1. Scope and interpretive posture
This Privacy Policy describes the manner in which TRADEBZ PTE. LTD., a Singapore private limited company operating the website tradebz.asia and conducting the business of corporate gifting, branded merchandise sourcing, customisation coordination, quotation, fulfilment, delivery administration and incidental business-to-business customer support, may collect, receive, generate, store, use, disclose, transmit, protect, retain, delete and otherwise process information relating to an identified or reasonably identifiable natural person.
For the avoidance of doubt, this Policy applies to visitors browsing the website, representatives of prospective corporate customers, procurement personnel, finance contacts, event coordinators, human-resource teams, delivery recipients, suppliers, logistics contacts, print vendors, payment counterparties and any other individual whose personal data comes into our possession through an enquiry, quotation, purchase order, payment instruction, invoice, delivery list, artwork approval, sample request, dispute, compliance review or ordinary commercial correspondence.
This Policy is intended to be read together with our Terms & Conditions and our Shipping & Refund Policy. Where a payment service provider, bank, card network, e-wallet, acquiring institution, payment facilitator, fraud monitoring provider or similar financial intermediary, including without limitation Stripe or Airwallex where such services are made available to us or to you in connection with an order, separately provides its own privacy notice, terms, dashboard notice or data-processing statement, that separate notice governs its independent processing activities. We do not purport to amend those notices, incorporate them without express reference, or assume legal responsibility for a third party's independent determination of the means and purposes of processing.
2. Controller and contact
The entity responsible for the website and the principal commercial relationship described in this Policy is TRADEBZ PTE. LTD. References to "Tradebz", "we", "us" and "our" mean TRADEBZ PTE. LTD. unless the context indicates that a service provider is acting independently. Questions, requests and complaints concerning privacy may be sent to contact@tradebz.asia. Operational enquiries may also be made by telephone or WhatsApp at +65 8286 0709, although formal privacy requests should be sent by email so that the request, identity confirmation, scope and response can be recorded with appropriate precision.
Where you communicate with us on behalf of a company, association, public body, school, agency, event organiser, procurement platform or other organisation, you represent that you are authorised to provide the relevant business and contact information and, where recipient lists are supplied, that the organisation has provided all required notices and obtained all required consents or other lawful bases for disclosure to us. We are not in a position to audit the internal employment, membership, customer or attendee relationship by which your organisation obtained each recipient's details, and our reliance on your representation is a material premise of our willingness to quote, produce, pack and dispatch orders.
3. Personal data we process
We may process identity and contact data such as name, business email address, telephone number, WhatsApp number, company name, job title, department, billing contact, shipping contact, authorised purchaser, event representative and account administrator details. We may process order and commercial data such as requested products, stock-keeping units, quantities, branding preferences, logo placement instructions, artwork files, mock-up approvals, purchase-order numbers, payment status, tax information, quotation history, delivery deadlines, invoice records, proof of delivery, support correspondence and notes reasonably necessary to administer a corporate-gifting project.
When you provide a recipient list, we may process recipient names, delivery addresses, telephone numbers, email addresses, company or department labels, delivery instructions, dietary or preference notes if voluntarily included in an order brief, and similar data required to pack, label, courier or otherwise fulfil a distributed delivery. You should not include special-category, sensitive, health, biometric, national-identification, financial-account, card-number or unrelated personal information unless we have expressly requested it in writing for a lawful and necessary purpose. In the ordinary course of selling corporate gift sets, we do not need passport numbers, identity card numbers, bank login details, medical history, political opinions or other sensitive or high-risk personal data unrelated to fulfilment.
We may process technical and usage data generated when you visit the website, including device type, browser type, approximate location inferred from network data, referring page, pages viewed, interaction with forms, timestamps, diagnostic logs and other information that typical web infrastructure may create. The present website is a lightweight static site and does not require a customer account, but hosting providers, analytics tools, security services, browser vendors, font providers and embedded map providers may process certain technical information in accordance with their own notices.
4. Purposes and legal grounds
We process personal data to respond to enquiries, prepare quotations, recommend suitable products, confirm stock, produce branding mock-ups, verify artwork instructions, issue invoices, receive payments, administer deposits and balances, arrange samples, pack and label goods, coordinate shipping, manage replacements, answer service questions, maintain business records and perform obligations arising from a quotation, purchase order, contract, invoice, payment confirmation or related commercial communication.
We also process personal data for legitimate business purposes, including improving the website, preventing fraud, maintaining account and order security, evaluating supplier and logistics performance, preserving audit trails, establishing or defending legal claims, conducting ordinary accounting, complying with tax rules, responding to law-enforcement or regulator requests, screening orders that appear unlawful or inconsistent with payment partner requirements, and communicating with business customers about related products or services where applicable law permits such communication and where the recipient has not opted out.
Where consent is required, such as for certain marketing communications or optional cookies, we will rely on consent and permit withdrawal in the manner provided at collection or in subsequent communication. Withdrawal of consent does not affect processing already lawfully undertaken, nor does it require us to erase records that must be retained for tax, accounting, dispute, payment, fraud-prevention, contractual or legal reasons. Consent is one lawful basis among several, and its withdrawal is respected within the limits of applicable law, any competing lawful basis and our continuing legal or contractual obligations.
5. Payments, Stripe, Airwallex and financial intermediaries
We may use third-party payment processors, acquiring banks, card networks, payment facilitators, banking platforms, payout providers or related financial technology services to support payment by bank transfer, corporate card, local payment method, invoice link, payment link or other method made available for a particular order. Such providers may include Stripe, Airwallex or comparable providers. These providers may collect and process payment credentials, card details, payer information, billing information, device signals, fraud indicators, transaction records, verification data and compliance information under their own terms and privacy notices.
We do not intentionally collect or store full card numbers, card security codes or raw payment credentials through the website contact form. If a payment link or hosted checkout is used, the payment interface should be understood as a processor or financial intermediary environment, not as an invitation to email card data to us. Customers must not send card numbers, one-time passwords, banking login credentials, API secrets or similar sensitive payment information by email, WhatsApp, free-text form field or artwork upload.
Payment providers may be required by law, network rules, anti-money-laundering obligations, sanctions obligations, fraud-monitoring expectations, know-your-business or know-your-customer procedures, dispute rules and internal risk policies to process data about merchants, representatives, payers and transactions. We may disclose transaction-related data to those providers so that they can process payments, prevent misuse, comply with legal obligations, review disputes, investigate chargebacks or determine whether an order, customer or business activity is permitted under their acceptable-use and restricted-business requirements.
6. Disclosure and recipients
We may disclose personal data to personnel, contractors, fulfilment partners, print vendors, packaging suppliers, warehousing providers, logistics providers, couriers, payment processors, banks, professional advisers, insurers, auditors, IT service providers, hosting providers, fraud prevention services, regulators, law-enforcement agencies, courts, tax authorities and any other recipient where disclosure is reasonably necessary for the purposes described in this Policy. We seek to limit disclosure to information relevant for the receiving party's function, while recognising that delivery, payment, fulfilment, audit and legal processes cannot be completed where essential information is withheld from the party required to perform the relevant function.
Where vendors receive personal data to perform services on our behalf, we expect them to process the data only for the instructed purpose, protect it using reasonable safeguards and return, delete or otherwise handle it in accordance with our instructions and applicable law. Where a recipient acts as an independent controller, such as a payment provider, courier, regulator, professional adviser or legal authority, that recipient is responsible for its own processing and may have separate obligations to you.
If we undertake a merger, acquisition, financing, restructuring, sale of assets, assignment, transfer of contracts or similar corporate transaction, personal data may be disclosed to counterparties, advisers and successors to the extent reasonably necessary to evaluate or complete the transaction, subject to appropriate confidentiality expectations. Any such disclosure is intended to support business continuity, due diligence, transaction execution, customer support, accounting and legal administration, and not to permit unrelated use of customer, recipient or transaction records outside the legitimate purposes connected with the transaction or successor business.
7. Cross-border transfers
Because corporate gifting frequently involves suppliers, couriers, customers, event locations and remote recipients across Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong and other jurisdictions, personal data may be transferred, accessed, stored or processed outside the jurisdiction in which it was originally collected. Payment providers such as Stripe or Airwallex, logistics networks, cloud providers and professional service providers may also process data in multiple countries according to their operating models.
Where we transfer personal data cross-border, we take steps intended to ensure that the data receives a standard of protection comparable to that required under applicable Singapore data-protection law, whether by contract, vendor due diligence, access controls, technical measures, transfer assessment, reliance on the recipient's statutory obligations or other safeguards appropriate to the nature of the data and the risk. You acknowledge that cross-border commerce, by its nature, may require cross-border information flows, including disclosure of recipient details to the delivery network, payment details to payment intermediaries and order details to suppliers or service providers where such disclosure is necessary to perform the transaction.
8. Retention and deletion
We retain personal data for as long as reasonably necessary to fulfil the purposes for which it was collected, including completing quotes, producing orders, arranging delivery, responding to after-sales questions, maintaining transaction records, satisfying accounting and tax obligations, resolving disputes, administering chargebacks, proving delivery, preserving consent records, complying with legal obligations and protecting our legitimate interests. Different categories of data are retained for different periods because a delivery address for a one-off shipment, an invoice record, a chargeback response file and a marketing preference record do not all serve the same function.
When data is no longer reasonably required, we may delete it, anonymise it, aggregate it, archive it in restricted systems, or otherwise handle it in accordance with retention schedules and legal obligations. Residual copies may remain in backups, logs, email archives or disaster-recovery systems for a limited period until overwritten or purged according to ordinary technical cycles. We do not represent that every residual copy can be deleted instantaneously upon request where the relevant copy is stored in a backup, archive, log, disaster-recovery environment or system subject to scheduled technical deletion.
9. Security
We use reasonable administrative, technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, misuse, alteration, disclosure and destruction. Measures may include access limitation, vendor selection, record segregation, secure payment redirection, employee confidentiality expectations, device and account controls, backup practices and review of unusual order or payment activity. No website, email account, courier network, payment method or human process can be guaranteed absolutely secure, and you should use caution when deciding what information to send through any channel.
You are responsible for ensuring that files sent to us, including artwork, CSV recipient lists and purchase orders, do not contain unnecessary personal data, hidden metadata, unrelated worksheets, private comments, embedded credentials or other information not needed for the order. If you discover that you have sent such information, notify us promptly so that we can consider reasonable containment steps.
10. Rights and choices
Subject to applicable law, identity verification, exceptions and the rights of others, you may request access to personal data we hold about you, correction of inaccurate data, withdrawal of consent where processing is based on consent, deletion where retention is no longer lawful or necessary, restriction of processing, objection to certain processing, or information about how data has been used or disclosed. Requests should be sent to contact@tradebz.asia with enough detail for us to identify the relevant record and understand the request.
Where a request relates to data provided by your employer, customer, event organiser or another organisation, we may need to coordinate with that organisation or direct you to it, particularly where we act as a processor or service provider for a corporate customer's fulfilment instructions. We may decline, limit or defer a request where permitted by law, including where disclosure would reveal another person's data, undermine a legal claim, interfere with fraud prevention, conflict with accounting obligations or require disproportionate effort relative to the data involved.
You may opt out of non-essential marketing communications by using the unsubscribe mechanism provided in the communication or by contacting us. Operational messages about quotes, orders, invoices, production, delivery, policy changes, payment issues, chargebacks, security or legal notices are not marketing messages merely because they arrive by email and contain words.
11. Cookies, analytics and embedded services
The website may use cookies, local storage, server logs, embedded fonts, map embeds or similar technologies to load pages, remember limited preferences, diagnose performance, understand aggregate usage and protect the site. Third-party services may set their own technologies when content is embedded or loaded from their domains. You can configure your browser to block or delete cookies, although doing so may affect site functionality, display or measurement.
At present, the website is principally an informational and quote-request site rather than an account platform. If we later add hosted checkout, analytics, live chat, customer portals, payment links, catalogue downloads, account logins or automated marketing tools, additional notices may be presented at the point of collection, and this Policy may be updated accordingly.
12. Minors and unsuitable submissions
Our services are directed to business customers and authorised representatives, not to children. We do not knowingly solicit personal data from minors. If you believe a minor has provided personal data to us without appropriate authority, contact us and we will review the matter. Customers must not use recipient fields, artwork notes or order briefs to submit unlawful, harmful, discriminatory, obscene, infringing, confidential, regulated or otherwise inappropriate information.
13. Changes to this Policy
We may amend this Policy from time to time to reflect changes in law, business operations, payment methods, fulfilment practices, technology, vendor arrangements, processor requirements, regulatory expectations or internal compliance review. The updated version will be posted on the website with an updated effective date. Continued use of the website or submission of personal data after publication of the updated Policy indicates acknowledgement of the updated terms to the extent permitted by law.
14. Questions, complaints and privacy contact
If you have questions, requests or complaints about this Privacy Policy or our processing of personal data, contact TRADEBZ PTE. LTD. at contact@tradebz.asia. Please include your name, organisation if applicable, contact details, the nature of your request, the order or quotation reference if known, and any information that helps us identify the relevant record, transaction, correspondence thread, recipient list, invoice, payment record, delivery record or account contact without conducting an unnecessarily broad search through unrelated business records.
15. Supplemental long-form provisions for payment, fulfilment and processor-facing transparency
Because modern payment facilitators, acquiring banks, card networks, fraud-monitoring systems, foreign-exchange providers and regulated financial-technology platforms often ask merchants to explain, in public-facing language, how a business collects customer information, how it uses such information, who receives such information, how payment information is handled, how delivery information is administered and how a customer may contact the merchant, we provide this additional statement to set out the relevant processing activities with specificity for customers, institutional reviewers and payment partners.
When a customer requests a quote for corporate gifts, the customer initiates a sequence of commercial processing steps that may include identification of a business representative, assessment of product suitability, price calculation, artwork coordination, stock reservation, supplier communication, sample dispatch, payment collection, invoice creation, bank reconciliation, courier booking, proof-of-delivery management, replacement handling, refund assessment, chargeback evidence compilation and retention of records for audit and dispute purposes. Each of those steps may require some personal data, and each is limited to the information reasonably necessary to quote, print, pack, courier, reconcile, defend or refund the relevant order.
For the avoidance of doubt, payment data is treated with a narrower discipline than ordinary order data. We may know that an invoice was paid, that a card payment succeeded, that a bank transfer reference matched an invoice, that a payment link was issued, that a transaction was disputed, or that a processor requested supporting information. We do not ask customers to email card numbers, card security codes, online banking credentials, one-time passwords or other sensitive payment credentials. If a hosted payment provider such as Stripe, Airwallex or a comparable provider is used, payment credentials are collected in that provider's environment, subject to that provider's independent security, privacy, compliance and payment-network obligations.
We may receive limited payment-related information from a payment processor, including transaction identifiers, payer name, business name, masked card details, payment status, refund status, dispute status, billing country, fraud-review signals or other information made available to merchants in the ordinary course of payment administration. Such information is used to identify payments, issue receipts, release orders, investigate failed transactions, respond to disputes, prevent unauthorised use, reconcile accounts and satisfy legal obligations. It is not used for unrelated profiling or unrelated marketing outside the purposes described in this Policy.
Where Airwallex, Stripe, banks, card networks, wallet providers, fraud-prevention vendors, logistics partners or other third parties process personal data independently, they may determine their own legal bases, retention periods, security measures, international transfer mechanisms and disclosure obligations. We encourage customers to read the privacy notices and terms of those providers. We cannot meaningfully promise that a payment provider will delete, amend, reveal, restrict or handle data in a particular way when that provider is acting under its own legal, regulatory, contractual and network duties rather than merely executing our written instructions.
16. Practical data map for a typical corporate-gifting transaction
At the enquiry stage, we may process the name, company, email address, telephone number, role, approximate quantity, desired product category, event timing, delivery country and short free-text brief of the person submitting the enquiry. At the quotation stage, we may process additional information about product preferences, brand requirements, budget expectations, artwork requirements, procurement restrictions, billing entity, decision-maker identity, internal approval timing and any constraints necessary to prepare a commercially useful quote supported by relevant order assumptions.
At the artwork and approval stage, we may process logos, brand guidelines, mock-up comments, print-position approvals, colour notes, packaging copy, event names, department names, approval emails, file metadata and the name or initials of the approving representative. At the payment stage, we may process invoice contacts, accounts-payable contacts, purchase-order references, remittance confirmations, processor transaction identifiers, refund instructions, billing addresses, dispute communications and information required to prove that the payment corresponded to the goods and services ordered.
At the fulfilment stage, we may process recipient names, delivery addresses, phone numbers, delivery windows, recipient labels, internal department routing, packing lists, courier tracking numbers, delivery confirmations, failed-delivery notes and replacement instructions. At the after-sales stage, we may process photographs of damaged or disputed goods, descriptions of alleged defects, replacement addresses, refund requests, chargeback notices, customer-service notes and final resolution records. This chain is described in detail so that the phrase "order information" is not left to carry multiple distinct processing activities without explanation.
17. Recipient lists, employee gifts and distributed shipments
Where a customer supplies a recipient list for employee onboarding kits, customer appreciation boxes, event welcome packs, conference gifts, home-address deliveries or cross-border distribution, the customer remains responsible for the lawful collection and disclosure of that list. We act on the customer's instructions to pack, label, dispatch, track and administer the shipment. We do not independently invite ourselves into the employment relationship, membership relationship, event registration relationship or customer relationship that gave rise to the recipient list.
Recipient lists should be limited to the information needed for fulfilment. A name, delivery address, telephone number and delivery note may be necessary. A recipient's performance rating, medical condition, salary, disciplinary history, national identification number, political view, family situation or other unrelated information is not necessary for dispatching a tumbler, notebook, power bank or umbrella set. If such information is supplied accidentally, we may delete, ignore, redact or restrict it where practicable, but the customer should avoid sending it in the first place.
Distributed shipping may require disclosure of recipient data to couriers, fulfilment staff, packing vendors, customs brokers, postal services, delivery platforms and, for cross-border orders, authorities or carriers in the destination country. A customer who requests delivery to multiple recipients acknowledges that such disclosure is inherent in the service. A parcel cannot be delivered without disclosure of the relevant recipient, address, contact and routing information to the parties responsible for dispatch, transit, customs clearance and final delivery.
18. Fraud, sanctions, misuse and restricted activity screening
We may use personal data and order data to screen for fraud, sanctions risk, payment abuse, unauthorised brand use, suspicious shipping patterns, inconsistent billing details, unusually high-risk refund behaviour, prohibited merchandise requests, transactions with no genuine commercial purpose, or orders that appear inconsistent with the acceptable-use expectations of payment processors and financial partners. This screening may involve manual review, processor dashboards, bank enquiries, public registries, internal order history and customer correspondence.
If an order appears to involve unlawful goods, counterfeit or unauthorised goods, abusive content, adult content, weapons, controlled substances, hate speech, deceptive promotions, bribery, corruption, sham transactions, payment laundering, excessive chargeback risk or other activity outside our risk appetite or the risk appetite of our payment partners, we may decline, cancel, pause, refund or request additional information. Data processed in connection with such review may be retained for legal, risk, fraud-prevention and audit purposes even if the order does not proceed.
Where a payment processor, bank, card network, regulator or law-enforcement body requests information about a transaction, payer, recipient, delivery or dispute, we may disclose relevant information as permitted or required. We may also preserve records where we reasonably anticipate a dispute, investigation, legal claim, processor review or regulatory enquiry. The fact that an order is cancelled does not mean that every record evaporates immediately into administrative mist.
19. Communications, recordings and correspondence records
We may keep records of emails, WhatsApp messages, quote-form submissions, phone notes, meeting notes, artwork comments, approval trails and related correspondence. These records help us understand what was requested, what was approved, what was changed, what was paid, what was dispatched and what was later disputed. Without such records, a custom merchandise project would lack a reliable evidentiary basis for order administration, replacement decisions, refund assessment, chargeback response and legal recordkeeping.
We may use contact details to send operational messages about quotes, samples, payment, production, courier issues, replacement options, refund decisions, legal notices and policy updates. These operational messages are not optional marketing. We may also send business-to-business marketing about related corporate gifting products where permitted by law, subject to opt-out rights. If you opt out of marketing, we will still send messages necessary to administer existing orders, disputes, invoices and legal obligations.
20. Expanded retention explanation
Quotation records that do not become orders may be retained long enough to respond to follow-up enquiries, compare revised requests, understand customer preferences, prevent repeated re-entry of the same information and maintain ordinary sales records. Order records may be retained longer because they support accounting, tax, audit, warranty, replacement, dispute, chargeback, legal and supplier-management needs. Payment and invoice records may be retained for statutory accounting periods and for as long as a transaction may reasonably be subject to dispute, reversal, regulatory review or audit.
Recipient delivery records may be retained for a shorter operational period where feasible, but may remain in courier records, proof-of-delivery files, invoice attachments, order archives, backup systems or dispute files when necessary. Artwork approval records may be retained to prove that a customer approved a logo, spelling, colour, placement or layout before production. Premature deletion of approval records could impair the ability to resolve disputes, verify instructions, respond to payment reversals or establish whether production followed the approved specification.
When we no longer need identifiable data, we may delete, anonymise, aggregate or archive it. Anonymised or aggregated information may be used to understand product demand, average lead times, defect rates, delivery performance, category pricing, stock planning and marketing effectiveness. Such information does not identify a natural person and is not treated as personal data where it can no longer reasonably be linked back to an individual.
21. Relationship between our role and the role of service providers
In some contexts we act as a controller because we decide why and how to process personal data for our own business, legal, accounting, customer-service and order-management purposes. In other contexts, particularly when a corporate customer provides a recipient list for fulfilment, we may act more like a processor or service provider acting on that customer's instructions. A single order may contain both roles: we control our invoice records, while we process the customer's employee delivery list for fulfilment.
Our suppliers and fulfilment partners may similarly have role distinctions. A print vendor that receives artwork and quantity instructions may act on our instructions. A courier may act as an independent service provider subject to transport and postal obligations. A payment processor may act under its own regulated obligations. A professional adviser may act under professional duties. These distinctions matter because they determine who can answer which request and who has the authority to correct, delete, disclose or restrict which record.
If a request concerns data we control, we will assess it directly. If it concerns data controlled by a corporate customer, payment provider, courier, bank or other independent entity, we may direct you to that entity or coordinate where appropriate. This is not procedural evasion; it is the legal plumbing by which responsibility is assigned to the party that actually controls the pipe.
22. Business representatives and corporate contact data
Many enquiries are submitted by employees using business contact details. Business contact data is still personal data when it identifies an individual, but the context affects how it is used. We may use a procurement manager's business email address to discuss quotes, approvals, invoices and delivery schedules because that is precisely why the address was supplied. We may also keep that contact attached to the customer account so future reorders and support questions can be handled without reconstructing the relationship from scratch.
If a representative leaves the customer organisation, the customer should notify us where continued use of that representative's contact details would be inappropriate. We may update account records to a successor contact, preserve historical emails as part of the order record, and avoid sending future operational communications to the former representative where no longer relevant. Historical records are not rewritten merely because an organisation changes personnel; the record of who approved a thing remains the record of who approved the thing.
23. No disguised guarantee about third-party payment services
This Privacy Policy is not a promise that Stripe, Airwallex, banks, card networks, wallets, couriers or other third parties will approve, process, settle, refund, delete, retain, disclose, restrict or otherwise handle any transaction in a particular way. Those parties may have their own rules, risk systems, regulatory obligations and contractual rights. We may assist with reasonable merchant-side information, but we cannot compel a processor to disregard its fraud model, regulatory duties or acceptable-use policy because a customer finds the result commercially inconvenient.
Similarly, nothing in this Policy should be read as an instruction to submit sensitive payment credentials to us, bypass hosted checkout, evade processor controls, conceal the nature of a transaction, misdescribe goods, route payments through unrelated entities, or use personal data in a manner inconsistent with law. If a sentence could be misread to support such conduct, the sentence should be read again, slowly, with less ambition.
24. Operational privacy annex with detailed processing specificity
If an order is simple, the data flow may also be simple: a representative sends an enquiry, we reply with a quote, the customer pays, goods are delivered, and the record is retained. If an order is complex, the data flow becomes correspondingly complex: multiple representatives may negotiate, a finance contact may pay, an accounts-payable mailbox may receive invoices, an event manager may approve delivery, a designer may approve artwork, a warehouse contact may coordinate dispatch, recipients may appear on a packing list, a courier may record proof of delivery, and a payment provider may require evidence when a transaction is reviewed. This Policy covers both situations because privacy obligations must be applied to the actual processing structure of the relevant transaction.
We may create internal administrative notes about an enquiry or order. Those notes may record such matters as "customer wants ivory bottle if black is unavailable", "finance requires purchase order before deposit", "artwork version approved by procurement", "urgent event date", "recipient file revised", "courier returned parcel", "customer requested replacement" or other operationally relevant statements. These notes are not usually visible on the website, but they may be personal data where they relate to an identifiable person. They are used to manage the order, avoid repeating mistakes, coordinate staff and preserve the factual record.
We may also receive inferred data from the circumstances of a transaction. For example, if an email is sent from a corporate domain, we may infer the sender is associated with that organisation. If a person approves artwork, we may infer that person has approval responsibility for the project. If a recipient list contains office addresses, we may infer that delivery is office-based rather than home-based. Such inferences are used cautiously and pragmatically; they are not used to make significant automated decisions about individuals, and we do not operate a credit-scoring, employment-screening or behavioural-profiling service.
Where we receive files, those files may contain metadata or hidden content. A spreadsheet may contain hidden tabs, comments, formulas, previous versions, author names or unrelated columns. A PDF purchase order may contain embedded metadata. A logo file may contain creator information. We do not actively seek such data, and customers should remove unnecessary information before sending files. If such data is received, it may be stored incidentally with the file unless we identify and remove it. The safest approach is to send only what the order requires, because a fulfilment provider should not be required to retain, review or protect unnecessary hidden data unrelated to the transaction.
We may use reasonable vendor-management practices when selecting providers, but we do not promise that every provider will use identical safeguards, identical countries of processing, identical retention periods or identical user interfaces. Instead, we consider the nature of the service, the sensitivity of the data, the practicality of alternatives, the provider's role, commercial necessity and legal requirements. Payment providers, couriers and cloud services may have sophisticated compliance programmes; small specialist print vendors may have simpler processes. The common objective is that information be used for the business purpose for which it was shared and protected with measures appropriate to the risk.
25. Edge cases, mistaken submissions and excessive data
If you send information to us by mistake, notify us promptly. We may delete, return, restrict or disregard the information where practicable. However, if the information has already been incorporated into an order record, transmitted to a courier, included in a payment dispute file, backed up, sent to a supplier or otherwise used in a legitimate business process before the mistake is identified, complete extraction may not be immediate or possible. Customers should therefore review attachments before sending them and should remove irrelevant personal data, hidden worksheets, embedded comments, unrelated contact lists and unnecessary metadata.
If an individual contacts us claiming that a corporate customer supplied their data without permission, we will review the request and may coordinate with the customer. Because the customer may be the party that collected the data and instructed fulfilment, the customer may be best placed to explain the lawful basis. We may pause further processing where appropriate, but we may also retain information necessary to investigate the claim, prove what occurred, comply with law or defend against disputes.
If a customer asks us to deliver gifts to recipients in jurisdictions with stricter data-localisation, employment, consumer, customs or privacy expectations, the customer must ensure that the transfer and delivery instructions are lawful. We will take reasonable steps within our role, but the customer controls the relationship with its employees, clients, event guests or other recipients. We cannot independently verify every consent, employment notice, event registration form or customer privacy statement that might sit behind a recipient list.
This Policy is intentionally expansive. It is not intended to alarm ordinary customers, but to make the full chain of processing visible enough that a reasonable business reviewer, payment provider or compliance analyst can see that the merchant understands its data flows. For the avoidance of doubt, we do not sell recipient lists to unrelated advertisers, and we do not use recipient lists for unrelated advertising profiles. The detailed wording exists to describe the operational, payment, fulfilment, legal, retention and rights context in which corporate-gifting data may be processed.
26. GDPR, UK GDPR and EEA/UK supplemental privacy annex
This section applies where, and only to the extent that, the General Data Protection Regulation, Regulation (EU) 2016/679, the UK GDPR, the United Kingdom Data Protection Act 2018, or any implementing, supplementary or successor data-protection law applies to the relevant processing of personal data. TRADEBZ PTE. LTD. is established in Singapore and principally provides corporate-gifting services from Singapore. We do not state, by including this annex, that every enquiry from every person in every country is automatically governed by the GDPR. We include it because some corporate customers, recipients, payment processors, banks, platform reviewers, procurement teams and privacy officers quite reasonably expect a merchant that may receive EEA or UK personal data to explain what happens if GDPR-style rights and obligations become relevant.
For the purposes of this annex, references to "GDPR" should be read to include the EU GDPR where it applies and the UK GDPR where the United Kingdom regime applies, unless the context requires otherwise. References to the EEA include the European Economic Area. References to "data subject" mean the identified or identifiable natural person whose personal data is processed. References to "controller", "processor", "recipient", "personal data", "processing", "special categories of personal data", "supervisory authority" and related GDPR expressions should be interpreted consistently with the GDPR, while recognising that a Singapore merchant may also be subject to Singapore's Personal Data Protection Act and related PDPC expectations.
Where we act as a controller under GDPR, we determine the purposes and means of processing for our own business records, quote administration, payment reconciliation, legal compliance, dispute handling, fraud prevention, customer-service records, marketing preferences and merchant operations. Where we process a recipient list supplied by a corporate customer solely to pack and deliver gifts under that customer's instructions, we may act as a processor or service provider for that narrow fulfilment activity. Where a payment provider, courier, bank, card network, customs broker or professional adviser acts under its own legal or regulatory obligations, that party may be an independent controller. These role distinctions are material because the person or organisation responsible for responding to a GDPR request depends on who determines the purposes and means of the relevant processing.
27. GDPR lawful bases, Article 6 and Article 9
Where GDPR applies and we act as a controller, our processing may rely on one or more lawful bases under Article 6. We may rely on performance of a contract or steps prior to entering into a contract where we process information to respond to an enquiry, prepare a quote, administer an order, arrange delivery, issue invoices, process replacements or manage customer support. We may rely on legitimate interests where processing is necessary for ordinary B2B communication, fraud prevention, payment verification, business administration, recordkeeping, supplier coordination, defence of legal claims, service improvement, network and information security, or proportionate direct marketing to business contacts, provided those interests are not overridden by the rights and freedoms of the data subject.
We may rely on legal obligation where processing is necessary for tax, accounting, sanctions, anti-money-laundering cooperation, regulatory response, court orders, law-enforcement requests, payment-network obligations or other binding legal duties. We may rely on consent where a particular processing activity requires consent, such as certain optional marketing communications or optional cookies if later implemented. Consent may be withdrawn, but withdrawal does not invalidate earlier lawful processing and does not require us to delete records retained under another lawful basis. We rarely expect to rely on vital interests or public task in ordinary corporate-gifting transactions, but if an extraordinary situation arises, applicable law will determine the analysis.
We do not seek special categories of personal data under Article 9 for ordinary corporate-gifting services. Customers should not send health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, sex life or sexual orientation information in recipient lists, artwork files, order briefs or delivery instructions unless a specific lawful basis and necessity have been established before disclosure. If such data is accidentally supplied, we may delete, restrict, return or ignore it where practicable. If special-category data must be processed for a lawful reason, such as a specific accessibility delivery instruction or dietary note voluntarily supplied for a gift pack, the customer must ensure an Article 9 condition is available and must limit the information to what is strictly necessary.
28. GDPR transparency, Articles 12 to 14 and extended notice structure
GDPR transparency rules require information to be provided in a concise, transparent, intelligible and easily accessible form. This Policy therefore includes a short operational summary for ordinary readers and extended provisions for business reviewers, payment processors, procurement teams, privacy officers and institutional stakeholders who require more detail. The condensed operational position is that we process data to quote, customise, take payment for, pack, deliver, support, account for and defend corporate-gifting orders. The extended provisions explain the related legal bases, recipients, transfers, retention periods, rights, processor relationships and dispute records.
Where we collect personal data directly from you, this Policy is intended to provide the categories of information required by GDPR-style transparency rules, including identity of the controller, purposes, lawful bases, recipients, transfer information, retention criteria, rights, complaints and contact details. Where we receive data indirectly from a corporate customer, such as an employee recipient list, the corporate customer is generally responsible for giving its employees, clients, event guests or other recipients the notices required by law. We may provide this Policy so that the customer can point recipients to our processing practices, but the customer must not treat our Policy as a substitute for its own notice where it controls the original collection.
29. GDPR data subject rights, DSAR process and response boundaries
Where GDPR applies, a data subject may have rights under Articles 12 to 22, including the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights relating to automated decision-making and profiling. A request exercising these rights may be described as a data subject access request, DSAR, access request, erasure request, portability request, objection or other similar formulation. You do not need to recite statutory wording to make a request, but you do need to provide enough information for us to identify you, locate the relevant records and understand what you are asking us to do.
A right of access request may entitle the data subject to confirmation whether personal data is processed, access to that data, and supplementary information about the processing. However, access rights are not unlimited. We may need to protect the rights and freedoms of other individuals, preserve legally privileged material, avoid disclosing confidential business information, withhold processor-risk signals, protect fraud-prevention methods, comply with legal restrictions or coordinate with a corporate customer where the customer controls the relevant record. If a recipient asks us for a copy of a corporate customer's full gift-recipient spreadsheet, the response may be narrower than the spreadsheet because other recipients' personal data, customer confidential information and unrelated order records must also be protected.
A right to rectification may apply where personal data is inaccurate or incomplete. If your delivery address, name, phone number, email address or business contact details are wrong, tell us promptly. If a correction arrives after goods have been dispatched, the correction may apply to future processing but cannot necessarily chase a parcel already travelling through a courier network. If a correction affects invoice records, artwork approvals, payment evidence or dispute files, we may preserve the original record and add a correction note rather than rewriting history.
A right to erasure may apply in certain circumstances, such as where data is no longer necessary, consent is withdrawn and no other basis applies, processing is unlawful, or erasure is required by law. The right to erasure is not absolute. We may retain data where necessary for contract performance, legal obligation, accounting, tax, dispute resolution, establishment, exercise or defence of legal claims, fraud prevention, payment disputes, chargeback evidence, regulatory cooperation or other lawful grounds. If an order was paid, produced, delivered and later disputed, deletion may be refused or deferred because the order record may be necessary evidence of the transaction, approvals, payment, delivery and dispute history.
A right to restriction may allow certain processing to be paused while accuracy, objection, unlawfulness or retention issues are assessed. A right to data portability may apply to personal data provided by the data subject where processing is based on consent or contract and carried out by automated means. In our business, portability will often be limited because many records are mixed business documents, invoices, approvals, delivery records, supplier notes or correspondence rather than a portable consumer account dataset. Where portability applies, we will provide data in a reasonably usable format, subject to verification and third-party rights.
A right to object may apply to processing based on legitimate interests or direct marketing. If you object to direct marketing, we will stop sending direct marketing to the relevant contact details, subject to retaining suppression information so we know not to contact you again. If you object to legitimate-interest processing connected with an active order, dispute, payment, fraud review or legal claim, we will assess whether compelling legitimate grounds override the objection. The words "I object" are important, but they do not automatically cancel an invoice, recall a courier, erase a chargeback file or make a legal claim vanish in a puff of compliance perfume.
30. Automated decision-making, profiling and payment-risk tooling
We do not intentionally make decisions producing legal or similarly significant effects about individuals solely by automated means within the ordinary meaning of GDPR Article 22. We may, however, rely on payment processors, fraud-prevention systems, banking tools, card-network rules, sanctions-screening indicators, courier-validation tools, spam filters, security logs or other automated or semi-automated systems that flag transactions, messages, addresses or activity for review. Such systems may influence whether we ask questions, delay fulfilment, request another payment method, decline an order, preserve records or submit evidence to a payment provider.
Where a payment provider such as Stripe or Airwallex uses its own automated or risk-based systems, those systems operate under that provider's policies and legal obligations. We may receive the outcome or a request for information, but we may not receive or control the full logic of the provider's model. If a provider declines a payment, places a hold, requests verification or restricts a transaction, the customer may need to engage with that provider or use an alternative lawful payment method. We will not falsify order descriptions, conceal risk information or route transactions deceptively to overcome automated review.
31. International transfers, Standard Contractual Clauses and cross-border safeguards
Where GDPR applies and personal data is transferred from the EEA, United Kingdom or Switzerland to Singapore or another country not treated as providing adequate protection for the relevant transfer, a transfer mechanism may be required. Depending on the facts, such mechanisms may include an adequacy decision, Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement or Addendum, supplementary measures, derogations for contract performance, legal claims, explicit consent in limited cases, or other lawful transfer tools. This Policy does not itself execute Standard Contractual Clauses, but it identifies that such mechanisms may be needed where a controller-to-processor or controller-to-controller transfer requires them.
In practical corporate-gifting terms, international transfers may occur when an EEA or UK customer sends us a recipient list, when a Singapore team accesses the information, when a courier carries recipient data to a destination country, when a payment provider stores transaction data regionally or globally, when a cloud provider hosts records, or when a supplier receives limited information necessary for fulfilment. The transfer is not an incidental afterthought; cross-border fulfilment often cannot occur without cross-border information movement. Delivery to Paris, Berlin, Dublin, London or any other destination requires disclosure of the relevant recipient and address information to the parties needed to complete delivery.
Where we enter into a data-processing agreement with a corporate customer, that agreement may include GDPR Article 28 processor terms and appropriate transfer terms. Where we act as an independent controller, a controller-to-controller arrangement may be more appropriate. Where a third-party provider acts independently, its own transfer terms may apply. We will consider reasonable customer requests for transfer documentation, but we may decline documents that misstate our role, impose obligations unrelated to the order, require audit rights disproportionate to the processing, or impose documentation obligations not reasonably connected to the relevant corporate-gifting transaction.
32. EU representative, UK representative and data-protection contact
GDPR Article 27 may require some non-EU controllers or processors subject to GDPR to designate a representative in the Union, unless an exemption applies. Similar concepts may arise under UK GDPR. We have not appointed a general EU or UK representative solely by publishing this Policy. If a specific processing activity requires such appointment, or if a corporate customer requires a representative arrangement for a particular governed processing activity, that issue should be addressed in the relevant contract before the data is transferred. Nothing in this Policy should be read as appointing a representative, data protection officer, agent for service, local establishment or other regulated role unless that appointment is expressly confirmed in writing.
We have not appointed a statutory Data Protection Officer for all processing activities unless expressly stated elsewhere. Privacy enquiries may be sent to contact@tradebz.asia. If GDPR applies and you wish to contact us about a GDPR matter, include "GDPR request" or similar wording in the subject line, identify the relevant order or relationship, state whether you are a customer representative, recipient, supplier contact or other person, and describe the right or issue involved. We may request identity verification and, where the request relates to a corporate customer's data, may coordinate with that customer.
33. Data Protection Impact Assessment, security and risk management
A Data Protection Impact Assessment may be required under GDPR where processing is likely to result in a high risk to individuals' rights and freedoms. Ordinary corporate-gift fulfilment will often not require a formal DPIA by us, particularly where recipient data is limited to name, address and contact details for delivery. However, if a customer proposes an unusual project involving sensitive personal data, large-scale profiling, vulnerable individuals, high-risk monitoring, regulated recipients, hidden tracking, or other risk factors, we may require the customer to conduct its own assessment, reduce the data, alter the process, provide additional safeguards or abandon the proposed arrangement.
Security measures are selected in light of the nature of the data, the risk, the systems used and the practical realities of fulfilment. Measures may include access controls, limited disclosure to suppliers, payment-provider segregation, avoidance of raw card data, role-based handling, password-protected files where appropriate, secure deletion practices, vendor selection, incident review and employee confidentiality expectations. Security is not represented as absolute. No email system, spreadsheet, courier platform, payment dashboard or human approval chain is immune from error. We therefore ask customers to minimise data, verify files, avoid unnecessary sensitive data and promptly report suspected issues.
If a personal-data incident occurs, we will assess the facts, affected data, risk of harm, containment steps, legal notification obligations and relevant contracts. Where GDPR, UK GDPR, Singapore PDPA or another law requires notification to a supervisory authority, customer, processor, controller, affected individual or other party, we will handle notification according to the applicable obligation and our role. If we are a processor for a corporate customer, we may notify the customer so the customer can assess its own obligations. If we are the controller, we will assess our obligations directly.
34. Complaints, supervisory authority and jurisdictional humility
Where GDPR applies, you may have the right to lodge a complaint with a supervisory authority in an EU Member State, or with the UK Information Commissioner's Office where UK GDPR applies. We encourage you to contact us first so we can attempt to understand and resolve the issue, but contacting us first may not be required by law. Because we are established in Singapore, questions may also arise under Singapore's Personal Data Protection Act and the Personal Data Protection Commission. The identity of the relevant authority depends on the processing, the individual, the establishment, the applicable law and the role of the parties.
We do not waive jurisdictional arguments, legal defences or applicability positions by including this GDPR annex. The annex is intended to improve transparency, not to voluntarily submit every Singapore-based corporate-gifting operation to every foreign law in every possible respect. Where a law applies, we will assess and address it in good faith. Where a law does not apply, we may still use it as a useful benchmark for good practice, but a benchmark is not an admission that every obligation under that law applies to every processing activity described in this Policy.
35. Data-processing agreements and corporate customer responsibilities
If a corporate customer is subject to GDPR and provides personal data to us as a processor, the customer should request an appropriate data-processing agreement before transferring the data. Such an agreement may cover subject matter, duration, nature and purpose of processing, categories of data, categories of data subjects, documented instructions, confidentiality, security, sub-processors, assistance with rights, assistance with security incidents, deletion or return, audits and international transfer terms. We will consider reasonable terms proportionate to the order and data involved.
We may reject or negotiate terms that are disproportionate, inaccurate, unrelated to the service, inconsistent with payment or courier operations, or infeasible for a small bespoke fulfilment order. For example, a term requiring us to guarantee deletion from every courier backup within twenty-four hours, to permit unlimited onsite audits without notice, to store all data only in one country while arranging international delivery, or to accept unlimited liability for a customer's own recipient-list errors is unlikely to be commercially workable. Privacy contracts should protect data subjects while remaining proportionate to the processing, the order value, the risk level and the operational role performed by each party.
The corporate customer remains responsible for its own lawful basis, notices, transparency to employees or recipients, accuracy of recipient data, data minimisation, internal approval process, and response to requests where it controls the underlying relationship. If a customer supplies the wrong recipient or address, that is not a GDPR failure by us merely because personal data was involved. It is first an accuracy failure by the customer, with privacy consequences that must be handled by the party responsible for the inaccurate instruction.
36. Sub-processors, suppliers and fulfilment vendors
Where we act as a processor, our sub-processors may include hosting providers, email providers, cloud storage providers, payment administration tools, print vendors, packaging vendors, logistics providers, couriers, IT support providers and other service providers needed to perform the order. Not every provider receives every category of data. A print vendor may receive artwork and quantity, a courier may receive recipient address and phone number, and a payment processor may receive payer and transaction data. The data follows the task, not a desire for maximal distribution.
Where required by a data-processing agreement, we may provide information about categories of sub-processors and material changes. We are not required to disclose commercially sensitive supplier information where not legally required, particularly where the provider does not process personal data or where disclosure would undermine supplier confidentiality. We will, however, use reasonable care to ensure that service providers receiving personal data are appropriate for their role and are instructed to use the data for the relevant service.
37. GDPR and business-to-business marketing communications
Where GDPR or UK electronic-communications rules apply to marketing, we will consider the applicable lawful basis and consent or soft opt-in rules before sending electronic marketing. B2B marketing rules differ by jurisdiction and recipient type. A message about an active quote, invoice, sample, order, delivery or policy is operational, not marketing. A later email about new catalogue options, seasonal gift sets or related corporate-gifting services may be marketing. We will provide opt-out mechanisms where required and will honour marketing objections.
Opting out of marketing does not prevent us from sending operational communications, legal notices, payment reminders, delivery questions, refund responses, chargeback evidence requests, security notices or messages required to complete an existing relationship. A marketing objection does not apply to communications that are necessary to perform an existing order, deliver goods, resolve a payment issue, administer a refund, preserve evidence, comply with law or protect legitimate interests. Privacy rights will be respected according to their proper legal scope and the purpose of the processing involved.
38. GDPR, cookies and future tracking technologies
At present, the website is a lightweight static site. If we add analytics, advertising pixels, live chat, catalogue-download tracking, hosted checkout, customer accounts or other tools involving cookies or similar technologies, we will assess whether cookie consent, preference management, updated notices or additional documentation is required. Essential technologies needed to load the site, secure the service or remember limited choices may be treated differently from advertising or analytics technologies, depending on applicable law.
If a third-party embedded service sets cookies or processes data, that provider may have its own role and notice. We do not intend to obscure material tracking or analytics activity through unclear wording. If tracking becomes materially more complex, this Policy should be updated, and additional consent, notice, preference or cookie-management mechanisms should be implemented where required by applicable law.
39. Retention when rights requests, chargebacks and legal claims overlap
GDPR rights requests sometimes arrive during an order, after delivery, during a refund review, while a chargeback is open, or when legal claims are threatened. In those situations, we may need to preserve data that would otherwise be deleted or restricted. The establishment, exercise or defence of legal claims is a recognised reason under GDPR concepts to retain data in appropriate circumstances. Payment disputes also require evidence. If a customer opens a chargeback and simultaneously asks us to erase the proof that the goods were approved and delivered, we may retain the relevant evidence to the extent permitted by law and necessary for the dispute.
Where possible, we may separate data needed for legal or dispute purposes from data no longer needed for ordinary operations. We may restrict access, mark records as disputed, retain only necessary fields, redact third-party data, or preserve a record until the limitation period, dispute window, accounting period or processor review period expires. The result may be that deletion, restriction or erasure is partial, delayed or limited where lawful retention grounds continue to apply.
40. Final GDPR caveat written with maximal procedural solemnity
This GDPR annex is designed to be helpful, specific and processor-review friendly, but it is not legal advice to customers, recipients or suppliers. Customers operating in the EEA, United Kingdom or other regulated jurisdictions should obtain their own advice about their roles, notices, lawful bases, transfer tools, employee communications and procurement obligations. We can describe how we process data for corporate-gifting services, but each customer remains responsible for its own controller obligations, internal notices, employee communications, procurement approvals and lawful transfer decisions.
Where this annex conflicts with a signed data-processing agreement, the signed agreement governs the specific processing relationship to the extent of the conflict. Where this annex conflicts with mandatory law, mandatory law prevails. Where this annex is longer than anyone expected, the blame belongs jointly to modern data-protection law, cross-border commerce, payment-provider onboarding expectations and the enduring human suspicion that if a thing is not said in triplicate, it has not been said at all.
41. Schedule A: GDPR request handling, verification, exceptions and procedural choreography
When we receive a GDPR-style request, we first classify the request. The request may be a right of access request, a rectification request, an erasure request, an objection, a restriction request, a portability request, a complaint, a consent withdrawal, a marketing opt-out, a security concern, a processor instruction from a customer, or a communication that requires clarification before the applicable right can be identified. We then identify the requester, the relevant order, the relevant role, the relevant data source, the applicable law asserted, and whether we are acting as controller, processor, independent controller, merchant of record, fulfilment provider or recipient of another party's instruction. This classification determines whether we answer directly, ask for verification, coordinate with a customer, involve a processor or decline a request that is not ours to fulfil.
Identity verification may be required before we disclose or alter personal data. We may ask for information sufficient to confirm that the requester is the person whose data is involved, an authorised representative, a corporate customer contact, or a person entitled to act for the relevant organisation. The verification required will depend on risk. A request to stop marketing to a business email address may require very little. A request for a copy of delivery records tied to multiple recipients, invoices, payment records or internal approval trails may require more. We do not disclose personal data merely because a message arrives with urgency, capital letters or a signature block that looks impressive.
If a request is made by an authorised agent, representative, solicitor, consultant, parent company, agency or procurement intermediary, we may require proof of authority. Where the authority is unclear, we may respond to the data subject directly or ask the agent to provide written authorisation. If the request concerns a corporate customer recipient list, we may need to notify or consult the corporate customer because the customer may control the list and may need to handle the request under its own obligations. This is particularly important where a recipient is an employee or customer of the corporate customer rather than a direct customer of Tradebz.
We will search systems that are reasonably likely to contain relevant data. These may include quote-form records, email, order folders, invoice records, payment dashboards, fulfilment spreadsheets, courier files, customer-service notes, artwork approval files, backup or archive locations where reasonably accessible, and dispute records. We are not required to conduct a limitless search through every obsolete temporary file, every deleted backup fragment, every supplier system we do not control, or every handwritten note that cannot reasonably be linked to the requester. The search must be reasonable, proportionate and directed to systems likely to contain relevant personal data.
Where records contain multiple people, business confidential information or legal material, we may redact or withhold portions before disclosure. For example, an email thread may contain one person's request, another person's phone number, supplier pricing, payment-risk notes, internal legal advice, courier account information and a recipient address. A right of access does not transform all of that into unrestricted reading material. We will try to provide the requester's personal data while protecting other rights, interests and legal privileges.
If a request is manifestly unfounded, excessive, repetitive, abusive, aimed at disrupting operations, or unrelated to data-protection rights, applicable law may permit us to refuse the request, charge a reasonable fee or limit the response. We will not treat ordinary rights requests as hostile merely because they require work. However, a privacy right is not a mechanism for obtaining commercial concessions unrelated to personal data. A request that combines a data-protection request with a refund demand, contractual complaint or payment dispute will be separated into its privacy component and its commercial component so that each can be handled under the applicable policy and law.
Where a request conflicts with retention required for accounting, tax, payment, fraud, chargeback, contract, product-liability, courier, customs or legal-claim purposes, we may retain the relevant record while restricting non-essential use. This may mean that a business contact is removed from marketing but retained in invoice history; a recipient address is no longer used for dispatch but retained in proof-of-delivery evidence; an artwork approver is removed from future communications but retained in the approval record; or a payment dispute file is preserved until the dispute and related limitation periods expire. Privacy law recognises that records may have continuing lawful functions even after ordinary operational use has ended.
When correcting data, we may preserve the original inaccurate record where the fact of correction matters. For example, if a customer supplied an incorrect address and later corrected it, the original address may remain in the audit trail to explain a failed delivery or re-delivery fee. If an invoice contact changes, the old contact may remain attached to historical invoices. If artwork approval contained a misspelling, the approved version may remain in the production record even if future reorders use a corrected version. Accuracy may therefore require a correction note or updated record rather than deletion of the historical record where the historical record remains relevant evidence.
When restricting data, we may mark records, limit access, pause optional processing, remove data from active fulfilment or suppress marketing while preserving core records. Restriction is not always the same as deletion. It is a way to hold data in a reduced-use state while a dispute, accuracy issue, objection or legal assessment is resolved. Where a parcel is already in transit, restriction may not stop the courier from completing delivery, because the courier's operational process may already be underway. We will take reasonable steps within our role and systems, but external logistics systems, payment systems and supplier systems may require separate handling or may have already processed the relevant instruction.
Portability requests are likely to be narrow in this business. We do not maintain a consumer platform where individuals upload extensive structured account data for reuse elsewhere. Where portability applies, the portable set may include information provided by the data subject in a form, such as name, email, phone number and message. It is unlikely to include internal notes, supplier pricing, payment-risk analysis, legal correspondence, processor data, third-party recipient details or documents created by us as part of business administration. Portability is a right to receive certain data in an appropriate format where the legal conditions are met, not a right to receive every operational record, legal analysis or supplier record connected with the business.
Objections based on legitimate interests will be assessed by balancing the reason for processing against the data subject's rights and circumstances. For direct marketing, objection is straightforward: we stop the marketing. For fraud prevention, chargeback evidence, legal claims, accounting, security or active order fulfilment, we may have compelling grounds to continue. We will explain the outcome where required. If an objection concerns a corporate customer's processing, we may refer the person to the customer or ask the customer for instructions.
Consent withdrawal will be honoured for consent-based processing. Withdrawal does not affect processing based on contract, legal obligation, legitimate interests, legal claims or processor instructions. If consent is withdrawn for optional promotional messages, we stop such messages. If consent is withdrawn for a delivery address already supplied by a corporate customer as part of an employee gift programme, we may need to consult the customer because our legal basis may not be consent from the recipient at all. Legal bases must be assessed specifically by purpose, data category, data subject relationship and processing role.
If a request arrives through social media, a phone call, a reply to a marketing email, a courier note, a payment dispute channel or an informal chat, we may ask the requester to send it to contact@tradebz.asia so it can be tracked and handled properly. This is not an attempt to avoid the request. It is a measure intended to ensure that privacy requests are recorded, assigned, verified, answered and retained consistently rather than being dispersed across informal channels that may not preserve the necessary audit trail.
We may keep a record of rights requests and responses. Such records may include the request, identity verification, analysis, correspondence, deadlines, decision, data disclosed, data withheld, legal basis, and completion notes. We retain request records to demonstrate compliance, prevent repeated processing errors, defend against complaints and manage future correspondence. The record of a deletion request may therefore survive the deletion request, because otherwise we could not prove that the request was received, assessed and handled.
If a data subject complains to a supervisory authority, regulator, customer, processor, payment provider or public channel, we may use relevant personal data and records to respond. We may disclose information to advisers, insurers, regulators, authorities, processors or customers where necessary for that response. The existence of a complaint does not suspend our right to explain the relevant facts, rely on applicable lawful bases, preserve evidence, assert legal defences or correct inaccurate statements.
Where deadlines apply, we will calculate them in accordance with applicable law and the nature of the request. Complex requests, multiple requests, unclear identity, third-party data, archived records, processor coordination or legal review may affect timing. We may extend time where permitted. We may ask for clarification, and where clarification is necessary, the response may depend on receiving it. A request that asks for "everything about everything" may need narrowing before a meaningful response can be produced.
If we are a processor and receive a request directly from a data subject, we may notify the relevant controller and await instructions unless applicable law requires direct action. The controller may be the corporate customer that provided the recipient list. If the controller instructs deletion, correction or disclosure, we will act according to the contract and applicable law. If the controller instructs us to do something unlawful, impossible, ambiguous, disproportionate or inconsistent with another legal obligation, we may decline, seek clarification or request a documented instruction that can be implemented lawfully.
If multiple laws appear to apply, we will assess them together. Singapore PDPA, GDPR, UK GDPR, contract terms, payment rules, tax rules and courier obligations may overlap. The outcome may require satisfying several obligations at once, not selecting the most convenient one and ignoring the rest. Where conflict is genuine, we may seek legal advice, prioritise mandatory obligations, preserve evidence and communicate the practical result. Compliance may require reconciliation of parallel obligations concerning retention, deletion, disclosure, audit evidence, payment dispute records and customer instructions.
This Schedule A is intentionally procedural, redundant and detailed. Its purpose is to make clear that requests are not ignored, and that they are not handled by intuition alone. They are classified, verified, searched, assessed, balanced, responded to and recorded. That process is intended to produce consistent outcomes, preserve legal evidence, protect third-party rights and demonstrate accountability where a supervisory authority, customer, processor, court, payment provider or internal reviewer later asks how the request was handled.
42. Schedule B: EEA and UK recipient-list scenario analysis
If an EEA or UK employer asks us to ship onboarding kits to employees in multiple countries, the employer may be the controller for employee data and we may be a processor for fulfilment. The employer should provide employee notices, identify its lawful basis, ensure minimisation, confirm transfer mechanisms and provide accurate recipient data. We will use the data to pack, label, dispatch, track and support the shipment. We will not use the employee list to market unrelated products to employees, sell the list or infer anything about employee performance or employment status.
If an EEA or UK customer representative requests a quote for goods to be delivered to a Singapore event, we may be controller of that representative's business contact data. Lawful bases may include pre-contract steps, contract performance, legitimate interests and legal obligations. The representative may have rights, but those rights are balanced against business records and legal retention. If the representative later leaves the company, we may update future contact details while retaining historical records showing who approved the quote or artwork at the time.
If an EEA or UK recipient contacts us directly to ask why we have their address, we may explain that the address was supplied by the corporate customer for fulfilment, subject to verification and confidentiality limits. We may refer the recipient to the corporate customer for questions about the original collection and lawful basis. We may also correct or suppress the address for future deliveries if appropriate. We will not necessarily disclose the entire corporate customer's order history to the recipient where doing so would reveal third-party data, business confidential information or records unrelated to that recipient's personal data.
If a processor or bank asks whether our privacy notice mentions GDPR, lawful basis, transfers, rights, retention and complaints, this annex addresses those topics. If the reviewer then asks whether we can provide a data-processing agreement for a specific customer transfer, we can consider a proportionate agreement in context. Public policy, contract terms, processor instructions, transfer documentation and operational controls are different layers; this website notice is not itself a full data-processing agreement and should not be treated as a substitute for order-specific data-processing terms where those terms are required.
43. Schedule C: supplemental privacy limitation recital
For clarity, we do not use personal data supplied for a quote to determine a person's employment prospects, creditworthiness, insurance eligibility, medical status, political reliability, immigration status or suitability for any opportunity outside the corporate-gifting transaction. We use the data for the commercial purposes described in this Policy. If a customer supplies a recipient note, we process it to print, pack, review, deliver or support the note if appropriate; we do not use the note for unrelated profiling, automated eligibility determinations or behavioural analysis outside the disclosed purposes.
We do not intentionally collect children's data. If a school, family event organiser or youth programme requests gifts, the organisational customer must ensure any child-related data is lawful, minimised and supplied only where necessary. We prefer non-personal fulfilment wherever possible, such as bulk delivery to an authorised adult contact rather than individual child-level delivery lists. If individual minor recipient data is unavoidable, additional care, minimisation, restricted access and customer responsibility apply.
If personal data is anonymised so that an individual is no longer reasonably identifiable, we may use the anonymised information for analysis, stock planning, category demand, average lead time, defect trends, courier performance, quote conversion, pricing strategy and service improvement. We may also aggregate order data to understand how many customers request drinkware, technology items, stationery, umbrellas, appointment-only sample reviews or multi-recipient delivery. Aggregated analysis helps us operate the business without needing to stare unnecessarily at any one person's address label.
If we receive a legal hold, regulator enquiry, court process, processor investigation, insurer request, police request, tax audit or formal complaint, we may suspend ordinary deletion schedules and preserve relevant data. Preservation may include records that would otherwise be deleted, because deletion after a dispute, investigation or legal hold arises may conflict with legal, contractual, evidentiary or regulatory obligations. Once the preservation need ends, ordinary retention review resumes.
If a customer wants heightened controls for a project involving EEA or UK recipients, it should tell us before transferring data. Possible controls may include file password protection, reduced data fields, recipient-code references, customer-managed delivery notices, restricted supplier visibility, agreed deletion timing, signed data-processing terms, limited access contacts, or a single consolidated delivery point. Some controls may add cost or reduce delivery convenience. Heightened privacy controls are most effective when planned before data is collected, transferred, packed, dispatched or disclosed to fulfilment partners.
This final privacy schedule records that data protection is not a single approval step. It is a chain of decisions about necessity, notice, lawful basis, security, disclosure, transfer, retention, rights and accountability. Accordingly, customers should minimise data before transmission, confirm recipient accuracy before dispatch, avoid unnecessary sensitive data, use secure channels for large lists, and ensure that the persons whose data they supply receive any notices required by the customer in its capacity as controller or equivalent role.
44. Codicil of final privacy elaboration
If any provision of this Policy is read alongside a shorter notice, banner, form label, invoice statement, payment-link statement, processor notice or customer-provided employee notice, the documents should be read harmoniously where possible. A short form label may identify the field being collected, while this Policy explains why the field is collected, what happens after collection, who may see it, how long it may be kept and what rights may exist. Where a shorter notice is inconsistent with this Policy, the parties should consider the context, the time of collection and any mandatory law applicable to the specific processing activity.
We may update this privacy architecture as the business changes. If we add account logins, live payment checkout, analytics, newsletter subscriptions, catalogue-download gates, customer portals, warehouse integrations, CRM automation, AI-assisted support, automated address validation or recurring corporate-gift programmes, the data flows may change and this Policy may be updated. A privacy notice is a statement of processing practices at a point in time and may be revised as operations, technology, law, vendors and payment requirements change. Customers should check the effective date when relying on the Policy for procurement, processor review or recipient notices.
The overriding rule remains minimisation. Send only the information needed. Use role-based business contacts where possible. Avoid sensitive data. Keep recipient lists accurate. Tell recipients what is happening where you control the relationship. Use secure channels for large files. Do not email payment credentials. Contact us early if something is wrong. These operational requirements are intended to reduce privacy risk, support accurate delivery, preserve payment and order records, and allow rights requests to be handled without unnecessary processing of irrelevant personal data.
Short operational summary: We collect the information needed to quote, customise, take payment for, pack and deliver corporate gifts. Payment providers such as Stripe or Airwallex may process payment and compliance data under their own terms. Do not email card details. Recipient lists should contain only what is needed for fulfilment.