GDPR Compliance Statement

Last Updated: May 22, 2026

Our Commitment to Data Protection

UrbanKey is committed to protecting the personal data of all individuals, including those in the European Economic Area (EEA), in accordance with the General Data Protection Regulation (GDPR). This statement outlines how we comply with GDPR requirements and protect your rights.

Legal Basis for Processing

We process personal data only when we have a legal basis to do so. Our legal bases include:

Consent

When you provide explicit consent for us to process your personal data for specific purposes, such as marketing communications or newsletter subscriptions.

Contractual Necessity

When processing is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

Legitimate Interests

When we have a legitimate business interest that does not override your fundamental rights and freedoms. This includes fraud prevention, direct marketing, and improving our services.

Legal Obligation

When we are required to process your data to comply with legal or regulatory obligations.

Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access

You have the right to request access to the personal data we hold about you and obtain information about how we process it.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain situations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates GDPR.

How to Exercise Your Rights

To exercise any of your rights under GDPR, please contact us at:

Email: [email protected]

Address: 152 Beach Road, Gateway East, Level 18, Unit 03, Singapore 189721

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Data Protection Officer

We have appointed a Data Protection Officer to oversee our GDPR compliance. You can contact our Data Protection Officer at the email address provided above.

International Data Transfers

When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions recognizing that certain countries provide adequate data protection
• Binding corporate rules for transfers within our organization

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication mechanisms
• Staff training on data protection and security
• Incident response and breach notification procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or internal policy requirements. Our specific retention periods are:

• Client records: 7 years after the end of the business relationship
• Marketing communications: Until you withdraw consent or object to processing
• Website analytics data: 26 months
• Transaction records: As required by applicable laws and regulations

Third-Party Processors

We work with third-party service providers who process personal data on our behalf. We ensure that all processors:

• Provide sufficient guarantees of GDPR compliance
• Process personal data only on our documented instructions
• Implement appropriate technical and organizational security measures
• Assist us in responding to data subject requests
• Notify us of any personal data breaches

Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect or process personal data from children. If you believe we have collected data from a child, please contact us immediately so we can delete it.

Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated statement on our website.

Contact Information

For any questions or concerns regarding our GDPR compliance or data protection practices, please contact us:

Email: [email protected]

Address: 152 Beach Road, Gateway East, Level 18, Unit 03, Singapore 189721