01 General provisions
This Privacy Policy (hereinafter — the "Policy") governs the collection, use, storage, transfer and protection of personal and corporate data in connection with the provision of TradeOn b2b Merchant B2B services (hereinafter — the "Services", the "Service", the "Platform") to corporate Clients (hereinafter — the "Client") via the application programming interface (API) and the account dashboard.
The data controller is TradeOn b2b Merchant Pte. Ltd. (hereinafter — "we", the "Operator", "TradeOn b2b Merchant"). Contact details of the Operator and the Data Protection Officer (DPO) are set out in section 14 of this Policy.
The Policy applies to all categories of subjects and data processed in connection with the Services:
- Client — a legal entity that has entered into a B2B agreement with us for the use of the Services;
- Client representatives — directors, beneficial owners, authorised persons, contact persons whose access to the account dashboard and correspondence is provided for in the agreement;
- Customer Data — the data of the Client's end customers (natural persons using the Client's service) that the Client transfers to us for the purpose of executing skin delivery orders.
In respect of personal data of the Client's representatives, we act as Data Controller and determine the purposes and means of processing. In respect of Customer Data, we act as Data Processor and process data solely on behalf of the Client, who remains the Data Controller. A detailed allocation of roles is set out in section 5.
This Policy forms an integral part of the TradeOn b2b Merchant User Agreement. Use of the Services constitutes the Client's and its representatives' acknowledgement and acceptance of the terms of the Policy. Where applicable law requires separate consent, such consent is requested separately via the account dashboard or by other legally significant means.
In the event of conflict between this Policy and an individual contract signed between the parties (Master Services Agreement, Data Processing Agreement), the provisions of the individual contract prevail in respect of the matters expressly addressed therein.
02 What data we collect
In connection with the provision of the Services, we collect and process the following categories of data. The scope of data is determined by the processing purposes (section 3) and by the principle of data minimisation.
2.1. Corporate data of the Client
For the conclusion of the contract, completion of KYC/KYB procedures and performance of obligations towards the Client, we collect information on the legal entity:
- Constitutional documents (Certificate of Incorporation, Articles of Association, charter, registration certificates);
- Registration number, jurisdiction, date of registration, registered and operational addresses;
- Ownership structure and shareholders register;
- Information on Ultimate Beneficial Owners (UBO) in accordance with AML/CFT requirements;
- Tax identifiers (Tax ID, VAT/GST, EIN, INN and equivalents);
- Bank details for billing operations (IBAN/SWIFT, bank name, account currency);
- Licences, permits, regulatory statuses (if applicable to the Client's activity).
2.2. Personal data of the Client's representatives
To verify authority and ensure communication, we process the personal data of the Client's representatives (directors, beneficial owners, contact persons):
- Family name, given name, patronymic (if any);
- Position and role in the Client's structure;
- Corporate email and telephone number;
- Citizenship and country of tax residence;
- Copies of identity documents (passport, ID card, driving licence) — for directors and UBOs in the KYC process;
- Proof of residential address (utility bill, bank statement) — for UBOs;
- Specimen signature and copies of powers of attorney — where necessary.
2.3. Technical and behavioural data
While using the Platform and the API, the following technical information is automatically collected to ensure security, monitoring and service improvement:
- IP address, User-Agent, device and operating system type;
- Authentication logs in the account dashboard (time, IP, success/failure);
- API request logs (method, endpoint, response status, processing time, Client identifier);
- Transaction logs (deposit, order, refund and withdrawal operations);
- Webhook delivery logs (timestamp, delivery status, retries);
- Security/access logs — events of access to confidential information and administrative functions;
- Data on interaction with the account dashboard interface (sections viewed, session time) — in anonymised form.
2.4. Customer Data (indirectly — via the Client)
To execute skin delivery orders, the Client transfers to us a minimum set of data on its end customers (Customers):
- Customer's Steam ID — public Steam account identifier;
- Trade URL — public link for sending Steam Trade Offers;
- Customer's identifier in the Client's system (internal user_id) — for order reconciliation purposes;
- Order metadata: game type, list of items, price parameters, order time.
We do not receive from the Client and do not request the name, email, telephone number, payment details or other direct identifiers of Customers. For more details on the roles of the parties and areas of responsibility, see section 5.
2.5. Cookies and similar technologies
The TradeOn b2b Merchant account dashboard uses cookies and similar tracking technologies (LocalStorage, SessionStorage) for authentication, saving user preferences and collecting anonymised analytics. The composition and categories of cookies are disclosed in section 11.
2.6. Data we do NOT collect
To minimise risks and comply with the data minimisation principle, we deliberately do not collect:
- Biometric data;
- Data on health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation (special categories of data under GDPR);
- Full payment card details — these data are processed directly by payment providers (PCI DSS compliant);
- Data of minors — see section 12.
03 Purposes of data processing
We process data solely for explicitly stated, lawful and compatible purposes. Each purpose has a corresponding legal basis (section 4) and determines the scope of collected data and the retention period (section 8).
3.1. Performance of the contract and provision of the Services
Processing of the Client's and its representatives' data is necessary for registration in the Service, opening and topping up the deposit, processing orders for skins, conducting trade offers via the Steam Web API, calculating fees, issuing invoices and refunds. Without processing this data, provision of the Services is impossible.
3.2. AML / KYC / KYB and counter-terrorist financing
In accordance with applicable AML/CFT requirements, we are obliged to carry out Know Your Business (KYB) procedures for the Client, Know Your Customer (KYC) procedures for its ultimate beneficial owners, to verify the source of funds and source of wealth, monitor transactions for anomalies, prepare and store compliance documentation, and submit reports to competent authorities where there are grounds.
3.3. Security and counter-fraud
We process technical data (IP, User-Agent, logs) and behavioural indicators to prevent unauthorised access, detect suspicious activity, identify attempts to circumvent KYC, counter fraud, protect against DDoS attacks and automated abuse. Risk-scoring models and behavioural analytics algorithms are used.
3.4. Billing and financial reporting
Transaction data is used for settlements with the Client, preparation of invoices and reconciliation acts, accounting of deposits, bonuses, fees and refunds, and for accounting and tax purposes in accordance with applicable financial law.
3.5. Operation and improvement of the Service
Technical and behavioural data is used to monitor API performance, measure rate limits and SLA, detect performance problems, plan capacity, develop new features and improve existing ones. Anonymised analytics on aggregated data is used.
3.6. Marketing communications
With the explicit consent of the Client's representative, we may send marketing materials: information about new products, promotions, changes to pricing policy, industry analytics. Consent may be withdrawn at any time via the "unsubscribe" link in the message or through the account dashboard. Transactional and service notifications (about operations, changes in terms, security incidents) are sent regardless of marketing consent as part of contract performance.
3.7. Compliance with the law and protection of our rights
We process data to comply with mandatory requirements of applicable law (tax, AML, regulatory), to respond to requests from authorised governmental authorities in the manner prescribed, to defend our rights in pre-trial and judicial procedures, and to enforce court orders and decisions.
04 Legal bases for processing
Data processing is carried out on the following legal grounds in accordance with the GDPR, Singapore PDPA and other applicable data protection legislation:
4.1. Performance of contract (Article 6(1)(b) GDPR)
Processing of the Client's and its representatives' data necessary for the conclusion and performance of the B2B contract: registration, opening of the deposit, processing of orders, billing, delivery of skins via Steam, and support. Without this processing, the Services cannot be provided.
4.2. Compliance with legal obligations (Article 6(1)(c) GDPR)
Processing to comply with applicable legal requirements: AML/CFT, tax reporting, responses to requests from authorised bodies, retention of documentation within prescribed periods.
4.3. Legitimate interests (Article 6(1)(f) GDPR)
Processing for the pursuit of our reasoned and balanced legitimate interests: ensuring the security of the Platform, counter-fraud, protection against abuse, network monitoring, protection of our assets and rights in pre-trial and judicial procedures, internal reporting and audits, anonymised business analytics. When processing on this basis, we assess the balance of our interests and the rights of data subjects (Legitimate Interests Assessment).
4.4. Consent (Article 6(1)(a) GDPR)
Processing for purposes requiring the explicit consent of the data subject: marketing mailings, non-essential cookies (analytics, functional), specific categories of data not covered by other grounds. Consent may be withdrawn at any time without prejudice to the lawfulness of processing carried out before withdrawal.
4.5. Processing of Customer Data on the instructions of the Client
In respect of Customer Data, we act as Data Processor and process data solely on the documented instructions of the Client (B2B agreement, API documentation, individual Data Processing Addendum) to the extent necessary for the Client to perform its obligations to its Customers. The legal bases for processing Customer Data in respect of the Customers are determined by the Client as Data Controller (see section 5).
05 Customer Data and roles of the parties
This section is key for the TradeOn b2b Merchant B2B model and describes the allocation of responsibility between the Client and the Operator in processing the data of the Client's end customers (Customers).
Client = Data Controller in respect of the data of its Customers. The Client independently determines the purposes and means of processing Customer Data within its service, is responsible for obtaining informed consent, for disclosure of information to Customers, for implementation of their rights under GDPR / local law, and for compliance with age restrictions and other requirements.
TradeOn b2b Merchant = Data Processor in respect of Customer Data. We process the Customer's Steam ID and Trade URL transferred by the Client solely to the extent and for the purpose necessary to execute a specific Client order — sending a Steam Trade Offer to deliver a skin. We do not use Customer Data for any other purposes, do not transfer it to third parties other than Steam, do not profile Customers, and do not identify them beyond the extent required for technical delivery.
5.1. Scope of Customer Data processing
For each order, we receive from the Client the minimum necessary set of data: steam_id, trade_url, the Client's internal_user_id (for reconciliation), and order parameters (game, items, price). Processing is limited to the order lifecycle: selecting/preparing the item → sending the Steam Trade Offer → confirming acceptance by the Customer → closing the order.
5.2. Client warranties
When transferring Customer Data to us, the Client warrants that:
- the Customer has been duly informed about the processing of their data, including the fact of transfer of the Steam ID / Trade URL to a third party (TradeOn b2b Merchant) for order execution;
- all necessary legal grounds for processing have been obtained (informed consent or another basis under applicable law);
- the Customer has reached the age of majority in their jurisdiction;
- the Customer has been informed of their rights (access, rectification, erasure, etc.) and the procedure for exercising them via the Client;
- the Client's privacy policy discloses the use of TradeOn b2b Merchant's processing services as a sub-processor.
5.3. Sub-processors
To perform Processor functions, we engage technical sub-processors (hosting, monitoring, antifraud — see section 6). The list of sub-processors and their roles is disclosed to the Client upon request via the account dashboard or by email. The Client is notified of material changes in the list of sub-processors no less than 30 days in advance.
5.4. Implementation of Customer rights
Customer requests to exercise their rights (data subject requests) are addressed to the Client as Data Controller. If such a request is received directly by us, we forward it to the Client and provide reasonable assistance with its handling within the framework of the Data Processing Addendum.
5.5. Incident notification
In the event of a security incident affecting Customer Data, we notify the Client within 72 (seventy-two) hours of detection with a description of the nature of the incident, the scope of the affected data, and the measures taken and planned. The Client is responsible for notifying supervisory authorities and affected Customers in accordance with applicable law.
06 Transfer of data to third parties
We transfer data to third parties only on the grounds expressly provided for by applicable law and this Policy. All recipients undergo vendor due diligence, and confidentiality agreements and Data Processing Agreements are entered into with them where applicable.
6.1. Categories of recipients
- Payment providers — for processing deposits and payouts to the Client. The Client's bank details and operation metadata are transferred. Full card details are stored on the provider's side in a PCI DSS-compliant environment.
- AML/KYC/KYB providers — for verification of the Client and UBOs, checks against sanctions and PEP lists, and risk assessment. The Client's registration documents and UBO documents are transferred.
- Hosting providers — Hetzner (Germany), Amazon Web Services (EU/SG locations) — for hosting infrastructure, databases and traffic processing. A Data Processing Agreement is in place.
- Monitoring and observability — Sentry (for error monitoring), performance logging. Data is transferred in anonymised form, without PII where possible.
- Steam Web API (Valve Corporation) — for conducting trade offers, retrieving inventory data, confirming delivery. The Customer's Steam ID and trade offer parameters are transferred.
- Contractors and consultants — external legal, audit and tax consultants in the course of their professional activities under NDA.
- Authorised bodies — tax, regulatory, law enforcement bodies — exclusively in response to reasoned requests in accordance with applicable law.
- Successors — in the event of reorganisation, merger, sale of the business or assets, ensuring continued data protection.
6.2. What we do NOT do with your data
- We do not sell personal and corporate data to third parties;
- We do not transfer data for advertising purposes without the data subject's explicit consent;
- We do not use Customer Data for our marketing purposes or for purposes unrelated to the execution of the Client's order;
- We do not exchange data between Clients without their explicit consent (except for anonymised aggregated industry analytics).
6.3. Disclosure under legal requirements
Upon receiving a reasoned request from an authorised governmental authority, we assess the legality of the request, the scope of the requested data and the applicable law. If the lawfulness is confirmed, we provide the minimum necessary amount of data, record the fact of transfer in a register of disclosures and, where permitted by law, notify the affected Client or data subject.
07 Cross-border data transfers
Given the global nature of the TradeOn b2b Merchant infrastructure and the distributed nature of cloud services, data may be transferred, stored and processed outside the country of the Client or data subject.
7.1. Processing jurisdictions
The main jurisdictions in which data processing may take place:
- Singapore — the Operator's main jurisdiction, head office, primary compliance and support centre;
- European Economic Area (EEA) — for hosting server capacity and monitoring services with European providers;
- United States of America — for certain cloud services (Steam Web API, a number of monitoring and communication SaaS tools);
- Other jurisdictions — when specialised contractors are engaged, with notice to the Client.
7.2. Legal mechanisms for cross-border transfers
To ensure an adequate level of protection in cross-border transfers, we apply legal mechanisms recognised by the GDPR and other applicable law:
- Standard Contractual Clauses (SCC) — standard contractual clauses of the European Commission (Decision 2021/914), included in agreements with recipients of data outside the EEA;
- Adequacy decisions — transfers to countries recognised as providing an adequate level of protection (for example, an adequacy decision for Singapore, if adopted at the time of the transfer);
- Additional technical and organisational measures — encryption at rest and in transit, pseudonymisation, access controls, regular audits;
- Privacy Frameworks — where applicable (for example, the EU-US Data Privacy Framework for US recipients).
7.3. Level of protection
Regardless of the processing jurisdiction, we provide a level of data protection no lower than the standards of the GDPR and other applicable rules. The technical and organisational security measures described in section 9 apply to all processing environments.
7.4. Right to information
The Client and its representatives may request detailed information about the jurisdictions of processing of their data, the legal mechanisms applied and the possibility of receiving a copy of the SCC via the DPO email (section 14).
08 Data retention periods
We retain data for no longer than necessary for the purposes of its processing and no longer than required by applicable law. Upon expiry of the retention periods, data is irretrievably deleted or anonymised (severing the link with the subject).
8.1. Specific periods
- KYC/KYB documentation (constitutional documents, UBO documents, source of funds, scoring) — 7 (seven) years from termination of business relations with the Client, in accordance with AML/CFT requirements;
- Transaction logs (deposits, orders, withdrawals, fees) — 5 (five) years from the date of the operation, in accordance with financial and tax law;
- Contact data of the Client's representatives — for the term of the contract plus 1 (one) year after its termination for the purposes of post-contractual communication and protection of rights;
- API request logs — 90 (ninety) days, thereafter anonymised and aggregated for capacity planning purposes;
- Webhook delivery logs — 30 (thirty) days, thereafter deleted;
- Security / access / audit logs — 90 (ninety) days in active storage, 1 (one) year in archive storage for incident investigation;
- Customer Data (Steam ID, Trade URL, order metadata) — until order closure plus 30 days for dispute resolution purposes; thereafter deleted or anonymised (except for transaction logs retained under financial law);
- Marketing data (consents, communication history) — until withdrawal of consent plus 3 (three) years to confirm the existence of consent;
- Cookies — according to the type of cookie (section 11): session cookies — until the browser is closed; persistent cookies — up to 12 months.
8.2. Data retention by law or to protect rights
If data is required to protect our rights in pre-trial or judicial proceedings, to enforce court orders, investigate incidents or undergo regulatory inspections, the retention period may be extended until the completion of the relevant procedures and expiry of the statute of limitations.
8.3. Deletion procedure
Deletion is performed using irreversible methods (overwrite + crypto-erase for encrypted storage). Backups contain data until their natural rotation (typically 90 days); restoration from backup for the purpose of retrieving deleted data is not performed.
09 Data security
Data protection is our priority. We apply a multi-layered set of technical and organisational security measures, regularly reviewed in light of current threats, best industry practices (ISO 27001, SOC 2 Type II as references) and the nature of the data processed.
9.1. Technical measures
- TLS 1.2+ — all connections to the Platform and API are protected by enforced TLS 1.2 or higher (TLS 1.3 where supported); HSTS headers; legacy protocols disabled;
- Encryption at rest — sensitive data (KYC documents, bank details, secrets, tokens) are stored encrypted using AES-256 or equivalent algorithms; keying material is managed via KMS;
- Encryption in transit — internal service communications in the infrastructure are protected by mutual TLS or equivalent mechanisms;
- Environment isolation — production, staging and development environments are isolated; production data is not used in non-production environments in identifiable form;
- Backups — regular automatic encrypted backups; periodic restore verifications;
- Web Application Firewall and DDoS protection — filtering of malicious traffic, protection against automated attacks.
9.2. Organisational measures
- Role-Based Access Control (RBAC) — access to data is segregated on a least-privilege and need-to-know basis;
- Multi-factor authentication — mandatory for all employees with access to production systems and dashboards with administrative rights;
- Logging and alerting — actions involving confidential data are logged; automatic alerts are configured for anomalies;
- Staff training — regular training of employees on data protection, IT-security hygiene and social engineering;
- Confidentiality agreements — NDAs and data protection commitments are signed with all employees and contractors;
- Internal security audits — regular self-checks against internal standards and applicable law;
- Vendor risk management — assessment of contractor reliability and periodic review.
9.3. Incident response
We maintain a formalised Incident Response Plan:
- Detection and recording of the incident (Detection);
- Containment and prevention of spread (Containment);
- Investigation and root cause analysis (Root Cause Analysis);
- Remediation and recovery of services (Eradication & Recovery);
- Notification of affected Clients within 72 (seventy-two) hours of detection of a personal data breach, with a description of the nature of the incident, scope of data and measures taken;
- Post-mortem and process improvement (Lessons Learned).
Despite the measures applied, no system or method of transferring data over the Internet provides 100% security. The Client and its representatives accept the residual risks associated with using the Services over a public network. We do not guarantee absolute security of data and shall not be liable for incidents caused by third parties outside our reasonable control (including, but not limited to: compromise of Steam accounts of the Client or Customers, leaks on the side of contractors, actions of governmental authorities, force majeure).
10 Data subject rights
In respect of personal data processed by us as Data Controller (data of the Client's representatives), data subjects have the following rights under applicable data protection law (GDPR, Singapore PDPA, other acts).
10.1. List of rights
- Right of access — to receive confirmation of processing and a copy of the data being processed in a structured form;
- Right to rectification — to require correction of inaccurate data or completion of incomplete data;
- Right to erasure ("right to be forgotten") — to require deletion of data where the grounds for processing have ceased, subject to legal retention obligations (section 8);
- Right to restriction of processing — to require suspension of certain processing operations in cases set out in law;
- Right to data portability — to receive your data in a structured, machine-readable, commonly used format (JSON / CSV) and to transfer it to another controller;
- Right to object — to processing on the basis of legitimate interests or for direct marketing;
- Right to withdraw consent — at any time, without prejudice to the lawfulness of processing carried out before withdrawal;
- Right not to be subject to decisions based solely on automated processing, where such processing produces legal effects on the subject;
- Right to lodge a complaint with the competent data protection supervisory authority in the country of residence, work or alleged infringement.
10.2. Procedure for exercising rights
To exercise any of the rights, the data subject sends a written request to the DPO email: privacy@tradeon.market. The request must contain:
- Subject identification (full name, corporate email, Client name);
- A clear description of the right being exercised and the essence of the request;
- Contact details for the response;
- Identification documents (where verification is required).
10.3. Timing and conditions of consideration
We consider requests within 30 (thirty) calendar days of receipt. In complex cases the period may be extended by an additional 60 days with prior notice to the subject. Responses are provided free of charge, except for clearly unfounded or excessive (repetitive) requests, for which a reasonable administrative fee may be charged or the request may be refused with reasons.
10.4. Restrictions
The exercise of rights may be restricted where processing is necessary to comply with a legal obligation, to defend our rights in court, to carry out regulatory procedures or due to the need to retain data under AML/tax legislation. In each case of refusal, reasons are provided.
10.5. Customer requests
Requests from the Client's end customers (Customers) to exercise rights in respect of Customer Data are addressed to the Client as Data Controller. See section 5.4.
11 Cookies and tracking
The TradeOn b2b Merchant account dashboard uses cookies and similar technologies (LocalStorage, SessionStorage) to provide basic functionality, save preferences and gather anonymised analytics. The promotional website may use additional cookies for site traffic analytics.
11.1. Categories of cookies used
- Strictly necessary — session cookies, authentication tokens, CSRF protection, load balancing. Without them the Platform cannot function. They do not require consent under the GDPR / ePrivacy Directive;
- Functional — language, currency, display format, selected tabs and filters. Retention period — up to 12 months;
- Analytics — anonymised usage statistics (number of requests, session time, sections visited), used to improve the interface. Not used to identify a specific subject. May be disabled via cookie settings or the browser;
- Third-party — Sentry (for error monitoring) and other technical tools. The composition is disclosed in the cookie banner or upon request.
11.2. What we do NOT use
- Advertising cookies;
- Tracking pixels for retargeting;
- Cross-site tracking for advertising purposes;
- Cookies selling data to third parties.
11.3. Cookie management
The user can manage cookies in the following ways:
- Via the cookie banner (where applicable) — on the first visit to the promotional website;
- Via the account dashboard settings (for functional and analytics cookies);
- Via browser settings — blocking, deletion, incognito mode;
- Via specialised browser extensions (Privacy Badger, uBlock Origin and equivalents).
Disabling strictly necessary cookies may make it impossible to use certain Platform functions (including authentication).
11.4. Do Not Track
We respect the browser's Do Not Track (DNT) signal and do not apply behavioural tracking to users who have expressed such a preference, in respect of cookies that are not strictly necessary.
12 Protection of minors' data
The TradeOn b2b Merchant Services are intended solely for legal entities and adult natural persons (the Client's representatives) acting for commercial purposes. The Service is not directed at use by minors and does not provide for such use.
12.1. Age restrictions
All representatives of the Client with access to the account dashboard and API must be of legal age in their jurisdiction (usually 18 years, in some countries 21 years). The Client confirms compliance with this requirement upon entering into the contract.
12.2. Client warranties in respect of Customers
The Client warrants that its service is not directed at minors, that the Client applies appropriate age verification procedures for its Customers, and that the Customer Data transferred to us does not relate to minors. The Client's service must comply with the age requirements of Steam, the Valve Subscriber Agreement and applicable child online protection laws (COPPA, GDPR-K and equivalents).
If the Client breaches the warranties regarding age restrictions and we become aware of the processing of minors' data in connection with the Client's use of the Services, the Client undertakes to indemnify us in full for all losses, costs, fines and sanctions (including regulatory fines under COPPA, GDPR-K, the FTC Act and equivalents, legal defence costs, reputational damage) arising as a result of such breach. We may immediately suspend or terminate the provision of Services to the Client, initiate deletion of the relevant data, and submit notifications to authorised bodies.
12.3. Detection and response
If we discover the processing of a minor's data (through a complaint, an enquiry from a parent/guardian, internal monitoring or otherwise) we:
- Immediately cease processing of the relevant data;
- Irretrievably delete such data (except for the minimum required for compliance and investigation);
- Notify the Client whose actions led to the transfer of such data;
- Take measures to prevent recurrence of the incident, up to suspension of the Services.
12.4. Enquiries from parents and guardians
Parents and legal representatives who believe that the data of their minor child has been processed in connection with TradeOn b2b Merchant Services may contact privacy@tradeon.market. Requests are handled as a priority.
13 Changes to the Policy
We reserve the right to make unilateral changes to this Privacy Policy to reflect changes in legislation, infrastructure, list of sub-processors, operational processes and other factors.
13.1. Categories of changes
- Material changes — changes affecting the legal grounds for processing, scope of data collected, purposes of processing, list of sub-processors, retention periods, jurisdictions of cross-border transfers, data subject rights;
- Non-material changes — editorial corrections, clarification of wording, updating of contact details, formatting, correction of typos.
13.2. Notification of changes
We notify the Client of material changes no less than 30 (thirty) calendar days before they take effect, in one or more of the following ways:
- Email to the corporate email address of the Client's representative provided at registration;
- Notification in the account dashboard at the next login;
- Publication of the updated Policy on the promotional website with a note about the changes.
Non-material changes take effect upon publication of the updated version.
13.3. Update date and versioning
The top of the document always states the current effective date and version number. Archival versions of the Policy may be provided upon request via the DPO email.
13.4. Acceptance of the updated Policy
Continued use of the Services after the changes take effect constitutes acceptance by the Client and its representatives of the updated version of the Policy. If the Client does not agree with the changes, the Client must cease use of the Services and may terminate the Agreement under the terms of the User Agreement.
13.5. Right to object
If the changes materially affect the rights of a data subject (for example, expansion of processing purposes that requires a new legal basis), we request separate consent or provide alternative ways of delivering the Services preserving the previous processing terms, where this is technically and legally possible.
14 Data Protection Officer contacts
For all matters relating to the processing of personal data, the exercise of data subject rights, security incidents and this Policy, please contact the Data Protection Officer (DPO).
14.1. DPO contact details
- DPO email (privacy and exercise of rights): privacy@tradeon.market
- Compliance email (AML / KYC / regulatory): compliance@tradeon.market
- General enquiries email: b2b@tradeon.market
- Security incident notifications (24/7): security@tradeon.market
14.2. Operator details
Legal entity: TradeOn b2b Merchant Pte. Ltd.
Registered address: 1 Raffles Place, #20-61, One Raffles Place Tower 2, Singapore 048616
Registration number: to be provided upon official registration
Jurisdiction: Singapore
14.3. Response times
Response times for enquiries:
- Data subject rights requests — no more than 30 (thirty) calendar days from receipt; in complex cases — extension by 60 days with notice;
- Notifications of material incidents — no later than 72 (seventy-two) hours from detection;
- General compliance and Client requests — no more than 10 (ten) business days;
- Requests from authorised authorities — in the manner and within the periods set by applicable law.
14.4. Complaints to supervisory authorities
If a data subject believes that the processing of their data infringes applicable law, and is not satisfied with our response to a complaint, they may contact the competent data protection supervisory authority:
- Singapore: Personal Data Protection Commission (PDPC), pdpc.gov.sg;
- European Union: the competent supervisory authority at the place of residence, work or alleged infringement (list at edpb.europa.eu);
- Other jurisdictions: the authorised authority of the relevant country.
We provide reasonable assistance in identifying the competent supervisory authority and in providing necessary documentation.