Effective date: May 2026
This Privacy Policy explains how Kyboa Pte. Ltd. (“Kyboa”, “we”, “us” or “our”) collects, uses, discloses, stores and protects personal data in connection with our website, communications and compliance screening platform.
Kyboa is registered in Singapore under UEN 202620917G. Our registered office is 2 Venture Dr, #19-21 Vision Exchange, Singapore 608526.
For privacy questions or requests, please contact our Data Protection Officer at [email protected].
1. Scope of this policy
This Privacy Policy applies to:
- visitors to the Kyboa website;
- people who contact us, request a demo, subscribe to updates or communicate with us;
- users of the Kyboa platform;
- customers and prospective customers of Kyboa; and
- personal data submitted to the Kyboa platform for screening, KYB, KYC, due diligence, monitoring, reporting or audit purposes.
This policy is intended to support our obligations under the Singapore Personal Data Protection Act 2012 (“PDPA”). It does not replace any written agreement between Kyboa and a customer. If there is a conflict between this policy and a signed customer agreement, the signed agreement will apply to the extent of that conflict.
2. Our role for different types of personal data
Kyboa may process personal data in different roles depending on the context.
2.1 Personal data we process for our own purposes
For website visitors, demo enquiries, business contacts, account users, platform administration, support, security, service improvement and legal compliance, Kyboa acts as the organisation responsible for determining the purposes of collection, use and disclosure of personal data.
2.2 Customer-submitted screening data
Where a customer submits personal data to the Kyboa platform for screening, KYB, KYC, due diligence, monitoring or report generation, Kyboa generally processes that data on behalf of the customer and in accordance with the customer’s instructions and the applicable customer agreement.
In that context, the customer is generally responsible for ensuring that it has the necessary authority, consent, notification, legal basis or other permission to submit the data to Kyboa and to use the results for its compliance workflow.
Kyboa may still process customer-submitted data for limited service-related purposes, such as platform operation, security, auditability, troubleshooting, legal compliance, abuse prevention and enforcing our agreements.
3. Personal data we may collect
3.1 Website and enquiry data
When you visit our website or contact us, we may collect:
- name;
- email address;
- company or organisation name;
- job title or role;
- country or region;
- message content and communications with us;
- technical information such as IP address, browser type, device type, referring page, pages visited and approximate location; and
- analytics information collected through Google Analytics.
3.2 Platform account data
When you use the Kyboa platform, we may collect:
- user name, email address and organisation details;
- login, authentication and account activity data;
- role, permissions and account configuration information;
- support requests and communications;
- usage information such as screenings run, monitoring settings, reports generated and account activity; and
- security logs and technical diagnostics.
3.3 Screening, KYB, KYC and monitoring data
Customers may submit or maintain personal data in the platform as part of their compliance workflows. Depending on the use case, this may include:
- names, aliases, translated names and previous names;
- company names, registration numbers, business details and related entity information;
- director, officer, shareholder, beneficial owner or other associated person details;
- addresses, jurisdictions, dates of birth, birth years, nationality, citizenship or identity reference details where provided;
- screening inputs, screening outputs, match candidates, review decisions and monitoring alerts;
- screening reports and audit records; and
- public source links, search result metadata and other due diligence context.
Customers should avoid submitting unnecessary personal data and should only submit data that is relevant to their lawful compliance, due diligence, onboarding, monitoring or risk review purposes.
4. How we collect personal data
We may collect personal data:
- directly from you when you submit a form, contact us, request a demo or use the platform;
- from customer administrators or users who create accounts or submit screening data;
- from platform activity and security logs;
- from public or commercially available sources used in compliance screening workflows;
- from third-party service providers used to operate, host, secure, analyse or support the website and platform; and
- from communications with customers, prospective customers, partners and suppliers.
5. Purposes for using personal data
We may use personal data for the following purposes:
- operating, maintaining and improving the Kyboa website and platform;
- responding to enquiries and demo requests;
- creating and managing customer accounts and platform users;
- providing screening, KYB, KYC, due diligence, monitoring, reporting and audit-trail functionality;
- generating and storing screening reports and related audit records;
- supporting customer compliance workflows and review processes;
- providing customer support and troubleshooting;
- monitoring platform usage, availability, performance and security;
- protecting against misuse, unauthorised access, fraud, abuse or security incidents;
- maintaining records required for business, contractual, legal, regulatory or audit purposes;
- communicating service, account, legal or security updates;
- analysing website traffic and usage through Google Analytics; and
- complying with applicable law, regulatory requests, court orders or lawful instructions.
We do not use customer-submitted screening data to make automated legal determinations about any person or organisation. Screening results are intended to support review and due diligence workflows and should be assessed by the customer according to its own policies and legal obligations.
6. Cookies and analytics
Our website currently uses Google Analytics to understand website traffic, page usage and general audience behaviour. Google Analytics may collect information such as pages visited, device and browser information, approximate location, referral source and interaction events.
You can control cookies through your browser settings. Blocking or deleting cookies may affect some website functionality or analytics measurement.
We do not currently use an online payment provider on the website or platform.
7. Disclosure of personal data
We may disclose personal data to the following categories of recipients where reasonably necessary for the purposes described in this policy:
- hosting, infrastructure and database service providers;
- security, monitoring, logging and backup providers;
- analytics providers, including Google Analytics for website analytics;
- compliance screening, registry, search, media, background-check and reporting service providers used to operate platform workflows;
- professional advisers such as lawyers, accountants, auditors and insurers;
- regulators, law enforcement agencies, courts or government authorities where required or permitted by law;
- business partners, contractors or service providers who support our operations under appropriate confidentiality or data protection obligations; and
- another organisation in connection with a merger, acquisition, restructuring, financing or sale of all or part of our business, subject to appropriate safeguards.
We do not sell personal data.
8. International transfers
Kyboa is based in Singapore and the platform is hosted in Singapore.
Some service providers used for website analytics, communications, support, security, technical operations or compliance workflows may process or access personal data from outside Singapore. Where personal data is transferred outside Singapore, we take steps designed to ensure that the transferred personal data receives a standard of protection comparable to the protection under the PDPA, such as contractual obligations, service provider due diligence, technical safeguards and access controls.
9. Security
We take reasonable administrative, technical and organisational measures to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
These measures may include:
- account authentication and access controls;
- tenant separation and permission controls within the platform;
- secure hosting and infrastructure controls;
- encrypted transmission where appropriate;
- activity logging and audit records;
- limiting access to personal data to authorised personnel and service providers; and
- security monitoring, backup and recovery processes.
No system can be guaranteed to be completely secure. Customers and users are responsible for keeping login credentials secure, managing user access appropriately and notifying us promptly of suspected unauthorised access.
10. Retention of personal data
We retain personal data only for as long as it is reasonably necessary for the purposes for which it was collected or processed, or for legal, regulatory, contractual, audit, security or legitimate business purposes.
Our general retention approach is as follows:
- Website enquiries and sales communications: retained for up to 24 months after the last meaningful interaction, unless a longer period is needed for business or legal purposes.
- Platform account and user records: retained while the account is active and for up to 7 years after account closure where needed for contractual, audit, legal, security or business record purposes.
- Screening records, reports, monitoring records, review decisions and audit artifacts: retained while the customer account is active and for up to 7 years after account closure, unless the customer agreement specifies a different period or deletion is required and legally permissible.
- Support records: retained for up to 3 years after the relevant support matter is closed, unless needed for legal, security, audit or service continuity purposes.
- Security logs: retained for a limited period appropriate to security monitoring and incident investigation, and longer where needed to investigate misuse, fraud, unauthorised access or security incidents.
- Analytics data: retained according to the settings configured in Google Analytics and used primarily in aggregated or statistical form.
- Backups: retained according to our backup rotation schedule and then overwritten or deleted in the ordinary course of operations.
When personal data is no longer required, we will take reasonable steps to delete it, anonymise it or remove the means by which it can be associated with particular individuals, unless retention remains necessary for legal, regulatory, contractual, audit, security or legitimate business purposes.
11. Access and correction
You may request access to, or correction of, personal data that we hold about you by contacting [email protected].
For personal data submitted by a Kyboa customer for screening or monitoring, we may need to refer your request to the relevant customer because that customer may be the organisation responsible for deciding how the data is used. We will handle such requests in accordance with the PDPA and any applicable customer agreement.
We may need to verify your identity before responding to a request. We may also decline or limit a request where permitted by law, such as where disclosure would reveal personal data about another individual, compromise an investigation, reveal confidential commercial information, or conflict with legal or regulatory obligations.
12. Withdrawal of consent and deletion requests
You may contact us to withdraw consent for certain uses of your personal data or to request deletion of personal data where applicable.
Please note that withdrawing consent or requesting deletion may affect our ability to provide services, maintain your account, respond to enquiries or support compliance workflows. We may also need to retain certain data where required or permitted for legal, regulatory, contractual, audit, security or legitimate business purposes.
13. Accuracy
We take reasonable steps to keep personal data in our own records accurate and complete where it is likely to be used to make a decision affecting an individual or disclosed to another organisation.
For customer-submitted screening data, customers are responsible for ensuring that the data they enter or upload is accurate, complete and appropriate for their compliance purposes. Kyboa may help structure, enrich or compare information as part of platform workflows, but customers remain responsible for their own review decisions and compliance outcomes.
14. Data breach notification
If we become aware of a data breach involving personal data, we will assess the incident and take steps to contain and remediate it. Where required under the PDPA, we will notify the Personal Data Protection Commission and/or affected individuals within the applicable timeframe.
Where Kyboa is processing customer-submitted data on behalf of a customer, we will also notify the customer in accordance with the applicable customer agreement so that the customer can assess its own notification obligations.
15. Children’s personal data
The Kyboa website and platform are intended for business and professional use. They are not directed at children. Customers should not submit children’s personal data unless it is strictly necessary for a lawful compliance purpose and the customer has the necessary authority to do so.
16. Third-party websites and sources
Our website, platform, reports or screening outputs may include links to third-party websites, public sources, registry sources, media sources, regulatory sources or other external materials. We are not responsible for the privacy practices, content or security of third-party websites or external sources.
Our website uses Cloudflare Turnstile for bot protection. Please see the Cloudflare Turnstile Privacy Addendum for more information on how information is collected and used by this service.
17. Changes to this policy
We may update this Privacy Policy from time to time. The updated version will be posted on our website with a revised effective date. Where changes are material, we may take additional steps to notify customers or users where appropriate.
18. Contact us
If you have questions about this Privacy Policy or how Kyboa handles personal data, please contact:
Data Protection Officer
Kyboa Pte. Ltd.
2 Venture Dr, #19-21 Vision Exchange
Singapore 608526
Email: [email protected]