Legal
Privacy Policy
Effective 26 April 2026 · Version 0.1
1. Who we are
Composites Bridge ("we", "us", "the platform") is operated by Composites Bridge Pte Ltd, a private limited company registered in Singapore (the "Principal Controller"). For event-execution data tied to the in-person edition of Composites Bridge — South East Asia 2027 at QSNCC Bangkok, our operating partner Messe Asia Co., Ltd. (registered in Bangkok, Thailand) acts as joint controller under a written Operating Partner Agreement.
Two privacy regimes apply to our processing because the platform spans two jurisdictions: the Singapore Personal Data Protection Act 2012 (Singapore PDPA) and Thailand's Personal Data Protection Act B.E. 2562 (2019) (Thailand PDPA). Where they diverge, the regime that gives you the stronger protection applies.
Contact our privacy team: [email protected]
2. What data we collect
We collect personal data in five ways:
- When you sign in. If you sign in with Google or Microsoft Entra ID we receive your work email, display name, and the company tenant identifier from that provider. If you use our email magic-link sign-in instead, we only receive the email address you type in.
- When you onboard as a buyer. Your declared company name, country, website, and procurement intent (industry, material, process, region preference, volume band, urgency, free-text notes) — used to seed the matchmaking engine described in section 4.
- When you onboard as a supplier or exhibitor. Your declared company name, country, website, capability matrix (material × process × certification × geography), AS9100 / ISO certification evidence, and Digital Product Passport (DPP) records. Certification PDFs are stored in a private Cloudflare R2 bucket; access is via signed URL only.
- When you post or respond to an RFQ. The buyer-side spec sheet, drawing files, and BOM you upload; the supplier-side technical brief, unit price, lead time, and self-declared CBAM Scope-3 figure. Visibility is governed by the RFQ visibility setting (matched-only, verified-suppliers, or public).
- When you use the platform. Our edge servers automatically log basic request metadata (IP address, user-agent, timestamps) for security and abuse prevention.
What we don't treat as sensitive. Composites Bridge is a B2B procurement platform. We do not solicit or process health, racial, political, religious, biometric, or sexual-orientation data. Government export-control declarations (ITAR / EAR / EU dual-use) are processed under contractual necessity for the specific RFQs they apply to.
3. Cookies and local storage
When you first visit the site you will see a cookie banner. You can accept all, reject non-essential, or customise your choices by category. Your decision is stored in a first-party cookie (cb-cookies) for 12 months; you can change or withdraw consent at any time via the “Cookie settings” link in the footer.
We group cookies into four categories:
- Strictly necessary (always on, exempt from consent under Thailand PDPA §24(5) / Singapore PDPA First Schedule) — NextAuth session cookie, CSRF cookie, theme preference (cb-theme), and the consent record itself (cb-cookies).
- Analytics (opt-in) — anonymous first-party usage signals such as which directories are most visited. We do not run any third-party analytics today; your choice applies the moment we enable any.
- Preferences (opt-in) — non-essential settings such as saved directory filters, language, or default currency.
- Marketing (opt-in) — campaign-response measurement so we can avoid over-emailing buyers and exhibitors. Not currently active.
We do not use advertising cookies or third-party analytics that track you across other websites. If that ever changes, we will bump the consent version and re-prompt you before loading any new category.
4. Why we process your data (purposes + legal basis)
Consent is captured per purpose. Each consent is logged individually in our email_consents ledger so that you can withdraw any one purpose without affecting the others. Processing purposes and the basis we rely on:
- Account & platform operation. Contractual necessity. We create your account, verify ownership of company listings, and deliver features you request (RFQ posting, directory access, dashboard).
- Stable matchmaking (Gale–Shapley engine). Contractual necessity. Your declared procurement intent is used to compute mutually preferred buyer-supplier pairs. Once a match is computed, your company name, country, sector tags and procurement-intent summary are shared with the matched counter-party. Personal contact details are never auto-shared — they exchange only after both parties accept the match in-platform.
- Certification verification (AS9100, ISO, NADCAP, ITAR, etc.). Contractual necessity. Supplier-uploaded certificate PDFs are reviewed by our verification team. The certification status (verified / pending / expired) is shown publicly on your supplier profile; the underlying PDF is never made public.
- CBAM & sustainability disclosure (Digital Product Passport). Contractual necessity for buyers who specify a CBAM-Scope-3 ceiling on their RFQ; legitimate interest for general supplier transparency. Self-declared figures are flagged as such; auditor-attested figures display the auditor's name.
- Transactional email (magic-link sign-in, match notifications, RFQ status, payment receipts). Contractual necessity.
- Marketing email. Explicit opt-in consent only. Thailand PDPA Section 80 imposes criminal liability for marketing sends without an audited consent trail; we treat the email_consents ledger as the sole source of truth and never send to any address that lacks a consent row for the "marketing" purpose.
- Fraud / abuse prevention & platform security. Legitimate interest, balanced against your privacy rights.
- Legal & tax records. Legal obligation (Singapore IRAS + Thailand Revenue Department retention rules — typically 5 years for invoices, 7 years for tax filings).
5. Who we share data with (subprocessors)
We share personal data only with the service providers we rely on to run the platform, under written data-processing agreements that oblige them to protect your data:
- Cloudflare, Inc. — hosting (Workers & Pages), database (D1), object storage (R2), and DNS. Primary storage is in the Asia-Pacific region.
- Resend, Inc. — transactional email, including magic-link sign-in emails, match notifications, and RFQ status alerts.
- Stripe, Inc. — payment processing for paid exhibitor tiers and Founding Exhibitor agreements. Stripe processes card data in the United States under the Stripe Standard Contractual Clauses.
- Google LLC and Microsoft Corporation — as OAuth providers when you choose to sign in with Google Workspace or Microsoft Entra ID. Their own privacy policies govern what they share with us.
- Anthropic PBC — powers the AI sales agent and RFQ summarisation. Where the agent processes your text, we send only the minimum data needed to answer the specific request and do not allow retention for model training.
- Messe Asia Co., Ltd. — Operating Partner for on-site event execution at QSNCC Bangkok. Acts as joint controller for badge issuance, attendance logs, and Thai vendor coordination only.
We do not sell personal data and we do not share personal data with advertisers. Listings marked published in our public directories are visible to anyone who visits the site — that is the point of a directory, but it is not the same as sharing your private data.
6. Where your data is stored (international transfers)
Your account, RFQ, and entity data are stored in Cloudflare D1 databases located in the Asia-Pacific region (primary). Email delivery via Resend, payment processing via Stripe, and AI summarisation via Anthropic may transit servers in other regions including the United States. Where data leaves Singapore or Thailand we rely on the safeguards required by both PDPAs:
- Singapore PDPA — Transfer Limitation Obligation. Subprocessors are bound by a written contract that affords a standard of protection comparable to the Singapore PDPA.
- Thailand PDPA — Section 28 cross-border transfer. Subprocessors are bound by Standard Contractual Clauses equivalent to those approved by the Personal Data Protection Committee (PDPC) of Thailand.
7. Your rights
Whether you are a Thai or Singapore data subject, you have the right to:
- Access — obtain a copy of your personal data.
- Rectify — correct data that is inaccurate or incomplete.
- Erase — ask us to delete your data, subject to legal retention.
- Restrict / Object — limit or object to processing based on legitimate interest.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — per purpose, at any time, with effect from the point of withdrawal.
- Lodge a complaint — with the PDPC of Thailand or the PDPC of Singapore.
You can exercise most of these rights directly from your privacy dashboard (download your data, withdraw a per-purpose consent, delete your account), or by emailing [email protected]. We aim to respond within 72 hours for urgent requests (account deletion, consent withdrawal, breach reports) and within 30 days for other rights requests, in line with Thailand PDPA Section 30.
8. How long we keep your data
We retain your account data for as long as your account is active. When you delete your account, we remove your personal data within 30 days, except where Singapore or Thai law requires us to keep specific records — financial records for tax audits (5 years Singapore IRAS / 7 years Thailand Revenue Department), and AS9100 / cert-verification audit trails for as long as the certification is referenced in any open RFQ. Anonymised, aggregated statistics about platform use may be kept indefinitely.
9. Security
We take reasonable technical and organisational measures to protect your data: TLS everywhere, passwordless authentication (no password databases to leak), scoped access to the production database, RFQ technical attachments stored in private R2 buckets with signed-URL-only access, and regular review of our third-party subprocessors. No system is perfectly secure. If we discover a breach that affects your data we will notify you and the relevant supervisory authority (PDPC Thailand under PDPA §37; PDPC Singapore under PDPA §26D) within 72 hours of becoming aware.
10. Minors
Composites Bridge is a B2B procurement platform intended for verified business representatives. The platform is not intended for users under 18 years of age. If we learn that we hold data on a minor, we will delete it.
11. Changes to this policy
We may update this policy from time to time. If the changes are material we will notify you by email (to the address on your account) at least 14 days before they take effect. The current version number and effective date are shown at the top of this page.
12. Contact us
Composites Bridge Pte Ltd (Principal Controller)
Singapore
Messe Asia Co., Ltd. (Joint Controller — event execution)
Bangkok, Thailand
Email: [email protected]
Regulators: Personal Data Protection Commission (PDPC) of Singapore; Office of the Personal Data Protection Committee (PDPC), Thailand (Ministry of Digital Economy and Society).