Privacy Policy

Last updated: April 2026

Milestone ("we", "us", "our") is committed to protecting the personal data of our users and their clients. This Privacy Policy explains how we collect, use, store, and share information when you use our service at milestonehq.co.

1. Who We Are & Data Protection Officer

Milestone is a relationship management tool for independent financial advisors. We are based in Singapore and our services are primarily directed at financial advisors in Southeast Asia.

We have designated a Data Protection Officer (DPO) as required under the Singapore Personal Data Protection Act (PDPA). For all privacy enquiries, data access requests, or complaints, contact our DPO directly:

Data Protection Officer, Milestone
Email: [email protected]
General enquiries: [email protected]

2. What Data We Collect

Your account data:

• Name, email address, firm name
• Phone number (for WhatsApp notifications)
• Password (stored as a salted hash — never in plaintext)

Your clients' data (entered by you):

• Names, birthdays, wedding anniversaries
• Phone numbers, LinkedIn profiles
• Assets under management (AUM), life stage, notes
• Call notes and interaction history
• Email correspondence logs

You are responsible for ensuring you have appropriate consent from your clients to store their data in a third-party tool.

3. How We Use Your Data

• To provide the Milestone service (reminders, dashboards, email drafts)
• To send WhatsApp notifications about upcoming client milestones
• To generate AI-powered client insights (see Section 5)
• To verify your email address and authenticate your account
• To send transactional emails (account verification, billing)

4. Data Storage, Security & Cross-Border Transfers

Your data is stored in Cloudflare's infrastructure (Cloudflare D1 database and KV store). Cloudflare operates globally distributed data centres. Data is encrypted in transit (HTTPS/TLS) and at rest.

Passwords are never stored in plaintext. We use salted hashing for all passwords. Sessions expire after 30 days of inactivity.

Cross-border transfers: Some of our third-party service providers are based outside Singapore (including Anthropic and Twilio in the United States). When we transfer personal data overseas, we take steps to ensure it receives a standard of protection comparable to the PDPA, including by relying on contractual data processing agreements with each provider. By using the Service, you consent to these transfers. A list of providers and links to their privacy policies is in Section 5.

5. Third-Party Services

We share data with the following third parties to deliver our service:

• Anthropic — When you use AI Insights, your client's data (name, notes, AUM, life events) is sent to Anthropic's Claude API to generate insights. Anthropic's privacy policy applies: anthropic.com/privacy.
• Twilio — Your phone number and notification content are sent via Twilio's WhatsApp API. Twilio's privacy policy applies: twilio.com/legal/privacy.
• Resend — We use Resend to send transactional emails (e.g. email verification). Your email address is processed by Resend: resend.com/privacy.
• Cloudflare — All infrastructure, including analytics, runs on Cloudflare: cloudflare.com/privacypolicy.

We do not sell your data or your clients' data to any third party.

We have entered into, or rely on, data processing agreements with each of these providers to ensure your data is handled appropriately.

6. Your Rights (PDPA)

Under the Singapore Personal Data Protection Act (PDPA) and equivalent laws in Malaysia, Thailand, and other SEA jurisdictions, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and all associated data at any time (via Settings → Danger Zone)
• Withdraw consent at any time by deleting your account

To exercise these rights or make a data request, email [email protected].

7. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals, we will:

• Notify the Singapore Personal Data Protection Commission (PDPC) within 3 business days of becoming aware of the breach, in accordance with the PDPA (2021 amendments)
• Notify affected individuals as soon as reasonably practicable if the breach is likely to result in significant harm to them
• Take immediate steps to contain and remediate the breach

If you become aware of any potential security issue or breach, please notify us immediately at [email protected].

8. Data Retention

We retain your data for as long as your account is active. When you delete your account, all your data (account, clients, call notes, email log) is permanently deleted from our systems within 30 days.

9. Cookies

We use Cloudflare Web Analytics, which does not use cookies or track individual users. We do not use advertising cookies or tracking pixels.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email. Continued use of the service after changes constitutes acceptance.

11. Contact

For any privacy concerns, data requests, or to reach our Data Protection Officer: [email protected]