Privacy Policy

Effective date: 3 June 2025 (last revised: 9 June 2025)

This Privacy Policy explains how Oxprep Pte. Ltd. ("Oxprep", "we", "our", "us") collects, uses, discloses and protects your personal data when you visit www.oxprep.com and/or join our wait‑list mailing list. It is designed to satisfy the most stringent data‑protection regimes that apply to us, including:

  • Singapore Personal Data Protection Act 2012 (PDPA)
  • EU General Data Protection Regulation 2016/679 (EU GDPR)
  • UK GDPR & Data Protection Act 2018
  • Overseas frameworks with extraterritorial reach as listed in §13 "Regional addenda".

By providing personal data to Oxprep you agree to the practices described below.

1 Who we are — controller details

  • Controller: Oxprep Pte. Ltd. (UEN 202448860Z)
  • Address: 20 Collyer Quay, #11‑05, Singapore 049319
  • Email: privacy@oxprep.com

Data‑Protection Officer

Sheerwan O'Shea‑Nejad — privacy@oxprep.com | +65 8846 2250

Article 27 Representatives

RegionRepresentativeAddressEmail
EU/EEADataRepThe Cube, Monahan Road, Cork, T12 H1XY, Irelanddigitalrequest@datarep.com
UKDataRep107–111 Fleet Street, London, EC4A 2AB, UKdigitalrequest@datarep.com
CHDataRepLeutschenbachstrasse 95, Zurich, 8050, Switzerlanddigitalrequest@datarep.com

ICO Registration (UK): ZB905167 (valid until 28 May 2026)

2 What personal data we collect

ChannelData itemSource
Wait‑list form (Step 1)Email address; optional nameDirect from you
Optional profile form (Step 2)Role, school name, country/region, intended subjectDirect from you (optional)
Marketing emailsOpen/click metrics (tracking pixel), IP address, user‑agentGenerated automatically
Website server logsIP address, browser headers, request URL, HubSpot cookiesCollected automatically
Geolocation serviceIP address (country-level geolocation only, local CSV file)Collected automatically

We do not knowingly collect special‑category data (GDPR Art 9).

3 Why we collect it — purposes & legal bases

PurposePDPA basisEU/UK legal basis
Send product news, study resources, early‑access invitationsExpress consentConsent — GDPR Art 6 (1)(a) (double opt‑in)
Tailor content using optional profile detailsExpress consent (submission of optional form)Consent — Art 6 (1)(a)
Measure email engagement & remove inactive addressesExpress consentConsent — Art 6 (1)(a)
Operate and secure the website (logs, cookies)Deemed consent for securityLegitimate interests — Art 6 (1)(f)
Geolocate country for form/banner regionalisationDeemed consentLegitimate interests — Art 6 (1)(f)
Fulfil legal obligationsStatutory exceptionLegal obligation — Art 6 (1)(c)

4 How we share your data

We never sell personal data. Transfers are limited to:

RecipientFunctionLocationSafeguard
HubSpot Inc.Email list management & deliveryUSA2021 SCCs & PIPL SCC annex
Google LLCGoogle Sheets analyticsUSA2021 SCCs & PIPL SCC annex
Replit Inc. (Google Cloud)Website hosting & logsUSA2021 SCCs & PIPL SCC annex
Regulators/courtsLegal requirement only

5 International transfers

All personal data is stored in Singapore and the United States. Transfers outside the EU/UK are protected by the EU & UK Standard Contractual Clauses 2021/914 plus encryption, MFA and role‑based access. Transfers from other jurisdictions use equivalent contractual safeguards or explicit consent (see §13).

6 Retention

Data setRetention rule
Mailing‑list records (incl. engagement logs)Delete 24 months after last open/click or immediately on unsubscribe
Optional profile detailsSame as linked email record
Server logsRaw logs 30 days → anonymised stats 12 months
Consent records6 years to defend legal claims

7 Cookies & tracking

We use HubSpot cookies for analytics and to remember banner choices. EU/UK visitors see a banner that blocks non‑essential cookies until accepted. Marketing emails contain a 1‑pixel GIF that records opens/clicks; consent for this tracking is captured in the sign‑up form.

8 Security measures

  • TLS 1.2+ in transit, AES‑256 at rest
  • HubSpot & Google Workspace enforced MFA and role‑based access
  • Monthly permission reviews and audit logs
  • Firewall + managed WAF (Replit / Google Cloud Armor)
  • Annual vulnerability scan & remediation

9 Your rights

RegionRights
Singapore (PDPA)Access, Correction, Withdrawal of consent, Complaint to PDPC
EU/UK GDPRAccess, Rectification, Erasure, Restriction, Portability, Objection, Complaint to a supervisory authority

Email privacy@oxprep.com to exercise any right. EU, UK or Swiss residents may also contact our representative, DataRep, listed in Section 12. We respond within 30 days (1 month under GDPR).

You may unsubscribe via the link in any marketing email.

10 Children

Our website is not directed to children under 13. If we discover we have collected data from a child without parental consent, we will delete it promptly.

11 Changes to this Policy

We may update this Policy periodically. Material changes will be flagged on the website or by email; the "Effective date" will always reflect the latest version.

12 Contact us

If you have any questions or concerns about your personal data, or if you would like to exercise your rights under applicable privacy laws, you may contact:

Oxprep Pte. Ltd.
20 Collyer Quay, #11‑05, Singapore 049319
E‑mail: privacy@oxprep.com

If you are based in the EU/EEA, UK or Switzerland, you may also contact our GDPR representative, DataRep, who acts on our behalf regarding data protection matters in those regions:

These addresses are for exercising data rights only. For general enquiries, please use privacy@oxprep.com.

13 Regional addenda (extra disclosures required by certain non‑EU laws)

Egypt (Law 151/2020) — You have rights of access, correction and deletion. Cross‑border transfer occurs with your explicit consent.

Indonesia (PDP Law 27/2022) — Indonesian residents may access, correct, delete or withdraw consent at any time by contacting privacy@oxprep.com.

Japan (APPI) — Your data is stored in Singapore and the United States under contractual safeguards. You may access, correct or delete your data at any time.

Mainland‑China (PIPL) — By submitting the form you give explicit consent to transfer your data to Singapore and the United States. You may request access, copy, correction or deletion via privacy@oxprep.com. Our person in charge of personal‑information protection is Sheerwan O'Shea‑Nejad.

Philippines (Data‑Privacy Act 2012) — You have rights of access, correction, blocking/erasure and portability. Data is stored in Singapore/USA under contractual safeguards.

South Korea (PIPA) — Your data is stored in Singapore/USA under contractual safeguards. You may access, correct or delete it at any time.

Thailand (PDPA) — You have rights of access, rectification, erasure, portability and objection. Contact privacy@oxprep.com.

United Arab Emirates (Federal PDPL) — You may access, correct, erase or port your data and withdraw consent at any time.

Vietnam (PDP Decree 13/2023) — We maintain a transfer‑impact assessment for Vietnamese data and can provide a summary on request.

Other jurisdictions — You have comparable rights of access, correction, deletion and portability under your local law. Oxprep does not sell or share your information for advertising. Contact privacy@oxprep.com to exercise any right.

© 2025 OxPrep. All rights reserved.Privacy Policy