any of these, contact privacy@cadences.work. We will respond within 30 days.

8. Security

We protect personal data with administrative, technical, and physical safeguards including encryption in transit and at rest, multi-factor authentication on administrative accounts, role-based access control, platform-level access logging, and automated dependency-vulnerability scanning. For details see our Trust & Security page.

9. Cookies

Cadences.work uses strictly necessary cookies to operate the service, and analytics cookies (Google Analytics 4) only after you consent via our cookie banner. We do not load advertising cookies. You can change your preferences at any time from the "Cookie settings" link in our footer.

10. Children

The service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@cadences.work and we will delete it.

11. Changes to this policy

We will update this policy when our practices change. The "Effective" date at the top reflects the current version. For material changes that affect your rights, we will notify you by email or in-app notification with reasonable advance notice — typically 30 days — before the change takes effect.

12. Complaints

If you are unhappy with how we have handled your data, please tell us first at privacy@cadences.work — we will work to resolve it. You also have the right to lodge a complaint with your local supervisory authority at any time.