Chainup-logo
Request a Demo

Privacy Policy

Privacy Policy for ChainUp Pte. Ltd.
Updated: 21 April 2026

1. Introduction

ChainUp Pte. Ltd. (“ChainUp”, “we”, “us” or “our”) i a private company limited by shares incorporated in Singapore (UEN 201903588G) and whose registered office address is 3 Temasek Avenue, #22-01 Centennial Tower Singapore 039190. We provide technology services to users globally and may process personal data across multiple jurisdictions.
We are committed to processing personal data in a lawful, fair and transparent manner, taking into account applicable data protection laws depending on the location of the individual and the nature of the services provided.
This Privacy Policy explains how we collect, use, disclose and safeguard personal data in accordance with:

    • the Personal Data Protection Act 2012 (Singapore) (“PDPA”) as our primary framework;
    • the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”), where applicable; and
    • applicable internal control and record-keeping requirements, in relation to financial reporting integrity where relevant.

This Policy applies to personal data collected through our platforms, products, services and websites globally.

2. Our Role

Depending on the nature of the services provided, ChainUp may act as:

    • a data controller, where we determine the purposes and means of processing;
    • a data processor, where we process personal data on behalf of our clients; or
    • a hybrid role, where both apply.

Where we act as a processor, we process personal data strictly in accordance with our client’s documented instructions and applicable law.

3. Categories of Personal Data

We may collect and process the following categories of personal data (to the extent relevant and permitted by law):

    • Identity Data: name, date of birth, nationality, government-issued identifiers (for KYC/AML purposes)
    • Contact Data: email address, phone number, residential or business address
    • Technical Data: IP address, device identifiers, browser type, system logs and usage data
    • Financial / Transaction Data: wallet addresses, transaction records, blockchain interaction data, fiat or digital asset payment details
    • Compliance Data: information required for sanctions screening, AML/CFT checks and regulatory reporting

We do not knowingly collect excessive or irrelevant personal data. We do not intentionally collect personal data from minors.

4. Legal Bases for Processing

We process personal data in accordance with applicable laws, which may vary depending on your location.

PDPA
We rely on:

    • consent (including deemed consent where applicable);
    • contractual necessity; and
    • statutory exceptions (e.g. legal obligation, fraud prevention, investigations, business operations).

GDPR – where applicable
We rely on:

    • performance of a contract;
    • compliance with legal obligations;
    • legitimate interests (e.g. platform security, fraud prevention), subject to balancing tests; and
    • consent, where required (e.g. marketing).

Where applicable, personal data forming part of financial records is processed to support:

    • accurate books and records;
    • internal controls over financial reporting; and
    • auditability, traceability and integrity of financial information.

5. Purposes of Processing

We process personal data only for legitimate and specific purposes, including:

    • Service Provision – onboarding, account management and delivery of platform services
    • Regulatory Compliance – KYC/AML, sanctions screening and regulatory reporting
    • Security and Risk Management – fraud detection, abuse prevention and system integrity
    • Business Operations – analytics, troubleshooting and service improvement
    • Financial Reporting and Audit – maintaining accurate records and supporting audit and compliance processes

Personal data collected for regulatory purposes (e.g. KYC/AML) is used strictly for compliance and risk management and is not used for unrelated commercial profiling.

Failure to provide required personal data (e.g. for KYC) may result in our inability to provide services.

6. Disclosure of Personal Data

We do not sell personal data.

We may disclose personal data on a need-to-know basis to:

    • Service Providers / Data Processors
      (e.g. cloud hosting, KYC providers), subject to contractual obligations, audit rights, and appropriate security controls
    • Affiliates and Group Entities
      for operational, compliance or risk management purposes
    • Regulators, Law Enforcement or Government Authorities
      where required by law or lawful request
    • Professional Advisors and Auditors
      including for legal, regulatory and audit purposes

We may disclose personal data across jurisdictions where necessary, subject to applicable safeguards.

7. Cross-Border Transfers

Given the global nature of our services, personal data may be transferred, stored or processed outside your country of residence.

Where such transfers occur, we implement appropriate safeguards, including:

    • Standard Contractual Clauses (SCCs) or equivalent mechanisms
    • contractual obligations ensuring a comparable standard of protection
    • internal policies governing secure cross-border data handling

You may contact us for further information on such safeguards.

8. Blockchain and Transparency Risks

Where our services involve blockchain or distributed ledger technology, certain transaction data (which may include wallet addresses or other identifiers) may be recorded on public or permissioned ledgers. Such records are typically immutable and may not be capable of deletion, modification, or restriction once recorded.

As a result, while we will take reasonable steps to facilitate the exercise of your data protection rights in accordance with applicable laws, certain rights (including the right to erasure, rectification, or restriction of processing) may be limited or not fully exercisable in respect of data recorded on-chain.

You acknowledge and accept these technical limitations when using our services.

9. Data Security and Integrity

We implement appropriate technical and organisational measures, including:

    • encryption in transit and at rest
    • role-based access controls and least-privilege principles
    • monitoring, logging and incident response procedures

For financial and transaction-related data, we maintain:

    • audit trails of access and changes;
    • controls supporting data integrity and traceability; and
    • segregation of duties in financial systems

While we take reasonable steps, no system can be guaranteed to be completely secure.

10. Data Retention

We retain personal data only for as long as necessary for the purposes outlined or as required by law.

Typical retention periods include:

    • KYC/AML data: 5–7 years after account closure
    • Financial and audit records: up to 7 years (or longer where required)
    • Technical logs: up to 2 years, unless required for investigations

We may retain data longer where necessary for legal claims, dispute resolution or regulatory obligations.

11. Your Rights

Your rights depend on applicable laws in your jurisdiction.

Under PDPA (Singapore)

    • access to personal data
    • correction of inaccurate data
    • withdrawal of consent (subject to legal limitations)

 

Under GDPR (where applicable)

    • access, rectification and erasure
    • restriction of processing
    • data portability
    • objection to processing based on legitimate interests
    • rights relating to automated decision-making (where applicable)

Certain rights may be limited where data must be retained for legal, regulatory or audit purposes, or where technically infeasible (e.g. blockchain records).

12. Automated Processing

We may use automated tools for purposes such as fraud detection, transaction monitoring or compliance screening.

These are not intended to produce solely automated decisions with legal or similarly significant effects without human review.

13. Data Breach Notification

In the event of a data breach, we will assess the impact and notify regulators and affected individuals where required under applicable laws.

14. Contact and Data Protection Officer

If you have questions or wish to exercise your rights, please contact:

Data Protection Officer (DPO)
ChainUp Pte. Ltd.
Email: [email protected]
Address: 3 Temasek Avenue, #22-01 Centennial Tower Singapore 039190

15. Updates to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified where required by law.

16. Important Notice

This Privacy Policy is for general information only and does not create contractual rights beyond those required by applicable law.

Ooi Sang Kuang

Chairman, Non-Executive Director

Mr. Ooi is the former Chairman of the Board of Directors of OCBC Bank, Singapore. He served as a Special Advisor in Bank Negara Malaysia and, prior to that, was the Deputy Governor and a Member of the Board of Directors.

ChainUp: Leading Provider of Digital Asset Exchange & Custody Solutions
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.