🔥 Free Global Shipping on All Orders

Vaynera Privacy, Cookie & Buyer Protection Policy

ELAXCA Privacy Policy

Last Modified: 8 April 2026
Document Version: 3.0
Effective Date: 8 April 2026
Applicable Regions: Global (with specific focus on Malaysia, Singapore, EU, and international markets)
Platform: ELAXCA Global E-commerce Platform


INTRODUCTION & COMMITMENT

ELAXCA (“ELAXCA”, “we”, “our”, or “us”) is a Singapore-based global e-commerce platform committed to protecting your personal data and providing a secure, transparent, and reliable shopping experience across all our digital platforms. Our core values are “Built on Trust. Designed for Global Confidence.”

This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our website, mobile applications, services, and features. It also describes your rights regarding your personal data and how you can exercise those rights.

This policy is designed in accordance with global data protection standards and regional regulations:
Singapore: Personal Data Protection Act 2012 (PDPA)
Malaysia: Personal Data Protection Act 2010 (PDPA)
European Union: General Data Protection Regulation (GDPR) 2016/679
International Standards: ISO/IEC 27001 Information Security Management, PCI DSS Level 1 Payment Security
Insurance Compliance: Great Eastern Insurance partnership requirements


SCOPE & APPLICABILITY

1.1 Who This Policy Applies To
This policy applies to all individuals who access or use ELAXCA’s platform, including:
Visitors to our website and mobile applications
Registered users and account holders
Buyers and customers worldwide
Sellers and merchants on our platform
Individuals who interact with our customer support, insurance claims, or marketing communications

1.2 What This Policy Covers
This policy covers:
Collection, use, and processing of personal data for e-commerce transactions
Insurance claim processing and related data handling
Global logistics and delivery information management
Cookies and tracking technologies
Data security and protection measures including ISO 27001 and PCI DSS compliance
Your rights and choices regarding personal data
Cross-border data transfers across our global warehouse network
Contact information for privacy inquiries and data protection officer

1.3 Related Policies
Terms & Conditions: Link to ELAXCA Terms & Conditions
Shipping & Delivery Policy: Link to Shipping Policy with global warehouse details
Returns & Refunds Policy: Link to Returns Policy with insurance claim process
Cookie Policy: Link to Cookie Policy
Insurance Coverage Policy: Link to Great Eastern Insurance coverage details


PERSONAL DATA WE COLLECT

2.1 Categories of Personal Data
We collect the following categories of personal data:

2.1.1 Identity and Contact Information
Full legal name (as per government-issued identification)
Email address for account communication
Contact phone number(s) for delivery coordination
Shipping and billing addresses across multiple countries
Country of residence and preferred shipping destinations
Preferred language (English, Chinese, Malay, French, German) and currency

2.1.2 Transaction and Insurance Information
Order details, purchase history, and transaction records
Payment method details (processed securely via Stripe)
Insurance claim data when applicable
Delivery and shipping information across global warehouse network
Returns, refunds, and exchange records with insurance documentation

2.1.3 Account and Platform Usage Information
Username and password (encrypted and securely stored)
Account preferences, settings, and communication choices
Profile information (if provided voluntarily)
Platform usage patterns, search queries, and browsing behavior

2.1.4 Technical and Device Information
IP address and approximate geographical location for warehouse selection
Device information (type, model, operating system)
Browser type, version, and configuration
Pages visited, time spent, and navigation patterns
Referring website or marketing campaign sources
Cookie data and tracking information for platform optimization

2.1.5 Communication and Support Information
Customer support inquiries and resolution details
Insurance claim submissions and correspondence
Feedback, product reviews, and ratings
Survey responses (when voluntarily participated)
Marketing communication preferences and opt-in/opt-out status

2.1.6 Logistics and Delivery Information
Preferred delivery addresses and time windows
Customs declaration information for international shipments
Proof of delivery signatures and confirmation
Warehouse selection data based on geographical optimization

2.2 Payment Information Security
CRITICAL SECURITY NOTICE: ELAXCA does not store sensitive payment information such as full credit card numbers, CVV codes, or bank account details. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment provider:
PCI DSS Level 1 compliant payment processing infrastructure
256-bit SSL encryption for all transaction communications
Secure tokenization for payment data transmission
Regular security audits and vulnerability assessments
Fraud detection and prevention systems

2.3 Data from Third Parties
We may receive personal data from authorized third parties including:
Payment service providers (Stripe) for transaction confirmation and fraud prevention
Logistics and delivery partners (DHL, FedEx, local carriers) for shipment tracking
Insurance provider (Great Eastern Insurance) for claim processing coordination
Marketing partners (with explicit user consent and within legal boundaries)
Social media platforms (when using social login features with user permission)
Customs and regulatory authorities for international shipment compliance

2.4 Special Category Data
We do not intentionally collect “special category” data as defined by GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data). If such data is inadvertently provided, it will be handled with additional safeguards and deleted unless required for specific legitimate purposes.


PURPOSE OF DATA PROCESSING

3.1 Legal Basis for Processing
We process personal data based on one or more of the following legal bases under applicable regulations:
Contractual necessity: To fulfill orders, process payments, and provide requested e-commerce services
Legal obligation: To comply with applicable laws, regulations, and tax requirements across jurisdictions
Legitimate interests: To improve our services, prevent fraud, ensure platform security, and optimize user experience
Consent: For specific purposes where explicit, informed consent is obtained and documented

3.2 Specific Processing Purposes
Personal data is collected and used for the following legitimate business purposes:

3.2.1 Order Fulfillment and Delivery
Processing orders, payments, and financial transactions
Managing global shipping, logistics, and warehouse operations
Coordinating with insurance partners for coverage verification
Handling returns, refunds, exchanges, and insurance claims
Providing order confirmation, tracking, and delivery updates
Optimizing warehouse selection for fastest delivery times

3.2.2 Customer Service and Insurance Support
Responding to inquiries, support requests, and technical issues
Processing insurance claims through Great Eastern Insurance partnership
Resolving disputes, complaints, and service quality concerns
Providing account management and technical assistance
Sending service-related communications and platform updates

3.2.3 Platform Operations and Security
Maintaining, improving, and securing platform functionality
Preventing fraudulent activity, unauthorized access, and security breaches
Conducting analytics, performance monitoring, and quality assurance
Testing, developing, and deploying new features and services
Ensuring compliance with ISO 27001 information security standards

3.2.4 Legal and Regulatory Compliance
Complying with tax, accounting, and financial reporting requirements
Responding to legal requests, investigations, and regulatory inquiries
Enforcing Terms & Conditions, policies, and platform rules
Protecting rights, property, safety of users, and platform integrity
Maintaining records for legal, regulatory, and audit purposes

3.2.5 Marketing and Communications (with explicit user consent)
Sending promotional offers, updates, and platform announcements
Personalizing marketing communications based on preferences
Conducting surveys, market research, and user feedback collection
Analyzing customer preferences, behavior, and shopping patterns
Measuring marketing campaign effectiveness and ROI

3.2.6 Business Operations and Development
Managing supplier, partner, and merchant relationships
Conducting internal audits, compliance checks, and risk assessments
Supporting business planning, strategy development, and growth initiatives
Maintaining operational records, performance metrics, and quality standards
Facilitating business transfers, mergers, acquisitions, or restructuring

3.2.7 Insurance and Risk Management
Processing insurance claims through Great Eastern Insurance partnership
Coordinating insurance coverage verification and claim documentation
Managing risk assessment and fraud prevention for insured transactions
Maintaining insurance compliance records and audit trails
Facilitating communication between customers and insurance providers


CONSENT & USER CHOICES

4.1 Obtaining Consent
We obtain explicit, informed consent for processing personal data where required by applicable laws
Consent is obtained through clear, affirmative action (e.g., ticking an unchecked box)
Consent requests specify the exact purpose, scope, and duration of data processing
Users can review and modify consent preferences at any time through account settings

4.2 Managing Consent and Preferences
You have the right to:
Withdraw consent at any time through your account settings or by contacting our Data Protection Team
Opt-out of marketing communications using unsubscribe links in emails or platform preferences
Manage cookie preferences through browser settings or our cookie consent management tool
Control data sharing preferences for third-party marketing and analytics partners
Set communication preferences for different types of messages and notifications

4.3 Consequences of Withdrawal
Withdrawing consent may limit our ability to provide certain services, but will not affect:
The lawfulness of processing based on consent before withdrawal
Processing based on other legal grounds (e.g., contractual necessity, legal obligation)
Continued processing of anonymized or aggregated data for statistical purposes
Our ability to maintain necessary records for legal and regulatory compliance

4.4 Age of Consent
By using ELAXCA’s platform, you confirm that you are at least 18 years old, or have obtained parental/guardian consent if between 13-17 years old. We do not knowingly collect data from children under 13 without verifiable parental consent.


DISCLOSURE OF PERSONAL DATA

5.1 ELAXCA’s Commitment
ELAXCA does not sell, rent, or trade personal data to third parties for their independent marketing purposes. We only share data as necessary to provide our services, with appropriate safeguards and contractual obligations.

5.2 Categories of Recipients
Personal data may be disclosed to authorized third parties in these categories:

5.2.1 Essential Service Providers
Payment processors (Stripe) for secure transaction processing
Logistics and delivery partners for global shipment handling
IT infrastructure and hosting service providers
Customer support and communication platforms
Analytics and performance monitoring services
Insurance partners (Great Eastern Insurance) for claim processing

5.2.2 Professional and Advisory Services
Legal counsel and compliance advisors
Financial auditors, accountants, and tax consultants
Business consultants, partners, and strategic advisors
Technical consultants and development partners

5.2.3 Legal and Regulatory Authorities
When required by law, court order, or legal process
To comply with government, regulatory, or law enforcement requests
To protect rights, property, safety, or platform integrity
For tax, customs, or international trade compliance

5.2.4 Business Transfers and Transactions
In connection with mergers, acquisitions, or asset sales
During due diligence processes for business transactions
As part of business restructuring, reorganization, or transfer
To potential investors, partners, or successors in interest

5.2.5 Insurance and Risk Management Partners
Great Eastern Insurance for claim processing and verification
Risk assessment and fraud prevention services
Insurance regulatory authorities as required
Claims investigation and resolution services

5.3 Data Processing Agreements
All third-party service providers are subject to strict contractual obligations including:
Comprehensive Data Processing Agreements (DPAs) with GDPR/PDPA compliance
Requirement to implement appropriate technical and organizational security measures
Limitation to using data only for specified, authorized purposes
Obligation to comply with applicable data protection laws and regulations
Regular security audits, compliance checks, and performance monitoring
Notification requirements for data breaches or security incidents

5.4 International Data Transfers
As a global platform, data may be transferred to service providers in different countries. All international transfers are conducted with appropriate safeguards:
Standard Contractual Clauses (SCCs) for EU/EEA data transfers
Binding Corporate Rules where applicable
Adequacy decisions for countries with approved data protection standards
Technical safeguards including encryption and access controls


DATA SECURITY & PROTECTION

6.1 Comprehensive Security Framework
We implement a multi-layered security framework aligned with ISO 27001 standards:

6.1.1 Technical Security Measures
256-bit SSL/TLS encryption for all data transmission
Enterprise-grade firewalls and intrusion detection/prevention systems
Regular security audits, vulnerability assessments, and penetration testing
Secure data storage with role-based access controls and authentication
Encryption of sensitive data at rest in databases and backup systems
PCI DSS Level 1 compliance for payment processing infrastructure
Web application firewalls and DDoS protection mechanisms

6.1.2 Organizational Security Measures
Comprehensive employee training on data protection and security practices
Strict access controls, authentication mechanisms, and privilege management
Incident response, breach notification, and disaster recovery procedures
Regular review, update, and testing of security policies and procedures
Security awareness programs and phishing prevention training
Vendor risk management and third-party security assessments

6.1.3 Physical Security Measures
Secure data center facilities with 24/7 monitoring and access controls
Environmental controls, fire suppression, and power backup systems
Secure disposal procedures for physical records and storage media
Restricted physical access to server rooms and infrastructure facilities
Inventory management and asset tracking for physical infrastructure

6.2 Data Retention Policy
Personal data is retained only as long as necessary for legitimate business purposes:

6.2.1 Business Purpose Retention Periods
Active customer accounts: While account remains active plus 2 years
Transaction records: 7 years for tax, legal, and financial compliance
Customer service records: 3 years from resolution for quality assurance
Marketing data: Until consent is withdrawn or 2 years from last interaction
Insurance claim records: 7 years for legal and regulatory compliance
Logistics and delivery records: 3 years for operational and quality purposes

6.2.2 Legal and Regulatory Requirements
Legal obligations may require longer retention periods for specific data types
Data may be retained for legal claims, disputes, or investigations
Archived data is securely stored with limited access and enhanced protections
Retention periods are regularly reviewed and updated based on legal changes

6.3 Secure Data Deletion
When retention periods expire, personal data is securely deleted using approved methods:
Secure deletion using industry-standard data erasure techniques
Physical destruction of storage media for physical records
Anonymization for statistical, research, or analytical purposes
Archiving in accordance with legal, regulatory, or business requirements
Verification processes to ensure complete and secure deletion
Documentation of deletion activities for audit and compliance purposes

6.4 Security Certifications and Compliance
ELAXCA maintains the following security certifications and compliance standards:
PCI DSS Level 1: Payment Card Industry Data Security Standard
ISO/IEC 27001: Information Security Management System
GDPR Compliance: European Union General Data Protection Regulation
PDPA Compliance: Singapore and Malaysia Personal Data Protection Acts
SSL/TLS Encryption: Industry-standard encryption for data transmission
Regular Security Audits: Third-party security assessments and penetration tests


COOKIES & TRACKING TECHNOLOGIES

7.1 Types of Cookies Used

7.1.1 Essential Cookies (Required)
Required for basic website functionality and security
Enable login, authentication, shopping cart, and checkout processes
Support platform security, fraud prevention, and abuse detection
Cannot be disabled without affecting core platform functions

7.1.2 Performance Cookies (Optional)
Collect anonymous usage data for analytics and optimization
Help improve website performance, speed, and user experience
Enable A/B testing, user behavior analysis, and performance monitoring
Can be disabled through browser settings or preference tools

7.1.3 Functional Cookies (Optional)
Remember user preferences, settings, and customization choices
Personalize user experience based on language, currency, and location
Enable enhanced features, saved searches, and shopping lists
Can be managed through browser settings or platform preferences

7.1.4 Marketing Cookies (Require Explicit Consent)
Used for targeted advertising, retargeting, and campaign tracking
Track marketing campaign effectiveness, conversion rates, and ROI
Support personalized recommendations and product suggestions
Require explicit user consent before activation

7.2 Cookie Management Options
You can manage cookies through multiple methods:
Browser Settings: Configure cookie preferences in Chrome, Firefox, Safari, Edge, etc.
Cookie Consent Tool: Use our built-in cookie preference center (when available)
Third-Party Opt-Out Tools: Use industry tools for advertising cookie opt-out
Platform Settings: Adjust tracking preferences in your account settings
Do Not Track Signals: Configure browser Do Not Track settings

7.3 Do Not Track and Privacy Signals
We respect “Do Not Track” (DNT) browser signals where technically feasible, but cannot guarantee complete opt-out from all tracking technologies. Our response to DNT signals includes:
Reducing non-essential tracking where possible
Limiting data collection to essential functions
Providing clear information about tracking practices
Offering alternative privacy controls and preference settings

7.4 Third-Party Tracking and Analytics
We use authorized third-party analytics and tracking services with appropriate safeguards:
Service providers are subject to strict data processing agreements
Tracking is limited to approved purposes and data minimization principles
Users can opt-out of specific tracking through provided mechanisms
Anonymization and aggregation are used where possible for analytics


CROSS-BORDER DATA TRANSFERS

8.1 Global Operations Framework
As a global e-commerce platform with warehouses in multiple countries, ELAXCA may transfer personal data internationally to:
Service providers in different jurisdictions for operational support
Affiliated companies, partners, and subsidiaries worldwide
Cloud storage, processing, and infrastructure facilities globally
Logistics and delivery partners across international borders
Insurance providers and regulatory authorities as required

8.2 Transfer Safeguards and Mechanisms
All international data transfers are conducted with appropriate legal and technical safeguards:

8.2.1 Legal Transfer Mechanisms
Standard Contractual Clauses (SCCs): EU-approved clauses for data transfers
Binding Corporate Rules (BCRs): For intra-group transfers where applicable
Adequacy Decisions: Transfers to countries with approved data protection standards
Derogations: Specific derogations under GDPR Article 49 where applicable
Consent: Explicit consent for specific transfers where required

8.2.2 Technical Safeguards
Encryption during transmission using TLS 1.2+ protocols
Secure storage in certified data centers with access controls
Regular security assessments and vulnerability management
Data minimization and anonymization for international transfers
Access controls, authentication, and monitoring for cross-border access

8.2.3 Organizational Safeguards
Comprehensive Data Processing Agreements with international partners
Regular audits and compliance checks for cross-border data flows
Training and awareness for staff handling international data transfers
Incident response procedures for cross-border data breaches
Documentation and record-keeping for transfer mechanisms and justifications

8.3 Your Rights Regarding International Transfers
You have the right to:
Request information about specific international data transfers
Obtain details about transfer mechanisms and safeguards
Object to specific transfers where legally permitted
Request additional protections for your data in international transfers
Withdraw consent for transfers based on consent where applicable

8.4 Regional Compliance
ELAXCA complies with regional data transfer requirements including:
EU/EEA: GDPR Chapter V requirements for international transfers
Singapore: PDPA cross-border data transfer provisions
Malaysia: PDPA requirements for data transfers outside Malaysia
Other Jurisdictions: Local data protection laws and regulations


USER RIGHTS

9.1 Comprehensive Rights Under Applicable Laws

9.1.1 Right to Information and Access
Request confirmation of whether we process your personal data
Obtain copies of your personal data in our possession
Receive information about processing purposes, categories, and recipients
Access information about data retention periods and security measures

9.1.2 Right to Correction and Completion
Request correction of inaccurate or incomplete personal data
Request completion of incomplete personal data with supplementary statements
Update personal information directly through account settings
Request verification of corrections made to your data

9.1.3 Right to Processing Controls
Withdraw consent for processing based on consent at any time
Object to processing for direct marketing purposes
Request restriction of processing in specific circumstances
Object to processing based on legitimate interests where applicable

9.1.4 Right to Data Portability
Receive your personal data in a structured, commonly used, machine-readable format
Request transfer of your data to another controller where technically feasible
Obtain your data for personal use or transfer to alternative services

9.1.5 Right to Erasure (Right to be Forgotten)
Request erasure of your personal data in specific circumstances
Subject to legal retention requirements and legitimate business needs
Applicable when data is no longer necessary, consent is withdrawn, or processing is unlawful
Consideration of competing rights, freedoms, and legal obligations

9.1.6 Right to Object and Automated Decisions
Object to processing for direct marketing (absolute right)
Object to processing based on legitimate interests (relative right)
Request human intervention in automated decision-making processes
Contest decisions based solely on automated processing where applicable

9.2 Exercising Your Rights
To exercise your data protection rights:

Step 1: Submit Request
Use your account settings for common requests (updates, preferences)
Contact our Data Protection Team for complex or specific requests
Use designated web forms or communication channels where available

Step 2: Verification Process
Provide sufficient information for identity verification
Submit supporting documentation if required for verification
Cooperate with reasonable verification procedures to prevent unauthorized access

Step 3: Processing Timeline
Allow reasonable time for request processing (typically 30 days)
Complex requests may require additional time (up to 60 days)
Receive notification of extensions, reasons, and expected completion dates

Step 4: Response and Resolution
Receive clear, transparent responses to all requests
Obtain explanations for any request limitations or denials
Receive information about appeal processes and regulatory complaint options

9.3 Verification and Fee Policy
We may request reasonable verification of identity for security purposes
No fees for standard, reasonable data subject requests
Reasonable administrative fees may apply for excessive, repetitive, or unfounded requests
Fee structure is transparent, proportionate, and based on actual administrative costs
Fee waivers available for legitimate financial hardship circumstances

9.4 Right to Lodge Complaints
You have the right to lodge complaints with relevant data protection authorities:
Singapore: Personal Data Protection Commission (PDPC)
Malaysia: Personal Data Protection Commissioner
European Union: Relevant national data protection authority
Other Jurisdictions: Appropriate regulatory or supervisory bodies
Internal Process: Attempt resolution through our Data Protection Team first

9.5 Children’s Rights
Special protections apply to children’s personal data:
Enhanced verification for children’s data requests
Parental/guardian consent requirements for certain requests
Additional safeguards for processing children’s data
Age-appropriate privacy notices and communications


CHILDREN’S PRIVACY

10.1 Age Restrictions and Protections
ELAXCA does not knowingly collect personal data from individuals under:
18 years for general platform use and account registration
13 years for any purpose without verifiable parental consent
Any age for special category data without explicit legal basis

10.2 Parental Controls and Responsibilities
Parents or guardians who believe their child has provided personal data should:
Contact our Data Protection Team immediately for investigation
Request review, correction, or deletion of the child’s data
Provide appropriate documentation for verification purposes
Consider implementing parental controls, monitoring tools, and privacy settings
Educate children about online privacy and safe internet practices

10.3 Age Verification Measures
We implement reasonable measures to prevent underage data collection:
Age verification during account registration and checkout processes
Monitoring for suspicious or potentially underage account activity
Responsive procedures for age-related concerns and reports
Collaboration with parents, guardians, and educational resources
Regular review and enhancement of age verification mechanisms

10.4 Educational Resources
We provide resources to support children’s online privacy:
Age-appropriate privacy information and guidance
Parental control recommendations and best practices
Educational materials about online safety and privacy
Collaboration with child protection organizations and initiatives


INSURANCE AND CLAIMS DATA PROCESSING

11.1 Insurance Partnership Framework
ELAXCA partners with Great Eastern Insurance to provide comprehensive purchase protection:

11.1.1 Insurance Coverage Scope
Transportation and handling damage coverage
Manufacturing defects discovered after delivery
Non-delivery or lost shipment protection
Incorrect item delivery resolution
Fraudulent transaction investigation support

11.1.2 Claims Processing Data Requirements
Order details and purchase verification
Damage documentation and photographic evidence
Delivery confirmation and tracking information
Communication records and resolution attempts
Personal information for claim processing and payout

11.2 Claims Data Processing
Step 1: Claim Submission
Submit claim through platform portal or customer support
Provide required documentation and evidence
Authorize data sharing with insurance partner as needed
Receive claim reference number and processing timeline

Step 2: Claim Review and Verification
Review by ELAXCA support team for completeness
Transfer to Great Eastern Insurance for assessment
Additional information requests if required
Communication throughout review process

Step 3: Resolution and Payout
Approved claims: Processing through original payment method
Partial approvals: Proportional compensation based on assessment
Denied claims: Explanation with reasoning and appeal options
Timeline: Typically 5-10 business days for standard claims

11.3 Data Sharing with Insurance Partner
Data shared with Great Eastern Insurance includes:
Minimum necessary information for claim processing
Secure transmission through encrypted channels
Limited to claim-related purposes only
Subject to strict data processing agreements
Deletion after claim resolution and retention periods

11.4 Insurance Data Rights
You have rights regarding insurance claim data including:
Access to claim data and processing status
Correction of inaccurate claim information
Portability of claim data to alternative providers
Erasure rights subject to legal and regulatory requirements
Objection to specific processing activities where applicable


GLOBAL LOGISTICS DATA PROCESSING

12.1 Warehouse Network Data Flow
ELAXCA operates a global warehouse network requiring international data transfers:

12.1.1 Warehouse Locations
Singapore Central Warehouse (20 Jurong Port Road)
Kuala Lumpur Warehouse (Persiaran TRX)
Los Angeles Warehouse (123 Commerce St)
London Warehouse (45 Park Royal Road)
Frankfurt Warehouse (Am Hauptbahnhof 10)

12.1.2 Logistics Data Categories
Shipping addresses and delivery instructions
Customs declaration information for international shipments
Inventory allocation and warehouse selection data
Delivery time preferences and scheduling information
Proof of delivery and confirmation records

12.2 Customs and Regulatory Compliance
International shipments require data sharing with authorities:
Customs declaration data for border clearance
Regulatory compliance information for restricted items
Tax and duty calculation information
Security screening data as required by law
Export control and trade compliance documentation

12.3 Logistics Partner Data Sharing
We share necessary data with logistics partners including:
Delivery addresses and contact information
Package dimensions, weight, and value
Customs documentation for international shipments
Tracking and delivery status updates
Limited to operational requirements with appropriate safeguards

12.4 Delivery Optimization Data
We use data to optimize delivery performance:
Geographical analysis for warehouse selection
Delivery time estimation and route optimization
Performance monitoring across logistics partners
Continuous improvement of delivery experience
Anonymized analytics for network optimization


DATA BREACH NOTIFICATION

13.1 Breach Response Protocol
In the event of a personal data breach, ELAXCA will:

13.1.1 Immediate Response Actions
Activate incident response team within 1 hour of detection
Contain breach and prevent further unauthorized access
Preserve evidence for investigation and remediation
Assess scope, impact, and risk to individuals’ rights

13.1.2 Investigation and Assessment
Determine cause, method, and extent of breach
Identify affected individuals and data categories
Assess risk to rights and freedoms of affected individuals
Evaluate necessary notification requirements and timelines

13.2 Notification Requirements and Timelines

13.2.1 Regulatory Authority Notification
GDPR Requirements: Within 72 hours where feasible
PDPA Requirements: As soon as practicable after discovery
Other Jurisdictions: According to local legal requirements
Content: Nature of breach, categories and approximate number of affected individuals, likely consequences, measures taken or proposed

13.2.2 Individual Notification
When Required: When breach is likely to result in high risk to rights and freedoms
Timeline: Without undue delay after breach discovery
Method: Direct communication (email, platform notification, etc.)
Content: Nature of breach, contact details for further information, measures taken, recommendations for mitigation

13.2.3 Public Disclosure
When necessary for transparency or public interest
Coordinated with regulatory guidance and legal counsel
Balanced with security considerations and investigation integrity
Clear, accurate, and proportionate communication

13.3 Post-Breach Remediation
Following breach resolution, we implement:
Comprehensive remediation plan to address root causes
Enhanced security measures to prevent recurrence
Monitoring and verification of remediation effectiveness
Review and update of policies, procedures, and controls
Training and awareness updates based on lessons learned
Documentation for audit, compliance, and continuous improvement

13.4 Breach Preparedness
We maintain ongoing breach preparedness including:
Regular incident response plan testing and updates
Employee training on breach detection and response
Technical monitoring and detection capabilities
Relationships with cybersecurity and legal experts
Insurance coverage for data breach incidents


POLICY UPDATES

14.1 Update Process and Triggers
ELAXCA reserves the right to update this policy to reflect:
Changes in our services, features, or business operations
Legal, regulatory, or compliance requirement changes
Industry standards, best practices, or technological developments
Organizational changes, mergers, acquisitions, or restructuring
User feedback, requests, or evolving privacy expectations

14.2 Notification of Material Changes
Material changes will be communicated through:

14.2.1 Platform Notifications
Updated policy posted with new “Last Modified” date
Prominent notices on platform for significant changes
Account notifications and announcements for registered users
Banner messages or in-app notifications for active users

14.2.2 Direct Communications
Email notifications to registered users for material changes
Summary of changes and effective dates provided
Options to review, accept, or discuss changes
Contact information for questions or concerns

14.2.3 Advance Notice
Reasonable advance notice for significant changes
Opportunity for review and preparation before effective dates
Consideration of user feedback during review periods
Transparency about change rationale and impacts

14.3 Acceptance and Continued Use
Continued use of platform after changes constitutes acceptance
Users can discontinue use if they do not accept changes
Historical versions archived for reference and compliance
Clear version tracking and change documentation

14.4 Review and Feedback Cycle
We maintain ongoing policy review including:
Annual comprehensive privacy policy review
Quarterly updates based on legal and regulatory changes
User feedback collection and consideration
Industry benchmarking and best practice analysis
Stakeholder consultation for significant changes


CONTACT INFORMATION

15.1 Data Protection Team
For privacy-related inquiries, requests, or concerns:

ELAXCA – Data Protection & Privacy Team
Privacy Inquiries: privacy@elaxca.com
Data Subject Requests: datarequest@elaxca.com
Security Concerns: security@elaxca.com
General Support: support@elaxca.com

15.2 Data Protection Officer
ELAXCA Data Protection Officer
DPO Contact: dpo@elaxca.com
Role: Independent oversight of data protection compliance
Responsibilities: Monitoring, advising, and ensuring GDPR/PDPA compliance
Availability: Regular business hours with emergency contact procedures

15.3 Postal Address
ELAXCA Pte Ltd
Registered Office Address
Singapore
Postal Code

Global Headquarters
Operational Address – To be configured based on deployment

15.4 Response Times and Service Levels
General Inquiries: Within 48 business hours
Data Subject Requests: Within 30 calendar days (as required by law)
Urgent Matters: Priority handling with expedited processes
Complex Requests: Timeline communicated with expected completion
Emergency Security Issues: 24/7 response for critical security incidents

15.5 Business Hours
Singapore Time (GMT+8): Monday-Friday 9:00 AM – 6:00 PM
Saturday: 10:00 AM – 2:00 PM (limited support)
Sunday & Public Holidays: Emergency support only
Global Coverage: Extended hours for international markets
Emergency Contact: 24/7 for security incidents and critical issues

15.6 Alternative Contact Methods
Online Form: Link to data request web form
Platform Chat: Integrated support chat during business hours
Phone Support: To be configured based on regional requirements
Postal Mail: Registered mail for formal communications
In-Person: By appointment at registered office

15.7 Regional Contact Points
European Union
EU Representative: To be appointed if required under GDPR
Contact: eurep@elaxca.com

United Kingdom
UK Representative: To be appointed if required
Contact: ukrep@elaxca.com

Other Regions
Local contacts based on operational requirements
Language-specific support as platform expands


DOCUMENT INFORMATION

Document Version: 3.0
Last Updated: 8 April 2026
Effective Date: 8 April 2026
Applicable Regions: Global (Singapore, Malaysia, EU, International)
Previous Version: 2.0 (Vaynera Privacy Policy)
Update Contact: privacy@elaxca.com
Review Cycle: Annual comprehensive review
Next Review Date: 8 April 2027

Related Documents:
ELAXCA Terms & Conditions (Version 3.0)
ELAXCA Cookie Policy (Version 2.0)
ELAXCA Security Policy (Version 2.0)
ELAXCA Data Processing Agreements
Great Eastern Insurance Partnership Agreement

Approval Signatures:
Data Protection Officer:    HAZLIDA HUSAINI ALI
Legal Counsel:  HAZLIDA HUSAINI ALI
Chief Executive Officer:  HAZLIDA HUSAINI ALI

Distribution:
Internal: All employees, contractors, and partners
External: Website publication, user acceptance, regulatory filing
Archived: Version control and historical reference


ELAXCA Privacy Commitment Statement

ELAXCA is committed to protecting your privacy and personal data. Our privacy practices are built on transparency, security, and respect for individual rights. We continuously work to maintain the highest standards of data protection across our global operations.

This policy reflects our commitment to comply with applicable data protection laws including Singapore’s PDPA, Malaysia’s PDPA, the EU’s GDPR, and international best practices.

We welcome your feedback and questions about our privacy practices. Contact our Data Protection Team at privacy@elaxca.com with any concerns or suggestions.

ELAXCA reserves the right to periodically update this policy to reflect changes in our services, legal requirements, or industry standards. Customers will be notified of significant changes through appropriate channels.

This document is available in multiple languages. In case of discrepancies, the English version shall prevail.

Copyright Notice: © 2026 ELAXCA Pte Ltd. All rights reserved.
Confidentiality: This document contains confidential information of ELAXCA Pte Ltd.