About This Policy
This Privacy Policy explains how MyCompany (Singapore) Pte Ltd ("MyCo", "we", "us", "our") collects, uses, discloses, and protects your personal data when you use our website (www.myco.com.sg), our client and professional portals, and the services we provide.
We are committed to protecting your personal data in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore and other applicable laws. By using our website or services, you acknowledge that you have read and understood this policy.
For our formal statutory data protection notice under the PDPA, see our PDPA Notice.
Personal Data We Collect
Data you provide to us
When you engage MyCo for professional services, create a platform account, or contact us, you may provide:
- Identity data: full name, NRIC or passport number (where required for KYC or statutory filing purposes)
- Contact data: email address, phone number, mailing address
- Business data: company name, UEN, registered address, financial year end, nature of business
- Financial data: retainer amounts, invoice details, and financial documents uploaded for service delivery
- Account credentials: email address and password (stored in encrypted form via Supabase Auth)
- Documents: financial records, statutory filings, and other files uploaded to the document vault
- Communications: messages exchanged through the platform messaging system or by email
Data generated through platform use
- Session tokens and authentication records used to maintain your login state
- Agreement acceptance records (timestamp, typed name) under the Electronic Transactions Act 2010
- Platform audit logs (for security and accountability purposes)
Data received from third parties
In the course of providing corporate secretarial services, we may receive or verify company information (registered address, directorship, share structure) from the Accounting and Corporate Regulatory Authority (ACRA) or similar public registries.
We do not collect sensitive personal data — including race, religion, health information, biometric data, or political views — unless specifically required for a statutory filing.
How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: to provide accounting, tax, corporate secretarial, payroll, and advisory services under your Letter of Engagement
- Account management: to create and maintain your platform account, assign your dedicated professional, and manage your engagement lifecycle
- Billing and payments: to generate invoices, process payments, and maintain financial records
- Regulatory compliance services: to perform KYC and AML/CFT checks; to prepare and file statutory returns with ACRA, IRAS, CPF Board, MOM, and other authorities on your behalf
- Communications: to send deadline reminders, agreement links, invoice notifications, and service updates
- Legal and regulatory obligations: to comply with our own statutory requirements and respond to lawful requests from authorities
- Platform security: to detect and prevent unauthorized access, fraud, and other security threats
We process your personal data on the basis of contractual necessity (to deliver your engagement), legal obligation (statutory requirements), and legitimate interest (platform security and firm operations). Where we rely on consent, you may withdraw it at any time — see Your Rights.
Who We Share Your Data With
Your assigned professional
Your client data is shared with your dedicated assigned professional on a strict need-to-know basis to enable service delivery under your Letter of Engagement. All professionals on the MyCo platform are bound by confidentiality obligations under their Professional Services Agreement with us.
Infrastructure providers
We use Supabase Inc. (United States) to host our database, authentication system, and platform infrastructure. Your data is stored on Supabase servers. See our International Transfers section and Supabase's privacy policy for further details.
Email services
We operate an email server at mail.myco.com.sg to send platform notifications — including agreement documents, invoice copies, and deadline reminders — via TLS-encrypted connections.
Regulatory and statutory bodies
We may be required — and in many cases professionally obligated — to disclose your personal data and company information to ACRA, IRAS, CPF Board, MOM, or other Singapore authorities in the course of providing our services or in response to lawful requests.
Legal advisors
In the event of a legal dispute, we may share relevant data with our legal advisors under strict confidentiality obligations.
We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.
International Data Transfers
Our platform infrastructure is hosted by Supabase Inc., a company incorporated in the United States. By using our platform, you acknowledge that your personal data is transferred to and stored in the United States.
We have taken steps to ensure adequate protections are in place for such transfers, including contractual safeguards with our data processors. Supabase complies with applicable international data protection frameworks.
Subject to the above, your personal data is otherwise retained within Singapore and is not transferred to other overseas recipients without your consent or as required by law.
Data Retention
We retain your personal data for as long as necessary for the purposes set out in this policy and to comply with applicable Singapore law. Key retention periods are:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Client accounting and financial records | 5 years from end of relevant financial year | Companies Act (Cap. 50) s.199; Income Tax Act (Cap. 134A) |
| Signed agreements and LOE acceptance records | 7 years from date of agreement | Limitation Act (Cap. 163) |
| Invoice and billing records | 5 years from date of invoice | Income Tax Act; ACRA requirements |
| Platform account data | Duration of engagement + 3 years after termination | Contractual; PDPA |
| Platform messages and communications | 3 years from date of communication | Legitimate interest |
| KYC and AML/CFT records | 5 years from end of business relationship | ACRA AML/CFT Notice |
After the applicable retention period, your data will be securely deleted or irreversibly anonymized.
Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted data transmission over HTTPS/TLS for all platform communications
- Row Level Security (RLS) at the database level, ensuring users can only access data within their own scope
- Hashed password storage — passwords are never stored in plaintext
- Email OTP magic link authentication and optional password-based login
- Role-based access controls (admin, client, professional) limiting data access to relevant scopes
While we take these measures seriously, no digital system is entirely secure. If you believe your account or our platform has been compromised, contact us immediately at hello@myco.com.sg.
In the event of a data breach likely to result in significant harm, we will notify you and the Personal Data Protection Commission (PDPC) as required under the PDPA Notification Obligation.
Your Rights Under the PDPA
Under the Personal Data Protection Act 2012 (Singapore), you have the following rights in respect of your personal data held by us:
- Right of access: you may request a copy of the personal data we hold about you, and information about how it has been used and disclosed in the past year
- Right of correction: you may request that we correct any personal data that is inaccurate, incomplete, or misleading
- Right to withdraw consent: where we rely on your consent to process your data, you may withdraw that consent at any time. Note that withdrawing consent to processing necessary for service delivery may mean we are unable to continue those services.
- Right to breach notification: we will notify you if a data breach is likely to result in significant harm to you, in compliance with the PDPA Notification Obligation
To exercise any of these rights, contact our Data Protection Officer at the details below. We will acknowledge your request within 3 business days and respond within 30 calendar days. A reasonable administrative fee may apply to requests that are manifestly unfounded or excessive.
Cookies
We use only strictly necessary cookies — specifically, authentication session tokens set by our platform infrastructure to keep you securely logged in. We do not use analytics, advertising, or third-party tracking cookies.
For full details on the cookies we use and how to manage them, see our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users via the platform or by email to the address on file.
The "Last updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this policy periodically.
Contact Us
For privacy-related queries, to exercise your PDPA rights, or to raise a data protection concern, please contact our Data Protection Officer: