Privacy
Policy.

1. Who we are

DYRE is a product designed and operated in Singapore. Our service consists of a NFC travel ID system that allows tag owners to receive messages from finders and manage their tags through our platform at bydyre.com.

For the purposes of the PDPA, DYRE acts as the data controller for personal data collected through this website and service.

2. What personal data we collect

We collect only what is necessary to operate the service. This includes:

• Email address — provided when you join the waitlist, sign in, or register a tag
• Finder messages — free-text messages submitted by finders through a tag page, which are forwarded to the tag owner
• Location data — approximate geographic location shared voluntarily by a finder when submitting a contact message. This is optional and requires explicit browser permission
• Session data — a temporary session token stored in your browser URL hash to keep you signed in, valid for 24 hours
• Referral data — a referral code and, if applicable, the code of the person who referred you, used to calculate waitlist discounts

We do not collect names, phone numbers, payment details, or any other personal data beyond the above.

3. How we use your data

Your personal data is used solely for the following purposes:

• To send you a confirmation email when you join the waitlist
• To send you a sign-in link when you request access to your account
• To forward finder contact messages to the tag owner's email address
• To calculate and track referral discounts on your waitlist spot
• To operate and improve the DYRE service

We do not use your data for advertising, profiling, or any purpose beyond what is listed above. We do not sell your data to third parties.

4. Legal basis for processing

Under the PDPA, we collect and use personal data on the following bases:

• Consent — by submitting your email address on our waitlist form or sign-in page, you consent to us contacting you for the stated purposes. You may withdraw consent at any time by contacting us
• Contractual necessity — once you register a tag, we process your email address to deliver the core features of the service (sign-in links, finder notifications)
• Legitimate interests — we retain minimal session and referral data to operate the service securely and correctly

5. Data storage and security

Your data is stored in an Upstash Redis database hosted on servers in a secure cloud environment. We implement the following safeguards:

• All data is transmitted over HTTPS (TLS)
• Session tokens are cryptographically random (256-bit) and expire after 24 hours
• Magic sign-in links expire after 15 minutes and can only be used once
• Waitlist confirmation tokens expire after 24 hours
• Finder contact messages do not include the tag owner's email address or any identifying details in their response to the finder

While we take reasonable precautions, no internet-based service can guarantee absolute security. We will notify affected individuals and the Personal Data Protection Commission (PDPC) of any data breach as required under the PDPA's mandatory breach notification obligation.

6. Data retention

We retain your personal data only for as long as necessary:

• Waitlist signups — retained until you request removal or until DYRE ceases operations
• Tag and account data — retained for as long as your account is active. You may reset or delete your tags at any time from your dashboard
• Finder contact messages — retained until you delete them from your dashboard, or until your account is closed
• Session tokens — automatically expire after 24 hours
• Pending sign-up tokens — automatically expire after 24 hours

7. Disclosure to third parties

We share your data with the following third-party service providers solely to operate the service:

• Resend (resend.com) — used to send transactional emails (confirmation, sign-in links, finder notifications). Your email address is passed to Resend for this purpose
• Upstash (upstash.com) — cloud database provider where your data is stored
• Netlify (netlify.com) — hosting and serverless function provider
• OpenStreetMap / Nominatim — used to reverse-geocode location coordinates shared voluntarily by finders. No personal data beyond the coordinates is transmitted

These providers process data on our behalf and are not permitted to use it for their own purposes. We do not share data with any other third parties.

We will disclose personal data if required to do so by Singapore law or a valid legal order.

8. Your rights under the PDPA

Under the Personal Data Protection Act 2012, you have the following rights:

• Right of access — you may request a copy of the personal data we hold about you
• Right of correction — you may request that we correct any inaccurate or incomplete personal data
• Right of withdrawal of consent — you may withdraw your consent at any time. This will not affect the lawfulness of processing carried out before withdrawal
• Right of data portability — you may request your data in a structured, machine-readable format where technically feasible

To exercise any of these rights, contact us at brendon@bydyre.com. We will respond within 10 business days as required under the PDPA.

9. Cookies and local storage

We do not use cookies. We use localStorage in your browser solely to remember your waitlist referral code so the referral panel remains visible if you return to the page. No tracking or advertising cookies are used.

10. Children's data

Our service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated via email to waitlist subscribers where required.

Continued use of the service after any changes constitutes your acceptance of the updated policy.

12. Contact and complaints

If you have any questions about this policy or how we handle your personal data, please contact us:

• Email: brendon@bydyre.com
• Website: bydyre.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg.