Shrobon — Omnichannel Customer Engagement Platform

Global Privacy Policy

Effective Date: 1 November 2025  |  Last Updated: 1 November 2025

Version 2.0  —  Issued by: Oleyn Pte. Ltd. (UEN: 202432609R), Singapore

Primary jurisdiction: Singapore — Personal Data Protection Act 2012 (PDPA)

Additional jurisdictions: EU/EEA (GDPR), UK (UK GDPR), Australia (Privacy Act 1988), Bangladesh, USA/California (CCPA/CPRA), Canada (PIPEDA), ASEAN

DPO Contact: dpo@oleyn.ai  |  +65 8960 1986

1. About Shrobon and This Policy

Shrobon is an omnichannel customer engagement platform operated by Oleyn Pte. Ltd., a company incorporated in Singapore. Shrobon enables businesses — primarily e-commerce merchants — to manage customer conversations across channels including WhatsApp, Instagram, Facebook Messenger, email, and web chat, supported by artificial intelligence (AI) features including automated triage, routing, and response suggestions.

This Global Privacy Policy describes how we collect, use, disclose, store, and protect personal data across all jurisdictions in which we operate. It is structured in two parts:

  • Part A (Sections 1–12): Universal provisions that apply to all users, clients, and end users regardless of location, built to the highest common standard across applicable laws.
  • Part B (Section 13): Jurisdiction-specific addenda setting out additional rights and obligations for specific regions. Where Part B conflicts with Part A, Part B prevails for users in that jurisdiction.

Our primary legal obligations are under Singapore’s Personal Data Protection Act 2012 (PDPA). We also comply with applicable data protection laws in every jurisdiction where we have clients or process personal data.

2. Who This Policy Covers

2.1 Business Clients

Companies and merchants that subscribe to the Shrobon platform (“Clients”). Shrobon acts as a data controller for Client account data, and as a data intermediary/processor for End User personal data processed on behalf of Clients.

2.2 End Users

Customers of our Clients whose personal data is processed through Shrobon-powered channels (“End Users”). The Client is the primary data controller for End User data. Shrobon processes this data on the Client’s behalf and under their instructions.

2.3 Website Visitors

Individuals who visit shrobon.com or enterprise.shrobon.com.

Note to End Users: Your primary data controller is the business (our Client) you are communicating with. For rights requests and complaints about how your information was used in a conversation, please contact that business first. For platform-level concerns, contact dpo@oleyn.ai.

3. Our Role Under Data Protection Law

Shrobon’s legal role varies depending on the data involved:

Data & Scenario | Shrobon’s Role | Applicable Obligations
End User conversations processed for Clients | Data Processor / Intermediary | Protection & Retention; DPA obligations to Client
Client account, billing & contact data | Data Controller | Full obligations under PDPA and applicable laws
AI triage/routing of conversation data | Data Processor / Intermediary | PDPC AI Guidelines; GDPR Art.22 where applicable
Website visitor analytics | Data Controller | PDPA; GDPR (for EU visitors); CCPA (for CA visitors)

As a data processor/intermediary, Shrobon processes End User personal data solely on the documented instructions of the Client. Clients remain responsible for ensuring their End Users are lawfully informed about how their personal data is used.

4. Personal Data We Collect

4.1 From Business Clients

  • Account and contact information: name, business email, phone number, job title, company name, UEN/registration number, registered address
  • Billing information: processed via our payment providers; Shrobon does not store full card numbers
  • Technical configuration data: API keys, webhook settings, channel credentials, integration configurations
  • Usage analytics: login events, feature usage, session data, support interactions

4.2 From End Users (via Client Channels)

  • Communication data: messages, chat transcripts, media files, documents shared in conversations
  • Contact identifiers: phone numbers, email addresses, social media handles (as shared on the channel)
  • Interaction metadata: timestamps, channel type, device/platform type, conversation status
  • Any personal data voluntarily shared by End Users in the course of a conversation

Shrobon does not determine what personal data End Users share. This is governed by the Client’s service terms and the End User’s choices.

4.3 From Website Visitors

  • Standard web server logs: IP address, browser type, language preference, referring URL, date and time of access
  • Cookie data: see Section 9 for full disclosure
  • Information submitted through contact, demo request, or sign-up forms

4.4 Data We Do Not Collect

Shrobon does not intentionally collect through its platform interface: government-issued identification numbers (NRIC, passport, Social Security, Aadhaar), financial account or payment card numbers, biometric data, or medical/health records. If such data appears in a conversation, the Client bears responsibility for appropriate handling.

5. Artificial Intelligence — Disclosure and Governance

In accordance with applicable AI governance frameworks including the PDPC’s Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (March 2024), IMDA’s Model AI Governance Framework for Generative AI (2024), and equivalent standards in other jurisdictions, Shrobon discloses the following:

5.1 AI Features Deployed

  • Automated triage and routing: AI classifies message intent and routes conversations to appropriate teams or agents
  • Response suggestions: AI generates candidate replies for human agents to review before sending — never sent autonomously
  • Sentiment and priority detection: AI flags conversations requiring urgent attention or human escalation
  • Analytics and summarisation: AI aggregates conversation data to surface performance insights and trends

5.2 Human Oversight Commitment

All AI-generated routing decisions, response suggestions, and priority flags are reviewed by human agents before action is taken. Shrobon’s AI does not make final binding decisions affecting End Users without human involvement. Clients can configure the level of automation applied to their channels, but the platform is designed with human-in-the-loop as the default.

5.3 Data Used to Power AI

AI models process conversation text and associated metadata to generate outputs. All processing occurs on infrastructure hosted in Singapore. Shrobon does not use End User personal data to train, fine-tune, or improve foundational AI models without explicit written consent from the Client.

5.4 Automated Decision-Making

Where AI routing or prioritisation could be considered an automated decision affecting an individual, Shrobon ensures a human agent remains responsible for any consequential action. Users in jurisdictions with specific automated decision-making rights (EU, UK, Australia from 2026) may contact dpo@oleyn.ai to request human review of any AI-influenced outcome.

5.5 Transparency to End Users

Clients using Shrobon’s AI features are required to disclose AI involvement in their customer communications in accordance with applicable platform policies and regulatory guidance. Shrobon provides disclosure template language to Clients upon request.

6. Legal Bases for Processing

We process personal data under the following legal bases, as applicable in each jurisdiction:

Basis | When Applied | Applicable Law
Contract performance | Necessary to deliver services to Clients under our subscription agreement | PDPA; GDPR Art.6(1)(b); APPs
Legitimate interests | Platform security, fraud prevention, service improvement, internal analytics | PDPA; GDPR Art.6(1)(f); APPs
Consent | Direct marketing to prospects; optional analytics features; certain cross-border transfers | All jurisdictions — consent must be freely given, specific, informed and withdrawable
Legal obligation | Complying with court orders, regulatory requests, tax obligations | All jurisdictions
Vital interests | Life/safety emergencies where no other basis applies | GDPR Art.6(1)(d); equivalent provisions

For End Users: The legal basis for processing your data through a Client’s channel is determined by the Client as data controller. Refer to the Client’s own privacy policy for details.

7. How We Store, Protect, and Transfer Data

7.1 Data Location — Primary Infrastructure

All personal data collected and processed by Shrobon is stored on servers located in Singapore. This is our primary and default processing location for all Clients regardless of their jurisdiction.

7.2 Sub-Processors and Cross-Border Transfers

Shrobon engages a limited number of vetted third-party sub-processors (e.g. cloud infrastructure, transactional email, error monitoring). Where a sub-processor is located outside Singapore, we ensure:

  • A written data processing agreement (DPA) is in place requiring the sub-processor to maintain data protection standards equivalent to the PDPA
  • For GDPR-covered transfers: Standard Contractual Clauses (SCCs) (Commission Decision 2021/914) are executed as the transfer mechanism
  • For Australian-covered data: APP 8 contractual safeguards apply

A current list of Shrobon’s sub-processors is available upon request to dpo@oleyn.ai.

7.3 Security Measures

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Role-based access controls (RBAC) limiting data access to authorised personnel
  • Multi-factor authentication (MFA) for all administrative and production access
  • Regular vulnerability assessments and penetration testing
  • Continuous security monitoring and anomaly detection
  • Annual data protection training for all staff with data access
  • Documented incident response procedures aligned with breach notification requirements across jurisdictions

7.4 Client Responsibilities

Clients are responsible for: securing their Shrobon workspace credentials; managing user access and permissions within their account; configuring data retention and deletion settings; and ensuring their own compliance with applicable laws when instructing Shrobon to process personal data.

8. Data Retention

Personal data is retained only as long as necessary for the stated purpose, or as required by applicable law.

Data Category | Retention Period | Basis
Client account and profile data | Duration of contract + 3 years | Contractual / legal obligations
End User conversation logs | 24 months from conversation date (configurable by Client down to 3 months) | Service delivery; Client instruction
Website visitor and analytics logs | 12 months | Security monitoring; service improvement
Billing and financial records | 5–7 years depending on jurisdiction | Tax and accounting obligations (IRAS, ATO, CRA etc.)
Security and access audit logs | 12 months | Security monitoring; regulatory compliance
Consent records | 7 years (or duration of consent + 3 years) | Legal accountability; regulatory requirements
Data breach incident records | 5 years | Regulatory accountability

Upon account termination or a verified deletion request, Shrobon will securely delete or anonymise personal data within 30 days, subject to any applicable legal hold obligations. Clients may request earlier deletion at any time.

9. Cookies and Tracking Technologies

Shrobon uses the following categories of cookies and tracking technologies on our websites:

Category | Purpose | Can Be Disabled?
Strictly Necessary | Authentication sessions, CSRF protection, security tokens — platform cannot function without these | No
Functional / Preference | Remembering your language, display settings, or dashboard preferences | Yes
Analytics | Aggregate, anonymised usage data to improve platform performance — no individual tracking | Yes
Marketing / Advertising | NOT USED — Shrobon does not use advertising or cross-site tracking cookies | N/A

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may impair platform functionality. For EU/UK users, we obtain consent before placing non-essential cookies.

10. Disclosure of Personal Data

Shrobon does not sell, rent, or trade personal data to third parties. We may share data in the following circumstances:

10.1 Service Delivery (Sub-Processors)

We share data with vetted sub-processors that support platform operations, under enforceable DPAs. Categories include: cloud infrastructure, transactional email delivery, error and performance monitoring, and payment processing. Full list available on request.

10.2 Client Access

Each Client accesses only data associated with their own Shrobon workspace. Shrobon does not grant cross-Client data access under any circumstances.

10.3 Legal Compulsion

We may disclose personal data where required by applicable law, a court order, or a regulatory request from authorities such as the PDPC (SG), OAIC (AU), ICO (UK), EDPB (EU), or other applicable regulatory bodies. Where legally permissible, we will notify affected Clients before complying.

10.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of Oleyn Pte. Ltd. or Shrobon, personal data may transfer as part of the transaction. We will notify Clients at least 30 days in advance and provide options to request data deletion.

10.5 Safety and Public Interest

In exceptional circumstances, we may disclose personal data to prevent serious harm to individuals or the public. We will document the basis for any such disclosure.

11. Data Breach Response

Shrobon maintains a documented, tested Data Breach Response Plan. Our breach notification commitments are:

Jurisdiction | Notification Deadline | Notify Who
Singapore (PDPA) | 3 business days of breach assessment | PDPC; affected Clients (for relay to End Users)
EU/EEA (GDPR) | 72 hours of becoming aware | Lead Supervisory Authority; data subjects if high risk
UK (UK GDPR) | 72 hours | ICO; data subjects if high risk
Australia (Privacy Act) | As soon as practicable | OAIC; affected individuals if eligible data breach
Canada (PIPEDA) | As soon as feasible | OPC; affected individuals

In all cases, Shrobon will notify the affected Client immediately upon discovering a breach involving data processed on their behalf, so the Client can fulfil their own notification obligations to regulators and individuals.

To report a suspected breach: dpo@oleyn.ai — subject line: URGENT — DATA BREACH.

12. Your Rights

The following core rights apply to all users regardless of jurisdiction. Additional jurisdiction-specific rights are set out in Section 13.

Right | What It Means | How to Exercise
Access | Know what personal data we hold about you | Email dpo@oleyn.ai
Correction | Correct inaccurate or incomplete data | Email dpo@oleyn.ai or update in-account
Deletion / Erasure | Request deletion of your data (subject to legal retention) | Email dpo@oleyn.ai
Portability | Receive your data in a machine-readable format | Email dpo@oleyn.ai
Objection / Opt-out | Object to processing for direct marketing or legitimate interests | Email dpo@oleyn.ai or use in-email unsubscribe
Withdraw Consent | Withdraw consent for any consent-based processing at any time | Email dpo@oleyn.ai
Restrict Processing | Request restriction while a dispute is resolved | Email dpo@oleyn.ai

We respond to all rights requests within 30 days. For complex or high-volume requests, we may extend by a further 30 days with written notice. Rights requests are free of charge; manifestly unfounded or excessive requests may incur a reasonable fee.

End Users should direct requests to the Client in the first instance. Shrobon will cooperate with Clients to fulfil rights requests involving data we process on their behalf.

PART B — JURISDICTION-SPECIFIC PROVISIONS

The provisions below apply in addition to Part A for users in the indicated jurisdictions. Where Part B conflicts with Part A, Part B prevails.

13. Jurisdiction-Specific Provisions

13.1 Singapore — Personal Data Protection Act 2012 (PDPA)

Singapore is Shrobon’s primary jurisdiction of incorporation and operation. The PDPA governs all processing of personal data in Singapore and applies to Oleyn Pte. Ltd. as both a data controller (for Client data) and data intermediary (for End User data).

Applicable Framework

  • Personal Data Protection Act 2012 (Cap. 26F), as amended
  • PDPC Advisory Guidelines on Key Concepts in the PDPA
  • PDPC Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (March 2024)
  • IMDA Model AI Governance Framework for Generative AI (May 2024)
  • SS 714:2025 — Singapore Standard for Data Protection (Shrobon benchmarks to this standard)

Key Obligations

  • Appointed Data Protection Officer (DPO): dpo@oleyn.ai
  • Mandatory breach notification to PDPC within 3 business days of assessing that a breach is notifiable
  • Data intermediary obligations: Shrobon binds itself to Protection and Retention obligations under PDPA ss.24–25 when processing End User data for Clients
  • AI transparency: Consistent with PDPC AI Advisory Guidelines, Shrobon discloses AI use, maintains human oversight, and supports Clients in meeting their AI accountability obligations

Singapore-Resident Rights

  • Right of access to personal data held by Shrobon
  • Right to correction of inaccurate personal data
  • Right to withdraw consent for consent-based processing
  • Right to lodge a complaint with the PDPC at www.pdpc.gov.sg

Note: PDPA rights vest in individuals whose personal data is collected. End Users of our Clients’ platforms should first contact the relevant Client as their data controller.

13.2 European Union / European Economic Area — GDPR

Where Shrobon processes personal data of individuals located in the EU/EEA — whether as a data controller or data processor acting on behalf of a Client — the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applies.

Legal Basis (GDPR)

  • Art. 6(1)(b): Contract performance — processing necessary to deliver services to EU Clients
  • Art. 6(1)(f): Legitimate interests — platform security, fraud prevention, service improvement
  • Art. 6(1)(a): Consent — direct marketing; non-essential cookies for EU visitors
  • Art. 6(1)(c): Legal obligation — compliance with applicable law

Data Transfers Outside the EU/EEA

Personal data of EU/EEA residents is processed on Shrobon’s Singapore-based infrastructure. Singapore does not currently hold an EU adequacy decision. The transfer mechanism relied upon is the EU Standard Contractual Clauses (SCCs) (Commission Decision 2021/914) incorporated into Shrobon’s Data Processing Agreement with EU Clients. A Transfer Impact Assessment (TIA) is conducted for Singapore as the destination country.

GDPR Rights (Articles 15–22)

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / “right to be forgotten” (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object — including to automated decision-making and profiling (Arts. 21–22)
  • Right to withdraw consent at any time without prejudice to prior processing (Art. 7(3))
  • Right to lodge a complaint with your national Data Protection Authority (DPA)

Data Processing Agreement (DPA)

Shrobon provides a GDPR-compliant Data Processing Agreement to all EU/EEA Clients. This DPA satisfies the requirements of GDPR Article 28 and covers: subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and obligations of both parties. Contact dpo@oleyn.ai to obtain the DPA.

Representative: Shrobon does not currently maintain a formal EU Art. 27 representative. EU Clients processing significant volumes of EU personal data through Shrobon should raise any representative requirement with our DPO.

Breach notification: Where Shrobon becomes aware of a personal data breach affecting EU/EEA individuals, we will notify the affected Client within 24 hours to enable the Client to fulfil their 72-hour regulatory notification obligation.

13.3 United Kingdom — UK GDPR and Data Protection Act 2018

The UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018 apply to processing of personal data of individuals located in the United Kingdom.

Shrobon’s commitments under UK GDPR mirror those described in Section 13.2 (EU GDPR) with the following differences:

  • Transfer mechanism: Shrobon relies on the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs for transfers of UK personal data to Singapore
  • Supervisory authority: The Information Commissioner’s Office (ICO) at ico.org.uk
  • Breach notification: Shrobon will notify affected Clients within 24 hours to enable their 72-hour ICO notification
  • UK GDPR representative: Contact dpo@oleyn.ai for information on our UK representative position

UK Resident Rights

UK residents hold the same rights as EU residents (Art. 15–22 equivalent), and may lodge complaints with the ICO. Subject Access Requests should be directed to dpo@oleyn.ai with subject line “UK SAR”.

13.4 Australia — Privacy Act 1988 (Cth), Australian Privacy Principles (APPs)

The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to Shrobon’s processing of personal information of individuals in Australia. Shrobon is subject to the Privacy Act as an overseas organisation that collects personal information from individuals in Australia and carries on business in Australia through its Australian Clients.

The Privacy and Other Legislation Amendment Act 2024 strengthened Australia’s privacy framework effective December 2024. Key updates affecting Shrobon include:

  • Strengthened APP 8 cross-border disclosure obligations: Shrobon’s contracts with Australian Clients include enforceable APP-equivalent privacy obligations as the APP 8.1 transfer mechanism
  • New doxxing criminal offence: Shrobon’s terms prohibit any use of the platform to publish personal information to cause harm
  • Statutory privacy tort (in force June 2025): Individuals may sue for serious invasions of privacy — Shrobon’s practices are designed to prevent such intrusions
  • Automated decision-making disclosure (effective December 2026): Shrobon will assist Australian Clients in meeting forthcoming disclosure obligations for significant automated decisions

Cross-Border Transfers (APP 8)

Australian Clients’ personal information is processed on Shrobon’s Singapore-based infrastructure. Shrobon addresses APP 8 through contractual safeguards in its Australian Client agreements, binding Shrobon to handle Australian personal information in a manner consistent with the APPs.

Notifiable Data Breaches (NDB) Scheme

Shrobon will notify affected Australian Clients promptly upon discovering an eligible data breach involving Australian personal information. This enables the Client to assess their NDB obligations and, where required, notify the OAIC and affected individuals. OAIC contact: www.oaic.gov.au.

Australian Privacy Rights

  • Right to know what personal information is held and to access it (APP 12)
  • Right to correct inaccurate, out-of-date, incomplete, irrelevant or misleading personal information (APP 13)
  • Right to complain to the Office of the Australian Information Commissioner (OAIC)
  • Right to seek review of a decision refusing access or correction

Australian Clients and End Users may direct privacy inquiries to dpo@oleyn.ai with subject line “Australian Privacy Request”. We respond within 30 days.

13.5 Bangladesh

As of the effective date of this policy, Bangladesh does not have a fully enacted comprehensive personal data protection law. The draft Personal Data Protection Act received Cabinet approval in principle in November 2023, and a Data Protection Ordinance 2025 has been proposed but not yet enacted. The primary applicable legal framework comprises the Cyber Security Act 2023 and the Information and Communication Technology Act 2006.

Shrobon’s Approach for Bangladeshi Clients

  • Shrobon voluntarily applies its full PDPA-standard data protection practices to all personal data processed on behalf of Bangladeshi Clients, in the absence of a locally equivalent legal requirement
  • Personal data of Bangladeshi end users is stored on Singapore-based infrastructure. No enacted Bangladeshi law currently restricts the transfer of personal data to Singapore
  • Shrobon continuously monitors legislative developments in Bangladesh. When a comprehensive data protection law is enacted, Shrobon will promptly update its practices and Data Processing Agreement to ensure compliance
  • Bangladeshi Clients are encouraged to ensure their own users are informed about data collection and use in a manner consistent with emerging Bangladeshi data protection principles
  • Prospective notice: If Bangladeshi data protection legislation is enacted and imposes requirements that affect Shrobon’s practices, Shrobon will notify Bangladeshi Clients at least 60 days before implementing changes to ensure a smooth transition

13.6 United States — CCPA/CPRA (California) and General

Shrobon does not currently have a significant presence in the United States and does not actively market to US consumers. However, to the extent that Shrobon processes personal information of California residents on behalf of Clients, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may apply.

CCPA/CPRA — Shrobon’s Role

Where a California-based Client processes personal information of California consumers through Shrobon, the Client is the “Business” under CCPA and Shrobon is a “Service Provider”. Shrobon does not:

  • Sell personal information to third parties
  • Share personal information for cross-context behavioural advertising
  • Use personal information collected under a service provider relationship for any purpose other than providing the contracted service

California Consumer Rights

  • Right to Know: What categories of personal information are collected, used, or shared
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Correct inaccurate personal information
  • Right to Opt-Out of Sale or Sharing (not applicable — Shrobon does not sell or share data)
  • Right to Non-Discrimination: Exercising CCPA rights will not result in different service levels
  • Right to Limit Use of Sensitive Personal Information (if applicable)

California residents may submit requests to dpo@oleyn.ai with subject line “California Privacy Request”. We will respond within 45 days, extendable by a further 45 days with notice.

Other US States

Shrobon monitors the expanding patchwork of US state privacy laws (Virginia CDPA, Colorado CPA, Texas TDPSA, etc.) and will update this policy as these laws materially affect our operations. Shrobon’s universal practices — data minimisation, purpose limitation, security, and user rights — align with the core requirements of enacted US state privacy laws.

13.7 Canada — PIPEDA and Quebec Law 25

Where Shrobon processes personal information of Canadian individuals in the course of commercial activities, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws apply. For Quebec-resident individuals, Law 25 (Act to Modernize Legislative Provisions as regards the Protection of Personal Information) imposes additional requirements.

Shrobon’s Commitments for Canadian Users

  • Personal information is collected with knowledge and consent, and used only for the purposes identified
  • Individuals may access personal information held about them and challenge its accuracy
  • Personal information is protected by security safeguards appropriate to its sensitivity
  • A Privacy Officer / DPO is designated — contact dpo@oleyn.ai
  • Privacy practices are available upon request

Quebec Law 25 — Additional Requirements

  • Privacy Impact Assessments (PIAs) are conducted before any new collection or use of personal information
  • Explicit consent is obtained for collection and communication of personal information to third parties
  • A privacy policy is published and kept up to date — this document satisfies that requirement
  • Personal information is anonymised when the purposes for which it was collected are achieved

Canadian Privacy Rights

  • Right to access personal information held by Shrobon
  • Right to challenge the accuracy and completeness of personal information
  • Right to withdraw consent (subject to legal and contractual limitations)
  • Right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or with the Commission d’accès à l’information (CAI) for Quebec residents

13.8 ASEAN — Malaysia, Philippines, Thailand, Indonesia, and Others

Shrobon may process personal data of individuals in other ASEAN member states where Clients operate. Shrobon applies its PDPA-standard baseline practices across all ASEAN jurisdictions and additionally monitors and aligns with country-specific requirements:

Country | Primary Law | Key Requirement for Shrobon
Malaysia | Personal Data Protection Act 2010 (PDPA MY) | Seven data protection principles; no cross-border transfer to non-whitelisted countries without consent — Singapore is permitted
Philippines | Data Privacy Act 2012 (DPA PH) | NPC registration for data processors; data subject rights; 72-hour breach notification
Thailand | Personal Data Protection Act 2019 (PDPA TH) | Consent-heavy framework; DPO requirement for large-scale processing; cross-border transfer restrictions
Indonesia | Personal Data Protection Law 2022 | Data controller/processor distinction; consent; breach notification within 14 days; DPO for high-risk processing
Vietnam | Decree 13/2023/ND-CP | Consent and processing purpose transparency; cross-border transfer approval may be required

Where a specific ASEAN jurisdiction’s law imposes requirements more stringent than Shrobon’s PDPA baseline, Shrobon will implement those requirements for data processed on behalf of Clients in that jurisdiction. Clients with operations in specific ASEAN countries should confirm compliance requirements with their local legal counsel and contact dpo@oleyn.ai to discuss any specific contractual needs.

14. Children’s Data

Shrobon is a business-to-business platform not directed at children. We do not knowingly collect personal data from children under 13 years of age. Where applicable laws set a higher minimum age (e.g., 16 under GDPR, 18 under Bangladesh’s draft PDPA), we apply the locally applicable standard for Clients operating in those jurisdictions.

Clients deploying Shrobon in consumer-facing contexts where children may be users are responsible for:

  • Obtaining appropriate parental or guardian consent in accordance with applicable local law
  • Complying with the PDPC’s Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (March 2024) for Singapore operations
  • Complying with equivalent children’s data protection requirements in other jurisdictions (GDPR Art.8, Australia’s forthcoming Children’s Online Privacy Code)
  • Configuring age verification and parental consent mechanisms in their own systems before processing children’s data through Shrobon

15. Changes to This Policy

We may update this Global Privacy Policy periodically to reflect changes in our services, technology, or legal obligations across jurisdictions. We will:

  • Notify Clients of material changes by email at least 14 days before the effective date
  • Maintain a version history of this policy at enterprise.shrobon.com/privacy-policy
  • Provide a summary of key changes for any major update

Your continued use of Shrobon after the effective date of an update constitutes acceptance of the revised policy. If you do not accept a material change, you may terminate your subscription in accordance with our Terms of Service.

16. Contact Us

DATA PROTECTION OFFICER

Oleyn Pte. Ltd. (UEN: 202432609R)

Singapore

Email: dpo@oleyn.ai  |  Phone: +65 8960 1986

For privacy enquiries: Subject line: “Privacy Concern”

For data rights requests: Subject line: “Data Rights Request — [your jurisdiction]”

For breach reports: Subject line: “URGENT — DATA BREACH”

We aim to acknowledge all privacy enquiries within 2 business days and provide a substantive response within 30 days.

This Global Privacy Policy is governed by the laws of the Republic of Singapore, without prejudice to mandatory consumer protection provisions in other applicable jurisdictions.