Obeden Privacy Policy
Last updated 30th January 2026
1. Who We Are
OBEDEN PTE LTD (“Obeden”, “we”, “us”, “our”) is a company registered in Singapore. We operate websites and services in Singapore, the United Kingdom, the European Economic Area (EEA), and India.
We are the Controller (GDPR/UK GDPR), Organisation (PDPA), and Data Fiduciary (DPDPA) responsible for your personal data.
This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies whenever you use our website or services, regardless of where you are located.
This policy complies with:
- Singapore – Personal Data Protection Act 2012 (PDPA)
- European Economic Area – General Data Protection Regulation (GDPR)
- United Kingdom – UK GDPR and Data Protection Act 2018
- India – Digital Personal Data Protection Act, 2023 (DPDPA)
For India: Where DPDPA applies, it prevails over any conflicting provision in this policy.
1.1 Contact Details
Data Protection Officer / Authorised Person
Obeden PTE Ltd
20 Cecil Street
#05-03, Plus
Singapore, 049705
Email: Obeden-DPO@obeden.com
For India: As we are not currently a Significant Data Fiduciary, our Data Protection Officer acts as our Authorised Person under DPDPA.
1.2 Age Restrictions
Our website and services are not intended for children. A “child” means anyone under:
- 18 years in India (DPDPA)
- 16 years in the EEA and UK (GDPR/UK GDPR)
- 13 years in Singapore (PDPA)
If we learn that we have collected personal data from a child below the applicable age, we will delete that data and terminate any associated account. For Indian children’s data, we follow the erasure procedures under DPDPA.
1.3 Your Right to Complain
You may complain to the relevant data protection authority at any time:
| Jurisdiction | Authority | Website | Special Requirements |
| --- | --- | --- | --- |
| Singapore | PDPC | None | |
| UK | ICO | None | |
| EEA | Your national DPA | None | |
| India | Data Protection Board | (Once established) | You must use our grievance mechanism first (Section 9) |
We appreciate the opportunity to address your concerns before you approach any authority.
2. What Personal Data We Collect
“Personal data” means any information that identifies you or can be used to identify you.
For India: Under DPDPA, “personal data” means any data about an individual who is identifiable by or in relation to such data. We only process your digital personal data (data in digital form).
| Category | Examples |
| --- | --- |
| Identity Data | Name, title, date of birth, gender, photo, identification documents |
| Contact Data | Address (billing and delivery), email, telephone numbers |
| Financial Data | Bank account and payment card details |
| Transaction Data | Payment history and details of products/services purchased |
| Professional Data | Work history, qualifications, job applications, salary details |
| Technical Data | IP address, browser type, device information, cookies, time zone, operating system |
| Profile Data | Username, password, purchases, preferences, feedback, survey responses |
| Usage Data | How you use our website, products, and services |
| Marketing and Communications Data | Your marketing preferences and communication choices |
Aggregated data: We may create statistical or demographic data from your personal data. Once aggregated so it cannot identify you, it is no longer personal data. If we combine aggregated data with your personal data so that it could identify you, we treat it as personal data under this policy.
Sensitive data: We do not collect special categories of data (such as race, ethnicity, religious beliefs, health data, sexual orientation, political opinions, trade union membership, or genetic and biometric data). We do not collect data about criminal convictions or offences.
If you do not provide required data: Where we need personal data to fulfil a contract with you or to comply with the law, and you do not provide it, we may be unable to provide the relevant product or service. We will notify you if this is the case.
3. How We Collect Your Personal Data
3.1 Directly from You
When you create an account, subscribe to our services, request marketing, provide feedback, or contact us.
3.2 Automatically
When you use our website, we automatically collect Technical Data using cookies and similar technologies. See our Cookie Policy for details.
3.3 From Third Parties
- Analytics providers (e.g. Google) – Technical Data
- Payment providers (e.g. PayPal, Stripe) – Contact, Financial, and Transaction Data
For India: Where third parties process your data on our behalf, they act as Data Processors under DPDPA. We remain responsible for their processing and engage them only under valid contracts.
4. Why We Use Your Data (Legal Bases)
The legal grounds we rely on depend on your jurisdiction:
4.1 GDPR / UK GDPR / PDPA
- Performance of a contract – to fulfil our obligations to you
- Legitimate interests – where our interests do not override your fundamental rights
- Legal obligation – to comply with the law
- Consent – primarily for marketing communications
4.2 DPDPA (India) – Two Grounds Only
Ground 1: Consent. Your consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. You may withdraw consent at any time with the same ease as giving it. On withdrawal, we stop processing your data unless authorised under Certain Legitimate Uses or required by law.
Ground 2: Certain Legitimate Uses. We may process your data without consent for: (a) voluntary provision of data for a specified purpose where you have not indicated non-consent; (b) government subsidies or benefits; (c) state functions under law; (d) legal obligations to disclose to the State; (e) compliance with court orders; (f) medical emergencies; (g) public health measures; (h) disasters or breakdown of public order; (i) employment purposes or safeguarding the employer from loss or liability.
4.3 Purposes of Processing
Where standards differ between jurisdictions, we apply the strictest requirement.
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Register you as a customer | Identity, Contact | Contract (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA) |
| Process and deliver orders | Identity, Contact, Financial, Marketing | Contract (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA) |
| Manage our relationship with you | Identity, Contact, Profile, Marketing | Contract, Legal obligation, Legitimate interest (GDPR/UK/PDPA) OR Consent/Voluntary provision (DPDPA) |
| Administer and protect our business and website | Identity, Contact, Technical | Legitimate interests, Legal obligation (GDPR/UK/PDPA) OR Consent (DPDPA) |
| Deliver relevant content and advertising | Identity, Contact, Profile, Usage, Marketing, Technical | Consent (all jurisdictions) |
| Data analytics to improve our services | Technical, Usage | Consent (all jurisdictions) |
| Make product/service recommendations | Identity, Contact, Technical, Usage, Profile, Marketing | Consent (all jurisdictions) |
For India: DPDPA requires explicit consent for marketing, analytics, and recommendations. There is no “legitimate interests” basis for these purposes under DPDPA.
5. Marketing
When we send marketing:
- GDPR/UK GDPR/PDPA: If you have requested information or purchased from us, and have not opted out
- DPDPA (India): Only if you have given explicit consent
Third-party marketing: We require your express opt-in consent before sharing your data with any third party for their own marketing (all jurisdictions).
How to opt out: Follow the unsubscribe link in any marketing message, update your profile settings, or email:
Obeden-OptOut@obeden.com
For India: Withdrawing marketing consent exercises your right under DPDPA. We will stop processing your data for marketing within a reasonable time.
Opting out of marketing does not affect data we process for other purposes, such as fulfilling your purchases.
5.1 Cookies
You can set your browser to refuse or alert you to cookies. Disabling cookies may affect the functionality of some parts of our website. See our Cookie Policy for details.
5.2 Change of Purpose
We only use your data for the purpose we collected it for, unless: the new purpose is compatible with the original (GDPR/UK GDPR/PDPA); you give fresh consent; the new purpose falls under Certain Legitimate Uses (DPDPA); or we are required or permitted by law.
For India: DPDPA requires fresh consent unless the new purpose qualifies as a Certain Legitimate Use.
We may process your data without your knowledge or consent where required or permitted by law.
6. Who We Share Your Data With
We may share your personal data with:
- Service providers (IT, system administration) acting as processors / Data Processors
- Professional advisers (lawyers, auditors, insurers, bankers) acting as processors or joint controllers
- Regulators and authorities (in Singapore, EEA, UK, India, and other jurisdictions where we are regulated) who require reporting in certain circumstances
For India: Under DPDPA, we remain responsible for all processing by Data Processors on our behalf. We engage them only under valid contracts that require them to implement reasonable security safeguards.
We require all third parties to respect your personal data’s security and to treat it lawfully. They may only process it for specified purposes and under our instructions.
7. International Transfers
Where your data is stored:
- www.obeden.com – Singapore servers
- app.obeden.<location> – Servers in your chosen location (Singapore, UK, EEA, or India)
We may transfer your data within the Obeden group or to authorised third parties (such as cloud providers and processors) located outside these territories. All recipients are legally bound to provide protection comparable to PDPA, GDPR, UK GDPR, and DPDPA standards.
For India: The Indian Central Government may restrict transfers of personal data to certain countries. We comply with all such restrictions, including those regarding making data available to foreign States or entities under their control. We ensure all transfers outside India comply with DPDPA requirements and any government notifications or orders.
8. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data, including:
- Encryption, obfuscation, masking, and virtual tokens
- Access controls to computer resources
- Logging, monitoring, and review for unauthorised access detection
- Data backup procedures for business continuity
- Log and data retention for at least one year (unless law requires longer)
- Contractual obligations on Data Processors to implement security safeguards
- Technical and organisational measures ensuring effective compliance
Only employees, agents, contractors, and third parties with a business need-to-know may access your data, and they are bound by confidentiality obligations.
These safeguards meet or exceed the requirements of PDPA, GDPR, UK GDPR, and DPDPA.
8.1 Data Breach Notification
For India: Under DPDPA, a “personal data breach” includes any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. All breaches must be notified regardless of severity.
If a personal data breach occurs, we will:
- Notify you (the affected individual) without delay, in clear and plain language, informing you of: the description of the breach (nature, extent, timing, location); consequences relevant to you; mitigation measures we have taken; safety measures you may take; and contact information for queries
- Notify the Data Protection Board of India: Initial notification without delay, followed by a detailed report within 72 hours (or such longer period as the Board allows), including updated information, the facts and circumstances, mitigation measures, findings regarding the person who caused the breach, remedial measures, and a report on notifications given to affected individuals
- Notify the relevant supervisory authority (PDPC, ICO, or national DPA) in accordance with the applicable jurisdiction’s requirements and timelines
9. Data Retention and Erasure
We retain personal data only as long as reasonably necessary to fulfil the purposes for which it was collected and to satisfy legal, regulatory, tax, accounting, or reporting requirements. We may retain data longer if there is a complaint or a reasonable prospect of litigation.
We erase your personal data on the earlier of:
- You withdrawing your consent; or
- The specified purpose no longer being served
Unless retention is necessary for legal compliance. We also require our Data Processors to erase data made available by us.
For India (DPDPA) – Deemed cessation of purpose: For e-commerce entities with specified user thresholds, the purpose is deemed no longer served if you have not: (a) approached us for the performance of the specified purpose, and (b) exercised any of your rights in relation to such processing. We will notify you at least 48 hours before erasure – you can prevent erasure by logging into your account or contacting us.
Anonymisation: We may anonymise your personal data so it can no longer identify you. Once anonymised, we may use it indefinitely for research or statistical purposes without further notice.
10. Your Rights
Your rights depend on your jurisdiction. Contact our Data Protection Officer at Obeden-DPO@obeden.com to exercise any right.
| Right | Description | How to Exercise | Jurisdictions |
| --- | --- | --- | --- |
| Access | Obtain a copy or summary of your personal data and processing activities | Contact DPO | All |
| Correction | Correct inaccurate or misleading data | Contact DPO | All |
| Completion | Complete incomplete data | Contact DPO | All (DPDPA) |
| Updating | Update personal data | Contact DPO | All (DPDPA) |
| Erasure | Request deletion of personal data | Contact DPO | All |
| Object to processing | Object based on your particular situation | Contact DPO | GDPR/UK GDPR only |
| Restrict processing | Suspend processing in certain scenarios | Contact DPO | GDPR/UK GDPR only |
| Data portability | Receive your data in machine-readable format to transfer elsewhere | Contact DPO | GDPR/UK GDPR only |
| Withdraw consent | Withdraw consent with the same ease as giving it | DPO, opt-out links, or profile settings | All |
| Grievance redressal | Submit a grievance about our obligations or your rights | Section 11 mechanism | DPDPA (mandatory before Board) |
| Nominate | Nominate a person to exercise your rights upon your death or incapacity | Contact DPO | DPDPA only |
10.1 Limitations on Rights
Access: We need not disclose information about sharing your personal data with other Controllers/Data Fiduciaries authorised by law (e.g. law enforcement) where such sharing is for prevention, detection, or investigation of offences or cyber incidents.
Erasure: We may refuse erasure if retention is necessary for the specified purpose or for legal compliance.
10.2 Your Duties Under DPDPA (Indian Data Principals Only)
If you are located in India, you have the following duties:
- Comply with applicable laws while exercising your rights
- Not impersonate another person when providing personal data
- Not suppress material information when providing personal data for any official document, unique identifier, or proof of identity/address issued by the State
- Not register false or frivolous grievances or complaints with us or the Board
- Furnish only verifiably authentic information when exercising your right to correction or erasure
10.3 Exercising Your Rights
We may request specific information from you to verify your identity before actioning any rights request. We aim to respond within one month. Complex or multiple requests may take longer, in which case we will notify you. There is usually no fee, but we may charge a reasonable fee for clearly unfounded, repetitive, or excessive requests.
11. Grievance Redressal (Indian Data Principals)
In accordance with DPDPA, we have established an effective grievance mechanism.
You may submit a grievance about:
- Any act or omission by us regarding our obligations in relation to your personal data; or
- The exercise of your rights under DPDPA
Contact: Obeden-DPO@obeden.com
Response time: We will respond within 30 days.
If unsatisfied: You may file a complaint with the Data Protection Board of India (once established). You must exhaust this grievance mechanism first.
Further appeals: If aggrieved by a Board order, you may appeal to the Appellate Tribunal (Telecom Disputes Settlement and Appellate Tribunal) within 60 days. You also have the right to an effective judicial remedy.
12. Special Provisions for Indian Data Principals
12.1 Children’s Data
Under DPDPA, a “child” is anyone under 18 years. Obeden does not knowingly process children’s data and will immediately disable and remove any accounts identified as having been created by a child.
12.2 Persons with Disabilities
If you have a lawful guardian appointed under applicable law, your guardian may exercise your rights under DPDPA on your behalf. We will verify the guardian’s appointment by:
- A court of law; or
- A designated authority under the Rights of Persons with Disabilities Act, 2016; or
- A local level committee under the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999
12.3 Data Accuracy
Where your personal data is likely to be used to make a decision that affects you, or disclosed to another Data Fiduciary, we shall ensure its completeness, accuracy, and consistency.
12.4 Exemptions
DPDPA does not apply to processing that is necessary for: enforcing any legal right or claim; court, tribunal, or regulatory functions; or prevention, detection, investigation, or prosecution of offences; and certain other specified circumstances under DPDPA.
12.5 Cross-Border Transfer Restrictions
The Indian Central Government may, by notification, restrict the transfer of personal data to certain countries or territories outside India. We will comply with any such restrictions and requirements.
13. Jurisdiction and Dispute Resolution
Disputes are governed by Singapore law and Singapore courts, subject to applicable consumer protection laws in your jurisdiction.
13.1 India-Specific Dispute Resolution (Prevails Over Other Provisions)
For Indian Data Principals, the following mandatory hierarchy applies:
| Level | Forum | Requirement | Timeline |
| --- | --- | --- | --- |
| 1 | Our grievance mechanism (Section 11) | Mandatory first step | 30 days response |
| 2 | Data Protection Board of India | If unsatisfied with our response | Board inquiry process |
| 3 | Appellate Tribunal | If aggrieved by Board order | Appeal within 60 days |
| 4 | High Court | Final appeal | Per TRAI Act, 1997 |
Key points: DPDPA dispute resolution prevails for Indian Data Principals. Civil courts cannot entertain matters within the Data Protection Board’s jurisdiction. You must complete the grievance mechanism before filing a Board complaint.
14. Changes to This Policy
We review this policy regularly. Changes will be posted on this page with an updated date.
For India: If we make material changes to how we process your data, we will notify you through your registered email address or user account. Continued use after notification constitutes acceptance, subject to your right to withdraw consent or object to processing.
Please keep your personal data up to date and inform us of any changes.
14.1 Third-Party Links
Our website may link to third-party websites, plug-ins, and applications. We do not control these third-party sites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
15. Language
This policy is provided in English.
For India: You have the right to access this policy in Hindi or any language specified in the Eighth Schedule to the Constitution of India. To request a translation, email: Obeden-DPO@obeden.com
16. Key Terms Across Jurisdictions
This policy uses different terminology depending on which law applies to you:
| Concept | GDPR/UK GDPR | PDPA | DPDPA | Meaning |
| --- | --- | --- | --- | --- |
| Us (Obeden) | Controller | Organisation | Data Fiduciary | The entity determining why and how your data is processed |
| You | Data Subject | Individual | Data Principal | The person whose data is processed |
| Our service providers | Processor | Data Intermediary | Data Processor | Those who process data on our behalf under contract |
| Your agreement | Consent | Consent | Consent* | Your agreement to data processing |
| A data incident | Data Breach | Data Breach | Personal Data Breach* | A security incident affecting your data |
| Regulators | Supervisory Authority | PDPC | Data Protection Board | The government body overseeing compliance |
16.1 Detailed Key Terms
| Term | GDPR/UK GDPR | PDPA (Singapore) | DPDPA (India) |
| --- | --- | --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person | Data about an individual who can be identified from that data | Any data about an individual who is identifiable by or in relation to such data (digital only) |
| Processing | Any operation performed on personal data (collection, storage, use, disclosure, etc.) | Any operation performed on personal data | Wholly or partly automated operation on digital personal data including collection, storage, use, sharing, erasure, etc. |
| Consent | Freely given, specific, informed and unambiguous indication by clear affirmative action | Voluntary agreement given by individual | Free, specific, informed, unconditional and unambiguous agreement with clear affirmative action |
| Data Breach | Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access | Unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction | Unauthorised processing OR accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access |
| Erasure | Right to have personal data erased | Right to withdraw consent and request deletion | Right to erasure (permanent deletion that cannot be recovered) |
| Legitimate Interest | Processing necessary for legitimate interests (unless overridden by individual’s rights) | Legitimate interests of organisation | “Certain Legitimate Uses” – 9 specific categories only (no general legitimate interests basis) |
| Special Category Data | Sensitive data (race, health, religion, etc.) requiring enhanced protection | Sensitive personal data requiring consent | Not defined – DPDPA treats all personal data uniformly |
*DPDPA terms have stricter or broader definitions. In particular:
- Consent under DPDPA must be “free, specific, informed, unconditional and unambiguous” (adding “unconditional” – no bundled consent permitted)
- Personal Data Breach under DPDPA includes “loss of access” and “unauthorised processing” – broader than GDPR’s definition
- Erasure under DPDPA means permanent deletion that cannot be recovered, and is triggered by consent withdrawal or purpose served, whichever is earlier
- DPDPA has no general “legitimate interests” basis – only 9 specific “Certain Legitimate Uses”
- DPDPA does not distinguish “special category data” – all personal data is treated uniformly
- DPDPA requires all breaches to be notified regardless of risk level (no risk threshold, unlike GDPR)
16.2 Additional DPDPA-Specific Terms
| Term | Definition | Why It Matters |
| --- | --- | --- |
| Specified Purpose | The exact purpose stated in the notice given by the Data Fiduciary | Processing is strictly limited to this purpose; any change requires fresh consent |
| Significant Data Fiduciary | A Data Fiduciary notified by the Central Government based on volume/sensitivity of data and risk | Subject to additional obligations: DPO appointment, audits, DPIAs |
| Consent Manager | A person registered with the Board as a single point for managing consent | Optional service – you may use a Consent Manager to manage your consents |
| Data Protection Officer (DPO) (DPDPA) | Individual appointed by a Significant Data Fiduciary to represent them and be the point of contact for grievance redressal | Only Significant Data Fiduciaries must appoint a DPO; regular Data Fiduciaries (like Obeden currently) designate an “Authorised Person” instead |
16.3 Additional GDPR/UK GDPR-Specific Terms
| Term | Definition | Why It Matters |
| --- | --- | --- |
| Data Protection Impact Assessment (DPIA) | Assessment of risks to individuals’ rights before high-risk processing | Required for high-risk processing under GDPR; under DPDPA only for Significant Data Fiduciaries |
| Data Portability | Right to receive personal data in machine-readable format and transfer to another controller | GDPR/UK GDPR right; not explicitly provided in DPDPA |
| Joint Controller | Two or more controllers jointly determining purposes and means of processing | GDPR concept; DPDPA does not explicitly address joint Data Fiduciaries |
16.4 Key Differences to Note
- Consent: GDPR – one of six legal bases; DPDPA – consent or Certain Legitimate Uses (9 categories) only
- Children: GDPR – under 16; UK GDPR – under 13 for online services; DPDPA – under 18
- Breach notification: GDPR – 72 hours to authority if risk to rights, notify individuals if high risk; DPDPA – 72 hours to Board + without delay to individuals for all breaches (no risk threshold)
- Erasure triggers: GDPR – specific circumstances (e.g. consent withdrawn, no longer necessary); DPDPA – mandatory erasure on consent withdrawal or purpose served, whichever is earlier
- Dispute resolution: GDPR – direct access to supervisory authority; DPDPA – mandatory hierarchy: grievance → Board → Appellate Tribunal → High Court
- Language: GDPR – language understood by data subject; DPDPA – must offer English or Hindi or any Eighth Schedule language
17. Contact Information
Data Protection Officer / Authorised Person
OBEDEN PTE LTD
20 Cecil Street
#05-03, Plus
Singapore, 049705
| Purpose | |
| --- | --- |
| General privacy questions | |
| Grievances (Indian Data Principals) | |
| Marketing opt-outs | |
Supervisory authorities:
| Jurisdiction | Authority | Website |
| --- | --- | --- |
| | Personal Data Protection Commission (PDPC) | |
| UK | Information Commissioner’s Office (ICO) | |
| EEA | Your country’s Data Protection Authority | |
| India | Data Protection Board of India | (Once Established) |
For India: You must first exhaust our grievance redressal mechanism (Section 11) before approaching the Data Protection Board.
17.1 Acknowledgement
By using our website and services, you acknowledge that you have read and understood this privacy policy, including the provisions applicable to your jurisdiction.
For Indian Data Principals, you additionally acknowledge that:
- DPDPA applies to our processing of your personal data
- You understand your rights under DPDPA as described in this policy
- You understand the mandatory grievance redressal and dispute resolution mechanism
- You are aware of your duties under DPDPA
- You have been informed of your right to access this policy in Hindi or another Eighth Schedule language