Kebijakan Privasi

Privasi Anda sangat penting bagi kami

Last updated: 2026-05-21

ColivingSG

Singapore

[email protected]

Introduction & PDPA Commitment

XPD TECHNOLOGY PTE. LTD. (trading as ColivingSG; "we", "us", "our") is committed to protecting your personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA) and any subsequent amendments.

This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect your personal data when you visit https://colivingsg.com or interact with our advisory services. By using our website, you consent to the practices described in this policy.

Website Visitors

Like most website operators, ColivingSG collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Our purpose in collecting non-personally identifying information is to better understand how our visitors use the website.

ColivingSG also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged-in users and for users who submit enquiry forms on our platform.

Personal Data We Collect

We collect personal data only when you voluntarily provide it. The categories of personal data we collect include:

  • Identity & Contact Data: name, email address, phone number, WhatsApp ID, country of origin, school or institution name.
  • Housing Preferences: budget, preferred locations, move-in dates, room type, lifestyle preferences, intended length of stay.
  • Communication Records: enquiry messages, WhatsApp chat history with our advisory team, email correspondence.
  • Technical Data: IP address, browser type and version, device type, operating system, referring URL, pages visited, time spent on pages.
  • Marketing Data: email subscription status and preferences (only if you opt in).

We collect this information only to the extent necessary to provide our free advisory services, fulfil each interaction's purpose, and comply with applicable laws.

Purposes of Collection, Use & Disclosure

In line with the PDPA Purpose Limitation Obligation, we use your personal data strictly for the following purposes:

  • To respond to your enquiries and provide coliving advisory services.
  • To match you with suitable coliving properties and brands.
  • To facilitate property viewings and bookings with partner brands (with your prior knowledge).
  • To send you service updates, transactional messages, and (where you have opted in) marketing communications.
  • To improve our website, advisory process, and content quality.
  • To comply with legal, regulatory, and law enforcement obligations in Singapore.
  • To detect, prevent, and respond to fraud, abuse, or security incidents.

We will not use your personal data for any purpose materially different from those listed above without first obtaining your fresh consent.

Disclosure of Personal Data

ColivingSG discloses your personal data only to:

  • Internal team members who need access to provide advisory services and operate the platform.
  • Affiliated partner coliving brands — only when you explicitly enquire about a specific property or brand, and only the information necessary to facilitate that enquiry.
  • Data processors (see the Third-Party Data Processors section below) who process data strictly on our instructions under written data-processing terms.
  • Authorities in response to a subpoena, court order, or other lawful governmental request.

We will always inform you before sharing your information with a partner brand. All recipients are bound by confidentiality and PDPA-equivalent protection obligations.

Protection Measures

In line with the PDPA Protection Obligation, we implement the following technical and organisational safeguards:

  • Encryption in transit: all traffic to and from colivingsg.com is served exclusively over HTTPS/TLS 1.2+.
  • Encryption at rest: personal data stored in our database is encrypted at rest using AES-256 (Supabase managed Postgres).
  • Access control: production database access is restricted to authorised personnel via authenticated admin accounts; all tables enforce Row Level Security (RLS) policies.
  • Least-privilege principle: team members are granted only the minimum access required to perform their role.
  • Vendor security: we only use enterprise-grade processors (Vercel, Supabase) that hold relevant SOC 2 Type II and ISO 27001 certifications.
  • Account security: admin accounts require strong authentication and password rotation.
  • Monitoring: infrastructure-level logging and abnormal-activity alerting via our hosting and database providers.

While no method of transmission over the Internet is 100% secure, we use commercially reasonable means consistent with the PDPA Protection Obligation.

Cookies & Tracking Technologies

ColivingSG uses cookies and similar technologies to display personalised content, store your preferences (such as language settings), measure traffic, and improve our platform.

The cookies we use fall into the following categories:

  • Strictly necessary cookies: required for the website to function (e.g. session, language, security).
  • Analytics cookies: Google Analytics 4 — measures aggregate traffic patterns.
  • Advertising cookies: Meta Pixel and Google Ads conversion tags — measure the effectiveness of our marketing campaigns.

You may set your browser to refuse cookies, but certain features may not function correctly. By continuing to navigate our website without changing your cookie settings, you consent to our use of cookies as described above.

Third-Party Data Processors

In line with the PDPA Transfer Limitation Obligation, we disclose all third-party data processors that may handle your personal data on our behalf:

  • Vercel Inc. (USA) — website hosting, edge delivery, and serverless functions. Primary serving region: Singapore (SIN1). Privacy Policy
  • Supabase Inc. (USA) — managed PostgreSQL database and authentication. Data residency: AWS ap-southeast-1 (Singapore). Privacy Policy
  • Google LLC — Google Analytics 4, Google Ads, Google Maps Platform. Privacy Policy
  • Meta Platforms, Inc. — Meta Pixel (Facebook/Instagram advertising attribution). Privacy Policy
  • WhatsApp Business (Meta) — direct communication with our advisory team. Privacy Policy
  • Resend / transactional email provider — delivery of enquiry confirmations and notifications. Privacy Policy

All processors are bound by contractual obligations to handle your data in accordance with the PDPA standard of protection or higher.

Cross-Border Data Transfers

In line with the PDPA Transfer Limitation Obligation, where personal data is transferred outside Singapore, we take reasonable steps to ensure the receiving organisation provides a standard of protection that is comparable to the PDPA.

  • Primary storage location: personal data submitted via our website is stored in Supabase managed Postgres located in AWS ap-southeast-1 (Singapore).
  • Hosting: our website is served by Vercel from its Singapore (SIN1) edge region as the primary region.
  • Operational metadata (e.g. logs, analytics) may be processed in the United States or European Union by Vercel, Supabase, Google, and Meta. These providers are contractually bound to PDPA-comparable protection standards and/or maintain Standard Contractual Clauses, EU-US Data Privacy Framework certification, or equivalent safeguards.

We do not sell or transfer personal data to any jurisdiction without comparable data protection laws.

Data Retention

In line with the PDPA Retention Limitation Obligation, we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws.

  • Enquiry and communication records: retained for up to 24 months from the date of last interaction, after which they are anonymised or deleted.
  • Marketing subscription data: retained until you unsubscribe.
  • Server access logs: retained for up to 90 days for security and abuse-detection purposes.
  • Analytics data: aggregated and anonymised; raw event-level data retained for up to 14 months per Google Analytics default.

You may request earlier deletion at any time by contacting our DPO.

Your Rights Under the PDPA

Under the Singapore Personal Data Protection Act, you have the following rights:

  • Right of Access: request a copy of the personal data we hold about you.
  • Right to Correction: request correction of inaccurate or incomplete personal data.
  • Right to Withdraw Consent: withdraw, in whole or in part, consent for the collection, use, or disclosure of your personal data.
  • Right to Data Portability (where applicable under upcoming PDPA amendments).
  • Right to Lodge a Complaint: file a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

To exercise any of these rights, please email our Data Protection Officer at [email protected]. We will respond to verified requests within 30 calendar days in accordance with PDPA timelines.

Data Breach Notification

In line with the PDPA Data Breach Notification Obligation (Part 6A of the PDPA), should a notifiable data breach occur, we will:

  • Notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case no later than 3 calendar days after the breach is assessed as notifiable.
  • Notify affected individuals as soon as practicable where the breach is likely to result in significant harm to any individual, providing information about the nature of the breach, the data affected, and recommended steps to mitigate risk.
  • Document and investigate the breach internally to prevent recurrence.

If you believe a data breach has occurred or your data may have been compromised, please contact our DPO immediately at [email protected].

Minors

Our services are intended for individuals aged 18 and above. We do not knowingly collect personal data from minors below the age of 18 without the consent of a parent or legal guardian. If you believe we have inadvertently collected personal data from a minor, please contact our DPO so we can take appropriate action.

Aggregated Statistics

ColivingSG may collect aggregated, anonymised statistics about visitor behaviour (e.g. most popular properties, search filter usage). We may publish or share such statistics. We do not disclose any personally-identifying information through these statistics.

Data Protection Officer (DPO)

In line with Section 11(3) of the PDPA, ColivingSG has appointed a Data Protection Officer responsible for ensuring our compliance with the PDPA.

You may contact our DPO regarding any matter relating to the collection, use, disclosure, or protection of your personal data, including access requests, correction requests, consent withdrawal, complaints, and data breach reports.

Privacy Policy Changes

ColivingSG may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Last updated" date at the top of this page upon any revision.

For material changes, we will provide more prominent notice (such as a website banner or email notification where appropriate). Your continued use of our website after a revision constitutes your acceptance of the updated policy.

Contact Information

Registered entity: XPD TECHNOLOGY PTE. LTD. (Singapore), trading as ColivingSG.

For general enquiries:

For data protection matters (access, correction, withdrawal, complaints, breaches):

© 2026 ColivingSG. All rights reserved.