Skip to main content
← Back

Privacy Policy

Last updated: 11 May 2026 (v2.0)

1. Who We Are

dSoulK is a product of GemXcal Holdings Pte. Ltd. (UEN: 202608346C), registered in Singapore. We are committed to protecting your personal data in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Data We Collect

  • Account information: Email address, display name, and authentication provider (Google or email/password).
  • Birth details: Date of birth, time of birth (optional), and city of birth — used solely for energy calculation.
  • Usage data: Reports generated, Keys balance, and transaction history.
  • Technical data: IP address (anonymised), browser type, and page interaction data collected via Plausible Analytics (cookie-free, no personal data retained).

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract: Processing necessary to provide the dSoulK service you have signed up for (account creation, report generation, Keys management).
  • Consent: Where you have given explicit consent, such as for optional birth time input or marketing communications.
  • Legitimate interests: Service improvement, security monitoring, and fraud prevention, where these do not override your rights.
  • Legal obligation: Compliance with applicable laws and regulations in Singapore and other jurisdictions.

4. How We Use Your Data

  • To generate your personalised Energy Blueprint reports.
  • To manage your account and Keys balance.
  • To process payments via Stripe (we do not store card details).
  • To improve our service and calculation accuracy.
  • To comply with legal obligations and resolve disputes.

5. Cookies & Tracking

We use essential session cookies solely to maintain your authenticated session. We do not use advertising, profiling, or third-party tracking cookies. Our analytics provider (Plausible) is cookie-free and collects no personal data. A notice is shown on your first visit to confirm this.

6. Data Storage & Security

Your data is stored securely on Supabase infrastructure in the Singapore region. We use row-level security policies to ensure you can only access your own data. All connections are encrypted via HTTPS/TLS.

7. Third-Party Services

  • Supabase: Authentication and database hosting (Singapore region).
  • Stripe: Payment processing. Subject to Stripe's Privacy Policy. Stripe is certified under EU Standard Contractual Clauses.
  • Google OAuth: Optional sign-in provider. Subject to Google's Privacy Policy.
  • DigitalOcean: Website and application hosting (Singapore region).
  • Plausible Analytics: Privacy-friendly, cookie-free website analytics. No personal data is collected. Subject to Plausible's Data Policy.

8. International Data Transfers

Your data is primarily stored in Singapore. Where our third-party processors transfer data outside Singapore or the EEA, they do so under appropriate safeguards (Standard Contractual Clauses or equivalent mechanisms) in compliance with GDPR Chapter V and Singapore PDPA transfer obligations.

9. Your Rights (Singapore PDPA)

Under the PDPA, you have the right to:

  • Access your personal data held by us.
  • Request correction of inaccurate data.
  • Withdraw consent for data processing.
  • Request deletion of your account and all associated data.

10. Your Rights (EU/EEA — GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the GDPR:

  • Right of access (Art. 15): Obtain a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
  • Right to restriction (Art. 18): Restrict how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior lawful processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local EU data protection supervisory authority.

To exercise any GDPR right, contact us at dpo@gemxcal.com. We will respond within 30 days.

11. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data including birth details, reports, and transaction history will be permanently removed within 30 days.

12. Contact & Data Protection Officer

For all privacy-related enquiries, including data subject rights requests under PDPA or GDPR, contact our Data Protection Officer:

dpo@gemxcal.com

GemXcal Holdings Pte. Ltd., Singapore (UEN: 202608346C)