1. About this notice.
Steadbook Advisory LLP (UEN T18LL0198K) ("Steadbook", "we", "us", or "our") is committed to protecting personal data in accordance with Singapore's Personal Data Protection Act 2012 (as amended) ("PDPA") and the guidelines and advisory notes issued from time to time by the Personal Data Protection Commission ("PDPC").
This notice explains how we collect, use, disclose, transfer, and safeguard personal data when you engage our services, visit our website, correspond with us, or otherwise interact with our firm. It applies to all individuals whose personal data we handle, including clients, prospective clients, directors, shareholders, beneficial owners, employees of corporate clients, suppliers, job applicants, and website visitors.
2. Personal data we collect.
Depending on the nature of our engagement, we may collect:
- Identification data — full name, NRIC/FIN/passport number, date of birth, nationality, residential address, photograph or copy of identification documents (collected for know-your-client and anti-money-laundering purposes under the Accounting and Corporate Regulatory Authority's requirements).
- Contact data — telephone number, email address, business address.
- Engagement data — role, position, ownership interest, signing authority, source of funds and source of wealth declarations.
- Financial and tax data — accounting records, payroll records, bank statements, invoices, tax filings, and other records you provide for the purpose of our services.
- Correspondence data — emails, messages, call notes, and meeting records relating to your engagement.
- Technical data — IP address, browser type, device information, and analytics data when you visit our website.
- Client Portal access data — when you access our secure Client Portal: a unique client code we issue to your engagement, the email address on file for receiving one-time passwords (OTPs), session identifiers used to maintain your authenticated session, and any documents, files, queries, or messages you submit through the Portal.
3. How we collect personal data.
We collect personal data:
- Directly from you when you complete an enquiry form, sign an engagement letter, send us correspondence, or provide documents in the course of our work;
- From your authorised representatives, employees, directors, or service providers;
- From publicly available sources, including ACRA, IRAS, and other government registries, where reasonable and permitted by law;
- From third-party verification providers used for know-your-client, sanctions screening, and politically-exposed-person checks;
- Automatically through cookies and analytics on our website (see Section 11);
- Through your authenticated use of our secure Client Portal, including any documents, files, queries, or messages you submit through it.
4. Purposes for which we use personal data.
We use personal data only for purposes that a reasonable person would consider appropriate in the circumstances, including:
- Providing accounting, tax, payroll, corporate secretarial, finance operations, and advisory services;
- Onboarding clients, including know-your-client, anti-money-laundering, counter-terrorism financing, and sanctions checks;
- Issuing quotations, engagement letters, invoices, and receipts;
- Communicating with you about your engagement, including responding to enquiries and providing updates;
- Complying with legal, regulatory, and professional obligations imposed on us by ACRA, IRAS, the PDPC, the Monetary Authority of Singapore (MAS), the Singapore Police Force, and other competent authorities;
- Maintaining records as required by law and by our professional standards;
- Preventing, detecting, and investigating fraud, misconduct, or unlawful activity;
- Managing our internal operations, including audit, risk management, training, and quality assurance;
- Sending you firm updates, technical bulletins, and event invitations, where you have consented or where permitted under the PDPA;
- Recruitment and human resources where you apply for a role with us;
- Operating our secure Client Portal, including authenticating you via client code and one-time password (OTP), maintaining authenticated sessions, storing documents you upload in your dedicated client folder within our Microsoft 365 environment, and using AI tools to read, analyse, and reference your records in order to respond to your queries and produce insights tailored to your engagement.
5. Legal bases for processing.
We rely on one or more of the following bases under the PDPA:
- Consent — express or deemed, where you knowingly provide personal data for a purpose we have notified;
- Legitimate interests — including business administration, fraud prevention, and information security, where the benefit to our legitimate interests is not outweighed by adverse effect on the individual;
- Business improvement — for purposes such as improving our services, operational efficiency, and the quality of our deliverables;
- Legal or regulatory requirement — where processing is required under Singapore law or by an order of court or competent authority.
6. Disclosure of personal data.
We may disclose personal data, on a need-to-know basis, to:
- Our partners, employees, and contractors involved in your engagement, all of whom are bound by confidentiality obligations;
- Regulators and authorities, including ACRA, IRAS, the MAS, the Singapore Police Force, and overseas equivalents where lawfully required;
- Banks, auditors, legal counsel, insurance brokers, and other professional advisers acting for you or for us in connection with the engagement;
- Approved technology service providers, including cloud hosting, accounting software, payroll software, e-signature, document management, secure file transfer, and identity verification providers;
- Approved AI service providers, where used in accordance with Section 8 below;
- Acquirers, successors, or assignees of our business in the event of a merger, acquisition, restructuring, or transfer of all or part of our business.
We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.
7. Cross-border transfers.
Some of our service providers, including cloud and AI providers, may store or process personal data outside Singapore. Where we transfer personal data overseas, we take steps to ensure that the receiving organisation is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA, in accordance with Section 26 of the PDPA and the Personal Data Protection Regulations 2021.
8. Use of artificial intelligence (AI).
We use AI tools — including generative AI, large language models, and AI-assisted features within our accounting, tax, payroll, document management, and productivity software — to support the delivery of our services. We do so under the following commitments:
- Human oversight. AI is used as an aid, not a substitute, for professional judgment. All deliverables, computations, filings, and advice are reviewed and approved by a qualified Steadbook professional before they are issued or relied upon. We do not accept AI output as final without human review.
- Approved tools only. We only use AI tools that have been assessed by our firm against vendor security controls, data residency, retention policies, training-on-input settings, and access governance. Personal client data is not entered into general-purpose, consumer-grade AI tools.
- No training on your data. Where we use AI providers, we configure our accounts so that client content (including personal data) is not used to train the provider's foundation models, in line with the AI Verify Foundation's Model AI Governance Framework for Generative AI and the PDPC's Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems.
- Data minimisation. We provide AI tools with the minimum information needed for the task. Where practicable, we redact, aggregate, or pseudonymise personal data before processing.
- No automated decisions with legal or significant effect. We do not use AI to make solely automated decisions that produce legal effects or similarly significant effects on individuals (for example, decisions to onboard, reject, or terminate a client). Such decisions remain with our partners and qualified staff.
- Confidentiality. AI use does not relax our confidentiality obligations. The duty of confidence owed to clients, and where applicable the protection of legally privileged information, applies equally to AI-assisted work.
- Accuracy and limitations. AI output may contain errors, omissions, or fabricated content ("hallucinations"). We treat AI output as a draft to be verified, and we remain solely responsible for the accuracy of the work we issue under our name.
- Bias and fairness. We are alert to the risk that AI tools may reflect biases present in their training data. Where AI is used in any context affecting individuals, we apply human review to mitigate this risk.
- Disclosure on request. If you would like to know whether and how AI was used in connection with your engagement, write to our Data Protection Officer at the address in Section 14.
Nothing in this section creates a service-level commitment that AI will or will not be used in any particular task. The decision to use, or not to use, an AI tool rests with the engagement partner.
Client Portal AI processing. When you access our secure Client Portal, AI tools may read, analyse, and reference the documents, files, and data stored in your dedicated client folder within our Microsoft 365 environment for the purpose of answering your queries and producing insights for you. The same commitments above — human oversight, approved tools only, no training on your data, data minimisation, no automated decisions with legal or significant effect, confidentiality, and treatment of AI output as a draft to be verified — apply equally to Portal use. Where the AI encounters conflicting, ambiguous, or incomplete information in your records, it will not issue a substantive answer; instead, the Portal will surface this to you and a Steadbook professional will review and follow up before any response that could be relied upon is provided.
Alignment with Singapore's Model AI Governance Framework for Agentic AI. Our AI features are designed and operated in line with the four dimensions of the framework published by the Infocomm Media Development Authority (IMDA) on 22 January 2026:
- Risk assessment and bounding. Our AI features have narrowly defined scopes. Our public chat assistant ("Adrian") answers general questions about our services; it does not execute transactions, submit filings, or commit the firm to any engagement. The Client Portal AI reads and analyses your records to answer queries; it does not modify, file, or transmit those records anywhere outside our Microsoft 365 environment.
- Human accountability. All substantive answers, computations, advice, deliverables, filings, and quotations are reviewed and approved by a qualified Steadbook professional before being relied upon. Where the AI encounters conflict, ambiguity, or incomplete information, a human review is triggered before any further response is issued.
- Technical controls. Our AI features have whitelisted access to specific data and services only — your dedicated client folder (Client Portal), and our published pricing and services information (public chat). They cannot invoke tools, services, or systems outside this whitelist. All Client Portal access and activity is logged and retained for at least two years, as set out in Section 10.
- End-user responsibility. Each AI feature carries a visible notice that AI output is draft information, not professional advice. We encourage all users to verify AI output before relying on it, and to remain alert to automation bias.
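The scoping, allow-listing, audit logging and human-escalation behaviour described in the Client Portal AI processing paragraph and in the Technical controls item above can be implemented in a small gate that sits between the model and any tool it asks to call. The following is an added illustrative example written for this page; it is not Steadbook's Portal code. The feature names `client_portal` and `public_chat`, the tool names, the audit-log fields and the sample records are all assumptions made for the example.

```python
"""Added example: per-feature tool allow-list, audit log and human escalation.

Illustrative code only, not Steadbook's implementation. Feature names, tool
names, log fields and sample records are assumptions made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical allow-list: each AI feature may invoke only the tools listed here.
# Anything else is denied before it runs, whatever the model asks for.
ALLOWLIST: dict[str, frozenset[str]] = {
    "client_portal": frozenset({"read_client_folder"}),
    "public_chat": frozenset({"read_pricing", "read_services"}),
}


class ToolNotAllowed(PermissionError):
    """Raised when a tool call falls outside the feature's allow-list or scope."""


@dataclass
class AuditLog:
    """Append-only in-memory log; a real deployment would forward this to a SIEM."""
    entries: list[dict] = field(default_factory=list)

    def record(self, feature: str, client_code: str, tool: str,
               outcome: str, detail: str = "") -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "feature": feature,
                 "client_code": client_code, "tool": tool,
                 "outcome": outcome, "detail": detail}
        self.entries.append(entry)
        return entry

    def denied(self) -> list[dict]:
        return [e for e in self.entries if e["outcome"] == "denied"]


def gate_tool_call(feature: str, client_code: str, tool: str,
                   args: dict, log: AuditLog) -> bool:
    """Allow a tool call only if it is on the feature's allow-list and stays
    within the caller's own data scope. Every decision is logged."""
    if tool not in ALLOWLIST.get(feature, frozenset()):
        log.record(feature, client_code, tool, "denied", "tool not on allow-list")
        raise ToolNotAllowed(f"{feature} may not call {tool}")
    # Scope check: the Portal assistant may read only the caller's own folder.
    if tool == "read_client_folder" and args.get("client_code") != client_code:
        log.record(feature, client_code, tool, "denied", "cross-client folder access")
        raise ToolNotAllowed("folder does not belong to the authenticated client")
    log.record(feature, client_code, tool, "allowed", json.dumps(args, sort_keys=True))
    return True


def answer_or_escalate(records: list[dict], field_name: str) -> tuple[str, str]:
    """Return ("answer", value) when all records carry the same non-empty value
    for field_name; otherwise ("escalate", reason) so a human reviews first."""
    if not records:
        return ("escalate", "no records found")
    values = {r.get(field_name) for r in records}
    if None in values or "" in values:
        return ("escalate", f"{field_name} missing in one or more records")
    if len(values) > 1:
        return ("escalate", f"conflicting {field_name} values: {sorted(values)}")
    return ("answer", values.pop())


# Constructed sample records for the example (not real client data).
CONSISTENT_RECORDS = [
    {"doc": "engagement_letter.pdf", "financial_year_end": "31 December"},
    {"doc": "acra_profile.pdf", "financial_year_end": "31 December"},
]
CONFLICTING_RECORDS = [
    {"doc": "engagement_letter.pdf", "financial_year_end": "31 December"},
    {"doc": "prior_year_accounts.pdf", "financial_year_end": "30 June"},
]


def demo() -> dict:
    """Exercise the gate and the escalation check; returns a summary."""
    log = AuditLog()
    results: dict = {}
    results["pricing_ok"] = gate_tool_call("public_chat", "-", "read_pricing", {}, log)
    try:  # the public chat assistant must never reach a client folder
        gate_tool_call("public_chat", "-", "read_client_folder", {"client_code": "C1"}, log)
    except ToolNotAllowed:
        results["public_chat_blocked"] = True
    try:  # Portal user C1 must not read C2's folder
        gate_tool_call("client_portal", "C1", "read_client_folder", {"client_code": "C2"}, log)
    except ToolNotAllowed:
        results["cross_client_blocked"] = True
    results["consistent"] = answer_or_escalate(CONSISTENT_RECORDS, "financial_year_end")
    results["conflicting"] = answer_or_escalate(CONFLICTING_RECORDS, "financial_year_end")
    results["denied_count"] = len(log.denied())
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gate denies by default: a tool absent from the feature's allow-list never executes, and the Portal's only tool is further restricted to the authenticated client's own folder, so a prompt-injected request to read another client's records is refused and logged rather than silently honoured. The escalation check returns no substantive value when records disagree or a field is missing, mirroring the human-review trigger described above.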
9. Data security.
We maintain reasonable administrative, physical, and technical safeguards to protect personal data, including access controls, encryption in transit and at rest where appropriate, multi-factor authentication, secure file transfer, regular access reviews, vendor risk assessments, staff training, and incident response procedures. For our secure Client Portal, additional controls include client-code and one-time-password authentication, time-bound authenticated sessions with inactivity timeouts, and audit logging of Portal access and activity. We assess our practices against the PDPC's Guide to Data Protection Practices for ICT Systems.
No method of transmission or storage is completely secure. In the event of a notifiable data breach, we will notify the PDPC within the timeline required by the PDPA's data breach notification obligation (no later than three calendar days after assessing that the breach is notifiable) and notify affected individuals as soon as practicable.
10. Retention.
We retain personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, and to comply with our legal, regulatory, and professional record-keeping obligations — typically a minimum of five years for accounting and tax records under the Companies Act 1967 and the Income Tax Act 1947, and longer where specifically required (for example, anti-money-laundering records). Client Portal authentication, session, and access logs are retained for at least two years for security and audit purposes. When personal data is no longer required, we securely delete or anonymise it.
11. Cookies and website analytics.
Our website uses a small number of cookies and similar technologies to keep the site functioning, remember preferences, and produce aggregate analytics. You may disable cookies in your browser; some site features may not work as intended without them.
12. Your rights.
Subject to the PDPA and applicable exceptions, you have the right to:
- Access the personal data we hold about you and information about how it has been used or disclosed within the past year;
- Correct personal data that is inaccurate or incomplete;
- Withdraw consent for the collection, use, or disclosure of your personal data, on reasonable notice, subject to legal or contractual restrictions;
- Request data portability of your personal data to another organisation, where this right is in force and applicable to the data;
- Lodge a complaint with the PDPC if you believe we have not handled your personal data in accordance with the PDPA.
We may charge a reasonable fee for an access request, in accordance with the PDPA. Withdrawing consent or requesting deletion may affect our ability to continue providing services to you.
13. Children.
Our services are not directed at individuals under 13 years of age, and we do not knowingly collect personal data from children except where necessary for an engagement (for example, payroll administration involving an employee's dependants), and only with the consent of the relevant parent or guardian.
14. Data Protection Officer.
You can reach our Data Protection Officer with any question, request, or complaint relating to this notice or our handling of personal data:
Data Protection Officer
Steadbook Advisory LLP
12 Woodlands Square, #13-82/83
Woods Square, Singapore 737715
Email: contact@steadbook.com
We aim to acknowledge requests within 7 working days and respond substantively within 30 days, in line with the PDPC's Advisory Guidelines on Key Concepts in the PDPA.
15. Changes to this notice.
We review this notice at least annually and may update it from time to time to reflect changes in law, regulatory guidance, or our practices. The version and effective date appear at the top of this page. The current version is always available at this URL. Material changes will be notified to active clients by email.
This notice is provided for transparency under the PDPA and does not, by itself, create contractual rights. The terms governing each engagement are set out in the engagement letter for that engagement.