개인정보 보호정책
귀하의 개인정보는 저희에게 매우 중요합니다
Last updated: 2026-05-21
Introduction & PDPA Commitment
XPD TECHNOLOGY PTE. LTD. (trading as ColivingSG; "we", "us", "our") is committed to protecting your personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA) and any subsequent amendments.
This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect your personal data when you visit https://colivingsg.com or interact with our advisory services. By using our website, you consent to the practices described in this policy.
Website Visitors
Like most website operators, ColivingSG collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Our purpose in collecting non-personally identifying information is to better understand how our visitors use the website.
ColivingSG also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged-in users and for users who submit enquiry forms on our platform.
Personal Data We Collect
We collect personal data only when you voluntarily provide it. The categories of personal data we collect include:
- Identity & Contact Data: name, email address, phone number, WhatsApp ID, country of origin, school or institution name.
- Housing Preferences: budget, preferred locations, move-in dates, room type, lifestyle preferences, intended length of stay.
- Communication Records: enquiry messages, WhatsApp chat history with our advisory team, email correspondence.
- Technical Data: IP address, browser type and version, device type, operating system, referring URL, pages visited, time spent on pages.
- Marketing Data: email subscription status and preferences (only if you opt in).
We collect this information only to the extent necessary to provide our free advisory services, fulfil each interaction's purpose, and comply with applicable laws.
Purposes of Collection, Use & Disclosure
In line with the PDPA Purpose Limitation Obligation, we use your personal data strictly for the following purposes:
- To respond to your enquiries and provide coliving advisory services.
- To match you with suitable coliving properties and brands.
- To facilitate property viewings and bookings with partner brands (with your prior knowledge).
- To send you service updates, transactional messages, and (where you have opted in) marketing communications.
- To improve our website, advisory process, and content quality.
- To comply with legal, regulatory, and law enforcement obligations in Singapore.
- To detect, prevent, and respond to fraud, abuse, or security incidents.
We will not use your personal data for any purpose materially different from those listed above without first obtaining your fresh consent.
Disclosure of Personal Data
ColivingSG discloses your personal data only to:
- Internal team members who need access to provide advisory services and operate the platform.
- Affiliated partner coliving brands — only when you explicitly enquire about a specific property or brand, and only the information necessary to facilitate that enquiry.
- Data processors (see the Third-Party Data Processors section below) who process data strictly on our instructions under written data-processing terms.
- Authorities in response to a subpoena, court order, or other lawful governmental request.
We will always inform you before sharing your information with a partner brand. All recipients are bound by confidentiality and PDPA-equivalent protection obligations.
Protection Measures
In line with the PDPA Protection Obligation, we implement the following technical and organisational safeguards:
- Encryption in transit: all traffic to and from colivingsg.com is served exclusively over HTTPS/TLS 1.2+.
- Encryption at rest: personal data stored in our database is encrypted at rest using AES-256 (Supabase managed Postgres).
- Access control: production database access is restricted to authorised personnel via authenticated admin accounts; all tables enforce Row Level Security (RLS) policies.
- Least-privilege principle: team members are granted only the minimum access required to perform their role.
- Vendor security: we only use enterprise-grade processors (Vercel, Supabase) that hold relevant SOC 2 Type II and ISO 27001 certifications.
- Account security: admin accounts require strong authentication and password rotation.
- Monitoring: infrastructure-level logging and abnormal-activity alerting via our hosting and database providers.
While no method of transmission over the Internet is 100% secure, we use commercially reasonable means consistent with the PDPA Protection Obligation.
Third-Party Data Processors
In line with the PDPA Transfer Limitation Obligation, we disclose all third-party data processors that may handle your personal data on our behalf:
- Vercel Inc. (USA) — website hosting, edge delivery, and serverless functions. Primary serving region: Singapore (SIN1). Privacy Policy
- Supabase Inc. (USA) — managed PostgreSQL database and authentication. Data residency: AWS ap-southeast-1 (Singapore). Privacy Policy
- Google LLC — Google Analytics 4, Google Ads, Google Maps Platform. Privacy Policy
- Meta Platforms, Inc. — Meta Pixel (Facebook/Instagram advertising attribution). Privacy Policy
- WhatsApp Business (Meta) — direct communication with our advisory team. Privacy Policy
- Resend / transactional email provider — delivery of enquiry confirmations and notifications. Privacy Policy
All processors are bound by contractual obligations to handle your data in accordance with the PDPA standard of protection or higher.
Cross-Border Data Transfers
In line with the PDPA Transfer Limitation Obligation, where personal data is transferred outside Singapore, we take reasonable steps to ensure the receiving organisation provides a standard of protection that is comparable to the PDPA.
- Primary storage location: personal data submitted via our website is stored in Supabase managed Postgres located in AWS ap-southeast-1 (Singapore).
- Hosting: our website is served by Vercel from its Singapore (SIN1) edge region as the primary region.
- Operational metadata (e.g. logs, analytics) may be processed in the United States or European Union by Vercel, Supabase, Google, and Meta. These providers are contractually bound to PDPA-comparable protection standards and/or maintain Standard Contractual Clauses, EU-US Data Privacy Framework certification, or equivalent safeguards.
We do not sell or transfer personal data to any jurisdiction without comparable data protection laws.
Data Retention
In line with the PDPA Retention Limitation Obligation, we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws.
- Enquiry and communication records: retained for up to 24 months from the date of last interaction, after which they are anonymised or deleted.
- Marketing subscription data: retained until you unsubscribe.
- Server access logs: retained for up to 90 days for security and abuse-detection purposes.
- Analytics data: aggregated and anonymised; raw event-level data retained for up to 14 months per Google Analytics default.
You may request earlier deletion at any time by contacting our DPO.
Your Rights Under the PDPA
Under the Singapore Personal Data Protection Act, you have the following rights:
- Right of Access: request a copy of the personal data we hold about you.
- Right to Correction: request correction of inaccurate or incomplete personal data.
- Right to Withdraw Consent: withdraw, in whole or in part, consent for the collection, use, or disclosure of your personal data.
- Right to Data Portability (where applicable under upcoming PDPA amendments).
- Right to Lodge a Complaint: file a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.
To exercise any of these rights, please email our Data Protection Officer at [email protected]. We will respond to verified requests within 30 calendar days in accordance with PDPA timelines.
Withdrawing Your Consent
You may withdraw your consent for our collection, use, or disclosure of your personal data at any time by:
- Emailing our DPO at [email protected] with the subject "Withdraw Consent".
- Clicking the "unsubscribe" link in any marketing email.
- Replying "STOP" to any WhatsApp message from our advisory team.
We will process your request within a reasonable time (and in any case no later than 30 calendar days). Please note that withdrawing consent may limit our ability to provide certain services to you. We will inform you of any consequences before processing the withdrawal.
Data Breach Notification
In line with the PDPA Data Breach Notification Obligation (Part 6A of the PDPA), should a notifiable data breach occur, we will:
- Notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case no later than 3 calendar days after the breach is assessed as notifiable.
- Notify affected individuals as soon as practicable where the breach is likely to result in significant harm to any individual, providing information about the nature of the breach, the data affected, and recommended steps to mitigate risk.
- Document and investigate the breach internally to prevent recurrence.
If you believe a data breach has occurred or your data may have been compromised, please contact our DPO immediately at [email protected].
Minors
Our services are intended for individuals aged 18 and above. We do not knowingly collect personal data from minors below the age of 18 without the consent of a parent or legal guardian. If you believe we have inadvertently collected personal data from a minor, please contact our DPO so we can take appropriate action.
Aggregated Statistics
ColivingSG may collect aggregated, anonymised statistics about visitor behaviour (e.g. most popular properties, search filter usage). We may publish or share such statistics. We do not disclose any personally-identifying information through these statistics.
Links to External Sites
Our platform may contain links to external sites, including coliving brand websites, that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy and terms of every site you visit.
We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites, products, or services.
Data Protection Officer (DPO)
In line with Section 11(3) of the PDPA, ColivingSG has appointed a Data Protection Officer responsible for ensuring our compliance with the PDPA.
- Name: ZHANG JIAHENG
- Email: [email protected]
- Jurisdiction: Singapore
You may contact our DPO regarding any matter relating to the collection, use, disclosure, or protection of your personal data, including access requests, correction requests, consent withdrawal, complaints, and data breach reports.
Privacy Policy Changes
ColivingSG may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Last updated" date at the top of this page upon any revision.
For material changes, we will provide more prominent notice (such as a website banner or email notification where appropriate). Your continued use of our website after a revision constitutes your acceptance of the updated policy.
Contact Information
Registered entity: XPD TECHNOLOGY PTE. LTD. (Singapore), trading as ColivingSG.
For general enquiries:
- Email: [email protected]
- WhatsApp: available via the chat button on our website
For data protection matters (access, correction, withdrawal, complaints, breaches):
- Data Protection Officer: ZHANG JIAHENG
- Email: [email protected]
© 2026 ColivingSG. All rights reserved.