Data Protection

kokabu has designated a Data Protection Officer under Section 11(3) of the Singapore Personal Data Protection Act 2012.

You can contact the DPO by email at dpo@kokabu.co. The DPO is responsible for handling access requests, correction requests, deletion requests, breach notifications, and any other data protection matter.

You have the following data protection rights:

• Right to access: request a copy of all personal data we hold about you.
• Right to correction: request that we update or correct any inaccurate or incomplete data.
• Right to deletion: request that we delete your data, subject to legal retention obligations (e.g. seven years for AML records).
• Right to withdraw consent: opt out of marketing or any consent-based processing at any time, without affecting your account.
• Right to data portability: receive a machine-readable export of your data.
• Right to complain: lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) or the supervisory authority in your jurisdiction.

Email dpo@kokabu.co with the following information:

• Your full name and the email associated with your account.
• The right you wish to exercise.
• Any context that helps us locate the relevant data (account ID, date ranges, types of data).

We respond to all requests within 30 days. For complex requests, we may extend this period by up to 60 days and will inform you in writing.

We may request additional verification before fulfilling a request, to protect your data against impersonation.

If we become aware of a personal data breach that is likely to result in significant harm to affected individuals or that affects the data of 500 or more individuals, we will notify the Personal Data Protection Commission of Singapore and the affected individuals within 72 hours, as required under the PDPA.

Notifications will include the nature of the breach, the data affected, the steps we are taking, and what you can do to protect yourself.

We apply layered security controls including:

• Encryption of personal data at rest and in transit (TLS 1.3 minimum, AES-256 at rest).
• Access controls with mandatory multi-factor authentication for administrative access.
• Network controls including a web application firewall and DDoS protection.
• Continuous vulnerability and dependency scanning.
• Encrypted off-site backups with regular restore testing.
• Audit logging of every administrative action.
• Annual security review (independent penetration testing planned before live launch).

We retain personal data only as long as needed for the purposes described in our Privacy Policy or as required by law. KYC and AML records are kept for seven years after the end of the relationship, as required by MAS. Other data is deleted or anonymized when no longer needed.

If you are not satisfied with how we have handled a data protection request or concern, you may file a complaint with the Personal Data Protection Commission of Singapore at pdpc.gov.sg.

If you are resident in the European Union, the United Kingdom, or another jurisdiction with its own supervisory authority, you may also file a complaint with that authority.

Email dpo@kokabu.co for any data protection matter.