Privacy Policy

Effective Date: January 21, 2026

Last Updated: January 21, 2026

Document Version: 1.0

1. Introduction

PropAsia Pte. Ltd. ("Company," "we," "us," "our," or "Platform") is committed to protecting your privacy and ensuring you have a positive experience on our real estate platform. This Privacy Policy outlines how we collect, use, disclose, and process your personal information in compliance with applicable data protection laws, including:

General Data Protection Regulation (GDPR) - European Union
Personal Data Protection Act (PDPA) - Thailand
Personal Data Protection Act (PDPA) - Malaysia
Law on Personal Data Protection (LGPD) - Brazil
Philippine Data Privacy Act (DPA) - Philippines
Law on Personal Data Protection (LGPD) - Vietnam

We operate in multiple Southeast Asian countries: Philippines, Thailand, Malaysia, Cambodia, and Vietnam.

Important Notice: This is a template for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.

2. Definitions

Personal Information means any information relating to an identified or identifiable natural person, including but not limited to:

Name, email address, phone number
Postal address and location data
Payment and financial information
Device identifiers and IP addresses
Cookies and tracking technologies
Professional information and property preferences
Communication records

Processing means any operation performed on Personal Information, such as collection, recording, organization, storage, adaptation, retrieval, use, transmission, or deletion.

Data Controller means the entity determining the purposes and means of processing Personal Information.

Data Processor means the entity processing data on behalf of the Controller.

3. Data Controller Information

Company Name: PropAsia Pte. Ltd.

Registered Address: 1 Raffles Place, #20-61 One Raffles Place Tower 2, Singapore 048616

Country of Registration: Singapore

Company Registration Number: 202400001A

Data Protection Officer: privacy@propasia.life

Email: support@propasia.life

Website: https://www.propasia.life

Note: This policy applies to all users globally. Operations are centralized in the Philippines.

4. Categories of Personal Information Collected

4.1 Information You Provide Directly

Account Registration:

Full name
Email address
Phone number
Password and authentication credentials
Date of birth
Gender
Nationality
Identification documents (ID card, passport)
Tax identification number

Profile Information:

Biography and professional background
Company/organization name and details
Job title and designation
Profile photograph
Preferred language and communication methods
Property preferences and interests

Communication Data:

Messages sent through the Platform
Inquiries about properties
Customer support communications
Feedback and survey responses
Complaints and dispute information

Property Listing Information:

Descriptions of properties
Photographs and media files
Property specifications and features
Pricing information
Lease/sale terms

Payment Information:

Credit card details (tokenized, not stored)
Bank account information
Billing address
Transaction history
Invoice and receipt data

4.2 Information Collected Automatically

Device Information:

Device type, model, and operating system
Browser type and version
Mobile app version
Screen resolution and settings

Usage Information:

Pages viewed and features accessed
Time and duration of activities
Search queries and filters used
Property interactions (views, saves, inquiries)
Links clicked
Actions performed on the Platform

Location Information:

GPS coordinates (with permission)
WiFi access point data
IP-based geolocation
Regional settings

Tracking Technologies:

Cookies (first-party and third-party)
Web beacons and pixels
Local storage and session storage
Analytics tools
Mobile identifiers (IDFA, Android ID)

4.3 Information from Third Parties

From Payment Processors:

Payment status and history
Transaction confirmations
Fraud detection flags

From Identity Verification Services:

Verification status
Validation results
Age confirmation

From Marketing Partners:

Audience segmentation data
Interest and behavior profiles
Campaign interaction data

From Property Databases:

Public property records
Market data and valuations
Neighborhood information

From Social Media:

Profile information (if linked)
Contact lists (if permitted)
Social media activity related to real estate

From Other Users:

References and reviews about your properties or transactions
Communications mentioning you
Reports about your conduct

5. Purpose of Data Processing

5.1 Service Delivery

We process your Personal Information to:

Create and maintain your account
Verify your identity and prevent fraud
Process property listings and transactions
Facilitate communication between buyers, sellers, and agents
Manage booking and scheduling of property viewings
Process payments and financial transactions
Provide customer support and technical assistance
Send transactional notifications (confirmations, updates, alerts)
Comply with contractual obligations

5.2 Platform Optimization

Analyze user behavior and platform usage patterns
Improve website and application performance
Enhance user experience and interface design
Debug technical issues and troubleshoot problems
Conduct A/B testing and optimization studies
Monitor service availability and security

5.3 Marketing and Communications

Send promotional materials and marketing communications
Provide property recommendations based on preferences
Notify you about new listings matching your criteria
Conduct market research and surveys
Request feedback and testimonials
Inform about special offers and discounts
Share company news and updates

Legal Basis: Legitimate interests or your explicit consent (depending on jurisdiction and communication type)

5.4 Analytics and Reporting

Generate statistical reports on platform usage
Analyze market trends and property data
Track campaign performance and effectiveness
Create aggregated demographic insights
Measure conversion rates and user engagement
Conduct business analysis for strategic planning

5.5 Legal and Compliance

Comply with legal obligations under applicable laws
Respond to government requests and legal processes
Prevent fraud, money laundering, and illegal activities
Enforce our Terms of Service and other agreements
Protect rights, property, and safety of all users
Maintain audit trails and compliance documentation
Resolve disputes and claims
Tax and regulatory reporting

5.6 Security and Fraud Prevention

Monitor suspicious activities and unauthorized access attempts
Implement anti-fraud mechanisms
Detect and prevent data breaches
Verify user identity and authorization
Maintain security logs and incident records

6. Legal Basis for Processing (GDPR/PDPA)

We process Personal Information based on:

Contractual Necessity - Performance of services you requested
Consent - Your explicit permission for specific processing activities
Legitimate Interests - Our business interests that don't override your rights
Legal Obligation - Compliance with laws and regulations
Public Task - Exercise of official authority
Vital Interests - Protection of life or health

6.2 PDPA Legal Bases (Thailand, Malaysia)

Contractual Performance - Fulfilling our agreement with you
Consent - Your voluntary agreement to processing
Legal Compliance - Meeting mandatory legal requirements
Legitimate Interests - Reasonable business interests
Establishment/Exercise of Legal Claims - Enforcing or defending legal positions

6.3 Philippine DPA

Consent - Your explicit authorization
Contractual Fulfillment - Service delivery obligations
Legal Obligation - Government and regulatory requirements
Vital Interests - Life-threatening emergency situations

7.1 Third-Party Service Providers

We may share Personal Information with:

Payment Processors:

Stripe, PayPal, local payment gateways
Purpose: Payment processing and fraud prevention
Data Processing Agreement: Yes

Cloud Infrastructure Providers:

AWS, Google Cloud, Azure
Purpose: Data storage and hosting
Data Processing Agreement: Yes

Analytics Providers:

Google Analytics, Mixpanel, Amplitude
Purpose: Usage analysis and performance optimization
Cookies: Yes, see Section 10

Communication Services:

Email delivery services (SendGrid, Mailgun)
SMS providers (Twilio, AWS SNS)
Push notification services
Purpose: Transactional and marketing communications

Customer Support Tools:

Zendesk, Intercom, Help Scout
Purpose: Support ticket management and live chat
Data: Name, email, communication history

Identity Verification Services:

Third-party KYC/AML providers
Purpose: User verification and fraud prevention

Mapping and Location Services:

Google Maps, Mapbox
Purpose: Property location display and navigation

7.2 Business Partners and Affiliates

Real estate agencies and brokers
Property management companies
Insurance providers
Title and escrow services
Co-marketing partners

Sharing: Limited to data necessary for specific purposes

7.3 Legal Requirements and Protection

We may disclose Personal Information when required by law:

Government agencies and law enforcement
Court orders and legal proceedings
Regulatory authorities
Compliance investigations
Protective orders and emergency situations

7.4 Business Transfers

In case of merger, acquisition, bankruptcy, or asset sale:

Your Personal Information may be transferred
You will be notified of any ownership change
Different privacy terms may apply

7.5 Aggregated and De-identified Data

Aggregated analytics (no individual identification)
Market research reports
Anonymized user behavior data
Publicly available statistics

No consent required for truly anonymized data that cannot be linked back to you.

8. International Data Transfers

8.1 Transfer Mechanisms

Intra-Regional Processing (Southeast Asia):

Data primarily processed within operational region
Servers located in country of origin when possible

Cross-Border Transfers:

For transfers outside the Southeast Asian region:

GDPR Users:

Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable
Binding Corporate Rules
Explicit consent with safeguards notification

PDPA Users (Thailand/Malaysia):

Model Clauses for PDPA
Equivalent protection assurances
Country-specific Data Processing Agreements

Philippine DPA Users:

Appropriate safeguards and technical measures
Contractual obligations on recipients
Written consent when legally required

8.2 Data Location

Primary Data Centers:

Southeast Asia (Philippines, Thailand, Malaysia)
Alternative: Singapore (regional backup)
Australia/New Zealand (disaster recovery)

Personal Data Handling:

Encrypted in transit (TLS 1.2+)
Encrypted at rest (AES-256)
Minimal cross-border transfer
Anonymized when possible

9. Data Retention

9.1 Retention Periods by Category

Active User Account Data:

Retained for duration of account plus 3 years
Upon account deletion: Anonymized within 30 days
Exception: Legal obligations may extend retention

Transaction Records:

Retained for 7 years (tax and regulatory compliance)
Payment information: Purged after transaction confirmation
Invoice copies: 7 years (Philippines, Thailand, Malaysia tax law)

Communications:

Retained for 2 years after last interaction
Legal disputes: Until resolution + 1 year
Marketing opt-outs: 10 years (CAN-SPAM/CASL compliance)

Location Data:

Real-time tracking: Deleted within 24 hours
Historical location: 90 days
With persistent consent: User-controlled retention

Cookies and Tracking:

Session cookies: Deleted upon logout
Persistent cookies: 12-24 months
Analytics data: 26 months (Google Analytics default)

Identity Verification Data:

Kept for 5 years (AML/KYC compliance)
Fraud flags: Extended retention if ongoing investigation

Support and Complaint Records:

5 years (dispute resolution and legal protection)

Marketing Data:

Retained until opt-out or account deletion
Inactive contacts: Re-engagement every 12 months

9.2 Secure Deletion

Upon deletion request or retention period expiration:

Data deleted from active systems immediately
Backup archives (cold storage) retained for up to 1 year for disaster recovery
Backups are encrypted and isolated from active access
Cryptographic erasure used when applicable
Deletion confirmed in writing upon request

Important Note on Backup Retention: Due to the technical nature of backup systems, complete erasure from all backup media requires the natural rotation cycle of our backup infrastructure. During this period, your data in backups is:

Encrypted at rest (AES-256)
Access-controlled with strict audit logging
Never used for any purpose other than disaster recovery
Automatically purged when backup media is rotated

10. Cookies and Tracking Technologies

Essential Cookies:

Session management and authentication
CSRF protection
Security functions
Duration: Session-based
Consent Required: No (GDPR exception)

Performance Cookies:

Google Analytics for usage analytics
Crash reporting and stability monitoring
Duration: 26 months
Purpose: Understand user behavior
Consent Required: Yes (GDPR/PDPA)

Functional Cookies:

Save user preferences and settings
Remember login status
Duration: 12 months
Purpose: Enhanced user experience
Consent Required: No (legitimate interest) or Yes (GDPR strict)

Marketing Cookies:

Retargeting and pixel tracking
Audience segmentation
Ad campaign tracking
Providers: Facebook Pixel, Google Ads, TikTok Pixel
Duration: 12-24 months
Consent Required: Yes (explicit consent)

Third-Party Analytics:

Mixpanel, Amplitude, Hotjar
Purpose: Advanced analytics and heatmaps
Consent Required: Yes

10.2 Tracking Technologies

Web Beacons and Pixels:

Embedded images tracking page views
Email open tracking
Conversion tracking
Consent Required: Yes for non-essential

Local Storage and IndexedDB:

User preferences caching
Offline functionality
Duration: Until cleared by user

Server-Side Tracking:

Log file analysis
Conversion API tracking
Consent Required: No (server-level analytics)

User Controls:

Cookie consent banner on first visit
Settings page for cookie preferences
Ability to withdraw consent anytime
Clear instructions to manage browser cookies

Browser Settings:

Users can disable cookies in browser preferences
Effect: May limit Platform functionality

Cookie Consent Tools:

OneTrust, TrustArc, or equivalent
Granular consent by category
Consent records maintained
Easy withdrawal mechanism

10.4 Do-Not-Track (DNT) Signals

We respect browser DNT signals for personalized advertising but note that the DNT standard is not universally adopted.

11. Your Rights and Choices

11.1 General Rights (All Jurisdictions)

Right to Know/Access:

Request what Personal Information we hold
Receive copy in structured, commonly-used format
Timeline: 30 days
Fee: Free (additional copies may incur reasonable fee)

Right to Rectification/Correction:

Request correction of inaccurate data
Complete incomplete information
Timeline: 30 days

Right to Erasure/Deletion:

Request deletion of Personal Information
Exceptions: Legal obligations, legitimate business interests
Timeline: 30 days
Limited exceptions for backup retention

Right to Restrict Processing:

Request limitation on processing activities
We maintain data but limit use
Useful pending deletion or dispute resolution

Right to Data Portability:

Receive Personal Information in machine-readable format
Transfer to another service provider
Timeline: 30 days
Format: CSV, JSON, or equivalent

Right to Object:

Object to marketing communications
Object to profiling and automated decision-making
Object to legitimate interest processing
Timeline: 10 days
Automatic opt-out for marketing upon request

Right to Not Be Subject to Automated Decision-Making:

Request human review for decisions affecting rights
Exceptions: Necessary for contract, legal obligation, or explicit consent
Transparency regarding automated decisions

Right to Withdraw Consent:

Withdraw consent anytime
Does not affect lawfulness of prior processing
Effective immediately

11.3 Additional Rights (PDPA Users - Thailand/Malaysia)

Right to Know the Collection and Holding of Personal Data

Right to Request Access to Personal Data

Right to Correct Inaccurate or Outdated Personal Data

Right to Request Deletion of Personal Data

Right to Request Suspension of Personal Data Usage

Right to Lodge a Complaint with National Data Protection Authority

11.4 Additional Rights (Philippine DPA Users)

Right to Access Personal Information

Right to Rectification

Right to Object to Processing

Right to Erasure

Right to Lodge Complaint with National Privacy Commission

11.5 How to Exercise Your Rights

Submit Requests:

Email: privacy@propasia.com
Mailing Address: [Company Address]
Through Platform Settings: Account > Privacy Settings
Contact Form: www.propasia.com/privacy-request

Required Information:

Your name and verified email
Description of request
Specific data or rights involved
Preferred language for response

Response Timeline:

Acknowledgment: 3 business days
Full response: 30 calendar days
Extension: Up to 60 days for complex requests (with notice)

No Discrimination:

Exercise of rights will not result in unequal service or higher charges
Exception: Where legally permitted for service cost differences

12. Children's Privacy (COPPA)

12.1 Age Restrictions

The Platform is not intended for children under 13 years old (or equivalent age of digital responsibility in your jurisdiction).

Prohibited Use:

Children under 13 cannot create accounts
Children under 16 (EU) cannot provide consent independently

For users ages 13-16 (or equivalent):

Parental/guardian consent required
Mechanism: [Platform method to be implemented]
Affirmative consent, not opt-out
Verification required

12.3 Child Data Handling

If we inadvertently collect data from children under 13:

Immediate deletion (within 30 days)
Parent/guardian notification
No secondary use or retention
No marketing to child

12.4 Safe Practices

No behavioral advertising to users under 16
No collection of precise location from minors
Parental override controls available
Educational resources on privacy provided

13. Security Measures

13.1 Technical Safeguards

Encryption:

In Transit: TLS 1.2 or higher
At Rest: AES-256 bit encryption
Database: Column-level encryption for sensitive data

Access Controls:

Role-based access control (RBAC)
Principle of least privilege
Multi-factor authentication (MFA) for employees
API key rotation and management

Infrastructure Security:

Firewalls and intrusion detection
DDoS protection
Regular penetration testing
Security patch management (monthly)

Data Minimization:

Collect only necessary data
Tokenization of payment information
Pseudonymization where possible
Data masking in non-production environments

13.2 Organizational Safeguards

Personnel Security:

Background checks for data handlers
Confidentiality agreements and NDAs
Security awareness training (quarterly)
Data handling policy compliance

Vendor Management:

Data Processing Agreements required
Regular security audits
Sub-processor notification
Compliance certifications reviewed

Incident Response:

24/7 monitoring and alerting
Incident response plan (tested quarterly)
Breach notification within 72 hours (GDPR)
Forensic analysis and documentation

13.3 Limitations

While we implement comprehensive security measures, no system is completely secure. We cannot guarantee absolute security against all threats.

14. Data Processing Agreements

Standard Contractual Clauses (SCCs):

Included in all vendor contracts
Module-based approach (Processor to Processor, Controller to Processor)
Current version incorporating GDPR Article 28 requirements

DPA Availability:

Available upon request
Contact: privacy@propasia.com
Template: Attached to service agreements

14.2 PDPA Data Processing Agreements

Personal Data Processing Contracts:

Equivalent to GDPR DPAs
Aligned with Thai/Malaysian PDPA requirements
Template available for business partners

14.3 Sub-Processor Management

Sub-processor List:

Maintained at www.propasia.com/sub-processors
Updated within 30 days of changes
Opt-out notification for new sub-processors (GDPR users)

Sub-processor Rights:

Opportunity to object to new sub-processors
Contact privacy@propasia.com within 15 days
Alternative processing arrangements if requested

15. Privacy by Design and Default

15.1 Privacy Engineering Practices

Privacy impact assessments (DPIA) for new features
Privacy requirements in design phase
Automated consent collection and management
Legitimate interest assessments (LIA)
Regular privacy audits

15.2 Data Protection Impact Assessments (DPIA)

Conducted for:

Large-scale personal data processing
Biometric or genetic data processing
Automated decision-making with legal/significant effects
Vulnerable population processing
Cross-border data transfers

Documentation:

Available to supervisory authorities upon request
Shared with users upon request
Mitigation measures identified and implemented

15.3 Default Settings

Privacy-protective default settings
Minimal data collection active by default
Marketing opt-in (not opt-out)
Limited data sharing enabled by default
User control maximized

16. Automated Decision-Making and Profiling

16.1 Automated Decisions Using Personal Data

Property Recommendations:

Algorithm-based suggestion of listings
Based on search history, preferences, and behavior
Right to Explanation: Available upon request
Manual Review: Requestable for significant decisions

Fraud Detection and Risk Scoring:

Automated transaction risk assessment
Account activity anomaly detection
Transparency: Notification of flagged activities
Appeal Process: Available upon request

Creditworthiness Assessment:

Automated eligibility scoring for financing options
Based on transaction history, payment records
Legal Right: Automatic right to human review
Explanation: Provided upon request

16.2 Profiling and Segmentation

Marketing Profiling:

User segmentation by interests, behavior
Personalization of recommendations
Consent: Required for EU users (marketing)
Opt-out: Available anytime

Targeted Advertising:

Interest-based segmentation
Behavioral targeting
Lookalike audience creation
Control: Detailed preference settings available

16.3 User Rights in Automated Processing

Right to request human review
Right to explanation of decision logic (general terms)
Right to contest automated decisions
Appeal process available
Transparency documentation provided

17. Third-Party Links and External Services

17.1 Third-Party Services

The Platform may contain links to:

Mortgage and financing providers
Insurance companies
Property valuation services
Government registration portals
Social media platforms

Disclaimer:

We are not responsible for third-party privacy practices
Review their privacy policies independently
We do not endorse or control third-party services
Different terms may apply

Linking Your Account:

Optional account linking to Facebook, Google, Apple
Requested permissions displayed
Can unlink anytime from account settings

Data Shared:

Only publicly available profile information
Not automatic friend list or message access
Limited to what you authorize

Third-Party Analytics:

Social media platforms collect your activity
Governed by their respective privacy policies
Not under our control

18. California Privacy Rights (CCPA/CPRA)

18.1 California Consumer Privacy Act (CCPA)

For California residents, additional rights apply:

Right to Know:

Categories of Personal Information collected
Purposes of collection and use
Categories of sources
Categories of third parties receiving data

Right to Delete:

Request deletion of collected Personal Information
Exceptions: Legally required retention, contract fulfillment

Right to Opt-Out:

"Do Not Sell or Share My Personal Information"
Optional: Sale of Personal Information to third parties
Takes effect within 45 days

Right to Limit Use and Disclosure:

Limit use to necessary service provision
Opt-out of sensitive Personal Information processing

Right to Non-Discrimination:

No price differences or service degradation
Exception: Legally permitted discounts for data collection consent

18.2 California Privacy Rights Act (CPRA)

Additional CPRA rights for California residents:

Right to Correct:

Request correction of inaccurate Personal Information

Right to Delete:

Enhanced deletion rights with limited exceptions

Right to Opt-Out:

Profiling and automated decision-making

Right to Limit:

Sensitive Personal Information processing

Authorized Agent:

Authorized representative can submit requests

California Attorney General:

May enforce on behalf of consumers
Contact: www.oag.ca.gov

19. Brazilian LGPD Rights

19.1 Lei Geral de Proteção de Dados (LGPD)

For residents of Brazil, the following rights apply:

Right of Access:

Confirmation of processing
Access to Personal Information held

Right to Correct:

Request correction of inaccurate data

Right to Delete (Right to Erasure):

Request deletion under legal grounds
Exception: Data legally required to be retained

Right to Restrict Processing:

Request processing limitation

Right to Data Portability:

Receive data in structured, machine-readable format

Right to Lodge Complaint:

File complaint with ANPD (Brazilian Data Protection Authority)

Right to Object:

Object to legitimate interest processing
Object to marketing communications

20. Contact and Complaints

20.1 Privacy Questions and Requests

Primary Contact:

Email: privacy@propasia.com
Response Time: 3 business days

Mailing Address:

Propasia Privacy Team
1 Raffles Place, #20-61 One Raffles Place Tower 2, Singapore 048616

Online Form:

www.propasia.com/privacy-contact

Regional Contacts:

Philippines:

Contact: Maria Santos (Privacy Officer)
Email: ph-privacy@propasia.com
Address: Unit 3001 The Podium West Tower, 12 ADB Avenue, Ortigas Center, Mandaluyong City 1550, Metro Manila
Phone: +63 2 8888 7777

Thailand:

Contact: Somchai Prasert (Privacy Officer)
Email: th-privacy@propasia.com
Address: Level 23, AIA Sathorn Tower, 11/1 South Sathorn Road, Yannawa, Sathorn, Bangkok 10120
Phone: +66 2 000 8888

Malaysia:

Contact: Ahmad Razak (Privacy Officer)
Email: my-privacy@propasia.com
Address: Level 15, Menara Hap Seng 2, Plaza Hap Seng, Jalan P. Ramlee, 50250 Kuala Lumpur
Phone: +60 3 2000 8888

Vietnam:

Contact: Ms. Nguyen Thi Lan (Local Representative per Decree 13/2023)
Email: vn-privacy@propasia.com
Address: Floor 12, Vietcombank Tower, 198 Tran Quang Khai Street, Hoan Kiem District, Hanoi 100000
Phone: +84 24 3888 7777

Cambodia:

Contact: Sokha Vann (Privacy Officer)
Email: kh-privacy@propasia.com
Address: Level 10, Vattanac Capital Tower, No. 66, Preah Monivong Blvd, Sangkat Wat Phnom, Khan Daun Penh, Phnom Penh 12202
Phone: +855 23 888 777

20.2 Supervisory Authority Complaints

GDPR Users (EU/EEA):

National Data Protection Authority
Right to lodge complaint without prejudice to other remedies
[List of authorities by country]

PDPA Users (Thailand):

Personal Data Protection Committee (PDPC)
Website: www.pdpc.go.th
Email: complaints@pdpc.go.th

PDPA Users (Malaysia):

Personal Data Protection Commissioner (PDPC)
Website: www.pdpc.gov.my
Email: enquiry@pdpc.gov.my

Philippine DPA Users:

National Privacy Commission (NPC)
Website: www.privacy.gov.ph
dpo_sec@privacy.gov.ph

Vietnamese Users:

Ministry of Public Security
Agency: Department of Cyber Security and High-Tech Crime Investigation

Brazilian LGPD Users:

Autoridade Nacional de Proteção de Dados (ANPD)
Website: www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd
Email: [ANPD Email]

21. Privacy Policy Changes

21.1 Updates and Modifications

We may update this Privacy Policy periodically to:

Reflect changes in our practices
Accommodate new legal requirements
Improve clarity and transparency
Address emerging privacy concerns

21.2 Notification of Changes

For Material Changes:

Email notification to all users
Banner notification on Platform
Prominent notice (at least 30 days before effective date)
Opt-out opportunity for certain non-essential processing

For Minor Changes:

Posted on Platform with updated date
Notice at top of Privacy Policy

Continued Use = Acceptance:

Continued use after notification constitutes acceptance
Withdrawal of consent available before effective date
Option to delete account if changes unacceptable

Specific Consent for Material Changes:

Re-consent requested for new processing purposes
Marketing opt-in re-consent if applicable

22. Glossary

Personal Information/Personal Data: Information relating to an identified or identifiable individual
Processing: Any automated or manual operation on personal data
Consent: Freely given, specific, informed, and unambiguous permission
Legitimate Interest: Lawful reason for processing that doesn't override individual rights
Data Subject: Individual to whom personal data relates
Data Controller: Entity determining processing purposes and means
Data Processor: Entity processing data on behalf of controller
Third Party: Any entity other than data subject, controller, or processor
Recipient: Entity receiving personal data
Sub-processor: Processor engaged by primary processor
DPIA: Data Protection Impact Assessment
DPA: Data Processing Agreement
Pseudonymization: Processing data so individual not identified without additional information
Anonymization: Processing data so individual cannot be identified under any circumstance

By using the Propasia Platform, you acknowledge that:

You have read and understood this Privacy Policy
You consent to processing of your Personal Information as described
You are of legal age in your jurisdiction (18 or older, or equivalent)
You have parental consent if applicable (ages 13-16 in applicable jurisdictions)
You understand our data collection and use practices
You accept the terms and conditions herein

24. Compliance Certification

This Privacy Policy was developed in compliance with:

GDPR (Regulation (EU) 2016/679)
PDPA - Thailand (B.E. 2562 (2019))
PDPA - Malaysia (Act 709 of 2010, as amended)
DPA 2018 - United Kingdom
Philippine Data Privacy Act (RA 10173)
Law on Protection of Personal Information - Vietnam
Brazilian LGPD (Law No. 13,709/2018)
COPPA (15 U.S.C. § 6501 et seq.) - as applicable
ePrivacy Directive (2002/58/EC) - Cookie compliance

Last Legal Review: January 21, 2026

Next Review Date: July 21, 2026 (6-month review cycle)

25. Signature Block

This Privacy Policy is effective as of the date stated above and remains in effect unless and until revised.

Propasia

Date: January 21, 2026

Version: 1.0

Document ID: PP-EN-2026-01

Appendix A: Data Processing Activities

See detailed data processing matrices at: www.propasia.com/data-processing-activities

Appendix B: Sub-Processor List

Current list maintained at: www.propasia.com/sub-processors

Appendix C: Country-Specific Contact Information

Regional contacts are listed in Section 3 and Section 20.1 of this Privacy Policy.

Appendix D: DPIA Summary

[Data Protection Impact Assessment summaries for major processing activities]

IMPORTANT DISCLAIMER

This is a template for informational purposes only and does not constitute legal advice. While this document attempts to address major privacy and data protection regulations in the Southeast Asian region, laws vary by jurisdiction and change frequently. You should:

Have this document reviewed by qualified legal counsel licensed in relevant jurisdictions
Ensure all placeholder sections are completed accurately
Conduct a Data Protection Impact Assessment (DPIA) for your specific operations
Implement adequate technical and organizational safeguards
Establish data processing agreements with all vendors
Maintain documentation of compliance efforts
Consider hiring a Data Protection Officer (DPO) if required
Conduct privacy training for all staff

DO NOT rely solely on this template without professional legal review.

Document Prepared By: Propasia Legal Team

Document Date: January 21, 2026

Document Status: Template - Requires Legal Review and Customization