Legal · PDPA-compliant
Privacy Policy
This Privacy Policy explains how TK Real Estate ("we", "us", or "our") collects, uses, discloses, and protects personal data through the PropertyAtlas platform at propertyatlas.sg and any related subdomains, dashboards, and tools (collectively, the "Platform").
This Policy is issued in accordance with Singapore's Personal Data Protection Act 2012 ("PDPA") and forms part of the terms governing your use of the Platform. By accessing or using the Platform, you acknowledge that you have read this Policy. Where the PDPA requires your consent for specific processing activities, we will obtain that consent at the point of collection.
1. Who we are
PropertyAtlas is a Singapore commercial and industrial real estate market intelligence platform operated by TK Real Estate, a Singapore-based business. We publish editorial coverage of Singapore-listed REITs and developers, asset directories, transaction data, and analytical content for property professionals, investors, brokers, and researchers.
The party responsible for personal data collected through the Platform is TK Real Estate, contactable at info@tkre.sg.
2. Data Protection Officer
In accordance with Section 11 of the PDPA, we have designated a Data Protection Officer ("DPO") to oversee our compliance with the PDPA.
You may contact our DPO at any time with questions, requests, or complaints concerning your personal data:
- Email: info@tkre.sg
- Subject line: Please mark as "DPO — [Access / Correction / Withdrawal / Complaint]" to help us route your request
We aim to acknowledge DPO enquiries within three Singapore business days and respond substantively within thirty days, in line with PDPC guidance.
3. What personal data we collect
We collect different categories of personal data depending on how you use the Platform.
3.1 Visitors (anonymous browsing — Tier 0)
When you browse the Platform without signing in, we do not collect personal data that identifies you individually. Our hosting and content-delivery infrastructure (GitHub Pages) automatically processes routine operational telemetry such as IP address, browser type, device type, referring URL, and pages visited, for the limited purposes of serving content, protecting against abuse, and basic aggregate analytics. We do not combine this telemetry with any identifying information unless you subsequently sign in or submit a form.
3.2 Registered users — Tier 1 (Sign in with Google)
When you sign in via Google OAuth, Google transmits to us the following data fields from your Google account:
- Email address
- Display name (first name and last name as recorded on your Google account)
- Profile picture URL (if you have set one on your Google account)
- A unique Google identifier ("sub" claim)
We store this data in our authentication database to identify you across sessions, personalise your signed-in experience, and grant access to features available to registered users (such as the Directory module).
3.3 Tier 1 users who self-identify as CEA salespersons (optional)
If you identify yourself as a Council for Estate Agencies ("CEA") registered salesperson during our optional onboarding flow, we additionally collect:
- Your CEA registration number (e.g. R012345A)
- Confirmation of your name as recorded on the CEA public register
- Your registered estate agent (agency) name
- Your CEA registration commencement date
- A preferred contact email address (which may differ from your Google account email)
- A preferred contact mobile number
We use this data to verify your salesperson status against the publicly available CEA Salesperson Information dataset (sourced from data.gov.sg), and to share agent-specific tools and resources as we build them. Providing this information is voluntary; you may decline the onboarding step or skip it for later.
We do not collect NRIC numbers or copies of NRIC cards. The CEA registration number is a professional licensing identifier and is treated as such, not as a national identifier.
3.4 Tier 2 subscribers (corporate accounts — future)
When we introduce paid subscription access, we will collect additional billing and corporate-identification information. A separate notification will be provided at the point of collection, and this Policy will be updated accordingly.
3.5 Enquiry and lead capture forms
When you submit an enquiry through the Platform (for example, the Stock-tab listing enquiry form), we collect:
- Your name
- Your email address
- Your phone number (if provided)
- The content of your message and the listing context (e.g. the property reference you enquired about)
This data is used solely to respond to your enquiry and is forwarded to the relevant operator inbox at TK Real Estate.
3.6 Newsletter subscribers (future)
When the PropertyAtlas newsletter launches, we will collect your email address (and optionally your name) for the purpose of delivering editorial updates. A separate consent notification will be provided at the point of subscription, and you will be able to unsubscribe at any time.
4. Purposes for which we use your personal data
Under Section 20 of the PDPA, we are required to notify you of the purposes for which we collect, use, and disclose your personal data. We use personal data for the following purposes:
- Account creation and authentication — verifying your identity, maintaining your signed-in session, and securing your account against unauthorised access.
- Service delivery — providing access to features available to your tier (Directory, Stock, Asset Directory, and other modules as they are launched).
- Communication — responding to enquiries you submit through the Platform, sending you transactional notifications (such as authentication confirmation emails or content you have explicitly requested), and where you have separately consented, sending editorial updates and product announcements.
- Salesperson verification — checking your CEA registration number against the publicly available CEA Salesperson register, with your consent, where you self-identify as a salesperson.
- Operational telemetry — running aggregated, non-identifying analytics to understand how the Platform is used and to improve content and features.
- Security and abuse prevention — detecting and preventing fraud, abuse, automated scraping, and unauthorised access.
- Legal compliance — complying with applicable Singapore law, lawful regulatory requests, and our own internal records-keeping obligations.
We do not use your personal data for purposes outside the above without first obtaining your consent.
5. Consent and withdrawal
Where consent is required under the PDPA, we obtain it either:
- Expressly, where you actively click a button, tick a box, or otherwise affirmatively confirm your agreement (for example, when you sign in via Google for the first time, when you submit an enquiry form, or when you subscribe to the newsletter); or
- By notification, where you have been given reasonable opportunity to opt out before processing begins, in accordance with the Personal Data Protection (Notification of Purpose) Regulations.
You may withdraw your consent at any time by writing to info@tkre.sg with the subject line "DPO — Withdrawal". Upon receipt of a valid withdrawal request, we will cease the relevant processing within a reasonable period (and in any event no later than thirty days), and inform you of the likely consequences of withdrawal. Note that withdrawing consent may mean we can no longer provide certain features (for example, signing out and revoking authentication consent will end your access to tier-gated content).
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal took effect.
6. Disclosure to third parties
We do not sell your personal data. We disclose personal data to third parties only in the following limited circumstances:
6.1 Service providers acting as our data intermediaries
We rely on the following service providers to operate the Platform. Each is engaged under terms that require them to process personal data only on our instructions and to maintain protection comparable to the PDPA:
| Provider | Function | Data residency |
|---|---|---|
| Supabase, Inc. | Authentication, database storage of user profiles and platform data | AWS Asia Pacific (Singapore) region |
| Google LLC | Sign in with Google identity provider | United States (Singapore-residents' data processed under Google's PDPA-aligned commitments) |
| Resend | Transactional email delivery | United States |
| GitHub, Inc. (GitHub Pages) | Static site hosting | Global CDN; primary infrastructure United States |
6.2 Regulatory, legal, or law-enforcement requests
We may disclose personal data where required by Singapore law, court order, or a lawful request from a Singapore regulator or law-enforcement authority. We disclose only the minimum data necessary to comply.
6.3 Business transfers
If TK Real Estate is acquired by, merged with, or restructures into another entity, personal data may be transferred as part of that transaction. We will provide notice on the Platform before any such transfer takes effect and will require the receiving entity to maintain protection at least equivalent to this Policy.
We do not disclose your personal data to any other third party for marketing, advertising, or unrelated business purposes.
7. Overseas transfer of personal data
Some of our service providers process personal data outside Singapore (see Section 6.1). Under Section 26 of the PDPA, we ensure that overseas transfers are made only where the receiving jurisdiction or recipient provides a standard of protection comparable to the PDPA, through contractual safeguards or recognised certification frameworks (such as the APEC Cross-Border Privacy Rules).
We have selected our providers with this requirement in mind. Where you wish to know more about the safeguards in place for a specific provider, please contact us at info@tkre.sg.
8. Data retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law:
- Tier 1 user accounts (Google OAuth profiles): retained for as long as your account remains active. If you have not signed in for twenty-four consecutive months, we may notify you and, absent a response, delete your account.
- CEA salesperson verification data: retained for as long as your account is active and you remain identified as a salesperson. If you later notify us that you have ceased CEA registration or wish to remove this data, we will delete it within thirty days of your request, subject to the access and correction obligations in Section 9.
- Enquiry form submissions: retained for up to twenty-four months from the date of enquiry, for record-keeping and follow-up purposes.
- Operational telemetry: retained in aggregate, non-identifying form indefinitely; identifiable raw logs retained for no more than ninety days.
Upon account deletion or a valid withdrawal request, we will remove personal data from our active systems within thirty days. Backup copies are overwritten on a rolling basis no later than ninety days following the deletion date.
9. Your rights — access and correction
Under Sections 21 and 22 of the PDPA, you have the right to:
- Request access to personal data we hold about you, and information about how we have used or disclosed it within the twelve months preceding your request.
- Request correction of any error or omission in your personal data. Upon receipt of a valid correction request, we will correct your data as soon as practicable (typically within thirty days) and inform any third parties to whom we previously disclosed the data, unless you instruct otherwise.
To make an access or correction request, write to info@tkre.sg with the subject line "DPO — Access" or "DPO — Correction" and provide sufficient information for us to identify you and the data in question. We may charge a reasonable fee for access requests where permitted under the PDPA; correction requests are free of charge.
We may decline access or correction requests in the limited circumstances permitted under the PDPA (for example, where disclosure could reveal personal data about another individual, or where the request is frivolous or vexatious). In such cases we will notify you in writing with reasons.
10. Security
We take reasonable security arrangements to protect personal data in our possession or under our control against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include:
- Encryption in transit (HTTPS / TLS 1.2 or above) for all data transmitted between your browser and our infrastructure
- Encryption at rest for all data stored in our Supabase database
- Access controls that limit which personnel can view personal data, with row-level security policies enforced at the database level
- Authentication best practices including OAuth-based sign-in, secure session management, and protection against common web vulnerabilities
- Regular review of our security posture and our service providers' security commitments
No system is perfectly secure, and we cannot guarantee absolute security. If you become aware of any actual or suspected security incident affecting your personal data, please contact us immediately at info@tkre.sg.
11. Data breach notification
In the event of a data breach that meets the notification thresholds under Sections 26C and 26D of the PDPA — namely, a breach that is likely to result in significant harm to affected individuals, or that affects 500 or more individuals — we will:
- Assess the breach within thirty days of becoming aware of it
- Notify the Personal Data Protection Commission as soon as practicable (within three calendar days of determining a notifiable breach)
- Notify affected individuals as soon as practicable, providing information about the nature of the breach, the data affected, the steps we are taking, and recommended protective actions
12. Cookies and similar technologies
The Platform uses cookies and local browser storage for essential operational purposes including session authentication (so that you remain signed in across pages) and feature preferences (for example, your tier-aware view state). We do not use third-party advertising or cross-site tracking cookies.
You may disable cookies in your browser settings, but doing so will prevent you from signing in or using tier-gated features.
13. Children's data
The Platform is intended for property professionals, investors, and researchers and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the Platform, please contact us at info@tkre.sg and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, our service providers, or the law. The "Last Updated" date at the top of this Policy indicates when it was most recently changed. For material changes that affect how we use your personal data, we will provide reasonable notice through the Platform or by email to registered users before the changes take effect.
We encourage you to review this Policy periodically.
15. Complaints
If you believe we have not handled your personal data in accordance with the PDPA or this Policy, you may write to our DPO at info@tkre.sg with the subject line "DPO — Complaint". We aim to acknowledge complaints within three business days and to resolve them within thirty days.
If you are not satisfied with our response, you have the right to refer your complaint to the Personal Data Protection Commission of Singapore at www.pdpc.gov.sg.
16. Governing law
This Policy is governed by the laws of the Republic of Singapore. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the Singapore courts.
info@tkre.sg This Privacy Policy is intended to be a clear, plain-language statement of our practices. It is not a substitute for legal advice. If you have specific concerns about how the PDPA applies to your circumstances, please consult a qualified Singapore-licensed legal practitioner.