PDPA Data Protection Policy
Last updated: 11 May 2026 · Effective: 11 May 2026
1. Introduction and scope
This Data Protection Policy ("Policy") describes how Coreframes Lab, operator of MaidCopilot, complies with the Singapore Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020, and its subsidiary legislation.
This Policy applies to personal data collected from, or on behalf of, our customers (maid agencies), their end users (coordinators and owners), and the individuals whose data agencies store on the platform (employers, maids, and contacts).
MaidCopilot acts as a data intermediary with respect to the personal data of maids, employers, and contacts: it processes that data on behalf of the agency, which is the data organisation responsible for it under the PDPA. For the personal data of agency staff, Coreframes Lab is itself the data organisation.
2. Our obligations under the PDPA
The PDPA imposes a set of data protection obligations on organisations. Here is how MaidCopilot addresses the nine listed below (access and correction, and breach notification, are covered separately in Sections 8 and 9):
Obligation 1
Accountability
A Data Protection Officer is appointed. All staff with data access receive PDPA awareness training.
Obligation 2
Notification
We notify individuals of the purposes for which their data is collected at or before the point of collection.
Obligation 3
Consent
We obtain consent before collecting personal data, and provide a mechanism to withdraw it. Intake questionnaires include consent language.
Obligation 4
Purpose Limitation
Personal data is collected only for disclosed purposes and not used beyond those purposes without fresh consent.
Obligation 5
Accuracy
Agencies are responsible for keeping biodata accurate. The platform provides correction tools for all records.
Obligation 6
Protection
Data is protected by row-level security (RLS) in the database, TLS 1.2+ in transit, AES-256 encryption at rest, HMAC-verified inbound webhooks, and role-based access control.
Obligation 7
Retention Limitation
Data is retained only as long as necessary (see retention schedule below) and deleted thereafter.
Obligation 8
Transfer Limitation
Cross-border transfers are governed by contractual clauses. Primary data resides in AWS ap-southeast-1 (Singapore).
Obligation 9
Openness
This Policy and our Privacy Policy are publicly accessible. A DPO contact is published for queries and complaints.
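The "HMAC-verified webhooks" control under Obligation 6 is the one item above a practitioner will want to see concretely. The block below is an added example, not MaidCopilot's own code; it assumes the scheme the WhatsApp Cloud API uses, in which Meta sends an X-Hub-Signature-256 header containing "sha256=" plus the hex HMAC-SHA256 of the raw request body keyed with the app secret. The secret, the sample payload, and the function names are constructed for this example. It also shows the two mistakes that most often break such checks in practice: comparing digests with ordinary string equality (timing leak) and computing the HMAC over a re-serialised JSON body instead of the exact bytes received.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical app secret, hard-coded only so this example runs offline.
# In production it belongs in a secret store, never in source control.
APP_SECRET = b"example-app-secret-not-real"

# Constructed sample payload in the shape of a WhatsApp Cloud API inbound
# message notification. The compact separators matter: the signature covers
# the bytes on the wire, not any re-serialised form of the same JSON.
SAMPLE_BODY = (
    b'{"object":"whatsapp_business_account","entry":[{"id":"0","changes":[{"value":'
    b'{"messaging_product":"whatsapp","messages":[{"from":"6500000000","id":"wamid.TEST",'
    b'"type":"text","text":{"body":"Hello"}}]},"field":"messages"}]}]}'
)


def sign_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Produce the X-Hub-Signature-256 header value the sender would attach."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(header_value: Optional[str], raw_body: bytes,
                     secret: bytes = APP_SECRET) -> bool:
    """True only if header_value is a valid HMAC-SHA256 over raw_body."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    provided = header_value[len("sha256="):]
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot learn how
    # many leading hex characters matched from the response latency.
    return hmac.compare_digest(expected, provided)


def reserialise(raw_body: bytes) -> bytes:
    """Round-trip the body through a JSON parser; the bytes usually change."""
    return json.dumps(json.loads(raw_body)).encode()


def extract_text_messages(raw_body: bytes) -> list:
    """Return (sender, text) pairs for text messages in a verified payload."""
    payload = json.loads(raw_body)
    found = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            for msg in change.get("value", {}).get("messages", []):
                if msg.get("type") == "text":
                    found.append((msg["from"], msg["text"]["body"]))
    return found


def handle_webhook(headers: dict, raw_body: bytes,
                   secret: bytes = APP_SECRET) -> Optional[list]:
    """Verify first, parse second. None means reject (respond 401/403)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(lowered.get("x-hub-signature-256"), raw_body, secret):
        return None
    return extract_text_messages(raw_body)


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_body(SAMPLE_BODY)}
    print("valid request      ->", handle_webhook(good, SAMPLE_BODY))
    print("tampered body      ->", handle_webhook(good, SAMPLE_BODY.replace(b"Hello", b"Hullo")))
    print("missing header     ->", handle_webhook({}, SAMPLE_BODY))
    # Pitfall: hashing a parsed-and-re-dumped body instead of the raw bytes.
    print("re-serialised body ->", handle_webhook(good, reserialise(SAMPLE_BODY)))
```

The practical consequence of the last case is that a framework which hands the handler an already-parsed object must also expose the raw request bytes, otherwise every genuine Meta callback fails verification and developers are tempted to disable the check.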
3. Data Protection Officer
Coreframes Lab has appointed a Data Protection Officer (DPO) responsible for:
- Ensuring compliance with PDPA obligations
- Handling access, correction, and complaint requests from individuals
- Liaising with the Personal Data Protection Commission (PDPC)
- Reviewing and updating data protection policies and practices
Data Protection Officer
Coreframes Lab DPO
Email: admin@coreframeslab.com
Response time: within 3 business days for acknowledgement; within 30 days for resolution.
4. Personal data we process
As data organisation (our own customers)
- Agency owner and coordinator name and email address
- Agency name, MOM licence number, and business address
- Role assignments, login records, and audit trail
As data intermediary (on behalf of agencies)
- Maid biodata — name, nationality, passport/FIN, work permit, skills, history
- Employer biodata — name, NRIC/FIN (if supplied), contact number, address, household profile
- Uploaded documents — identification copies, medical reports, employment contracts
- WhatsApp messages — content, timestamps, phone numbers
Agencies using MaidCopilot are themselves data organisations under the PDPA and are responsible for obtaining appropriate consents from maids and employers before entering their data into the platform.
5. Consent management
MaidCopilot provides the following features to support agencies' consent obligations:
- Intake questionnaire builder — configurable WhatsApp questionnaires that can include consent collection steps
- Consent timestamps — the audit log records when consent language was presented and accepted
- Withdrawal mechanism — coordinators can mark a contact's consent as withdrawn, which flags the record and restricts outbound messaging
Agencies are responsible for crafting consent language that meets their specific PDPA obligations. MaidCopilot does not provide legal advice.
6. Retention schedule
- Agency account data — active subscription period + 90 days
- Maid and employer biodata — owned by the agency; MaidCopilot retains it for 5 years after case closure, in line with MOM record-keeping guidance, unless the agency deletes it earlier (see below)
- WhatsApp messages — 2 years
- Audit logs — 5 years
- Backup snapshots — purged within 30 days of account deletion
Agencies may export and delete their data at any time from the platform settings. Deletion requests are processed within 30 days.
7. Cross-border data transfers
All primary Customer Data is stored in AWS ap-southeast-1 (Singapore). The following transfers outside Singapore may occur:
- Meta WhatsApp Cloud API — message content is transmitted to and from Meta's global infrastructure for delivery. Meta maintains Standard Contractual Clauses for cross-border transfers.
- Vercel CDN — the frontend application is served from Vercel's global edge network. No personal data is stored at edge nodes.
We ensure that all cross-border transfers are subject to contractual protections comparable to PDPA standards, as required under Section 26 of the PDPA.
8. Data breach management
In accordance with the PDPA's Mandatory Data Breach Notification (MDBN) obligation (Part 6A, in force since 1 February 2021), we will:
- Assess any suspected data breach expeditiously, and in any case within 30 calendar days of becoming aware of it
- Where we are the data intermediary (data held in an agency's workspace), notify the affected agency without undue delay, and in any case within 3 business days of determining that a breach has occurred, so that the agency can carry out its own assessment and notifications as the data organisation
- Where we are the data organisation (agency staff data), notify the PDPC as soon as practicable and no later than 3 calendar days after assessing the breach as notifiable (one that results in, or is likely to result in, significant harm to affected individuals, or that affects 500 or more individuals)
- Notify affected individuals without undue delay where a notifiable breach is likely to result in significant harm to them
We maintain an internal data breach register and conduct post-incident reviews to prevent recurrence.
9. Individual rights
Individuals whose data is processed by MaidCopilot (in either capacity) have the following rights under the PDPA:
- Right of access — request a copy of personal data held about you (Section 21)
- Right of correction — request correction of inaccurate or incomplete data (Section 22)
- Right to withdraw consent — withdraw consent at any time, subject to legal or contractual restrictions
- Right to data portability — receive personal data in a machine-readable format where technically feasible (Section 26F)
Requests from agency staff should be directed to our DPO. Requests from maids and employers regarding their data held within an agency's workspace should first be directed to that agency, which is the relevant data organisation.
We will respond to access and correction requests within 30 days. In complex cases, we will acknowledge the request within 3 business days and provide a timeline.
10. Subprocessors
We engage the following subprocessors to operate the platform. Each is bound by a Data Processing Agreement with security and confidentiality obligations:
- Supabase / AWS ap-southeast-1 (Singapore) — database and object storage
- Railway (Singapore region) — backend application hosting
- Vercel — frontend hosting and CDN (no personal data stored)
- Meta (WhatsApp Cloud API) — message delivery and template management
An up-to-date subprocessor list is available on request from our DPO. We will provide 30 days' notice of material changes to our subprocessors.
11. Policy reviews
This Policy is reviewed at least annually, or whenever there is a material change to our data processing activities or applicable law. The DPO is responsible for maintaining and updating this Policy.
12. Complaints
If you believe we have not complied with our PDPA obligations, please contact our DPO in the first instance. We will acknowledge your complaint within 3 business days and respond substantively within 30 days.
If you are unsatisfied with our response, you may escalate to the Personal Data Protection Commission (PDPC).
13. Contact our DPO
Data Protection Officer · Coreframes Lab
Email: admin@coreframeslab.com
For: access requests, correction requests, withdrawal of consent, data breach reports, and PDPA queries.