Last updated: May 10, 2026
NKKTech Global Pte. Ltd. (UEN 202445701K, registered office at 18 Sin Ming Lane, #07-13, Midview City, Singapore), together with its Vietnam operating entity Nokasoft Vietnam Co., Ltd., is the joint data controller responsible for personal information collected through this website and related services. We are committed to protecting your privacy and handling your data with transparency under EU GDPR, Singapore PDPA (Act 26 of 2012), Japan APPI, and Vietnam Decree 13/2023/ND-CP.
We collect personal information that you voluntarily provide through our contact form, newsletter sign-up, capability-deck download, AI assessment, and Calendly booking — including your name, work email, company, country, project type, budget range, timeline, and free-text project description. We also collect technical data automatically (with your consent where required): IP address, user-agent, referrer, pages visited, and standard server logs. We do not knowingly collect special categories of data (health, biometrics, political opinions, etc.).
We use the information we collect to: respond to your inquiries and service requests (legal basis: contract / pre-contract steps under GDPR Art. 6(1)(b)); send newsletter updates and relevant content (legal basis: explicit consent under Art. 6(1)(a), withdrawable at any time); communicate about active projects (Art. 6(1)(b)); maintain security, prevent fraud, and improve our website (legitimate interest, Art. 6(1)(f)); and comply with legal obligations such as tax and accounting records (Art. 6(1)(c)). We never use your data for automated decision-making or profiling that produces legal effects.
We do not sell, trade, or rent your personal information. We share information only with the processors listed in Section 5 strictly to deliver the services you have requested. All processors are bound by Data Processing Agreements (DPAs) and, where data leaves the EEA / UK, by Standard Contractual Clauses (SCCs) approved under GDPR Art. 46 (or equivalent transfer mechanisms under PDPA s.26 and Vietnam Decree 13/2023). We may also disclose data when compelled by valid legal process (court order, lawful subpoena).
We rely on the following processors to operate this website and respond to your inquiries:
(a) DigitalOcean LLC — primary hosting, droplet located in Singapore region (data may transit Hanoi edge);
(b) Cloudflare, Inc. — DNS, CDN, WAF, bot mitigation, email obfuscation (US/EU points of presence);
(c) Resend (Drift.com, Inc.) — transactional email delivery for contact-form notifications (US);
(d) Calendly LLC — discovery-call scheduling embed (US);
(e) Meta Platforms, Inc. — Facebook Pixel for advertising attribution, loaded only after your marketing-consent opt-in (US/EU);
(f) Google LLC — Google Analytics 4 and Microsoft Clarity (Microsoft Corporation) for website analytics, loaded only after your analytics-consent opt-in (US/EU);
(g) Sanity.io (Sanity AS) — headless CMS storing public marketing content only, no visitor data (US/EU);
(h) Anthropic PBC — workflow automation for internal lead triage (US);
(i) Notion Labs, Inc. — internal lead-board CRM and team knowledge base (US);
(j) Slack Technologies, LLC (Salesforce, Inc.) — internal team notifications for inbound inquiries and ops alerts (US);
(k) Apollo.io (ZenProspect, Inc.) — outbound B2B prospecting for cold-outreach campaigns (US);
(l) Instantly.ai — cold-email sending infrastructure for outbound campaigns (US);
(m) HubSpot, Inc. — CRM synchronization for inbound leads (US/EU).
Each processor has its own privacy policy; we recommend reviewing them. International transfers are protected by SCCs (EU/UK), the EU–US Data Privacy Framework where applicable, and equivalent ASEAN contractual safeguards. We will publish updates to this list when new sub-processors are onboarded.
We retain personal data only as long as necessary for the purpose collected: contact-form submissions and lead data — 24 months from last interaction, then deleted or anonymized; newsletter subscriber data — until you unsubscribe, plus 30 days for suppression-list compliance; analytics cookies (Google Analytics 4) — 14 months by default; Microsoft Clarity session recordings — 13 months; server access logs — 90 days; backup volumes — 14 days rolling. Records required for tax or accounting purposes are kept for 10 years per Vietnamese law and applicable jurisdictions.
Under GDPR / UK GDPR, PDPA, APPI, and Decree 13/2023, you have the right to: (a) access the personal data we hold about you; (b) rectify inaccurate data; (c) request erasure ("right to be forgotten"); (d) restrict or object to processing; (e) data portability in a structured, machine-readable format; (f) withdraw any consent at any time without affecting the lawfulness of prior processing; and (g) lodge a complaint with your supervisory authority (e.g., your national EU DPA, the UK ICO, Singapore PDPC, Japan PPC, or Vietnam MPS Cybersecurity Department). To exercise any right, email [email protected] — we will respond within 30 days (GDPR/PDPA) or any shorter statutory deadline. Identity verification may be required to prevent unauthorized disclosure.
We use three categories of cookies: (1) Strictly necessary — required for site security, session integrity, and consent storage; cannot be disabled. (2) Analytics — Google Analytics 4 and Microsoft Clarity, used to measure site usage and improve UX; loaded only after you accept the "Analytics" category in our consent banner. (3) Marketing — Meta (Facebook) Pixel, used for ad attribution and remarketing audiences; loaded only after you accept the "Marketing" category. You can change or withdraw your choices at any time by clicking "Cookie preferences" in the site footer or by clearing the `nkktech_consent` entry in your browser's local storage. Browser-level Do-Not-Track and Global Privacy Control (GPC) signals are honored as a withdrawal of analytics and marketing consent.
We protect data in transit with TLS 1.2+ (HSTS preload-eligible) and at rest with industry-standard encryption on managed cloud volumes. Production secrets are stored as environment variables on a hardened VPS with 0600 file permissions, restricted to the root user, and never committed to version control. Access to production systems is limited to designated administrators and protected by SSH key authentication and fail2ban. We perform daily backups with 14-day retention. Despite our safeguards, no method of electronic transmission or storage is 100% secure; in the event of a notifiable personal-data breach we will inform affected users and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34 (and equivalent PDPA / APPI / Decree 13 timelines).
We may update this Privacy Policy to reflect changes in our practices or applicable laws; the "Last updated" date above will always reflect the current version. For privacy questions, data-subject requests, or to exercise any right described above — as well as general inquiries — please contact us at [email protected]; the inbox is monitored by the team and routed to the responsible owner. Postal mail (Singapore registered office): NKKTech Global Pte. Ltd., 18 Sin Ming Lane, #07-13, Midview City, Singapore 573960.