1. Who We Are
Company: Gold Evolution
UEN: 202443296N
Country: Singapore
DPO: Muhd Nazrullah
Gold Evolution ("we", "us", "our") is the data controller for personal data collected through our gold trading platform. We are committed to protecting your privacy and complying with the Personal Data Protection Act 2012 (PDPA) of Singapore.
2. Data We Collect
We collect and process the following categories of personal data:
Identity & KYC Data
- Full legal name
- NRIC / FIN number (hashed — we store only the last 4 digits in plain text)
- Mobile phone number
- Email address
Financial Data
- Gold holdings balance (grams)
- Bank account name, number, and bank name (for payouts)
- Transaction history (purchases and sales)
- Payment proof images uploaded by you
- Invoices generated by the platform
Account & Technical Data
- Username and referral code
- Account creation date and login timestamps
- IP address (collected by Cloudflare for DDoS protection)
- Browser and device type (collected by Netlify/Cloudflare)
We do not collect or store full NRIC/FIN numbers in plain text. They are hashed using SHA-256 on submission and only the last 4 characters are retained for display purposes.
3. How We Use Your Data
- Account creation and authentication — to create and secure your account
- KYC / identity verification — to comply with our obligations under applicable financial regulations
- Transaction processing — to record gold purchases and sales
- Payment processing — to verify payment proof and credit your account
- Payout disbursement — to transfer funds to your registered bank account
- Fraud detection and security — to detect suspicious activity and protect your account
- Customer support — to respond to your queries
- Legal compliance — to retain records as required by law (7-year financial record-keeping)
- Platform communications — transactional emails such as account verification and password reset
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis for Processing
Under the PDPA, we rely on the following bases to process your personal data:
- Consent — you explicitly consent at account creation
- Contract — processing is necessary to provide our gold trading services to you
- Legal obligation — we are required to retain financial records for 7 years under Singapore law
- Legitimate interests — fraud prevention and security monitoring
5. Third-Party Processors
We use the following trusted third-party services. All have signed Data Processing Agreements (DPAs) where applicable. We remain responsible for ensuring they handle your data appropriately.
Supabase
Database, authentication, and file storage. Hosted in Singapore (ap-southeast-1).
Cloudflare
DDoS protection, CDN, and bot/captcha (Turnstile). US-based.
Resend
Transactional email delivery (via Supabase). US-based.
Anthropic
AI-assisted payment proof screening (Claude API). US-based. Only payment proof images are analysed; no identity data is sent.
GoldAPI.io
Live gold price data feed. No personal data is transmitted.
Some processors (Netlify, Cloudflare, Resend, Anthropic) are located outside Singapore. Where personal data is transferred internationally, we ensure adequate protections are in place through contractual safeguards.
6. Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
- Active accounts — data is retained for the lifetime of your account
- Financial records (transactions, invoices, payment proofs) — retained for 7 years from the date of the transaction, in compliance with Singapore's financial record-keeping requirements
- Deleted accounts — upon a verified account deletion request, we will anonymise or delete your personal data within 30 days, except where we are legally required to retain certain records (e.g., financial records subject to the 7-year rule)
- Security logs — IP address and access logs are retained for up to 90 days
7. Your Rights Under PDPA
As a data subject under Singapore's PDPA, you have the following rights:
Right to Access
You may request a copy of the personal data we hold about you. Contact our DPO at hello@goldevolutionsg.com. We will respond within 30 days.
Right to Correction
If your data is inaccurate or incomplete, you may request corrections through your profile settings in the app, or by contacting our DPO.
Right to Withdraw Consent
You may withdraw your consent to data processing at any time. Please note that withdrawing consent may prevent us from providing our services to you.
Right to Erasure (Account Deletion)
You may request deletion of your account and personal data. Submit a request through your profile page in the app or by emailing hello@goldevolutionsg.com. We will process your request within 30 days, subject to our legal retention obligations.
Right to Data Portability
You may request an export of your personal data in a machine-readable format.
If you are dissatisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
8. Security Measures
We implement appropriate technical and organisational measures to protect your data:
- All data transmitted over HTTPS with HSTS enforcement
- NRIC/FIN hashed with SHA-256 before storage
- Row-level security on all database tables (users can only access their own data)
- Authentication managed by Supabase with brute-force protection and leaked-password detection
- Cloudflare Turnstile bot protection on sign-up, sign-in, and password reset
- Strict Content Security Policy (CSP) headers on all pages
- Service-role database credentials are never exposed to the browser
- Payment proof image analysis performed server-side via Supabase Edge Functions
- Access to admin functions protected by JWT role claims
9. Data Breach Procedure
In the event of a data breach, we follow this 5-step procedure in accordance with PDPA mandatory breach notification requirements:
- Contain (0–2 hours) — Immediately isolate affected systems, revoke exposed credentials, and suspend relevant services to prevent further data exfiltration.
- Assess (2–24 hours) — Identify the scope of the breach, determine what categories of personal data were affected, and estimate the number of individuals impacted.
- Notify PDPC (within 3 days) — If the breach is likely to result in significant harm, notify the Personal Data Protection Commission (PDPC) within 3 calendar days of discovery, as required under the PDPA.
- Notify Affected Individuals (within 3 days) — Contact affected users directly via email with a clear description of: (a) what data was compromised, (b) what we have done to address it, and (c) what steps they should take to protect themselves.
- Review & Document (within 30 days) — Conduct a full post-incident review, document the breach in our internal data breach register, implement corrective measures, and update policies as needed.
If you suspect unauthorised access to your account, contact us immediately at hello@goldevolutionsg.com or via WhatsApp at +65 8335 8410.
10. Cookies & Tracking
Our platform uses minimal tracking technologies:
- Session storage — used to maintain your login session within the browser. This is cleared when you close the browser tab.
- Cloudflare cookies — set by Cloudflare for security and bot detection purposes. These are strictly necessary and cannot be opted out of while using our platform.
We do not use advertising cookies, analytics tracking, or any third-party marketing pixels.
11. Children's Privacy
Our platform is intended for individuals aged 18 and above. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, please contact us immediately at hello@goldevolutionsg.com and we will delete the account.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and display a notice in the app at least 14 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
Your continued use of our services after the effective date constitutes acceptance of the updated policy.