Personal Data Protection Act (PDPA) Statement
How KAIGA complies with Singapore's Personal Data Protection Act 2012, including how we collect, use, disclose, and protect your personal data.
Introduction
KAIGA is committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 ("PDPA") of Singapore. This statement explains how we collect, use, disclose, and protect your personal data, and outlines your rights under the PDPA.
This statement should be read together with our Privacy Policy, which provides additional detail on our data practices.
Personal Data We Collect
We collect personal data that is necessary to provide our services. This includes:
Account Information:
- Name and email address (via Google Sign-In or direct registration)
- Profile picture (if provided via Google or uploaded)
- Username and display name
Transaction Information:
- Shipping address
- Order history and transaction records
- Payment records (processed securely via Stripe — we do not store full card details)
Collection Data:
- Your Pokemon card collection inventory
- Sourcing requests and bookmarks
- Wishlist and preference data
Technical Data:
- IP address, browser type, and device information
- Website usage data (pages visited, features used)
- Session and authentication cookies
We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data.
Purposes for Collection, Use, and Disclosure
We collect, use, and disclose your personal data for the following purposes:
- Account Management — Creating, maintaining, and securing your KAIGA account
- Service Delivery — Providing collection management, sourcing request, and e-commerce features
- Order Fulfillment — Processing purchases, payments, shipping, and returns
- Communication — Sending order confirmations, shipping notifications, and account alerts
- Platform Improvement — Analysing usage patterns to improve our services (using aggregated, non-identifying data)
- Legal Compliance — Complying with applicable laws, regulations, and tax requirements
- Dispute Resolution — Handling complaints, returns, and customer support inquiries
- Security — Detecting and preventing fraud, unauthorized access, and abuse
We will not use your personal data for purposes beyond those stated above without obtaining your consent, unless permitted or required by law.
Consent
Obtaining Consent
By creating an account on KAIGA and using our services, you consent to the collection, use, and disclosure of your personal data as described in this statement.
For specific purposes not covered by this statement (such as marketing communications), we will seek your explicit consent before collecting or using your data.
Deemed Consent
Under the PDPA, consent may be deemed in certain circumstances, including:
- When you voluntarily provide personal data for a purpose that is reasonable in the circumstances (e.g., providing a shipping address to receive an order)
- When you have been notified of the purpose and given a reasonable opportunity to opt out but have not done so
- When the collection, use, or disclosure is reasonably necessary to perform a contract to which you are a party
Withdrawing Consent
You may withdraw your consent for us to collect, use, or disclose your personal data at any time by:
- Email: Send a request to support@kaiga.org with the subject line "Withdrawal of Consent"
- Account Settings: Adjust your privacy and communication preferences in your account settings
Upon receiving your withdrawal request, we will:
- Process your request within a reasonable timeframe (typically within 10 business days)
- Inform you of the likely consequences of withdrawal (e.g., inability to process orders or maintain your account)
- Cease collecting, using, or disclosing your personal data for the specified purposes
Please note that withdrawing consent does not affect the legality of any collection, use, or disclosure of your data carried out before the withdrawal. There may also be circumstances where we are required by law to retain certain data despite your withdrawal of consent.
Access and Correction
You have the right to:
- Request access to the personal data we hold about you
- Request correction of any personal data that is inaccurate, incomplete, or outdated
To make an access or correction request:
- Email: support@kaiga.org with the subject line "Data Access Request" or "Data Correction Request"
- Account Settings: You can view and update certain personal data directly in your account settings
We will respond to access requests within 30 days of receiving a complete request. We may charge a reasonable fee to cover the cost of responding to access requests, and will inform you of the fee before processing your request.
We may decline access or correction requests in certain circumstances as permitted by the PDPA, such as when disclosure could threaten the safety of another individual, or when the data is subject to legal privilege.
Protection of Personal Data
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption: Data transmitted between your browser and our servers is encrypted using TLS. Stored data is encrypted at rest.
- Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Secure Infrastructure: Our platform is hosted on reputable cloud infrastructure providers that maintain industry-standard security certifications.
- Authentication Security: We use secure session management, httpOnly cookies, and CSRF protection.
- Regular Updates: We apply security patches and updates to our systems promptly.
For more detail on our security practices, see our Data Security Statement.
Retention of Personal Data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Active Accounts: Data is retained for the duration of your account's active status.
- Inactive Accounts: Accounts inactive for 3 years may be subject to deletion after reasonable notice.
- Deleted Accounts: When you delete your account, all associated personal data is permanently deleted within 30 days, except where retention is required by law.
- Legal Requirements: Transaction records and financial data may be retained for up to 7 years for tax and accounting compliance under Singapore law (Income Tax Act, GST Act).
- Anonymised Data: We may retain anonymised, non-identifying data indefinitely for analytical purposes.
Transfer of Personal Data Outside Singapore
If we transfer your personal data outside of Singapore, we will ensure that the receiving party provides a standard of protection comparable to the PDPA. This may include:
- Contractual obligations requiring the recipient to protect your data to a standard comparable to the PDPA
- Ensuring the recipient is subject to enforceable data protection laws comparable to the PDPA
- Obtaining your consent for the transfer after informing you that the data may not receive a comparable standard of protection
Currently, personal data may be transferred to:
- Singapore — Primary database hosting
- United States — Cloud file storage and content delivery networks
Our third-party service providers (including Stripe for payment processing and cloud hosting providers) are contractually bound to protect your data.
Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected individuals or is of a significant scale:
- We will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of completing our assessment of the breach.
- We will notify affected individuals as soon as practicable, providing:
  - A description of the breach
  - The types of personal data involved
  - Actions we are taking to address the breach
  - Steps individuals can take to protect themselves
  - Contact details for further information
We maintain internal procedures for detecting, assessing, and responding to data breaches promptly.
Do Not Call (DNC) Registry
We comply with Singapore's Do Not Call (DNC) provisions under the PDPA:
- We will not send marketing messages (SMS, voice calls, or fax) to Singapore telephone numbers listed on the DNC Registry, unless you have given us clear and unambiguous consent.
- If you have opted in to receive marketing communications from us, you may opt out at any time by contacting us at support@kaiga.org or using the unsubscribe link in our emails.
- We check the DNC Registry before sending any marketing messages to Singapore telephone numbers.
Data Intermediaries
Where we engage third-party service providers ("data intermediaries") to process personal data on our behalf, we ensure that:
- They are contractually bound to process your data only for the purposes we specify
- They implement appropriate security measures to protect your data
- They return or delete your data upon termination of the engagement
- They notify us promptly of any data breach involving your personal data
Our current data intermediaries include:
- Cloud hosting providers — For secure data storage and infrastructure
- Stripe — For payment processing
- Email service providers — For transactional email delivery (order confirmations, notifications)
- SingPost — For order delivery (shipping address shared for delivery purposes)
Accountability
KAIGA is committed to the accountability obligation under the PDPA. We:
- Have designated a Data Protection Officer (DPO) responsible for ensuring compliance with the PDPA
- Maintain internal data protection policies and practices
- Communicate our data protection policies to our staff
- Conduct periodic reviews of our data protection practices to ensure ongoing compliance
- Make information about our data protection policies available upon request
Your Rights Under the PDPA
As an individual, you have the right to:
- Be informed of the purposes for which your personal data is collected, used, and disclosed
- Give or withdraw consent for the collection, use, and disclosure of your personal data
- Request access to your personal data held by us
- Request correction of inaccurate or incomplete personal data
- Request data portability — transfer your personal data to another organisation in a commonly used machine-readable format (where applicable)
Updates to This Statement
We may update this PDPA statement from time to time. Any changes will be posted on this page with a revised "Last Updated" date. For significant changes, we will notify you via email.
Continued use of our services after the posting of changes constitutes your acceptance of the updated statement.
Contact Our Data Protection Officer
If you have any questions, concerns, or requests regarding your personal data or this PDPA statement, please contact our Data Protection Officer:
Email: support@kaiga.org
Subject: PDPA Inquiry
Response Time: Within 10 business days
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.
Last Updated: 10 February 2026