Privacy Policy
Last updated: 10 May 2026
This Privacy Policy explains how Keslio collects, uses, and safeguards personal data when you visit www.keslio.com (the “Website”). It is written to comply with the EU General Data Protection Regulation (“GDPR”) and applies regardless of where you are located.
1. Who controls your data
The data controller is:
Keslio Pte. Ltd. (“Keslio”, “we”, “us”, “our”)
68 Circular Road, #02-01
Singapore (049422)
Email: hello@keslio.com
We have not appointed a Data Protection Officer. All privacy enquiries should be directed to hello@keslio.com.
2. What data we collect
| Category | Examples | When |
|---|---|---|
| Identification | First name, last name, email, company | When you submit a contact form |
| Communication | Message content | When you submit a contact form |
| Technical | IP address, browser type, device info, language preference | Automatically on every visit |
| Behavioural (consent only) | Page interactions, session recordings, aggregate analytics | Only after you grant analytics consent in our cookie banner |
We do not knowingly collect data from children under 16. We do not purchase personal data from data brokers.
3. Why we process your data and the legal basis
| Purpose | Data used | Legal basis (GDPR Art 6(1)) |
|---|---|---|
| Respond to your enquiry | Identification, communication | Consent (a) and pre-contractual measures (b) |
| Operate and secure the Website | Technical | Legitimate interest (f) |
| Measure site performance and improve content | Behavioural | Consent (a) |
| Comply with legal obligations (tax, accounting, regulatory) | Identification, communication | Legal obligation (c) |
You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. Who receives your data
We share data only with vetted service providers (processors) bound by data-protection agreements:
| Processor | Role | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Website hosting and edge delivery | United States | EU-US Data Privacy Framework + EU SCCs |
| Supabase, Inc. | Database (us-west-2 / Oregon) — stores contact submissions and content | United States | EU SCCs (Module 2, controller-to-processor) |
| Google LLC (Google Analytics 4) | Aggregate analytics — only after consent | EU / United States | EU-US DPF + EU SCCs |
| Microsoft Corporation (Clarity) | Behavioural analytics and session recording — only after consent | United States | EU-US DPF + EU SCCs |
We do not sell or rent your personal data. We disclose it to authorities only when legally compelled, and only after evaluating the lawfulness of the request.
5. International transfers
Several processors are located in the United States. We rely on the EU-US Data Privacy Framework (where the processor is certified) and on the European Commission’s Standard Contractual Clauses (Decision 2021/914) to provide an essentially equivalent level of protection to the GDPR. We have considered the impact of US surveillance laws (FISA 702, EO 12333) and concluded that the contractual safeguards combined with technical measures (encryption in transit, encryption at rest, access controls) are adequate for our processing volumes and data sensitivity.
6. How long we retain your data
| Data | Retention |
|---|---|
| Contact form submissions | 24 months from your last interaction |
| Analytics events (Google Analytics 4) | 14 months (Google Analytics default) |
| Behavioural recordings (Microsoft Clarity) | 12 months (Clarity default) |
| Cookie consent record | 6 months |
| Server access logs | 30 days |
We delete or fully anonymise data once retention expires, unless a longer period is required by law (e.g. tax records).
7. Your rights
Under GDPR Articles 15–22 you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erasure (“right to be forgotten”)
- Restrict processing
- Object to processing based on legitimate interest
- Portability — receive your data in machine-readable form
- Withdraw consent at any time
- Not be subject to solely automated decisions with legal effect (we do not engage in such decisions)
To exercise any right, email hello@keslio.com. We will respond within one month per Art 12(3). Identity verification may be required to protect your data from unauthorised access.
8. Right to lodge a complaint
If you believe we have mishandled your data, you have the right to lodge a complaint with a supervisory authority:
- EU / EEA residents: your national data protection authority. The European Data Protection Board maintains a list at edpb.europa.eu/about-edpb/about-edpb/members_en
- Singapore residents: the Personal Data Protection Commission (PDPC) at pdpc.gov.sg
- Other jurisdictions: your local data-protection authority
This right exists independently of any other legal remedy.
9. Cookies
We use cookies as described in our Cookie Notice. Non-essential cookies (analytics, behavioural) are loaded only after you grant consent in the banner shown on your first visit. You can change your choice at any time via the “Cookie preferences” link in our footer.
10. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be flagged in our footer for at least 30 days.
11. Contact
For any privacy question or to exercise your data-protection rights:
Email: hello@keslio.com
Postal: Keslio Pte. Ltd., 68 Circular Road, #02-01, Singapore (049422)