Privacy Policy

This Privacy Policy describes how Captain.Legal collects, uses, discloses, retains and protects your personal data, in accordance with Singapore's Personal Data Protection Act 2012 (the “PDPA”) and the guidelines issued by the Personal Data Protection Commission (the “PDPC”). It explains the choices available to you regarding your personal data and how you may contact us.

Captain Legal LLC, the publisher of the site, is the organisation responsible for the personal data collected through this website. In accordance with section 11 of the PDPA, we have designated a Data Protection Officer (DPO) responsible for ensuring our compliance with the PDPA. For any question, to make a request, or to contact our DPO, please use our contact form.

“Personal data” means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access. We only collect the personal data necessary for the purposes described below:

• Identification data: email address, first name, last name
• Data entered in forms: information needed to generate a document (which may relate to third parties, under your responsibility)
• Order and billing data: documents purchased, amount, date, history
• Payment data: processed directly by PayPal and Stripe; we never access your full payment card details
• Technical and connection data: IP address, access logs, pages visited, session duration

Under the PDPA, we collect, use or disclose your personal data only with your consent, or where collection, use or disclosure without consent is required or authorised by law. By providing your personal data to us and using our services, you consent to the collection, use and disclosure of your personal data for the purposes set out in this Policy.

In certain circumstances your consent may be deemed — for example, where you voluntarily provide your personal data for a transaction and it is reasonable that you would do so (deemed consent by conduct), or following notification of a purpose. You may withdraw your consent at any time by giving us reasonable notice through our contact form; we will inform you of the likely consequences of withdrawal before processing your request.

In accordance with the Purpose Limitation and Notification Obligations under the PDPA, we collect, use and disclose your personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to you:

• Processing and delivering your order, and sending your invoice
• Managing your account and the customer relationship
• Retaining invoices to meet our legal and tax obligations
• Security, fraud prevention and service improvement
• Marketing communications and non-essential cookies — with your consent, withdrawable at any time

Your personal data is never sold. It may be disclosed to service providers acting as data intermediaries on our behalf and bound by confidentiality and data-protection obligations: PayPal and Stripe (payments), OVH SAS (hosting), an email delivery provider, technical and analytics providers. Personal data may also be disclosed where required or authorised under the PDPA or any other written law, or at the request of a competent authority.

Where we transfer personal data outside Singapore, we comply with the Transfer Limitation Obligation under the PDPA. We take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA — for example through contractual clauses with our service providers. Hosting is carried out within the European Union by OVH SAS.

In accordance with the Retention Limitation Obligation, we cease to retain personal data, or remove the means by which it can be associated with you, as soon as it is reasonable to assume that the purpose for which it was collected is no longer served and retention is no longer necessary for legal or business purposes:

• Account data: up to 3 years after the last activity
• Order and billing data: 10 years (legal obligation)
• Data entered in forms: for the time of the service, unless linked to an order
• Marketing data: 3 years from the last contact
• Connection data: 12 months

After these periods, personal data is deleted or anonymised.

In accordance with the Protection Obligation, we implement reasonable security arrangements (HTTPS/TLS encryption, access control, secure hosting, PCI-DSS compliant payment providers) to protect your personal data from unauthorised access, collection, use, disclosure, copying, modification or disposal. In the event of a notifiable data breach, we will notify the PDPC and affected individuals as required under the PDPA's Data Breach Notification Obligation.

Under the PDPA you have the right to request access to the personal data we hold about you and information about the ways it has been or may have been used or disclosed within the preceding year, and the right to request correction of any error or omission in your personal data.

To exercise these rights, submit a request through our contact form. We will respond as soon as reasonably possible. A reasonable fee may apply to access requests, of which we will inform you in advance; correction requests are free of charge.

The PDPA's Do Not Call provisions allow individuals with a Singapore telephone number to register that number with the national Do Not Call Registry to opt out of marketing messages (voice calls, text and fax). We will check the DNC Registry before sending any specified marketing message to a Singapore telephone number, unless we have your clear and unambiguous consent in writing. You may also opt out of our marketing communications at any time through our contact form.

Our site uses cookies whose nature, purpose and duration are detailed in our Cookie Policy. Non-essential cookies are only set after obtaining your consent, which you may withdraw at any time.

The site is not intended for children. We do not knowingly collect the personal data of minors without the consent of a parent or guardian. Where consent is required from a minor, we rely on the consent of the individual with parental responsibility, consistent with PDPC guidance.

This policy may be modified at any time; the date of the latest update is shown at the top of the document. For any question, to contact our Data Protection Officer, or to make a complaint, please use our contact form. You may also lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.