Singapore PDPA Compliance Policy

Last Modified: 28 February 2025

Thank you for your interest in Nucleus Artificial Intelligence Pte. Ltd. ("Nucleus," "we," "our" or "us"). Nucleus provides a suite of open source tools, integrated to build a seamless developer experience. This Singapore Personal Data Protection Act (PDPA) Compliance Policy applies exclusively to individuals located in Singapore and explains how we collect, use, disclose, and protect personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA) and its amendments.

Territorial Scope and Applicability

This PDPA Compliance Policy applies exclusively to:

  1. Personal data of individuals physically located in Singapore
  2. Personal data that Nucleus collects, uses, discloses, or otherwise processes in Singapore
  3. Customers accessing our services from Singapore

This policy governs our data practices in connection with our website at Nucleus (the "Site") and our services offered in connection with the Site (collectively with the Site, the "Service") when accessed by or used to process personal data of individuals in Singapore.

This policy covers:

  • How we collect and process personal data
  • How we secure and protect personal data
  • How we comply with the PDPA's obligations
  • Your rights under the PDPA
  • How you can exercise these rights

Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a data intermediary, processing such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with our data processing addendum. This PDPA Compliance Policy primarily addresses how we handle personal data where we act as a data controller (organization).

Key Singapore PDPA Definitions

Personal Data: As defined under Singapore's PDPA, data, whether true or not, about an individual who can be identified from that data, or from that data and other information which an organization has or is likely to have access to.

Processing: The carrying out of operations on personal data including recording, organization, storage, adaptation, retrieval, combination, transmission, and erasure or destruction as governed by Singapore legislation.

Data Controller (Organization): The entity that determines the purposes and means of processing personal data, subject to Singapore's PDPA requirements.

Data Intermediary: An organization that processes personal data on behalf of another organization but does not include an employee of that other organization, as defined within Singapore's legal framework.

Our Singapore Data Protection Officer

In compliance with Singapore's PDPA requirements, we have appointed a Singapore-based Data Protection Officer (DPO) who is responsible for ensuring our compliance with the PDPA for our Singapore operations. Singapore customers may contact our DPO if you have any questions or feedback about your personal data or this policy, or if you wish to make a complaint about our collection, use, or disclosure of your personal data within Singapore.

Contact details of our Singapore DPO:

PDPA Compliance Framework

1. Consent Obligation

We collect, use, and disclose personal data only with consent unless otherwise authorized under the PDPA. Consent may be:

  • Express Consent: Where you actively provide consent through opt-in mechanisms
  • Deemed Consent: Where your actions reasonably indicate consent, such as providing personal data for a clear purpose

We allow you to withdraw consent at any time, subject to legal restrictions and reasonable notice. To withdraw consent, please contact our DPO.

Exceptions to Consent Requirement:

  • When collection, use, or disclosure is necessary to respond to an emergency
  • When required or authorized under the PDPA or other written laws
  • When the personal data is publicly available

2. Purpose Limitation Obligation

We collect, use, or disclose personal data about you only for purposes that:

  • A reasonable person would consider appropriate in the circumstances
  • You have been notified of
  • You have consented to

These purposes include:

  • Account creation and management
  • Service provision and customization
  • Processing payments and transactions
  • Security and fraud prevention
  • Communication about service updates
  • Customer support and issue resolution
  • Service improvement and development

3. Notification Obligation

We provide clear notification of:

  • The purposes for which we collect, use, or disclose personal data
  • Any other purpose for which consent is required
  • How to access and correct personal data
  • How to withdraw consent
  • How to contact our DPO

This notification is provided through:

  • This PDPA Compliance Policy
  • Our Privacy Policy
  • Our Terms of Service
  • Specific disclosures at data collection points

4. Access and Correction Obligation

You have the right to:

  • Request access to your personal data in our possession or control
  • Request information about how your personal data has been used or disclosed within a year before the request
  • Request correction of errors or omissions in your personal data

Process for Access and Correction Requests:

  1. Submit your request to our DPO
  2. We will respond within 30 days of receiving your request
  3. We may require reasonable verification of identity before providing access
  4. We may charge a reasonable fee for access requests

Limitations: We may decline access or correction requests where:

  • Providing access would reveal personal data about another individual
  • The request is frivolous or vexatious
  • The burden or expense of providing access would be unreasonable
  • Other exceptions under the PDPA apply

5. Accuracy Obligation

We make reasonable efforts to ensure that personal data collected is accurate and complete if it:

  • Is likely to be used to make a decision affecting you
  • May be disclosed to another organization

We implement the following measures:

  • Regular data verification processes
  • User-friendly correction mechanisms
  • Staff training on data accuracy importance
  • Periodic data cleaning and validation

6. Protection Obligation

We protect personal data in our possession or control by implementing reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

Our security measures include:

  • Administrative Controls:
    • Comprehensive data protection policies
    • Regular staff training
    • Clear access authorization procedures
  • Technical Controls:
    • Encryption of data in transit and at rest
    • Multi-factor authentication
    • Secure network infrastructure
    • Regular security testing and assessments
    • System monitoring and logging
  • Physical Controls:
    • Secure access to facilities
    • Monitored server environments
    • Secure disposal procedures

7. Retention Limitation Obligation

We cease to retain personal data or remove the means by which it can be associated with particular individuals when:

  • The purpose for which the personal data was collected is no longer served by retention
  • Retention is no longer necessary for legal or business purposes

Our retention practices include:

  • Regular review of stored personal data
  • Clear retention schedules for different data types
  • Secure and permanent deletion procedures
  • Anonymization of data when appropriate

8. Transfer Limitation Obligation

Before transferring personal data outside Singapore, we ensure that the recipient provides a standard of protection comparable to that provided under the PDPA through:

  • Contractual arrangements
  • Binding corporate rules
  • Certification mechanisms
  • Recipient's location in jurisdictions with comparable data protection laws

Countries/territories where your data may be transferred include:

  • United States (with appropriate contractual safeguards)
  • European Economic Area
  • United Kingdom
  • Australia
  • Japan

9. Data Breach Notification Obligation

We maintain a data breach management plan that includes:

  • Steps to contain the breach and assess its severity
  • Steps to remediate the breach and prevent recurrence
  • Notification process for affected individuals and the PDPC

We will notify:

  • The PDPC about qualifying data breaches as soon as practicable, and no later than 3 calendar days after determining a notifiable breach has occurred
  • Affected individuals where the breach is likely to result in significant harm

10. Accountability Obligation

We implement and maintain:

  • Data protection policies and practices to comply with the PDPA
  • A process to receive and respond to complaints
  • A process to conduct regular internal audits
  • Staff training on data protection obligations
  • Transparency about our personal data protection policies and practices

Personal Data Categories We Collect

We collect the following categories of personal data:

| Category | Examples | Purpose | Legal Basis |
| --- | --- | --- | --- |
| Contact Information | Name, email address, phone number, physical address | Account creation, communication, customer support | Consent, contractual necessity |
| Account Information | User ID, password, account preferences | Account management, service provision | Consent, contractual necessity |
| Payment Information | Billing address, transaction history, payment method details (processed by third-party payment processors) | Processing payments, financial record-keeping | Consent, contractual necessity |
| Technical Information | IP address, device information, browser type, operating system | Service optimization, security, troubleshooting | Consent, legitimate interests |
| Usage Information | Interaction with our services, feature usage patterns, login activity | Service improvement, user experience enhancement | Consent, legitimate interests |
| Communication Records | Customer service interactions, feedback submissions | Issue resolution, service improvement | Consent, legitimate interests |

How We Share Personal Data

We may share your personal data with:

  1. Service Providers: Third parties who perform services on our behalf, such as cloud hosting, payment processing, and customer support.

  2. Corporate Affiliates: Other companies within our corporate family for purposes consistent with this policy.

  3. Business Transfers: In connection with any merger, acquisition, or sale of company assets.

  4. Legal Requirements: When required by law, court order, or governmental authority.

  5. With Consent: In other cases where we have your explicit consent.

All third parties with whom we share personal data are contractually required to maintain the confidentiality and security of your personal data and to process it in accordance with the PDPA.

Your Rights Under Singapore's PDPA

If you are located in Singapore, under the PDPA, you have the following rights:

  1. Access your personal data: Request information about what personal data we have collected in Singapore and how it has been used within our Singapore operations.

  2. Correct your personal data: Request that we correct any inaccurate or incomplete personal data processed in Singapore.

  3. Withdraw consent: Opt out of the collection, use, or disclosure of your personal data by our Singapore operations at any time, subject to legal or contractual restrictions under Singapore law.

  4. Data portability: Request the transfer of your personal data in a structured, commonly used and machine-readable format to another organization (for data processed in Singapore).

  5. Object to processing: In certain circumstances permitted under Singapore's PDPA, object to the processing of your personal data.

  6. Be forgotten: Request the deletion or anonymization of your personal data when it is no longer needed for Singapore business purposes.

How Singapore Customers Can Exercise Their Rights

If you are located in Singapore, to exercise any of your rights under Singapore's PDPA, please contact our Singapore DPO at [email protected] with the subject "Singapore PDPA Rights Request."

For verification purposes, we may require you to provide additional information to confirm your identity and Singapore residency status.

In accordance with Singapore PDPA timeframes, we will respond to your request within 30 days. If we cannot fulfill your request within this timeframe, we will inform you of the reasons and when we expect to be able to fulfill it.

Data Protection for Children

We do not knowingly collect personal data from children under 13 years of age. If we discover that we have collected personal data from a child under 13, we will promptly delete that data. If you believe we have collected personal data from a child under 13, please contact our DPO.

Updates to This Policy

We may update this PDPA Compliance Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending an email notification
  • Displaying a notice upon login to our services

The revised policy will be effective from the date specified in the "Last Modified" section.

Complaints and Feedback for Singapore Customers

If you are a Singapore customer and have concerns about how we handle your personal data under Singapore's PDPA, please contact our Singapore DPO first. We are committed to resolving concerns from our Singapore customers promptly and fairly in accordance with local regulations.

If you are not satisfied with our response, as a Singapore resident, you may file a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg, which is the relevant supervisory authority for Singapore's PDPA matters.

Contact Our Singapore Office

For any questions, comments, or requests from Singapore customers regarding this Singapore PDPA Compliance Policy or our data practices in Singapore, please contact:

Singapore Data Protection Officer
Nucleus Artificial Intelligence Pte. Ltd.
Email: [email protected]


Note on Jurisdictional Limitation: This PDPA Compliance Policy applies exclusively to the processing of personal data subject to Singapore's PDPA. If you are located outside of Singapore, different privacy laws may apply to your personal data, and you should refer to our general Privacy Policy or other region-specific privacy notices.

By using our Service in Singapore, you acknowledge that you have read and understood this Singapore PDPA Compliance Policy.