Privacy Policy

1. Introduction

DirectorSphere (“we”, “our”, “us”) operates a confidential board and advisory appointment platform for senior executives and appointing organisations. We are committed to protecting the privacy and personal data of all members, applicants and visitors.

This Privacy Policy explains how we collect, use, store, protect and share personal data when you use the DirectorSphere platform and website. DirectorSphere handles sensitive professional information including board biographies, conflict declarations, confidential mandate details, professional documents and controlled introductions. We treat all such information with the highest level of discretion.

2. Scope of this Policy

This policy applies to all personal data collected through the DirectorSphere platform, website and related services, including data provided during admission applications, profile creation, mandate submissions, introductions, document uploads, communications and account management. It applies to directors, appointing organisations, visitors and any other individuals whose personal data we process.

3. Singapore PDPA and APAC Expansion

DirectorSphere is operated from Singapore and is designed to comply with the Personal Data Protection Act 2012 of Singapore (PDPA), as amended from time to time.

As DirectorSphere expands across APAC, we may also comply with other applicable privacy and data protection laws in the jurisdictions where we operate or where our members are located.

Where members are located in jurisdictions with their own data protection frameworks, we will take reasonable steps to meet applicable requirements. However, the PDPA is the primary governing framework for our data protection practices.

4. Personal Data We Collect

We collect the following categories of personal data:

Admission and account information: Name, email address, password, professional title, current organisation, seniority level, LinkedIn profile URL and other information provided during the admission application process.

Board biography and professional profile: Board proposition, executive summary, board and committee experience, sector experience, functional expertise, geographic operating experience, governance qualifications, appointment history, appointment preferences, availability, transaction and transformation experience, and other professional details.

Conflict declarations and sensitivities: Conflict of interest declarations, regulatory restrictions, non-compete obligations, political or reputational sensitivities and related notes.

Documents: Board CVs, professional references, governance certificates, identification documents and other files uploaded to the platform, together with associated visibility settings.

Company and mandate information: For appointing organisations, we collect company name, type, sector, headquarters, board composition requirements, succession context, governance needs, remuneration details, timeline, confidentiality preferences and other mandate details.

Introduction and engagement records: Expressions of interest, conflict check outcomes, confidentiality protocol records, identity reveal consents, introduction status and related communications.

Usage data: Information about how you interact with the platform, including pages visited, features used, timestamps and device information.

Communications: If you contact us directly, we retain the content of your correspondence along with your contact details.

5. How We Collect Personal Data

We collect personal data in the following ways:

• Directly from you when you register, complete your profile, submit an admission application, upload documents, submit a mandate, express interest in an opportunity or communicate with us.
• Automatically through your use of the platform, including session data, device information and usage patterns.
• From third-party sources where you authorise us to collect information, such as identity verification services.

6. How We Use Personal Data

We use personal data for the following purposes:

• To operate, maintain and improve the DirectorSphere platform.
• To process and review admission applications and assess suitability for membership.
• To create and maintain anonymised director profiles for controlled discovery by appointing organisations.
• To facilitate controlled introductions between directors and appointing organisations.
• To conduct internal conflict checks and assess introduction suitability.
• To manage confidentiality protocols, identity reveal consents and introduction processes.
• To manage document visibility and access controls.
• To communicate with you about your account, admission status, mandates, introductions and platform activity.
• To process payments and manage billing where applicable.
• To comply with legal and regulatory obligations.
• To prevent fraud, enforce our terms and protect the security of the platform.

7. Consent, Notification and Purpose

Under the Singapore PDPA, we collect, use and disclose personal data only where:

• You have given consent, including consent given at the time of registration, during the admission process, or through specific consent mechanisms within the platform (such as identity reveal consent).
• You are deemed to have consented under applicable law, for example where you voluntarily provide personal data for a purpose that is reasonable in the circumstances.
• Collection, use or disclosure is required or authorised by law.
• Collection, use or disclosure is necessary for legitimate business purposes permitted under the PDPA, including the provision of services you have requested.

By using DirectorSphere, you acknowledge that you have been notified of the purposes for which your personal data is collected, used and disclosed as described in this policy.

8. Confidentiality, Anonymisation and Controlled Disclosure

DirectorSphere is built around controlled introductions. We do not operate an open profile marketplace. Director identities and company mandate details are disclosed progressively and only where appropriate for the relevant stage of the introduction process.

The following principles govern how information is shared on the platform:

• Director profiles are not publicly visible. They are only accessible within the platform by authorised parties at the appropriate stage.
• Director identities are not openly visible to appointing organisations or other members. Before the confidentiality protocol and identity reveal stages, appointing organisations may only see anonymised or redacted profile information.
• Names, contact details, current organisation, LinkedIn profile, identifying career details and private documents are not shared before the relevant consent and disclosure stage has been completed.
• A director’s identity is only revealed for a specific mandate after the required confidentiality protocol and identity reveal consent process has been completed.
• Company mandate information may also be anonymised or redacted before disclosure to directors.
• DirectorSphere may conduct internal review before deciding whether to introduce a director to a mandate.

9. Who Can See Your Information

DirectorSphere internal team may access:

• Admission application details and professional background.
• Board biography and profile information.
• Conflict declarations, restrictions and sensitivities.
• Preferences and settings.
• Uploaded documents, subject to access settings.
• Introduction history and engagement records.

Appointing organisations may see:

• Anonymised director profiles, including non-identifying expertise, sector experience and governance credentials.
• Selected documents only where the correct visibility stage has been reached.
• Full director identity only after completion of the confidentiality protocol and identity reveal consent.

Directors may see:

• Anonymised mandate summaries, including mandate reference, appointment type, sector, geography, governance context and confidentiality level.
• Company identity only when the controlled introduction process permits it.

Service providers may process personal data only to the extent necessary to operate the platform, under contractual obligations consistent with this policy.

10. Director Documents and Visibility Controls

Documents uploaded to DirectorSphere are not automatically shared with appointing organisations. Directors control document visibility through the following settings:

• Private to me: Visible only to the director. Not accessible by DirectorSphere staff or appointing organisations.
• DirectorSphere only: Visible to the DirectorSphere internal team for assessment and suitability review. Not shared with appointing organisations.
• Visible after confidentiality protocol: Shared with an appointing organisation only after the Mutual Confidentiality Protocol has been executed for a specific mandate.
• Visible after identity reveal: Shared only after the director has given explicit identity reveal consent for a specific mandate.
• Visible for selected mandate only: Shared with a specific appointing organisation for a specific mandate, subject to the relevant disclosure stage.

11. Conflict Declarations and Sensitive Professional Information

Conflict declarations, restrictions, sensitivities, regulatory matters and related notes are used by DirectorSphere to assess suitability and manage introduction risk. They are not shared with appointing organisations unless disclosure is necessary for a specific mandate and the director has consented, or where disclosure is required by law.

12. Company Mandate Confidentiality

Company mandate details, board requirements, succession issues, governance concerns, ownership information and confidential appointment needs may be treated as confidential information. DirectorSphere may anonymise or redact such information before sharing it with directors. Full company and mandate details are disclosed only at the appropriate stage of the introduction process.

13. Service Providers

We do not sell personal data to third parties. We use trusted service providers to operate the platform, including:

• Supabase for data hosting and database services.
• Vercel for application hosting and delivery.
• Stripe for payment processing where applicable.

These providers process personal data on our behalf under contractual obligations that require them to protect personal data and use it only for the purposes we specify.

14. International Transfers

Our platform infrastructure and service providers may process personal data outside Singapore. Where we transfer personal data outside Singapore, we will take reasonable steps to ensure that the recipient provides a standard of protection comparable to the protection under the PDPA.

These steps may include contractual arrangements with service providers that require them to protect personal data to a standard consistent with the PDPA, or transferring data only to jurisdictions with comparable data protection standards.

15. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit using TLS/SSL.
• Secure authentication and password management.
• Role-based access controls limiting data access to authorised personnel.
• Document access controls and confidentiality-stage gating.
• Least-privilege access principles for internal systems.
• Access logging where available.
• Periodic security reviews.

No method of transmission or storage is completely secure, but we take reasonable steps to protect personal data in our possession or under our control.

16. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to operate the platform, to maintain introduction records, to comply with legal obligations, to resolve disputes, to enforce agreements and for legitimate business record-keeping.

When an account is closed, we will delete or anonymise personal data within a reasonable period, unless retention is required or permitted for legal, regulatory, audit, dispute-resolution or legitimate business purposes.

We aim to delete or anonymise inactive account data within 90 days of account closure where there is no continuing legal, contractual, audit or legitimate business reason to retain it. Certain records, such as signed confidentiality protocols, introduction records and audit trails, may be retained for longer periods as required.

17. Access, Correction and Withdrawal of Consent

Under the Singapore PDPA, you have the following rights:

• Access: You may request access to the personal data we hold about you.
• Correction: You may request correction of personal data that is inaccurate or incomplete.
• Withdrawal of consent: You may withdraw consent for the collection, use or disclosure of your personal data at any time, subject to legal or contractual consequences. We will inform you of the likely consequences of withdrawal.
• Deletion or account closure: You may request deletion of your personal data or closure of your account, subject to legal and business retention requirements.

To exercise your rights under the PDPA, please contact our Data Protection Officer at hello@directorsphere.com. We will respond within a reasonable time in accordance with the PDPA.

18. Marketing and Service Communications

We may send service communications relating to your account, admission status, mandates, introductions, confidentiality protocols and platform changes. These are operational communications necessary for the provision of our services.

We will only send marketing communications where permitted under applicable law. You may opt out of marketing communications at any time by using the unsubscribe mechanism provided or by contacting us.

19. Cookies and Analytics

We use essential cookies to maintain your session, authenticate your identity and ensure the security of the platform.

We may use analytics tools to understand how members use the platform and to improve our services. Analytics data is aggregated or anonymised where practical and is not used to identify individual users.

We do not use third-party advertising cookies.

20. Children and Under-18s

DirectorSphere is intended for business users and senior professionals. It is not intended for children or individuals under 18 years of age. We do not knowingly collect personal data from individuals under 18.

21. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, platform features or legal requirements. Material changes will be communicated via email or a notice on the platform. We encourage you to review this policy periodically.

22. Data Protection Officer and Contact

DirectorSphere has appointed a Data Protection Officer to oversee our personal data protection practices. If you have questions about this policy, wish to access or correct your personal data, withdraw consent or make a complaint, please contact:

23. Complaints

If you have a complaint about how we handle personal data, please contact our Data Protection Officer first so we can try to resolve it.

If you are not satisfied with our response, you may contact the Personal Data Protection Commission of Singapore (PDPC).