Data Protection Policy

Effective date: 16 February 2026

Last updated: 16 February 2026

1. Purpose

This Data Protection Policy outlines TCG.SG's internal procedures for handling, protecting, and managing personal data in compliance with the Personal Data Protection Act 2012 ("PDPA") of Singapore. It establishes the framework and guidelines that govern how TCG.SG collects, uses, discloses, and safeguards personal data entrusted to us.

2. Scope

This policy applies to all personal data collected, used, disclosed, or stored by TCG.SG, including but not limited to data from:

  • Users of the TCG.SG platform
  • Business partners and affiliates
  • Third-party service providers

All individuals who interact with TCG.SG's services are covered under this policy, regardless of the medium through which their personal data is collected.

3. Definitions

  • Personal Data — Data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
  • Data Subject — An individual whose personal data is collected, used, or disclosed by TCG.SG.
  • Data Processing — Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, or destruction.
  • Data Controller — TCG.SG, as the entity that determines the purposes and means of processing personal data.
  • Data Breach — Any unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar action involving personal data.
  • DPO (Data Protection Officer) — The individual appointed by TCG.SG to oversee compliance with the PDPA and manage all data protection matters.

4. Data Protection Officer (DPO)

TCG.SG has appointed a Data Protection Officer (DPO) who is responsible for overseeing and ensuring the organisation's compliance with the PDPA.

Data Protection Officer
Email: dpo (at) tcg dot sg

DPO Responsibilities

  • Ensuring TCG.SG's compliance with the PDPA and related regulations
  • Handling and responding to data access and correction requests from data subjects
  • Managing data breach response procedures, including notifications and investigations
  • Conducting data protection impact assessments for new projects, features, or data processing activities
  • Serving as the primary point of contact for data protection inquiries and complaints

5. Data Collection Principles

TCG.SG adheres to the following principles when collecting personal data:

  • Consent — We obtain consent from individuals before collecting, using, or disclosing their personal data. Consent is obtained through clear and affirmative actions, such as account registration or acceptance of our Privacy Policy.
  • Purpose Limitation — Personal data is collected only for purposes that are clearly stated and communicated to the individual. Data is not used for purposes beyond what was originally specified without obtaining further consent.
  • Notification — Individuals are informed of what personal data is being collected, the purposes for which it will be used, and to whom it may be disclosed. This is communicated through our Privacy Policy and relevant notices.
  • Minimization — We collect only the personal data that is necessary and relevant for the stated purposes. Excessive or unnecessary data collection is avoided.

6. Data Protection Measures

6.1 Technical Measures

  • Encryption (TLS/HTTPS) — All data transmitted between users' browsers and our servers is encrypted using HTTPS/TLS protocols to prevent interception.
  • Password Hashing (bcrypt) — User passwords are securely hashed using bcrypt. Plaintext passwords are never stored or accessible.
  • Secure Session Management — Sessions are managed using secure, HTTP-only cookies with appropriate expiry settings to prevent session hijacking.
  • CSRF Protection — Cross-Site Request Forgery (CSRF) tokens are implemented across all forms and state-changing requests to prevent unauthorised actions.
  • Rate Limiting — Rate limiting mechanisms are in place to prevent brute-force attacks, abuse, and denial-of-service attempts.
  • Cloudflare Security — Cloudflare is used for DDoS protection, Web Application Firewall (WAF), bot mitigation (Turnstile), and DNS security.

6.2 Organisational Measures

  • Access Control — Role-based access permissions are enforced to ensure that personal data is accessible only to authorised personnel who require it for their duties.
  • Staff Awareness — All personnel with access to personal data are made aware of their data protection responsibilities and the importance of safeguarding personal data.
  • Regular Reviews — Security practices, access controls, and data protection measures are reviewed periodically to identify and address potential vulnerabilities.

7. Data Access & Correction Requests

Under the PDPA, individuals have the right to request access to and correction of their personal data held by TCG.SG.

  • Requests must be submitted in writing to the DPO at dpo (at) tcg dot sg.
  • TCG.SG will respond to all access and correction requests within 30 business days of receipt.
  • Verification of the requester's identity is required before any personal data is disclosed or corrected.
  • Reasonable fees may apply for access requests, as permitted under the PDPA, to cover the cost of providing access to the requested data.

If you wish to access or correct your personal data, please contact our Data Protection Officer at dpo (at) tcg dot sg with your request and proof of identity.

8. Data Breach Management

TCG.SG has established procedures for managing and responding to data breaches in accordance with the PDPA's Mandatory Data Breach Notification requirements.

Notification Procedures

  • Assess breach severity — Upon discovery of a data breach, the DPO will immediately assess the nature, scope, and severity of the breach.
  • Notify affected individuals — If the breach is likely to result in significant harm to affected individuals, TCG.SG will notify them as soon as practicable.
  • Notify PDPC — For notifiable data breaches, TCG.SG will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessing that the breach is notifiable.
  • Document all breaches — All data breaches, regardless of severity, are documented in an internal breach register, including details of the breach, its impact, and remedial actions taken.

9. Data Retention & Disposal

TCG.SG retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

  • Active accounts — Personal data is retained for as long as the user's account remains active on the platform.
  • Deleted accounts — Upon account deletion, personal data is removed from our systems within 90 days, except where retention is required by law.
  • Transaction records — Transaction and financial records are retained for a minimum of 7 years in accordance with Singapore regulatory requirements (including the Income Tax Act and Companies Act).
  • Secure disposal — When personal data is no longer required, it is securely disposed of by wiping data from all systems and backups to prevent unauthorised access or recovery.

10. Third-Party Data Processors

TCG.SG engages third-party service providers to support platform operations. All third-party processors are assessed for PDPA compliance before engagement.

  • Brevo (formerly Sendinblue) — Transactional and notification email delivery
  • OpenAI — AI-powered card scanning, identification, grading analysis, and content moderation
  • PayPal — Payment processing services
  • Cloudflare — Security, DDoS protection, and bot prevention (Turnstile)

Data processing agreements are in place with all third-party processors to ensure that personal data is handled in accordance with the PDPA. TCG.SG regularly reviews the security practices of its third-party service providers.

11. Cross-Border Data Transfers

In the course of providing our services, personal data may be transferred to and processed in countries outside of Singapore. TCG.SG ensures that adequate protection is in place for all cross-border data transfers in compliance with the PDPA's Transfer Limitation Obligation.

Countries and regions where data may be transferred include:

  • United States — OpenAI, PayPal, Cloudflare
  • France — Brevo (formerly Sendinblue)

Appropriate safeguards, including contractual protections, are in place to ensure that transferred data receives a standard of protection comparable to that under Singapore law.

12. Complaint Handling

TCG.SG takes all complaints regarding data handling seriously and has established procedures for addressing them.

  • Users may lodge complaints about data handling practices by contacting the DPO at dpo (at) tcg dot sg.
  • All complaints will be investigated internally, and a response will be provided within 30 business days.
  • If you are unsatisfied with the outcome of our investigation, you may escalate your complaint to the Personal Data Protection Commission (PDPC).

Personal Data Protection Commission (PDPC)
Website: www.pdpc.gov.sg

13. Policy Review

This Data Protection Policy is reviewed annually and updated as needed to reflect changes in our data handling practices, regulatory requirements, or operational procedures. Any material changes will be communicated through updates to this page.

14. Contact

If you have any questions about this Data Protection Policy or wish to exercise your data protection rights, please contact:

Data Protection Officer
TCG.SG
Email: dpo (at) tcg dot sg

General Inquiries
Email: info (at) tcg dot sg

Support
Email: info (at) tcg dot sg
© 2026 TCG.SG — Made with ❤️ in Singapore
