Privacy Policy

This Privacy Policy describes how CoolRIOTS Pte Ltd ("CoolRIOTS", "we", "us", or "our") collects, uses, and protects personal data in connection with our website at coolriots.ai and the BeX AI Platform. We comply with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR) 2016/679.

1. Who We Are

CoolRIOTS Pte Ltd is the data controller for personal data collected through our website and platform. We are incorporated in Singapore and our principal place of business is in Singapore.

For data protection enquiries, contact us at [email protected].

2. Data We Collect

We collect the following categories of personal data:

a) Data you provide directly

Name, email address, and company name (via contact form or account registration)
Messages and enquiries submitted through our contact form
Documents and files uploaded to the BeX AI Platform (e.g. insurance claim documents, legal contracts)
Event and workshop registration details for CoolRIOTS programmes

b) Data collected automatically

IP address, browser type, operating system, and device identifiers
Pages visited, referring URL, and time spent on pages
Interaction logs with the BeX AI Platform (prompts, responses, session identifiers)

c) Data from third parties

Analytics data from Cloudflare Web Analytics (privacy-first, cookie-free)
Bot-protection signals from Cloudflare Turnstile

3. How We Use Your Data

We use personal data for the following purposes:

Service delivery — to operate, maintain, and improve the BeX AI Platform and related services.
Communication — to respond to enquiries, send confirmations, and provide support.
Account management — to manage event registrations and BeX AI Platform access.
Security and fraud prevention — to protect the integrity of our systems and users.
Analytics — to understand usage patterns and improve our website and platform.
Legal compliance — to meet our obligations under applicable law.
Marketing — with your consent, to send relevant updates about our products and events.

We will not use your personal data for automated decision-making that produces legal or similarly significant effects without your explicit consent.

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases under Article 6 GDPR:

Contract performance (Art. 6(1)(b)) — processing necessary to deliver services you have requested or agreed to.

Legitimate interests (Art. 6(1)(f)) — operating and improving our platform, preventing fraud, and communicating with business contacts. Our legitimate interests are balanced against your rights and do not override them.

Legal obligation (Art. 6(1)(c)) — where processing is required by law.

Consent (Art. 6(1)(a)) — for marketing communications and any optional processing. You may withdraw consent at any time by contacting us at [email protected].

5. PDPA Obligations (Singapore)

As a Singapore-incorporated entity, we comply with the PDPA and its subsidiary legislation, including the Do Not Call (DNC) Provisions and the Data Breach Notification Obligation.

Consent — we collect personal data only with your knowledge and, where required, your consent.
Purpose limitation — personal data is collected only for purposes that a reasonable person would consider appropriate in the circumstances.
Notification — we notify you of the purposes for which data is collected at or before collection.
Access and correction — you may request access to or correction of your personal data held by us.
Data Portability — subject to PDPA provisions, you may request that we send your data to another organisation in a portable format.
Data Protection Officer — our Data Protection Contact can be reached at [email protected].
Data Breach — we will notify the Personal Data Protection Commission (PDPC) and affected individuals of any notifiable data breach within the required timeframes.

7. International Data Transfers

Your data may be processed outside Singapore or the EEA — for example, on Cloudflare's global network or Anthropic's infrastructure in the United States. Where such transfers occur, we ensure equivalent protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Binding Corporate Rules or equivalent safeguards

For PDPA purposes, we take contractual or other steps to ensure overseas recipients protect personal data to a standard comparable to the PDPA.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy:

Data Type	Retention Period
Contact form submissions	2 years from submission, unless an ongoing relationship exists
Platform session logs	90 days, then anonymised
Uploaded documents (insurance etc.)	30 days after claim/session close, then deleted from cloud storage
Event and programme registrations	2 years from the event date
Marketing consent records	Until consent is withdrawn, plus 1 year
Legal and tax records	7 years as required by Singapore law

9. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

Access — Request a copy of the personal data we hold about you.

Correction — Ask us to correct inaccurate or incomplete data.

Erasure — (GDPR) Request deletion of your data where there is no overriding legal basis for retention.

Restriction — (GDPR) Ask us to restrict processing in certain circumstances.

Portability — (GDPR / PDPA) Receive your data in a structured, machine-readable format.

Objection — (GDPR) Object to processing based on legitimate interests or for direct marketing.

Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Complaints — Lodge a complaint with the PDPC (Singapore) at www.pdpc.gov.sg, or your local supervisory authority (EEA/UK).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 30 business days (PDPA).

10. Cookies & Analytics

Our website uses Cloudflare Web Analytics — a privacy-first, cookie-free analytics solution that does not track individuals across sites or use persistent identifiers. No marketing or tracking cookies are set.

We also use Cloudflare Turnstile for bot protection on our contact form. Turnstile may process minimal telemetry signals but does not place persistent cookies or build user profiles.

If we introduce additional cookies in future, we will update this Policy and, where required, obtain your consent through a cookie banner.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include encryption in transit (TLS), access controls, and regular security reviews. However, no transmission over the internet is completely secure, and we cannot guarantee absolute security.

12. Children

Our website and platform are directed at businesses and professionals. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by posting the revised Policy on this page with an updated effective date. Where required by law, we will seek fresh consent. Continued use of our services after the effective date constitutes acceptance of the revised Policy.

14. Contact Us

For any privacy-related questions, requests, or complaints:

CoolRIOTS Pte Ltd

Data Protection Contact

Email: [email protected]

Web: coolriots.ai/contact