Privacy Policy
CUI Labs Privacy & Data Protection Policy
CUI Labs (Pte.) Ltd. ("CUI Labs", "we", "us", or "our") protects the confidentiality, integrity, and availability of information entrusted to us. This Privacy & Data Protection Policy explains how we collect, use, disclose, and safeguard Personal Data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA"), and where applicable, the European Union General Data Protection Regulation ("GDPR"), the United Kingdom GDPR, the California Consumer Privacy Act ("CCPA"), and other international data protection frameworks relevant to our operations and engagements.
1. Scope & Applicability
This Policy applies to all Personal Data processed by CUI Labs in the course of providing our products, solutions, professional services, research collaborations, events, and outreach activities. It governs data collected through our websites, portals, APIs, communication channels, and any engagement where we act as a data controller or data intermediary / processor on behalf of our clients.
Where we process Personal Data on behalf of our clients, we do so under the instructions of the relevant data controller and the contractual terms agreed. In such cases, this Policy supplements—rather than replaces—those agreements.
2. Key Definitions
- Personal Data means data, whether true or not, about an individual who can be identified from that data or from that data and other information to which we have or are likely to have access.
- Processing means any operation performed on Personal Data, including collection, use, disclosure, storage, adaptation, destruction, or transfer.
- Data Subject refers to the individual to whom Personal Data relates.
- Data Intermediary / Processor refers to an organisation that processes Personal Data on behalf of another organisation but does not process it for its own purposes.
3. Personal Data We Collect
The types of Personal Data we collect depend on the context of your interaction with CUI Labs. Categories may include:
- Identity & Contact Data: full name, business title, identification documents (where legally required), email address, phone number, postal address.
- Professional & Engagement Data: organisation, role, areas of interest, contractual relationship details, due diligence information, project requirements, and communications history.
- Technical & Usage Data: server logs, IP address, device identifiers, authentication data, secure telemetry from our platforms and APIs, and configuration metadata necessary to provide services.
- Compliance & Verification Data: sanctions screening results, beneficial ownership information, regulatory filings, certifications, and attestations submitted as part of risk management.
- Sensitive Information: only collected where strictly necessary and with explicit consent or other lawful basis (e.g., biometric identifiers for secure facilities, health data for event access controls). Such data is subject to enhanced safeguards.
4. How We Collect Personal Data
- Directly from you when you submit contact forms, request materials, enter into contracts, participate in events, or interact with our platforms.
- Automatically through secure telemetry, access logs, and platform instrumentation necessary to protect and maintain our infrastructure.
- From third-party sources such as partners, information providers, public registries, or regulatory filings, where lawful and relevant to our engagements.
5. Lawful Grounds for Processing
We process Personal Data only where a valid legal basis exists. Depending on jurisdiction, this may include:
- Consent obtained explicitly or implied where permitted under PDPA and other laws.
- Performance of a Contract to deliver products, services, support, and obligations outlined in agreements.
- Legitimate Interests such as securing our systems, pursuing business development, conducting due diligence, or improving services—provided such interests are not overridden by individual rights.
- Compliance with Legal Obligations including regulatory filings, audits, sanctions screening, and law enforcement requests.
- Vital Interests in rare situations to protect life or safety.
6. How We Use Personal Data
We may use Personal Data for the following purposes:
- Assessing engagements, responding to enquiries, and providing proposals or documentation.
- Delivering, operating, and supporting our platforms, solutions, and managed services.
- Conducting security monitoring, incident response, fraud prevention, and risk assessments.
- Managing contractual relationships, billing, and compliance obligations.
- Improving our products, research, and development roadmap.
- Communicating updates, insights, or invitations that align with your stated interests (you may opt out at any time).
- Complying with laws, regulations, court orders, or governmental requests.
7. Disclosure & International Data Transfers
We do not sell Personal Data. We may disclose Personal Data to trusted parties under strict confidentiality controls when necessary to deliver services or meet legal obligations, including:
- Affiliated entities within the CUI Labs group.
- Clients and partners, where the disclosure is part of delivering contracted services.
- Specialist vendors (e.g., secure hosting, encryption key custodians, audit providers) bound by data protection agreements.
- Professional advisors (legal, tax, cybersecurity) under duty of confidentiality.
- Government authorities, regulators, or law enforcement where required by applicable law.
As a Singapore-headquartered company serving global partners, we may transfer Personal Data across borders. When we do so, we implement appropriate safeguards such as contractual clauses, intra-group agreements, PDPA-compliant transfer assessments, and technical controls to ensure an equivalent standard of protection.
8. Data Retention & Accuracy
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal or contractual obligations, or to establish, exercise, or defend legal claims. Retention schedules account for regulatory requirements in Singapore and other jurisdictions where our clients operate.
We take reasonable steps to ensure Personal Data is accurate, complete, and updated. Please notify us of any material changes to your information.
9. Security & Governance Controls
CUI Labs employs a defence-in-depth security architecture, including encryption at rest and in transit, hardware security modules, continuous monitoring, zero-trust network segmentation, least-privilege access controls, secure software development practices, and incident response procedures. Our personnel are bound by confidentiality obligations and undergo regular training on data protection and security obligations.
10. Individual Rights
Depending on your residency and the applicable legislation, you may have rights to access, correct, update, delete, restrict, or object to the processing of your Personal Data, as well as rights to data portability and to withdraw consent. Requests may be submitted by contacting our Data Protection Officer (details below). Where requests are made under foreign laws (e.g., GDPR, UK GDPR, CCPA), we will assess and respond in accordance with the respective frameworks and any prevailing exemptions.
11. Marketing Communications
We send marketing materials only where permitted by law and where you have provided consent or have an existing business relationship with us. You may opt out of such communications at any time using the link in the message or by contacting us directly. Operational and security notices may still be sent where they are necessary to provide services.
13. Automated Decision-Making
CUI Labs does not rely on solely automated decision-making that produces legal or similarly significant effects on individuals without human intervention. Should such processes be introduced, we will implement transparency, explainability, and opt-out mechanisms consistent with applicable law.
14. Children's Privacy
Our services are not directed at individuals under 18 years of age. We do not knowingly collect Personal Data from minors. If you believe a minor has provided us with Personal Data, please contact us and we will take the necessary steps to delete such information.
15. Contact & Complaints
For questions, requests, or complaints relating to this Policy or our data protection practices, please contact:
Data Protection Officer
CUI Labs (Pte.) Ltd.
552 Ang Mo Kio, Avenue 10 #21-1982
Cheng San Place, Singapore 560552
privacy@cuilabs.io
We will acknowledge and investigate all complaints in a timely manner. If you are not satisfied with our response, you may refer the matter to the Personal Data Protection Commission (Singapore) or the relevant data protection authority in your jurisdiction.
16. Changes to This Policy
We may update this Policy to reflect legal, technical, or operational changes. Material updates will be communicated through our website or direct correspondence. Continued engagement with CUI Labs after such updates constitutes acknowledgment of the revised Policy.