Privacy & Data Protection Policy

How CUI Labs protects the confidentiality, integrity, and availability of information entrusted to us

Last Updated: February 24, 2026

Your privacy matters

CUI Labs (Pte.) Ltd. is committed to protecting your personal data in accordance with Singapore PDPA, EU GDPR, UK GDPR, California CCPA, and other applicable data protection frameworks. This policy explains how we collect, use, disclose, and safeguard Personal Data.

Scope & Applicability

This Policy applies to all Personal Data processed by CUI Labs in the course of providing our products, solutions, professional services, research collaborations, events, and outreach activities. It governs data collected through our websites, portals, APIs, communication channels, and any engagement where we act as a data controller or data processor on behalf of our clients.

Where we process Personal Data on behalf of our clients, we do so under the instructions of the relevant data controller and the contractual terms agreed. In such cases, this Policy supplements — rather than replaces — those agreements.

Key Definitions

Personal Data

Data, whether true or not, about an individual who can be identified from that data or from that data and other information to which we have or are likely to have access.

Processing

Any operation performed on Personal Data, including collection, use, disclosure, storage, adaptation, destruction, or transfer.

Data Subject

The individual to whom Personal Data relates.

Data Processor

An organisation that processes Personal Data on behalf of another organisation but does not process it for its own purposes.

Personal Data We Collect

Identity & Contact Data

Full name, business title, identification documents (where legally required), email address, phone number, postal address.

Professional & Engagement Data

Organisation, role, areas of interest, contractual relationship details, due diligence information, project requirements, and communications history.

Technical & Usage Data

Server logs, IP address, device identifiers, authentication data, secure telemetry from our platforms and APIs, and configuration metadata necessary to provide services.

Compliance & Verification Data

Sanctions screening results, beneficial ownership information, regulatory filings, certifications, and attestations submitted as part of risk management.

Sensitive Information

Only collected where strictly necessary and with explicit consent or other lawful basis (e.g., biometric identifiers for secure facilities, health data for event access controls). Such data is subject to enhanced safeguards.

How We Collect Personal Data

  • Directly from you when you submit contact forms, request materials, enter into contracts, participate in events, or interact with our platforms
  • Automatically through secure telemetry, access logs, and platform instrumentation necessary to protect and maintain our infrastructure
  • From third-party sources such as partners, information providers, public registries, or regulatory filings, where lawful and relevant to our engagements

Lawful Grounds for Processing

We process Personal Data only where a valid legal basis exists:

1. Consent

Obtained explicitly or implied where permitted under PDPA and other laws.

2. Performance of a Contract

To deliver products, services, support, and obligations outlined in agreements.

3. Legitimate Interests

Such as securing our systems, pursuing business development, conducting due diligence, or improving services — provided such interests are not overridden by individual rights.

4. Compliance with Legal Obligations

Including regulatory filings, audits, sanctions screening, and law enforcement requests.

How We Use Personal Data

  • Assessing engagements, responding to enquiries, and providing proposals
  • Delivering, operating, and supporting our platforms and managed services
  • Conducting security monitoring, incident response, fraud prevention, and risk assessments
  • Managing contractual relationships, billing, and compliance obligations
  • Improving our products, research, and development roadmap
  • Communicating updates, insights, or invitations that align with your stated interests (you may opt out at any time)
  • Complying with laws, regulations, court orders, or governmental requests

Data Residency & Sovereignty

Data Location

For SaaS deployments, customer data is primarily stored in Singapore and may be replicated to additional regions (EU, US) based on customer selection. Metadata, logs, and operational telemetry may be processed in multiple regions for service delivery and security monitoring.

Deployment Options

Customers with specific data residency requirements may select:

  • SaaS with region selection (Singapore, EU, US)
  • Private cloud deployment in customer-specified cloud regions
  • On-premises deployment with full customer control of data location

Cross-Border Transfers

When data is transferred internationally, we comply with applicable data protection laws including GDPR (Standard Contractual Clauses), PDPA (transfer impact assessments), and CCPA. Transfers to countries without adequacy decisions are protected by appropriate safeguards.

Government Access

CUI Labs does not provide government agencies with direct access to customer data. We respond to lawful requests in accordance with applicable law and notify customers unless legally prohibited. For sovereign deployment models, customers maintain full control over government access decisions.

Your Data Protection Rights

Depending on your jurisdiction, you may have the following rights:

Access

Request copies of your personal data

Rectification

Correct inaccurate or incomplete data

Erasure

Request deletion of your personal data

Portability

Receive your data in a structured format

Restriction

Limit how we process your data

Objection

Object to certain processing activities

Data Security

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction:

  • End-to-end encryption for data in transit and at rest
  • Post-quantum cryptographic algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium)
  • Multi-factor authentication and access controls
  • Regular security audits and penetration testing
  • Incident response and breach notification procedures
  • Employee training on data protection and security

Contact & Complaints

For questions about this Privacy Policy or to exercise your data protection rights:

Data Protection Officer
Email: privacy@cuilabs.io
Address: 552 Ang Mo Kio Avenue 10, Singapore 560552

If you are not satisfied with our response, you may refer the matter to:

  • Personal Data Protection Commission (Singapore)
  • Information Commissioner's Office (UK)
  • Relevant EU Data Protection Authority
  • California Attorney General (for CCPA matters)