Data Protection
Last updated: 3 June 2026
Our Commitment
Edgemaker Pte. Ltd. takes data protection seriously. As a platform that processes customer communications and member data on behalf of our clients, we act as both a data controller (for data we collect directly) and a data processor (for data processed on behalf of our clients). We are committed to handling all personal data with integrity, transparency, and in full compliance with applicable data protection laws.
This page explains the frameworks we comply with, the protections we have in place, and how you can exercise your rights or request a Data Processing Agreement.
Legal Frameworks
Our data protection practices are designed to comply with the following frameworks:
- Singapore PDPA — Singapore's Personal Data Protection Act 2012 (and its 2020 amendments) establishes the baseline for how we collect, use, disclose, and care for personal data. We honour the PDPA's mandatory data breach notification requirements, consent obligations, and data portability provisions.
- EU/UK GDPR — For clients and end-users in the European Economic Area or United Kingdom, we process personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively. This includes maintaining appropriate lawful bases for processing, honouring data subject rights, and entering into Standard Contractual Clauses (SCCs) where required for international transfers.
- Other Applicable Laws — We monitor evolving privacy legislation across the jurisdictions in which our clients operate and update our practices accordingly. Clients with specific regional compliance requirements are encouraged to contact us to discuss tailored arrangements.
Data We Process
As a data processor acting on behalf of our clients, we process the following categories of data:
- Member and contact profiles (names, contact details, custom attributes defined by the client)
- Conversation data (messages, timestamps, and channel metadata across WhatsApp, Telegram, Instagram, Facebook Messenger, and web chat)
- Workflow inputs (form responses, survey answers, and process completion data)
- Behavioural and engagement data (interaction patterns, activity logs, and bot conversation histories)
- Authentication data (account credentials and access logs for administrator accounts)
We do not process special categories of personal data (such as health, biometric, or financial data) unless specifically agreed in writing with the client and with appropriate safeguards in place.
Lawful Basis for Processing
For data we collect as a data controller (e.g. account and billing data), our lawful bases for processing include:
- Contract — processing necessary to fulfil our subscription agreement with you
- Legitimate interests — analytics and platform improvement, fraud prevention, and security
- Consent — marketing communications, where you have opted in
- Legal obligation — compliance with applicable laws and regulatory requirements
For data processed on behalf of clients (as a data processor), the lawful basis is determined by the client as the data controller. Clients are responsible for ensuring they have appropriate legal grounds to process end-user data through our platform.
Your Rights
Depending on your jurisdiction, you may have the following rights in relation to your personal data:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data, subject to legal retention requirements
- Right to restriction — ask us to restrict processing in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — withdraw consent at any time where processing is consent-based
To submit a data subject request, email [email protected] with the subject line “Data Subject Request”. We will respond within 30 days.
Data Processing Agreement
Organisations subject to PDPA, GDPR, or equivalent frameworks are required to have a Data Processing Agreement (DPA) in place with Edgemaker before processing personal data through our platform.
Our standard DPA covers:
- The subject matter, nature, and purpose of processing
- Categories of data subjects and personal data processed
- Obligations and rights of both parties
- Sub-processor arrangements and notifications
- Data security obligations and breach notification procedures
- Data subject rights assistance
- Return and deletion of data upon contract termination
To request a DPA or discuss your organisation’s specific requirements, contact us at [email protected].
Security Measures
We implement the following technical and organisational measures to protect personal data:
- Encryption in transit using TLS 1.2 or higher for all data transmitted to and from the platform
- Encryption at rest using AES-256 for stored data
- Role-based access controls (RBAC) limiting data access to authorised personnel only
- Multi-factor authentication (MFA) available for all administrator accounts
- Comprehensive audit logging of all administrative actions and configuration changes
- Regular vulnerability assessments and penetration testing by qualified third parties
- Secure development practices including code reviews and dependency management
- Employee training on data protection and information security
International Transfers
Edgemaker is headquartered in Singapore. Data may be processed by our sub-processors in other jurisdictions, including the United States (OpenAI, Anthropic, Stripe) and the European Union. Where personal data is transferred outside Singapore or the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for EU/UK data transfers
- Adequacy decisions where applicable
- Data processing agreements with all sub-processors requiring equivalent data protection standards
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and resolve disputes. Our standard retention schedule is as follows:
- Account and billing data — retained for the duration of the subscription plus 7 years for financial compliance
- Platform usage and interaction logs — retained for up to 24 months
- Customer Data (processed on behalf of clients) — retained for the duration of the contract and deleted within 90 days of termination
- Audit logs — retained for up to 36 months
Data Breach Response
In the event of a personal data breach, Edgemaker will:
- Contain and assess the breach as quickly as possible
- Notify affected clients without undue delay and within 72 hours of becoming aware of the breach, where feasible
- Provide clients with sufficient information to assess their own notification obligations to regulators and data subjects
- Cooperate fully with regulatory investigations and remediation efforts
If you suspect a security incident affecting your account, please contact us immediately at [email protected].
Contact & DPO
For all data protection enquiries, DPA requests, or to exercise your data subject rights, please contact our Data Protection Officer:
Data Protection Officer — Edgemaker Pte. Ltd.
10 Central Exchange Green, #03-03 Pixel Building, Singapore 138649
Email: [email protected]
If you are unsatisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg, or with your local data protection authority if you are located in the EU/UK.