Privacy Policy

Last updated: 12 July 2026 · Singapore Personal Data Protection Act 2012 (PDPA)

GemXcal Holdings Pte. Ltd. (UEN 202608346C) operates HrCleo Marketing. This policy explains how we collect, use, disclose and protect personal data in accordance with the Singapore PDPA.

1. What we collect

Account data: name, email address, and authentication identifiers when you sign up or log in.

Workspace content: brand packs, campaign briefs, drafts, and approval records you create in the Service.

Contact data you upload: names, email addresses and phone numbers of your subscribers and leads, imported by you into audiences. For this data you are the controlling organisation and we process it on your instructions.

Usage data: page analytics (Google Analytics 4, IP-anonymised), audit logs of actions in your workspace, and support tickets you submit.

2. How we use it

To provide the Service: generating drafts, sending approved emails and messages, publishing approved posts, billing via Stripe, and responding to support requests.

To keep records required for compliance, including a log of AI-assisted content published through the Service (retained 12 months).

We do not sell personal data. We do not use your contact lists for our own marketing.

3. Consent and marketing messages

Emails and messages sent through HrCleo-M include an unsubscribe mechanism, and opt-outs are honoured automatically. When you import a contact list, you confirm the contacts gave consent (or another lawful basis applies) to receive your messages. Cold or advertisement sends are labelled in accordance with the Spam Control Act where applicable.

4. Disclosure to processors

We share data only with the processors needed to run the Service: Supabase (database and authentication), Stripe (payments), Brevo (email delivery), Upload-Post (social publishing), and Google Analytics (usage statistics). Each processes data under its own contractual safeguards. Some processors store data outside Singapore; we ensure comparable protection as required by the PDPA's transfer limitation obligation.

5. Protection and retention

Data is encrypted in transit, isolated per tenant with row-level security, and access-logged. We retain personal data only as long as needed for the purposes above or as required by law, then delete or anonymise it. Deleted records are first soft-deleted (retained, but hidden from your workspace) and are permanently purged on request — email our Data Protection Officer and we will complete the purge within 30 days.

6. Your rights

You may request access to or correction of your personal data, or withdraw consent, by emailing our Data Protection Officer at ops@gemxcal.com. We respond within 30 days. Withdrawing consent for essential processing may mean we can no longer provide the Service to you.

7. Cookies

We use cookies for login sessions and to remember your language, theme, and text-size preferences. Analytics cookies are used only for aggregate usage statistics.