Global Privacy Policy & Data Processing Notice
Last Updated: February 15, 2026
Introduction
XpandEast ("We," "Our," "The Firm") is committed to the highest standards of data protection and corporate confidentiality. This Global Privacy Policy details how we collect, use, transfer, and protect personal and corporate data across our geopolitical market access, pipeline generation, and physical operational services.
Depending on the context of our engagement, XpandEast may act as a Data Controller (when you visit our website or engage us directly) or a Data Processor (when we execute localized outbound pipelines and process target account data on behalf of your organization).
1. The Information We Collect
In the execution of our B2B services, XpandEast collects and processes specific categories of personal data. We do not collect consumer data. We exclusively process professional and business-related data ("Business Contact Information").
Information You Provide Directly
When you submit a market inquiry, register for a strategic briefing, or execute a Master Services Agreement, we collect your name, corporate email, professional title, company details, and operational requirements.
Data Processed on Behalf of Clients
When acting as a Data Processor, we may process business contact information, CRM data, and professional profiles provided by our clients to execute localized Go-To-Market pipelines.
Market Intelligence & Signal Mining
In the course of our business activities, we lawfully acquire data from third-party intelligence vendors, public corporate registries, and professional networking platforms. This includes professional history, regional association memberships, and publicly available corporate footprint data used to generate market signals.
2. Purpose and Legal Basis for Processing
We process personal data only when we have a valid legal basis to do so, strictly aligned with regional data protection frameworks. Our purposes include:
Execution of Contracts
To deliver the services outlined in your Master Services Agreement, including securing commercial real estate, facilitating local vendor procurement, and deploying regional representatives.
Legitimate Business Interests
To analyze regional market trends, conduct B2B signal mining, and protect our IT infrastructure against cyber threats. Where relied upon, we ensure our legitimate interests do not override your fundamental privacy rights.
Consent
Where mandated by specific regional laws (such as in Malaysia and Saudi Arabia), we obtain your explicit consent prior to processing your personal data for direct marketing or specialized cross-border transfers.
3. Cross-Border Data Transfers
XpandEast operates interconnected regional hubs in Singapore, Malaysia, Indonesia, and Saudi Arabia. To execute our cross-border mandates, your data may be transferred to and processed in jurisdictions outside of your home country.
When transferring data internationally, XpandEast ensures compliance by utilizing legally approved transfer mechanisms, such as Standard Contractual Clauses (SCCs), binding corporate rules, or explicit data subject consent, ensuring the receiving jurisdiction offers a comparable level of data protection.
4. Regional Privacy Law Compliance
XpandEast strictly adheres to the statutory requirements of the jurisdictions in which we maintain physical operations and execute client mandates:
A. Singapore (PDPA)
- For data processed within or transferred from Singapore, we comply with the Personal Data Protection Act 2012 (PDPA), including the 2020 Amendments.
- We rely on legitimate interests, business improvement exceptions, and consent to process data.
- We maintain a strict data breach management framework. In the event of a notifiable data breach likely to result in significant harm, we will notify the Personal Data Protection Commission (PDPC) no later than three (3) calendar days after the assessment, and notify affected individuals as legally required.
B. Indonesia (PDP Law)
- For operations in Indonesia, we comply with the Personal Data Protection Law (Law No. 27 of 2022).
- We recognize and adhere to our distinct statutory obligations whether acting as a Data Controller or Data Processor.
- In the event of a qualifying data incident, we are committed to notifying the Ministry of Communications and Information (MOCI) and affected data subjects within the mandated 14-day statutory timeframe.
- We enforce strict vendor assessments before initiating international data transfers to ensure compliance with Indonesian cross-border data transfer standards.
C. Malaysia (PDPA)
- For commercial transactions in Malaysia, we comply with the Personal Data Protection Act 2010 (PDPA).
- We process personal data exclusively for lawful commercial purposes and ensure explicit consent is obtained prior to the collection or processing of data, as required by the Act.
- We implement robust technical and organizational security standards to protect personal data from unauthorized access, accidental loss, or unauthorized disclosure.
D. Saudi Arabia (PDPL)
- For market access operations within the Kingdom of Saudi Arabia, we strictly adhere to the Personal Data Protection Law (PDPL).
- We obtain explicit consent for the processing of personal data unless an alternative statutory basis applies.
- We adhere to strict data localization mandates. International transfers of Saudi residents' data are conducted only upon obtaining the necessary approvals from the competent regulatory authorities.
- We do not systematically collect or process "specific personal data" (sensitive data) as defined by the PDPL, unless strictly necessary for the execution of authorized operational logistics (e.g., executive relocation) and only with explicit consent.
5. Data Security and Retention
XpandEast employs enterprise-grade technical, administrative, and physical security measures to protect corporate and personal data. We mandate encryption for data at rest and data in transit, strictly limit access to personal data to authorized practitioners, and enforce continuous security training for all local representatives.
We retain personal data only for as long as necessary to fulfill the operational purposes outlined in this Policy, or as required to satisfy legal, accounting, or regulatory obligations.
6. B2B Client Obligations (When XpandEast is the Processor)
When XpandEast executes Go-To-Market pipelines and acts as a Data Processor, the Client (the Data Controller) warrants that all databases, contact lists, and target account data provided to XpandEast have been lawfully acquired. The Client retains absolute responsibility for ensuring they possess the legal right, including required consents or legitimate interests, to share such data with XpandEast for localized outreach.
7. Your Data Subject Rights
Depending on your jurisdiction, you possess specific legal rights regarding your personal data. These generally include:
- The Right to Access: You may request a copy of the personal data we hold about you.
- The Right to Rectification: You may request that we correct any inaccurate or incomplete data.
- The Right to Erasure / Deletion: You may request the deletion of your personal data, subject to our legal retention requirements.
- The Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
- The Right to Data Portability: You may request the transfer of your data to another entity in a structured, commonly used format.
To exercise these rights, please contact our Data Protection Officer using the details below. We verify the identity of all requestors before fulfilling data subject requests to ensure absolute corporate security.
8. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in regional laws, our operational hubs, or our data practices. We will post any updates to this page and revise the "Last Updated" date at the top of the policy.
9. Contact Our Data Protection Officer
XpandEast has appointed a Data Protection Officer (DPO) to oversee our global compliance with regional data privacy laws. If you have any questions about this Privacy Policy, our data handling practices, or wish to exercise your data subject rights, please contact our DPO at: