Privacy notice

We collect only what is needed to evaluate access requests, deliver the platform to authenticated users, underwrite credit, secure the service, and meet our legal obligations. The categories are:

Account data.

Name, work email, organisation, role, country, and the authentication identifiers held by our identity provider on our behalf. We do not store passwords.

KYC and KYB material.

Government identification, proof of address, ultimate beneficial ownership records, sanctions and politically-exposed-persons screening results, and the supporting documents required to satisfy our obligations under applicable financial-services and anti-money-laundering law.

Financial documents.

Operating, accounting, and treasury records you upload as part of an advisory engagement or credit application — including bank statements, audited and management accounts, ageing schedules, cap tables, contracts, and asset-level reports.

Behavioural and technical metadata.

IP address, device and browser identifiers, pages visited, features used, the referring page, and a salted hash of your IP for fraud-detection linkage. Captured at submission time and at sensitive product actions.

We use personal data for the following purposes:

Underwriting.

Evaluating creditworthiness, structuring facilities, sizing exposure, and supporting human underwriters. AI-assisted scoring informs decisions; a qualified person reviews and approves every credit outcome.

Servicing.

Operating active facilities: drawdowns, repayments, covenant monitoring, restructuring, and customer support.

Marketing (consent only).

Sending product updates and educational content where you have opted in. You can withdraw at any time from any email or by writing to privacy@tanah.ai.

Analytics and product improvement.

Aggregated, pseudonymised measurement of how the product is used so we can prioritise the work that helps customers most.

Regulatory and legal.

Anti-money-laundering, counter-terrorism financing, sanctions screening, tax reporting, regulator inquiries, lawful production orders, and the defence of legal claims.

We rely on one or more of the following bases, depending on the activity and the jurisdiction in which the data subject is located:

Consent.

For marketing communications and any optional data we collect outside what is necessary to deliver a service or meet a legal obligation.

Performance of a contract.

For account creation, advisory engagements, credit applications, loan servicing, and any data needed to perform pre-contractual steps you have requested.

Legitimate interest.

For securing the service, preventing fraud, defending legal claims, and improving the product through aggregated analytics. Subject to a balancing test against your rights and freedoms.

Legal obligation.

For KYC, KYB, AML, sanctions screening, tax reporting, and records that must be retained under financial-services law.

We use a vetted set of third parties to operate the service — authentication, hosting, object storage, error monitoring, log aggregation, transactional email, and large-language-model inference. Each is bound by a written data-processing agreement requiring confidentiality, security controls, and prompt assistance with data-subject requests.

The current authoritative list lives at tanah.ai/subprocessors. We update that page when sub-processors change and notify authenticated customers in advance of material additions where the engagement letter requires it.

Subject to local law, you can ask us to access, correct, erase, or port the personal data we hold about you, withdraw consent for any processing based on consent, restrict or object to processing based on legitimate interest, and lodge a complaint with your local regulator. To exercise any of these, write to privacy@tanah.ai.

We may need to verify your identity before acting on certain requests. We do not charge for reasonable requests. The statutory response windows we commit to in each Southeast Asian jurisdiction we serve are:

Where local law gives you a longer window than the table shows, we will not use the shorter table window to disadvantage you.

Tanah serves Southeast Asia, but the service runs on cloud infrastructure that may process data in Singapore, the United States, the European Union, or another jurisdiction depending on which sub-processor is handling the request. We rely on recognised transfer mechanisms — standard contractual clauses, ASEAN Model Contractual Clauses, intra-group data-transfer agreements, or your explicit consent — and contractually require equivalent safeguards from every sub-processor.

We retain personal data for the periods set out below:

Account and customer data.

For the duration of the engagement, then for the periods required by financial-services record-keeping law. For activities subject to MAS supervision in Singapore this is at minimum 7 years from the end of the relationship; equivalent floors apply in our other regulated jurisdictions.

Waitlist submissions.

Until you ask us to delete them, or for 12 months after we open access in your jurisdiction without onboarding completion, whichever comes first.

Security and audit telemetry.

90 days for routine logs; up to 24 months for records linked to a confirmed fraud or security incident.

Marketing-list data.

Until you withdraw consent.

We use a small number of strictly-necessary cookies (region, language, session, CSRF, authentication) that do not require consent, plus opt-in analytics cookies where local law requires consent. The full classification, including how to manage your preferences, lives in the cookie policy.

Tanah is a business-to-business platform. It is not directed at children, you must be at least 18 years old to use it, and we do not knowingly collect personal data from anyone under 18. If you believe we have, please write to privacy@tanah.ai and we will delete it.

For any privacy question, request, or complaint, write to privacy@tanah.ai. For other legal questions write to legal@tanah.ai. The contracting controller will be confirmed once the operating entity is incorporated; until then, the persons operating the Tanah service handle privacy requests.

We will update this page when our practices change. Material changes will be notified by email to anyone with an active waitlist record or account before they take effect. The Last updated date at the top of this page reflects the most recent revision.