Is this only for startups?

Not at all. We work with growing startups, SMEs, and even individual departments in enterprise or government configurations in Singapore who need senior tech leadership, cloud help, AI, or compliance support - but aren't ready (or shouldn't be) hiring a full-time CTO yet.

Do you only advise, or do you actually build things?

Both. We give you the senior judgment, then roll up our sleeves. We can assess, design, build, or lead your internal and external teams through it.

Can you help with SOC 2 or ISO 27001?

Yes - that's bread and butter for us. We focus on the technical side: engineering controls, infrastructure hardening, access management, evidence collection, incident response, and the day-to-day processes that keep you audit-ready.

What kind of AI projects do you take on?

Practical things that actually move the needle - internal knowledge tools, document processing, customer ops, reporting automation, engineering productivity, and bespoke AI workflows tailored to how your business actually runs.

How are you different from a software agency?

Agencies sell you delivery capacity. We bring senior technical leadership, architecture, risk thinking, and change management - tied to outcomes you actually care about.

How is this different from hiring a CTO?

A fractional setup gets you senior judgment and execution support now, without the cost or commitment of a full-time exec hire you might not be ready for yet.

Aijutsu

Let's Chat

Legal · Privacy

Privacy Policy

Effective date: 4 May 2026

This policy explains how Aijutsu collects, uses, and protects personal data when you visit aijutsu.dev or engage us as a client. It is written primarily for a Singapore audience under the Personal Data Protection Act 2012 (PDPA), and also includes the disclosures required for visitors and clients in the European Economic Area (EEA), the United Kingdom, and the United States.

1. Who we are

Aijutsu is a Singapore-based fractional technology leadership practice (“Aijutsu”, “we”, “us”, “our”). We provide advisory and delivery services across cloud, AI, compliance, infrastructure, internal tooling, and software delivery to founders and SMEs.

For the purposes of the PDPA we are the organisation responsible for the personal data described below. For the purposes of the EU and UK GDPR we act as a controller for personal data we collect about website visitors and prospective clients, and as a processor for personal data our clients ask us to handle on their behalf during an engagement (governed by a separate Data Processing Agreement).

Contact for any privacy question, request, or complaint: hello@aijutsu.dev.

2. Personal data we collect

2.1 Information you give us

Contact details when you email us, book a call, or respond to a proposal — typically your name, work email, company, role, and anything you choose to share about your situation.
Engagement information when you become a client — contracts, billing details, project notes, meeting recordings or transcripts (only where you’ve agreed), and operational artefacts shared with us during the engagement.
Correspondence — the content of emails, messages, and documents you send us.

2.2 Information collected automatically

Usage and device data — IP address, approximate location (country / region), browser type, device type, referring URL, pages viewed, and timestamps.
Analytics events — page views and basic interaction events recorded by Google Analytics (measurement ID G-NKXSEFZV1M), with IP addresses truncated by Google before storage.
Cookies and similar technologies — see Section 7.

2.3 Information from third parties

We may receive your contact details from a mutual introduction (for example, an existing client referring you), from publicly available business sources (e.g. LinkedIn, your company website), or from sub-processors we use to run the business (e.g. our calendar or email provider). We do not buy marketing lists.

We do not knowingly collect personal data from children under 13 (or under 16 in the EEA / UK), and our services are not directed at children.

3. Why we use your personal data

We use personal data only for the purposes set out below.

Responding to enquiries — to reply to messages, schedule calls, send proposals, and follow up on conversations you started.
Providing services — to deliver the engagement we’ve been hired for, including the artefacts, advice, and tooling agreed in the statement of work.
Running the business — invoicing, accounting, tax, internal records, and statutory reporting.
Improving the website — measuring traffic patterns and content performance in aggregate, and diagnosing technical issues.
Security and integrity — preventing fraud, abuse, and unauthorised access, and protecting our systems and clients.
Legal and regulatory compliance — complying with applicable laws, responding to lawful requests from authorities, and defending legal claims.

4. Legal bases (EEA / UK)

If you are in the EEA or the UK, we rely on the following legal bases under the GDPR / UK GDPR:

Contract — to take steps at your request before entering a contract, and to perform a contract with you or your organisation.
Legitimate interests — to operate, secure, and improve our website and business, to communicate with prospective clients who’ve expressed interest, and to keep records of our engagements. We balance these interests against your rights and freedoms.
Consent — for non-essential analytics or marketing where consent is required by local law. You can withdraw consent at any time without affecting processing already carried out.
Legal obligation — to meet record-keeping, tax, and other statutory obligations.

We do not sell personal data, and we do not “share” it for cross-context behavioural advertising as those terms are defined under US state privacy laws (including the CCPA / CPRA). We disclose personal data only as follows:

Service providers (sub-processors) who help us run the business — including email and calendar providers, hosting and CDN, analytics, document storage, accounting and invoicing tools, and AI tooling we use to draft or analyse content. They process personal data only on our instructions and under appropriate contractual safeguards.
Professional advisers — lawyers, accountants, auditors, insurers — under duties of confidentiality.
Authorities — where required by law, court order, or to defend legal rights, including the Personal Data Protection Commission (PDPC) of Singapore or equivalent regulators.
Successors — in connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.

A current list of our key sub-processors is available on request from hello@aijutsu.dev.

6. International transfers

Aijutsu is based in Singapore. Some of our service providers store or process personal data in other jurisdictions, including the United States and the European Economic Area. When personal data leaves Singapore, we take steps to ensure a comparable standard of protection as required by the PDPA — typically via contractual commitments with the recipient.

For transfers from the EEA or UK to a country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum, together with supplementary measures where appropriate.

7. Cookies and analytics

Our site uses a small number of cookies and similar technologies. Strictly necessary cookies keep the site functional. Analytics cookies set by Google Analytics 4 help us understand how visitors use the site in aggregate; they do not identify you personally.

You can refuse non-essential cookies through your browser settings, by using your device’s “Do Not Track” or Global Privacy Control signal (which we honour where required by law for the relevant jurisdiction), or by installing the Google Analytics opt-out browser add-on. Disabling cookies may affect parts of the site.

8. How long we keep personal data

We keep personal data only as long as needed for the purpose it was collected, plus a reasonable period to meet legal, tax, accounting, audit, and dispute-resolution obligations.

Prospect enquiries that don’t become engagements — typically up to 24 months from last contact.
Client engagement records — for the duration of the engagement and for up to 7 years afterward, in line with Singapore record-keeping requirements.
Website analytics — retained per Google Analytics’ default retention (currently up to 14 months).

When personal data is no longer required, we delete or anonymise it.

9. Security

We use reasonable administrative, technical, and physical safeguards to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, and destruction — including access controls, encryption in transit, vetted sub-processors, and least-privilege principles. No system is perfectly secure, and we cannot guarantee absolute security.

If a data breach affecting your personal data occurs, we will notify you and the relevant authorities (including the PDPC and / or supervisory authorities in the EEA / UK) where required by law and within the timeframes those laws specify.

10. Your rights

10.1 Singapore (PDPA)

Access — request a copy of the personal data we hold about you and information about how it has been used or disclosed in the past year.
Correction — ask us to correct inaccurate or incomplete personal data.
Withdraw consent — withdraw consent (where consent is the basis for processing) by contacting us; we will explain any consequences.
Data portability — once the PDPA’s data portability provisions are in force, request that certain data be transmitted to another organisation where technically feasible.

10.2 EEA and UK (GDPR / UK GDPR)

Access, rectification, erasure, and restriction of processing.
Data portability for data you provided to us under contract or consent.
Objection to processing based on legitimate interests, including direct marketing.
Withdrawal of consent at any time, without affecting prior processing.
The right to lodge a complaint with your local supervisory authority (e.g. the UK Information Commissioner’s Office, or your EU member-state regulator).

10.3 United States

Depending on your state of residence (e.g. California, Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws), you may have the right to:

Know what personal information we collect, use, disclose, and retain about you.
Access, correct, or delete your personal information.
Receive a portable copy of your personal information.
Opt out of “sale” or “sharing” of personal information, or of profiling that produces legal or similarly significant effects. We do not sell or share personal information for cross-context behavioural advertising and do not use it for such profiling.
Be free from unlawful discrimination for exercising your privacy rights. We will not deny services, charge different prices, or provide a different level of quality because you exercised a right.

If you are a California resident, the categories of personal information we have collected in the last 12 months map to those described in Sections 2 and 3 above. We disclose personal information to the categories of recipients listed in Section 5.

10.4 How to exercise your rights

Email hello@aijutsu.dev with the request and enough information for us to verify your identity. We respond within the timeframes set by applicable law (typically 30 days; up to 45 days under US state laws, extendable where permitted). You may use an authorised agent where the applicable law allows it. There is no fee for most requests; we may charge a reasonable fee for manifestly unfounded or excessive requests where the law permits.

11. AI tools and automated processing

We use AI tooling (including large-language-model based assistants) to draft, review, or analyse content as part of running the business. We do not use your personal data to train third-party foundation models. Where AI tooling is used during a client engagement, the terms of that use are agreed in the engagement contract and Data Processing Agreement. We do not make decisions about you that produce legal or similarly significant effects solely by automated means.

12. Third-party links

Our site links to third-party services (for example, our email address handler, calendar, or external resources). Their privacy practices are governed by their own policies; we recommend reviewing them.

13. Changes to this policy

We may update this policy from time to time. The “Effective date” at the top reflects the most recent version. For material changes, we will take reasonable steps to notify you (for example, by updating the date and, where appropriate, providing additional notice).

14. Contact us

For any privacy question, request, or complaint, email hello@aijutsu.dev. If you are not satisfied with our response, you may also contact the Personal Data Protection Commission of Singapore at pdpc.gov.sg or your local supervisory authority.

Questions about this policy? hello@aijutsu.dev