Privacy Policy
This Privacy Policy explains how CUI Labs (Pte.) Ltd. ("CUI Labs") collects, uses, shares, and protects personal data when you use Bee or visit bee.cuilabs.io. We act as the controller for data of website visitors and account holders and as the processor for personal data inside Customer Data submitted via the API or workspace (governed by the DPA).
1. Who we are
CUI Labs (Pte.) Ltd. is a private limited company incorporated in Singapore. We are the data controller for personal data described as "controller" data below, including for EEA, UK, and Singapore data subjects. EU/UK representatives are appointed where applicable; contact us via the privacy address.
2. Personal data we collect
- Account data — email, display name, organisation, password hash, OAuth provider id, subscription tier.
- Billing data — Stripe customer id, last-4 of payment method, billing address (we never see full card numbers).
- Product telemetry — request volume, latency, error rates, feature usage. Aggregated and minimised where possible.
- Communications — emails to support / sales / security inboxes; chat with the in-product assistant; contact-form submissions and attachments.
- Inputs and outputs — prompts you submit, files you upload, and responses Bee generates for you. These are Customer Data; we are the processor for these under the DPA.
- Server logs — IP address, user-agent, request method and path; retained 30 days for security investigation.
3. Sources
Most personal data comes directly from you. Some comes from third parties: Stripe (billing metadata), Supabase (authentication), OAuth providers (Google / GitHub / Microsoft, when you choose to use them), and in limited cases public sources for sales contact research.
4. Why we use it
- Operate the service — serve responses, route traffic, scale, render the workspace.
- Bill you — invoicing, payment, dispute handling.
- Secure the platform — anomaly detection, abuse prevention, incident response.
- Comply with law — tax, regulatory, legal-process compliance.
- Improve operational reliability — fix bugs, debug latency, plan capacity. We do not use Customer Data to train the base model.
- Communicate — service updates, billing notices, security bulletins, and (where permitted) marketing you opt into.
5. Legal bases (GDPR / UK GDPR)
- Performance of the contract — operating the service for paid customers.
- Legitimate interests — security, fraud prevention, product analytics; balanced against your rights.
- Consent — optional analytics and marketing cookies; product marketing communications.
- Legal obligation — tax, accounting, court orders.
- For Singapore (PDPA) processing, equivalent grounds (consent, legitimate interests assessment, deemed consent) apply.
6. Sharing and sub-processors
- We do not sell personal data, do not show third-party advertising, and do not share Customer Data with anyone except sub-processors used to run the service.
- Sub-processors are listed in the Data Processing Addendum and updated via the changelog. Customers can subscribe to sub-processor change notifications.
7. International transfers
- We are headquartered in Singapore and use sub-processors in the EU/EEA, UK, and US. Personal data may be transferred to countries outside the country of collection.
- EEA / UK transfers rely on the EU Standard Contractual Clauses (Decision 2021/914) plus the UK Addendum where applicable. APAC transfers comply with the Singapore PDPA's data-transfer provisions.
- Hive-plan and above customers can request EU-only or US-only processing for Customer Data.
8. Retention
- Account data — retained while your account is active and for up to 24 months after closure (for billing/audit/dispute).
- Conversation history — retained per workspace policy (default 90 days; configurable up to 7 years on Enclave).
- Audit logs (Hive+) — 1 year by default, configurable up to 7 years.
- Server logs — 30 days.
- Backups — encrypted backups expire on a 35-day rolling window.
9. Your rights
- EEA / UK / similar regimes: access, rectification, erasure, restriction, portability, and objection.
- California (CCPA / CPRA): the right to know, delete, correct, and limit use of sensitive personal information; the right not to be discriminated against for exercising those rights. We do not 'sell' personal information as defined by the CCPA.
- Singapore (PDPA): access, correction, withdrawal of consent, and complaint to the PDPC.
- Exercise rights by emailing the privacy address. Identity verification is required. We respond within 30 days.
10. Children
Bee is not directed at children under 16. We do not knowingly collect personal data from children under 16 absent verifiable parental consent.
11. Security
We use industry-standard administrative, technical, and physical safeguards. Cryptography on the API path is post-quantum (FIPS 203/204/205) by default. See the Security Practices document for details.
12. Updates
Material changes to this Policy are announced via the changelog and (for account holders) by email at least 30 days before they take effect.
Questions about this document? Contact bee-privacy@cuilabs.io. Service of process: bee-legal@cuilabs.io (CUI Labs (Pte.) Ltd., Singapore).
Counter-signed copies on request. The text on this page is the canonical published version. For procurement teams that need a counter-signed copy of the Terms, DPA, or Order Form, email bee-legal@cuilabs.io. Where there is conflict between this page and an executed counter-signed agreement, the counter-signed agreement controls.