PDPA Notice

Organisation Details

The organisation responsible for your personal data under this notice is:

Personal Data Collected

Depending on the nature of your interaction with us, we may collect the following categories of personal data:

• Identity and contact data: full name, NRIC or FIN (where required for statutory purposes), email address, phone number, correspondence address
• Business data: company name, UEN, registered address, business nature, financial year end, directorship and shareholding information
• Financial and engagement data: retainer fees, invoice details, financial statements, and supporting documents provided for the purpose of service delivery
• Platform account data: email address, authentication credentials, session records, and agreement acceptance records
• Communications: messages, instructions, and correspondence exchanged through the MyCo platform or by email
• Documents: statutory filings, financial records, and other documents uploaded to the client document vault

We do not intentionally collect sensitive personal data (including health, biometric, or religious data) unless specifically required for a statutory filing or legal purpose.

Purposes of Collection, Use, and Disclosure

Your personal data is collected, used, and disclosed for the following purposes:

1. 1Delivering the professional services you have engaged MyCo to provide, including accounting, corporate tax, personal tax, corporate secretarial, payroll, CPF administration, and advisory services, under your Letter of Engagement
2. 2Conducting Know-Your-Client (KYC) and Anti-Money Laundering / Countering the Financing of Terrorism (AML/CFT) checks, as required under ACRA's Notice for Registered Filing Agents and other applicable regulations
3. 3Creating and administering your client or professional account on the MyCo platform, including verifying your identity and matching you with your assigned professional
4. 4Billing, invoicing, and financial administration, including generating monthly retainer invoices and maintaining payment records
5. 5Preparing, lodging, and filing statutory returns and documents with ACRA, IRAS, CPF Board, MOM, and other Singapore regulatory authorities on your behalf
6. 6Communicating with you regarding your engagement, including deadline reminders, document requests, service updates, and agreement notifications
7. 7Complying with our own legal and regulatory obligations under the Companies Act, Income Tax Act, PDPA, and other applicable Singapore legislation
8. 8Responding to enquiries, complaints, and legal proceedings, and enforcing our contractual rights under the Client Master Agreement
9. 9Maintaining the security and integrity of the MyCo platform, including detecting and preventing unauthorized access and fraud

Disclosure to Third Parties

Your personal data may be disclosed to the following classes of recipients:

• Assigned professionals: independent professionals on the MyCo platform who are assigned to your account for service delivery, on a strict need-to-know basis
• Infrastructure service providers: Supabase Inc. (USA), which provides the database, authentication, and hosting infrastructure for the MyCo platform. Supabase processes data as a data processor under our instructions.
• Email service: MyCo's own email server (mail.myco.com.sg) for sending platform notifications and engagement-related communications
• Regulatory and statutory authorities: ACRA, IRAS, CPF Board, MOM, and other Singapore government bodies, where disclosure is required in the course of providing services or in response to lawful requests
• Legal advisors: where disclosure is required for the purpose of legal advice or proceedings, subject to legal professional privilege and confidentiality obligations

Cross-Border Data Transfers

As stated above, MyCo uses Supabase Inc. (incorporated in the United States) as its platform infrastructure provider. Your personal data — including account credentials, engagement data, and platform messages — is stored on Supabase servers in the United States.

We have ensured that adequate contractual safeguards are in place for this transfer in compliance with the PDPA's requirements on overseas transfers of personal data (Section 26 of the PDPA).

Apart from the above, your personal data is not transferred to other overseas recipients without your consent or where required or permitted by law.

Retention

We retain your personal data for no longer than is necessary for the purposes stated in this notice, and in compliance with applicable Singapore law. In general:

• Financial and accounting records are retained for a minimum of 5 years from the end of the relevant financial year, as required by the Companies Act (Cap. 50) and Income Tax Act (Cap. 134A)
• KYC and AML/CFT records are retained for 5 years from the end of the business relationship, as required by ACRA's AML/CFT Notice
• Signed agreements and acceptance records are retained for 7 years from the date of execution, under the Limitation Act (Cap. 163)
• Platform account data is retained for the duration of your engagement and for 3 years following termination

For full retention details, see our Privacy Policy — Data Retention section.

Your Rights Under the PDPA

Under the Personal Data Protection Act 2012, you have the right to:

• Access: request information about the personal data we hold about you and how it has been used or disclosed in the past year (Section 21 of the PDPA)
• Correction: request that we correct personal data that is inaccurate, incomplete, or misleading (Section 22 of the PDPA)
• Withdraw consent: withdraw your consent to the collection, use, or disclosure of your personal data at any time, subject to legal and contractual restrictions (Section 16 of the PDPA). Note that withdrawal of consent to processing necessary for service delivery may prevent us from continuing to provide those services.
• Data breach notification: be notified if a data breach involving your personal data is likely to result in significant harm to you (Part VIA of the PDPA)

We will acknowledge your request within 3 business days and respond fully within 30 calendar days. Response times for access requests and our right to charge a reasonable fee are subject to applicable PDPA provisions.

Contact Our Data Protection Officer

To exercise your rights, raise a data protection concern, or ask any question about how we handle your personal data, contact our Data Protection Officer:

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.