Privacy Policy

• Singapore – Personal Data Protection Act 2012 (PDPA)
• European Economic Area – General Data Protection Regulation (GDPR)
• United Kingdom – UK GDPR and Data Protection Act 2018
• India – Digital Personal Data Protection Act, 2023 (DPDPA)

For India: Where DPDPA applies, it prevails over any conflicting provision in this policy.

1. Important information and who we are

• 18 years in India (DPDPA)
• 16 years in the EEA and UK (GDPR/UK GDPR)
• 13 years in Singapore (PDPA)

If we learn that we have collected personal data from a child below the applicable age, we will delete that data and terminate any associated account. For Indian children’s data, we follow the erasure procedures under DPDPA.

Jurisdiction	Authority	Website	Special Requirements
Singapore	PDPC	www.pdpc.gov.sg	None
UK	ICO	www.ico.org.uk	None
EEA	Your national DPA	edpb.europa.eu	None
India	Data Protection Board (Once established)	—	You must use our grievance mechanism first (Section 9)

We appreciate the opportunity to address your concerns before you approach any authority.

2. What Personal Data We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

For India: Under DPDPA, “personal data” means any data about an individual who is identifiable by or in relation to such data. We only process your digital personal data (data in digital form).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data – Name, title, date of birth, gender, photo, identification documents
• Contact Data – Address (billing and delivery), email, telephone numbers
• Financial Data – Bank account and payment card details
• Transaction Data – Payment history and details of products/services purchased
• Professional Data – Work history, qualifications, job applications, salary details
• Technical Data – IP address, browser type, device information, cookies, time zone, operating system
• Profile Data – Username, password, purchases, preferences, feedback, survey responses
• Usage Data – How you use our website, products, and services
• Marketing and Communications Data – Your marketing preferences and communication choices

Aggregated data: We may create statistical or demographic data from your personal data. Once aggregated so it cannot identify you, it is no longer personal data. If we combine aggregated data with your personal data so that it could identify you, we treat it as personal data under this policy.

Sensitive data: We do not collect special categories of data (such as race, ethnicity, religious beliefs, health data, sexual orientation, political opinions, trade union membership, or genetic and biometric data). We do not collect data about criminal convictions or offences.

If you do not provide required data: Where we need personal data to fulfil a contract with you or to comply with the law, and you do not provide it, we may be unable to provide the relevant product or service. We will notify you if this is the case.

3. How We Collect Your Personal Data

• Analytics providers (e.g. Google) – Technical Data
• Payment providers (e.g. PayPal, Stripe) – Contact, Financial, and Transaction Data

For India: Where third parties process your data on our behalf, they act as Data Processors under DPDPA. We remain responsible for their processing and engage them only under valid contracts.

4. Why We Use Your Data (Legal Bases)

• Performance of a contract – to fulfil our obligations to you
• Legitimate interests – where our interests do not override your fundamental rights
• Legal obligation – to comply with the law
• Consent – primarily for marketing communications

Purpose	Data Used	Legal Basis
Register you as a customer	Identity, Contact	Contract (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA)
Process and deliver orders	Identity, Contact, Financial, Marketing	Contract (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA)
Manage our relationship with you	Identity, Contact, Profile, Marketing	Contract, Legal obligation, Legitimate interest (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA)
Administer and protect our business and website	Identity, Contact, Technical	Legitimate interests, Legal obligation (GDPR/UK/PDPA) OR Consent (DPDPA)
Deliver relevant content and advertising	Identity, Contact, Profile, Usage, Marketing, Technical	Consent (all jurisdictions)
Data analytics to improve our services	Technical, Usage	Consent (all jurisdictions)
Make product/service recommendations	Identity, Contact, Technical, Usage, Profile, Marketing	Consent (all jurisdictions)

For India: DPDPA requires explicit consent for marketing, analytics, and recommendations. There is no “legitimate interests” basis for these purposes under DPDPA.

5. Marketing

6. Who We Share Your Data With

We may share your personal data with:

• Service providers (IT, system administration) acting as processors / Data Processors
• Professional advisers (lawyers, auditors, insurers, bankers) acting as processors or joint controllers
• Regulators and authorities (in Singapore, EEA, UK, India, and other jurisdictions where we are regulated) who require reporting in certain circumstances

For India: Under DPDPA, we remain responsible for all processing by Data Processors on our behalf. We engage them only under valid contracts that require them to implement reasonable security safeguards.

We require all third parties to respect your personal data’s security and to treat it lawfully. They may only process it for specified purposes and under our instructions.

7. International Transfers

• www.obeden.com – Singapore servers
• app.obeden.<location> – Servers in your chosen location (Singapore, UK, EEA, or India)

We may transfer your data within the Obeden group or to authorised third parties (such as cloud providers and processors) located outside these territories. All recipients are legally bound to provide protection comparable to PDPA, GDPR, UK GDPR, and DPDPA standards.

For India: The Indian Central Government may restrict transfers of personal data to certain countries. We comply with all such restrictions, including those regarding making data available to foreign States or entities under their control. We ensure all transfers outside India comply with DPDPA requirements and any government notifications or orders.

8. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data, including:

• Encryption, obfuscation, masking, and virtual tokens
• Access controls to computer resources
• Logging, monitoring, and review for unauthorised access detection
• Data backup procedures for business continuity
• Log and data retention for at least one year (unless law requires longer)
• Contractual obligations on Data Processors to implement security safeguards
• Technical and organisational measures ensuring effective compliance

Only employees, agents, contractors, and third parties with a business need-to-know may access your data, and they are bound by confidentiality obligations.

These safeguards meet or exceed the requirements of PDPA, GDPR, UK GDPR, and DPDPA.

• Notify you (the affected individual) without delay, in clear and plain language, informing you of: the description of the breach (nature, extent, timing, location); consequences relevant to you; mitigation measures we have taken; safety measures you may take; and contact information for queries
• Notify the Data Protection Board of India: Initial notification without delay, followed by a detailed report within 72 hours (or such longer period as the Board allows), including updated information, the facts and circumstances, mitigation measures, findings regarding the person who caused the breach, remedial measures, and a report on notifications given to affected individuals
• Notify the relevant supervisory authority (PDPC, ICO, or national DPA) in accordance with the applicable jurisdiction’s requirements and timelines

9. Data Retention and Erasure

We retain personal data only as long as reasonably necessary to fulfil the purposes for which it was collected and to satisfy legal, regulatory, tax, accounting, or reporting requirements. We may retain data longer if there is a complaint or a reasonable prospect of litigation.

We erase your personal data on the earlier of:

• You withdrawing your consent; or
• The specified purpose no longer being served

Unless retention is necessary for legal compliance. We also require our Data Processors to erase data made available by us.

For India (DPDPA) – Deemed cessation of purpose: For e-commerce entities with specified user thresholds, the purpose is deemed no longer served if you have not: (a) approached us for the performance of the specified purpose, and (b) exercised any of your rights in relation to such processing. We will notify you at least 48 hours before erasure – you can prevent erasure by logging into your account or contacting us.

Anonymisation: We may anonymise your personal data so it can no longer identify you. Once anonymised, we may use it indefinitely for research or statistical purposes without further notice.

10. Your Rights

Your rights depend on your jurisdiction. Contact our Data Protection Officer at Obeden-DPO@obeden.com to exercise any right.

Right	Description	How to Exercise	Jurisdictions
Access	Obtain a copy or summary of your personal data and processing activities	Contact DPO	All
Correction	Correct inaccurate or misleading data	Contact DPO	All
Completion	Complete incomplete data	Contact DPO	All (DPDPA)
Updating	Update personal data	Contact DPO	All (DPDPA)
Erasure	Request deletion of personal data	Contact DPO	All
Object to processing	Object based on your particular situation	Contact DPO	GDPR/UK GDPR only
Restrict processing	Suspend processing in certain scenarios	Contact DPO	GDPR/UK GDPR only
Data portability	Receive your data in machine-readable format to transfer elsewhere	Contact DPO	GDPR/UK GDPR only
Withdraw consent	Withdraw consent with the same ease as giving it	DPO, opt-out links, or profile settings	All
Grievance redressal	Submit a grievance about our obligations or your rights	Section 11 mechanism	DPDPA (mandatory before Board)
Nominate	Nominate a person to exercise your rights upon your death or incapacity	Contact DPO	DPDPA only

• Comply with applicable laws while exercising your rights
• Not impersonate another person when providing personal data
• Not suppress material information when providing personal data for any official document, unique identifier, or proof of identity/address issued by the State
• Not register false or frivolous grievances or complaints with us or the Board
• Furnish only verifiably authentic information when exercising your right to correction or erasure

11. Grievance Redressal (Indian Data Principals)

• Any act or omission by us regarding our obligations in relation to your personal data; or
• The exercise of your rights under DPDPA

Contact: Obeden-DPO@obeden.com
Response time: We will respond within 30 days.

If unsatisfied: You may file a complaint with the Data Protection Board of India (once established). You must exhaust this grievance mechanism first.

Further appeals: If aggrieved by a Board order, you may appeal to the Appellate Tribunal (Telecom Disputes Settlement and Appellate Tribunal) within 60 days. You also have the right to an effective judicial remedy.

12. Special Provisions for Indian Data Principals

• A court of law; or
• A designated authority under the Rights of Persons with Disabilities Act, 2016; or
• A local level committee under the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999

13. Jurisdiction and Dispute Resolution

Disputes are governed by Singapore law and Singapore courts, subject to applicable consumer protection laws in your jurisdiction.

Level	Forum	Requirement	Timeline
1	Our grievance mechanism (Section 11)	Mandatory first step	30 days response
2	Data Protection Board of India	If unsatisfied with our response	Board inquiry process
3	Appellate Tribunal	If aggrieved by Board order	Appeal within 60 days
4	High Court	Final appeal	Per TRAI Act, 1997

Key points: DPDPA dispute resolution prevails for Indian Data Principals. Civil courts cannot entertain matters within the Data Protection Board’s jurisdiction. You must complete the grievance mechanism before filing a Board complaint.

14. Changes to This Policy

We review this policy regularly. Changes will be posted on this page with an updated date.

For India: If we make material changes to how we process your data, we will notify you through your registered email address or user account. Continued use after notification constitutes acceptance, subject to your right to withdraw consent or object to processing.

Please keep your personal data up to date and inform us of any changes.

15. Language

This policy is provided in English.

For India: You have the right to access this policy in Hindi or any language specified in the Eighth Schedule to the Constitution of India. To request a translation, email: Obeden-DPO@obeden.com

16. Key Terms Across Jurisdictions

This policy uses different terminology depending on which law applies to you:

Concept	GDPR/UK GDPR	PDPA	DPDPA	Meaning
Us (Obeden)	Controller	Organisation	Data Fiduciary	The entity determining why and how your data is processed
You	Data Subject	Individual	Data Principal	The person whose data is processed
Our service providers	Processor	Data Intermediary	Data Processor	Those who process data on our behalf under contract
Your agreement	Consent	Consent	Consent*	Your agreement to data processing
A data incident	Data Breach	Data Breach	Personal Data Breach*	A security incident affecting your data
Regulators	Supervisory Authority	PDPC	Data Protection Board	The government body overseeing compliance

Term	GDPR/UK GDPR	PDPA (Singapore)	DPDPA (India)
Personal Data	Any information relating to an identified or identifiable natural person	Data about an individual who can be identified from that data	Any data about an individual who is identifiable by or in relation to such data (digital only)
Processing	Any operation performed on personal data (collection, storage, use, disclosure, etc.)	Any operation performed on personal data	Wholly or partly automated operation on digital personal data including collection, storage, use, sharing, erasure, etc.
Consent	Freely given, specific, informed and unambiguous indication by clear affirmative action	Voluntary agreement given by individual	Free, specific, informed, unconditional and unambiguous agreement with clear affirmative action
Data Breach	Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access	Unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction	Unauthorised processing OR accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access
Erasure	Right to have personal data erased	Right to withdraw consent and request deletion	Right to erasure (permanent deletion that cannot be recovered)
Legitimate Interest	Processing necessary for legitimate interests (unless overridden by individual’s rights)	Legitimate interests of organisation	“Certain Legitimate Uses” – 9 specific categories only (no general legitimate interests basis)
Special Category Data	Sensitive data (race, health, religion, etc.) requiring enhanced protection	Sensitive personal data requiring consent	Not defined – DPDPA treats all personal data uniformly

*DPDPA terms have stricter or broader definitions. In particular: Consent under DPDPA must be “free, specific, informed, unconditional and unambiguous” (adding “unconditional” – no bundled consent permitted). Personal Data Breach under DPDPA includes “loss of access” and “unauthorised processing” – broader than GDPR’s definition. Erasure under DPDPA means permanent deletion that cannot be recovered, and is triggered by consent withdrawal or purpose served, whichever is earlier. DPDPA has no general “legitimate interests” basis – only 9 specific “Certain Legitimate Uses”. DPDPA does not distinguish “special category data” – all personal data is treated uniformly. DPDPA requires all breaches to be notified regardless of risk level (no risk threshold, unlike GDPR).

Term	Definition	Why It Matters
Specified Purpose	The exact purpose stated in the notice given by the Data Fiduciary	Processing is strictly limited to this purpose; any change requires fresh consent
Significant Data Fiduciary	A Data Fiduciary notified by the Central Government based on volume/sensitivity of data and risk	Subject to additional obligations: DPO appointment, audits, DPIAs
Consent Manager	A person registered with the Board as a single point for managing consent	Optional service – you may use a Consent Manager to manage your consents
Data Protection Officer (DPO) (DPDPA)	Individual appointed by a Significant Data Fiduciary to represent them and be the point of contact for grievance redressal	Only Significant Data Fiduciaries must appoint a DPO; regular Data Fiduciaries (like Obeden currently) designate an “Authorised Person” instead

Term	Definition	Why It Matters
Data Protection Impact Assessment (DPIA)	Assessment of risks to individuals’ rights before high-risk processing	Required for high-risk processing under GDPR; under DPDPA only for Significant Data Fiduciaries
Data Portability	Right to receive personal data in machine-readable format and transfer to another controller	GDPR/UK GDPR right; not explicitly provided in DPDPA
Joint Controller	Two or more controllers jointly determining purposes and means of processing	GDPR concept; DPDPA does not explicitly address joint Data Fiduciaries

• Consent: GDPR – one of six legal bases; DPDPA – consent or Certain Legitimate Uses (9 categories) only
• Children: GDPR – under 16; UK GDPR – under 13 for online services; DPDPA – under 18
• Breach notification: GDPR – 72 hours to authority if risk to rights, notify individuals if high risk; DPDPA – 72 hours to Board + without delay to individuals for all breaches (no risk threshold)
• Erasure triggers: GDPR – specific circumstances (e.g. consent withdrawn, no longer necessary); DPDPA – mandatory erasure on consent withdrawal or purpose served, whichever is earlier
• Dispute resolution: GDPR – direct access to supervisory authority; DPDPA – mandatory hierarchy: grievance → Board → Appellate Tribunal → High Court
• Language: GDPR – language understood by data subject; DPDPA – must offer English or Hindi or any Eighth Schedule language

17. Contact Information

Purpose	Email
General privacy questions	Obeden-DPO@obeden.com
Grievances (Indian Data Principals)	Obeden-DPO@obeden.com
Marketing opt-outs	Obeden-OptOut@obeden.com

Jurisdiction	Authority	Website
Singapore	Personal Data Protection Commission (PDPC)	www.pdpc.gov.sg
UK	Information Commissioner’s Office (ICO)	www.ico.org.uk
EEA	Your country’s Data Protection Authority	edpb.europa.eu
India	Data Protection Board of India	(Once Established)

For India: You must first exhaust our grievance redressal mechanism (Section 11) before approaching the Data Protection Board.

• DPDPA applies to our processing of your personal data
• You understand your rights under DPDPA as described in this policy
• You understand the mandatory grievance redressal and dispute resolution mechanism
• You are aware of your duties under DPDPA
• You have been informed of your right to access this policy in Hindi or another Eighth Schedule language