ZapLah Data Deletion Policy

1. Purpose of This Policy

This Data Deletion Policy explains how ZapLah Pte. Ltd. (“ZapLah”, “we”, “our”, or “us”) handles the deletion, anonymization, and retention of personal data in accordance with:

The Singapore Personal Data Protection Act (PDPA)
PDPC Advisory Guidelines
IMDA digital services guidance
IRAS financial record-keeping requirements
MAS Technology Risk Management (TRM) Guidelines
International standards such as GDPR data minimization and erasure principles

This Policy applies to all users of the ZapLah mobile application, website, and related services (“Services”).

2. Definitions

For clarity and compliance, the following definitions apply:

“Personal Data” — Any data that identifies or can reasonably be used to identify an individual.
“Deletion” — The irreversible erasure or destruction of Personal Data so it cannot be restored or reconstructed.
“Anonymization” — The permanent removal of identifying elements so that data can no longer be linked to a specific individual.
“Retention Obligation” — A legal or regulatory requirement mandating the preservation of certain data for a defined period.
“Legal Hold” — A protective measure that suspends deletion to comply with active disputes, investigations, or statutory requirements.

3. How You Can Request Deletion

Users may request deletion through:

In-app account deletion settings
Emailing support@zaplah.com
Submitting a formal PDPA request for withdrawal of consent

ZapLah will guide users through the verification steps required before processing any deletion request.

4. Identity Verification Requirements

To prevent unauthorized deletions and meet PDPA’s Protection Obligation, ZapLah may require:

Email confirmation
SMS or device verification
A one-time identity confirmation check
Submission of supporting proof for suspicious or high-risk cases

Deletion requests will not be processed until the user’s identity is verified.

5. What Happens Immediately After a Deletion Request

Once a deletion request is validated:

Access to the account is immediately disabled
Listings, offers, and chats become unavailable
The account enters “pending deletion” status
Deletion is permanent and cannot be reversed
Users cannot log in or recover previously stored information

ZapLah may notify other involved parties where necessary to prevent transaction disruption.

6. Data That Will Be Deleted

ZapLah permanently deletes:

Profile details (name, contact information, photo)
Non-essential chat messages and attachments
User-generated content (requests, offers, uploads)
Saved searches, preferences, and app settings
Analytics identifiers and marketing cookies
General operational logs not subject to regulatory retention

All deleted data is destroyed using secure erasure methods consistent with PDPC and MAS expectations.

7. Data That Must Be Retained (Statutory & Compliance Requirements)

Certain data cannot be deleted immediately due to legal obligations. ZapLah must retain:

Financial transaction records (IRAS requirement: 5–7 years)
AML/CFT-related markers and fraud-risk flags (MAS guidelines)
Payout records and dispute evidence (mandatory for audit and reconciliation)
Cybersecurity logs (MAS TRM guidelines)
Legal correspondence or investigation materials
Historical account activity necessary for fraud prevention

These records are access-restricted and stored solely for compliance.

8. Backup & Disaster Recovery Retention

Personal data may continue to exist temporarily in encrypted backup archives. ZapLah ensures:

Backups follow strict retention windows (typically 30–90 days)
Backups are encrypted, access-controlled, and isolated
Backups are never used to reinstate deleted accounts
Backups are purged automatically on their scheduled cycle

9. Data That Will Be Anonymized

Certain datasets may be anonymized rather than deleted to support platform safety and operational intelligence:

Demand trends and usage analytics
Fraud patterns and behavioural signals
Aggregated platform performance metrics

Anonymization is irreversible and cannot identify any individual.

10. Timeline for Data Deletion

ZapLah aims to complete deletion within:

Standard deletion: Within 14 days
Full erasure/anonymization (including backups): 30–90 days
Cases under investigation, dispute, or legal hold: Timelines may be extended until obligations are fulfilled

Users will be informed where necessary.

11. Situations Where Deletion Cannot Proceed

Deletion will be paused or refused if any of the following apply:

Active disputes between users
Pending payouts, refunds, or chargebacks
Ongoing fraud or security investigations
Regulatory or court retention orders
Outstanding legal or financial obligations
Risks that deletion would undermine platform security or compliance

ZapLah will notify users where a deletion request is restricted.

12. Withdrawal of Consent

Users may withdraw consent at any time. However:

Withdrawal does not override statutory retention obligations
Certain data must still be retained for compliance
Service features dependent on deleted data may no longer function

Account deletion is treated as full withdrawal of consent.

13. Children’s Data

ZapLah does not allow users under 18. If such data is discovered:

The account will be suspended
The data will be deleted where legally permissible
Additional safeguards may be applied

14. Cross-Border Storage & Transfers

ZapLah may store or process data in overseas cloud regions. All transfers comply with PDPA’s Transfer Limitation Obligation, including:

Contractual Data Protection Addendums (DPAs)
Overseas data centre security assessments
Limited access on a strict need-to-know basis
Ongoing security controls and monitoring

15. Amendments to This Policy

ZapLah may amend this Policy to reflect regulatory changes, platform updates, or best practices. Users will be notified of material updates.

16. Contact Us

For deletion requests, PDPA inquiries, or compliance matters:

Email: support@zaplah.com

↑ Back to top