Privacy Policy

Last updated: 1 January 2026

1. Introduction

Workboat Trading Pte Ltd ("WBT", "we", "our", or "us") is committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore and the 2024/2025 updates on AI Recommendation and Decision Systems.

2. Data We Collect

We collect the following categories of personal data:

• Account information: Name, email address, phone number, company name, and designation.
• Verification data (KYB): Company registration documents, director identification, and industry credentials.
• Transaction data: Purchase and sale history, payment information, and escrow records processed through our third-party provider, Stripe.
• Usage & behavioral data: Browser type, IP address, navigation patterns, and feature interactions captured via PostHog.
• AI-driven data: Queries and interactions with our AI features (powered by Gemini/Antigravity).

3. Third-Party Data Intermediaries & Transfers

To provide our services, we share data with specific intermediaries:

3.1 Stripe (Payment Processing)

User payment data is processed by Stripe. In accordance with the Transfer Limitation Obligation, we ensure that data transferred to Stripe's global servers for fraud prevention and tax compliance (via Stripe Tax/InvoiceNow) maintains a standard of protection comparable to Singapore law.

3.2 PostHog (Analytics & Session Recording)

We use PostHog for product analytics and session recording.

• Deemed Consent: By using our Platform for commerce-related activities, your consent to basic functional tracking is deemed under the PDPA.
• Opt-In: Explicit opt-in is required for advanced behavioral tracking and session recording in certain jurisdictions.

3.3 Supabase (Data Hosting & Security)

Supabase acts as our primary data host. Documents and sensitive data are secured via Row Level Security (RLS) and encryption.

3.4 Cross-Border Transfers & Global Safeguards

As WBT operates globally, our primary data intermediaries (Stripe, PostHog, Supabase) process and store data on servers outside Singapore, including in the United States and the European Union.

Under Singapore's PDPA Transfer Limitation Obligation and GDPR Article 46, we ensure that transfers outside your home jurisdiction are protected by standard contractual safeguards. Specifically, all global data processors bound to WBT have entered into Standard Contractual Clauses (SCCs) approved by the European Commission, guaranteeing that your personal data receives a standard of protection comparable to Singapore and European laws.

4. Artificial Intelligence & Agentic Systems

WBT utilizes advanced AI technologies to enhance your experience.

4.1 Sub-Processors (Gemini & Antigravity)

We use Google Gemini and Antigravity as sub-processors for AI-driven features.

• Data Training: We utilize Enterprise/Pro APIs which do not use your personal or proprietary data for training the underlying base models.
• AI Governance: We employ "Agentic AI" for automation. However, WBT maintains a "Human-in-the-Loop" policy for all critical decisions, including payment authorizations and document security classifications.

4.2 AI Recommendations

In compliance with the 2024/2025 PDPC updates, we disclose that AI is used to recommend vessels and insights based on your usage history. You may opt-out of personalized recommendations in your Account Settings.

5. Data Retention & Disposal Schedule

In accordance with the PDPA Retention Limitation Obligation and GDPR Article 5(1)(e), WBT maintains a strict schedule for the storage, redaction, and disposal of personal data:

• KYB Verification Files: Corporate registry logs and director identification documents (e.g. passport or national ID uploads) are stored securely with strict RLS policies. These files are permanently deleted and purged from our database and storage buckets exactly 30 days after verification status is completed (Approved/Rejected), retaining only the verified status flag.
• User Account Information: Held for the active duration of the user account. Upon account deletion requests, basic profiling details are anonymized or permanently deleted within 30 days.
• Transaction & Billing Records: Retained for a mandatory period of 7 years in compliance with Singapore tax (IRAS) and financial regulatory obligations.
• Analytics and Tracking Data: PostHog and Google Analytics session records are automatically expired and deleted after 14 months.

6. Your Rights

Under the PDPA, you have the right to access, correct, or withdraw consent for your personal data.

6.1 Additional Rights for EEA & UK Users (GDPR Compliance)

If you reside within the European Economic Area (EEA) or the United Kingdom (UK), you possess additional rights under the General Data Protection Regulation (GDPR) regarding your personal data:

• Right to Erasure ("Right to be Forgotten"): You may request the permanent deletion of your personal data where it is no longer required for legal compliance or the performance of our contract.
• Right to Data Portability: You have the right to request a copy of your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another provider.
• Right to Restrict Processing: You may request that we temporarily suspend processing your personal data while you contest its accuracy or our lawful basis.
• Right to Object: You can object to processing based on legitimate interests, including our product analytics and session recordings.
• Supervisory Complaint: You have the right to lodge a complaint regarding our data practices with a competent Data Protection Authority in your country of residence.

To exercise these rights, please contact our Data Protection Officer. We will respond to verified requests within 30 days.

7. Data Protection Officer (DPO)

For any queries or to exercise your rights, please contact our Data Protection Officer:

• Name: Rizwan Abeer
• Contact: ops@wbtsingapore.com
• Address: 160 Robinson Road 14-04, 068914 Singapore