Privacy Policy
Last updated: 6/5/2026
Human Layer Lab Pte. Ltd. Last updated: 5 June 2026
1. Introduction
Human Layer Lab Pte. Ltd. (UEN 202616831M) ("Human Layer Lab", "we", "us", or "our") is a company registered in Singapore. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI workforce design platform (the "Service").
This policy applies to all users of the Service. Where we process personal data on behalf of a customer organisation, we do so as a processor under that organisation's instructions, and our Data Processing Addendum governs that processing.
2. Information We Collect
2.1 Information You Provide
Account information:
- Name and email address
- Organisation name and your role within it
- Profile preferences
By default we use passwordless sign-in, either through single sign-on (SSO) or a one-time sign-in code. A password option is also available through our identity provider if you choose to use one.
Organisation data:
- Company name, size, and industry
- Workforce structure, role definitions, and configurations you create or upload
- Documents and knowledge you choose to add to the platform
2.2 Information We Collect Automatically
- Pages visited and features used
- Session activity, including session replays used to operate and improve the Service
- Device type and browser information
- IP address and approximate location
- Log files, error reports, and performance metrics
You can control optional analytics and tracking through your browser and cookie settings (see Section 10).
2.3 Optional Connected Data Sources
The Service can connect to systems your organisation already uses (for example GitHub, Linear, and AI usage telemetry from providers such as Anthropic and OpenAI) to measure whether AI adoption is landing.
These connections are entirely optional and off by default. They are configured only when an organisation administrator explicitly authorises them. The Service is fully functional without any of this data. Where a connection is enabled and the connected system returns user names, email addresses, or individual usage data, we process it only to provide the measurement features the organisation has turned on, and only for as long as the connection is active.
2.4 Insights We Generate
Our analysis produces derived outputs from the data in your account, including task-level role analysis, automation potential scoring, capacity mapping, skills intelligence, and Living Job Descriptions.
These outputs are estimates produced to support human decision-making. They are not factual determinations and are not designed to replace human judgement.
2.5 Public Data We Use
We enrich our analysis using data crawled from publicly available sources, such as job postings, skills taxonomies, and published industry research. This data is not derived from any customer's data, and we do not collect personal information about individuals outside the platform from these sources.
2.6 Optional Compensation Data
Organisations can choose to provide salary or compensation data to support certain analysis. This is entirely optional and off by default. The Service is fully functional without it. Where an organisation provides it, we process it only to support the features that organisation has enabled.
3. How We Use Information
3.1 To Provide the Service
- Delivering workforce analysis and the platform's features
- Generating the insights and documents described above
- Processing and displaying your organisation's data
- Enabling collaboration within your organisation
3.2 We Do Not Train AI Models on Customer Data
We do not use customer data to train, fine-tune, or otherwise develop AI models. This applies to customer data in any form, including anonymised or aggregated derivatives.
We do not opt in to any of our AI providers training their models on data we send through their APIs. We do not share customer data with any third party for the purpose of training AI models.
Where customers choose to give us feedback on outputs, we use it to operate and support their account. We do not use customer data to train models.
Improving our Service through aggregate, de-identified analytics (see Section 3.3) is separate from AI model training. It does not involve using customer data to train, fine-tune, or develop AI models.
3.3 To Improve and Secure the Service
- Analysing aggregate, de-identified usage patterns to improve features
- Debugging and performance optimisation
- Detecting and preventing fraud, abuse, and security threats
3.4 To Communicate
- Sending service notifications, security alerts, and updates
- Responding to support requests
- Sharing product announcements, where you have consented
3.5 To Meet Legal Obligations
- Complying with applicable law
- Enforcing our Terms of Service
- Responding to lawful requests from authorities
4. AI Processing
4.1 How AI Processes Your Data
Our analysis uses large language models provided by third-party AI providers to process inputs such as role titles, Living Job Description content, task and skill information, knowledge base entries, and agent conversation content. We send this data to providers via their APIs. We do not use it to train AI models, and our providers do not train on it (see Section 3.2 and our sub-processor list in the DPA).
4.2 No Automated Employment Decisions
We do not use automated decision-making to make employment decisions. All AI outputs are advisory, designed for human review, non-binding, and clearly identified as AI-generated.
4.3 No Solely-Automated Significant Decisions
We do not subject individuals to decisions based solely on automated processing that produce legal or similarly significant effects. Significant decisions require human oversight.
5. Sharing and Disclosure
5.1 Service Providers (Sub-processors)
We share data with the sub-processors needed to run the Service (hosting, database, AI processing, web search and research, analytics, authentication, email, and billing). Our current sub-processors and their roles are listed in our Data Processing Addendum. Each sub-processor is engaged under its own standard terms, including its own data protection terms.
5.2 Legal Requirements
We may disclose data where required by law, court order, or a governmental authority, or to protect our rights, prevent fraud or abuse, or ensure safety.
5.3 Business Transfers
In a merger, acquisition, or sale of assets, data may be transferred to the successor entity, subject to this policy.
5.4 With Your Consent
We share data with other third parties only where you have consented.
6. Data Retention
We retain personal data for as long as your account is active and for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
You may request the return or deletion of your data at any time. On a verified deletion request, we delete personal data within 30 days, subject to legal retention requirements. De-identified aggregate data may be retained.
Operational logs and backups are held on rolling windows and overwritten in the normal course of running the Service.
7. Security
7.1 Technical Measures
- Encryption in transit (TLS) and at rest
- Role-based access controls
- Authentication via our identity provider, supporting passwordless sign-in and single sign-on
- Append-only audit logging
- Regular security review
7.2 Organisational Measures
- Security policies and staff awareness
- Access limited to personnel who need it
- Incident response procedures
7.3 SOC 2
We are working toward a SOC 2 Type II report. Our security program is built to the SOC 2 Trust Services Criteria, and we are progressing through the audit process with our compliance and audit partners. We can share our current security documentation and roadmap on request under NDA. We do not currently hold a completed SOC 2 report.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, port, object to, or restrict the processing of your personal data.
Where we process personal data on behalf of a customer organisation, please direct requests to that organisation; we will assist them as their processor.
To exercise your rights directly, contact us at [email protected]. We will respond within the timeframe required by applicable law, and in any event within 30 days.
9. Privacy Laws and Cross-Border Transfers
9.1 Applicable Laws
As a Singapore-registered company serving customers in Australia, New Zealand, and Singapore, we handle personal data in line with:
- The Singapore Personal Data Protection Act (PDPA)
- The Australian Privacy Act 1988 and the Australian Privacy Principles
- The New Zealand Privacy Act 2020
We do not currently target individuals in the EU or UK. If we process the personal data of individuals in those regions in future, we will apply the additional requirements of the EU and UK GDPR.
9.2 Cross-Border Transfers
Our infrastructure and AI providers are primarily located in the United States, so personal data may be processed outside your jurisdiction. Where we transfer personal data internationally, we apply appropriate contractual safeguards consistent with the Singapore PDPA, the Australian Privacy Principles, and the New Zealand Privacy Act 2020, so that it receives a comparable standard of protection. If we take on customers whose data is subject to the EU or UK GDPR, we will put the appropriate transfer mechanisms (such as Standard Contractual Clauses and the UK Addendum) in place at that time.
10. Cookies and Tracking
Essential cookies are required for the Service to function (session management, authentication, security). We also use analytics, including session replay, to understand usage and to operate and improve the Service. Analytics data is handled through our analytics provider and is not exposed as a separate product feature. You can limit optional cookies through your browser settings; disabling essential cookies may affect functionality.
11. Children's Privacy
The Service is not intended for anyone under 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through the Service.
13. Contact
Human Layer Lab Pte. Ltd. Contact: [email protected]
Exercise your data rights
To access, correct, export or delete the personal data we hold about you, submit a request and we will respond within the timelines described above.
Submit a data request


