Lucky Shovel Pte. Ltd.

Privacy Notice

Version 1.0 · Effective 21 February 2026 · Next review: February 2027

Introduction

Lucky Shovel Pte. Ltd. ("we", "us", "our") is committed to protecting the personal data of our customers, website visitors, and business contacts. This Privacy Notice explains how we collect, use, disclose, and protect your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

This notice applies to all our brands and products, including Komplyze, Zero Wait, MRDK, Response Velocity, Raih AI, and Marqitel.

Who We Are

Company	Lucky Shovel Pte. Ltd.
UEN	202426301M
Country	Singapore
Data Protection Officer	Zulfadli Ghani
DPO Contact	dpo@luckyshovel.com

What Personal Data We Collect

Data Type	How We Collect It
Name	Website contact forms, WhatsApp messages, email, assessments
Email address	Website contact forms, email correspondence, assessments
Phone number	Website contact forms, WhatsApp messages
Company name	Website contact forms, assessments
Message content	Contact forms, WhatsApp messages, email
Assessment responses	Komplyze online assessments

We do not collect sensitive personal data such as NRIC numbers, financial information (other than through our payment processor), or biometric data.

Why We Collect Your Data

Responding to your enquiries — When you contact us via a form, WhatsApp, or email, we use your data to respond to your question or request
Providing our services — Delivering consulting, software access, compliance assessments, and other products you have engaged us for
Conducting compliance assessments — Processing your responses through Komplyze to generate compliance reports and recommendations
Service communications — Sending you information related to services you are using or have enquired about
Invoicing and payments — Processing payments for our services (via Stripe, when applicable)
Improving our services — Understanding how our websites and services are used so we can improve them (using self-hosted analytics — see "Cookies and Analytics" below)

We will not use your personal data for purposes beyond what is described here without obtaining your consent first.

Legal Basis

Consent — You provide consent when you submit a contact form, send us a message, or complete an assessment (Sections 13–14, PDPA)
Contractual necessity — Processing necessary to deliver services you have engaged us for
Legitimate interests — Service improvement through anonymised analytics (Section 17A, PDPA — Business Improvement Exception)

How We Store and Protect Your Data

System	Purpose	Location
Hetzner Cloud VPS	Application hosting, databases	Singapore
Google Workspace	Email, documents	Google global infrastructure (encrypted)
GitHub	Code repositories (no personal data)	United States

We protect your data through:

Encrypted storage and encrypted data transmission (HTTPS/TLS)
Multi-factor authentication on all accounts
Access restricted to authorised personnel only
Regular security updates and monitoring
Firewall protection and SSH key-only server access

Third Parties

Provider	Purpose	Data Shared
Google (Workspace)	Email, document storage	Email address, name, message content
Hetzner	Cloud hosting	Data stored on servers (infrastructure only)
Stripe (future)	Payment processing	Name, email, payment details (handled by Stripe directly)
Telnyx	Telephony services	Phone number, call metadata
OpenAI	AI processing	No personal data — only anonymised content

We do not sell your personal data to any third party. We do not share your personal data with third parties for their own marketing purposes.

How Long We Keep Your Data

Data Type	Retention Period
Contact details (name, email, phone)	Duration of business relationship + 2 years
Assessment data (Komplyze)	Duration of subscription + 1 year
Email correspondence	3 years from last contact
Payment records	7 years (Singapore tax requirements)
WhatsApp messages	2 years from last contact

After the retention period, your data is securely deleted. You may request earlier deletion by contacting us.

Cookies and Analytics

Our websites use Umami, a self-hosted, privacy-focused analytics tool. Umami:

Does not use cookies
Does not collect personal data
Does not track individuals across sessions
Does not send data to any third party
Collects only anonymised, aggregated usage statistics (page views, referral sources, device types)

Our websites do not use third-party tracking cookies, advertising pixels, or social media trackers.

Your Rights

Right of Access (Section 21, PDPA)

You may request a copy of the personal data we hold about you, and information about how it has been used or disclosed in the past year. We will respond within 30 days.

Right of Correction (Section 22, PDPA)

You may request that we correct any errors or omissions in your personal data. We will make corrections within 30 days.

Right to Withdraw Consent (Section 16, PDPA)

You may withdraw your consent for us to collect, use, or disclose your personal data at any time. We will inform you of the likely consequences. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.

How to Exercise Your Rights

Contact our Data Protection Officer:

Email: dpo@luckyshovel.com
Subject line: Include "Data Access Request", "Data Correction Request", or "Consent Withdrawal"

There is no charge for correction requests. A reasonable fee may apply to access requests involving significant effort; we will inform you of any fee before proceeding.

Children's Data

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

Changes to This Notice

We may update this Privacy Notice from time to time. Changes will be posted on our websites with an updated effective date.

Contact Us

If you have any questions, concerns, or complaints about this Privacy Notice or how we handle your personal data:

Data Protection Officer: Zulfadli Ghani
Email: dpo@luckyshovel.com
Company: Lucky Shovel Pte. Ltd. (UEN: 202426301M)

If you are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC).