kokabu

Privacy Policy

Last updated · 21 May 2026

Pre-launch document

kokabu has not yet gone live. This document outlines our intended position pending counsel review. The final form will be issued before any investor is onboarded.

This Privacy Policy describes how kokabu collects, uses, stores, and shares your personal data when you use our platform. It is aligned with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Data controller

kokabu is the data controller for personal data collected through the platform. Our Data Protection Officer can be reached at dpo@kokabu.co.

2. What we collect

We collect the following categories of personal data:

  • Account data: name, email, password hash, phone number.
  • Identity data: government ID, date of birth, nationality, country of residence, tax residency, address, biometric verification data collected via our KYC partner Didit.
  • Accreditation data: declared net worth, income, investor status, and supporting documents you upload.
  • Financial data: bank account details, payment-method tokens (no card numbers stored), transaction history, distributions received, balance.
  • On-chain data: custodial wallet address, token holdings, transfer history. This data is necessarily public on the Polygon blockchain.
  • Usage data: pages visited, actions performed, device information, IP address, browser type, approximate location.
  • Communications: emails, support messages, and any other contact you have with us.

3. Why we collect it

We process your personal data for the following purposes:

  • To create and manage your account.
  • To verify your identity, accreditation, and eligibility (KYC, AML, sanctions screening).
  • To execute investments, distributions, withdrawals, and other transactions.
  • To provide statements, tax summaries, and other reporting.
  • To communicate with you about your account, transactions, security, and important changes.
  • To detect fraud, prevent abuse, and maintain platform security.
  • To comply with legal, regulatory, and tax obligations.
  • To improve the platform, with your consent where required.
  • To send you marketing communications, with your consent and your right to opt out at any time.

4. Legal basis

We rely on the following lawful bases under PDPA (and GDPR, where applicable):

  • Consent for marketing communications and optional cookies.
  • Contract for processing necessary to perform the platform services you request.
  • Legal obligation for KYC, AML, sanctions, and tax reporting.
  • Legitimate interest for fraud prevention, platform security, and product improvement, balanced against your privacy rights.

5. Who we share data with

We share data only with parties necessary to operate the platform:

  • Service providers including Clerk (authentication), Privy (wallet custody), Didit (KYC), Stripe (payments), Resend (email), and infrastructure providers. Each is bound by a data processing agreement.
  • Sponsors of deals you invest in receive your name, holdings, and contact information for the purposes of operating the SPV and complying with their own legal obligations.
  • Regulators and authorities when required by law (e.g. MAS, IRAS, STRO).
  • Successor entities in the event of a merger, acquisition, or orderly wind-down, with notice to you.

We never sell your personal data. We do not share data with third parties for their own marketing purposes.

6. How long we keep it

We retain personal data for as long as your account is active and thereafter for as long as required by law:

  • KYC and AML records: seven years after relationship ends (MAS requirement).
  • Transaction records: seven years.
  • Audit logs: five years.
  • Marketing consent records: as long as consent is active plus one year.
  • On-chain data: permanent on the Polygon blockchain. We have no ability to delete this.

7. Security

We employ industry-standard technical and organizational measures to protect your data. These include encryption at rest and in transit, hardened infrastructure, access controls, mandatory multi-factor authentication for administrative access, regular vulnerability scanning, security audits, and a documented incident response plan.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the PDPC (or relevant authority) within the timeframes required by law (within 72 hours for material breaches under PDPA).

8. Your rights

You have the following rights with respect to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that inaccurate or incomplete data be corrected.
  • Deletion: request that we delete your personal data, subject to legal retention obligations.
  • Withdraw consent: opt out of marketing or other consent-based processing at any time.
  • Data portability: request a machine-readable export of your data.
  • Complain: lodge a complaint with the PDPC or the supervisory authority in your jurisdiction.

Exercise any of these rights by emailing dpo@kokabu.co. We respond within 30 days.

9. International transfers

Some of our service providers operate outside Singapore. Where we transfer your data internationally, we rely on contractual safeguards (data processing agreements, standard contractual clauses) to ensure your data receives an equivalent level of protection.

10. Cookies and tracking

We use privacy-friendly analytics (PostHog and Plausible, both self-hosted) and a minimal set of cookies. You can manage your cookie preferences via the consent banner shown on first visit. Strictly necessary cookies (for authentication and security) cannot be disabled.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email and via the platform.

12. Contact

Email our Data Protection Officer at dpo@kokabu.co for any privacy-related question.