Privacy Policy
Last updated: 14 April 2026
Ziarah.sg ("we", "us", "the service") is operated by Kanze Pte Ltd, a private limited company registered in Singapore. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Singapore Personal Data Protection Act 2012 ("PDPA").
1. What we collect
Publicly displayed data
When a grave record is submitted and approved, we publish:
- The deceased person's full name (English and Malay where provided)
- Date of death (Gregorian and Hijri)
- Plot number, cemetery, and section
- An optional photograph of the grave marker
- Optional notes from the submitter
Information about a deceased person is not "personal data" under the PDPA (which applies only to living individuals). We nevertheless treat it with care; see our takedown policy for removal.
Submitter data (not displayed publicly)
When you submit or flag a grave record, we collect:
- Your email address
- Your phone number
- Your IP address at the time of submission
- A timestamp
This data is stored for moderation, communication about your submission, and abuse prevention. It is never shown on public pages and never shared with third parties for marketing.
Technical data
Standard server access logs (IP, user agent, URL, timestamp) are retained for 30 days for security and debugging.
2. Why we collect it
Under PDPA, we collect data only for purposes a reasonable person would consider appropriate: to display the grave directory, to contact you about your submission, to send approval notifications if you opt in, to prevent spam and abuse, and to investigate security incidents.
3. Consent
By submitting a grave record, flagging an issue, or uploading a photograph, you consent to the collection and use of your data for the purposes above. You may withdraw consent at any time (see Section 7).
4. How long we keep it
- Approved public records: indefinite, until takedown request.
- Pending submissions: reviewed weekly; kept until approved or rejected.
- Rejected submissions: 90 days, then permanently deleted.
- Submitter PII for approved records: kept while the record is public.
- Submitter PII for rejected records: deleted with the submission after 90 days.
- Server access logs: 30 days.
- Flag records: anonymised after 1 year.
5. Who has access
Your personal data is accessible only to authorised Kanze Pte Ltd staff, and to our subprocessors: Supabase (database, Singapore region), Vercel (hosting), and Cloudflare Turnstile (CAPTCHA). We do not sell personal data. We do not use third-party analytics.
6. Where data is stored
Primary storage is in Singapore via Supabase. Hosting is via Vercel's global edge network with Singapore as the nearest point of presence.
7. Your rights
Under PDPA, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — request correction of inaccurate data.
- Withdraw consent — request deletion of your personal data.
- Request takedown of a deceased person's record — see our takedown policy.
To exercise these rights, email privacy@ziarah.sg. We will respond within 30 days as required by PDPA.
8. Children
The service is not directed at children under 13. We do not knowingly collect personal data from children.
9. Security
We apply reasonable security measures: row-level security on the database, HTTPS everywhere, restricted admin access, and quarterly credential rotation. No system is perfectly secure; we will notify affected users within 72 hours if a breach involving personal data occurs.
10. Changes
Material changes will be announced on the homepage at least 14 days before taking effect.
11. Contact
- Data Protection Officer: dpo@ziarah.sg
- General privacy enquiries: privacy@ziarah.sg
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC).