Data Protection Notice

This Data Protection Notice (“Notice”) explains how Vena Group Pte. Ltd. (“Vena Group”, “we”, “us”, or “our”) collects, uses, discloses, and otherwise processes your personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”), the European Union’s General Data Protection Regulation (“GDPR”), where applicable, and other applicable data protection laws. It also sets out individuals’ rights in relation to the processing of their personal data.

This Notice applies to all personal data in our possession or under our control, including personal data held by third parties processing data on our behalf.

There may be additional terms, conditions and commitments that also govern how we collect, use and disclose your personal data, which should be read in conjunction with this Notice.

1. Personal Data We Collect

“Personal data” means any information relating to an identified or identifiable individual.

Depending on your relationship with us and the nature of your interactions, we may collect the following categories of personal data:

Personal identifiers and details (e.g., name, age, date of birth, gender, citizenship, occupation and marital status);
Contact details, such as current and previous address, telephone, email, in some cases both private and work related contact details;
Other personal identifiers such as names, postal addresses, e-mail addresses, and telephone numbers of others to whom you might refer when you report a complaint or provide feedback through our online forms;
Online identifiers and technical data (e.g., IP address, cookie identifiers, location data, device information, usage data);
Information you provide to us (e.g., through forms, correspondence, or participation in our events, webinars, or surveys);
Information third parties (e.g., our service providers, business partners, your employee, other persons or entities that provide personal data relating to you in connection with our businesses or publicly available sources) provide to us; and
Any other information relating to you that you provide to us or that we may collect as permitted or required by law, including financial and account information, as well as access to and attendance on our premises (such as security records about times of entry and exit, and information collected through CCTV).

We may also, from time to time, collect information that is referred to under the privacy laws of certain jurisdictions as “sensitive” personal data. Such data may include, depending on jurisdiction, information about your racial or ethnic origin, political opinion, sentiments and expression of religious or philosophical beliefs, membership of a professional or trade association, sexual orientation or practices, criminal records, biometric information, health information or medical history. As with any personal data, we will only collect and process such sensitive personal data where we have a legal basis for such collection and processing, including where permitted under applicable law or where we have your consent (where we are legally required to do so).

2. How We Collect Your Personal Data

Depending on the context, we collect your personal data from various sources, online or offline, including:

Directly from you – for example when you contact us, apply for a job with us, register for events, or use our website to provide feedback or file a complaint;
Where you are a representative of an organization or entity that is a vendor or supplier of Vena Group, and that organization or entity provides us with your personal data;
Automatically through your use of our website and digital services (e.g., via cookies and similar technologies);
From public sources such as corporate websites or social media (e.g. LinkedIn), regulatory filings and news, including where you have been interacting with us via social media or where you have been notified that your personal data is considered for recruitment or talent acquisition purposes, including via public profiles on social media;
- From other third parties (e.g., our service providers, business partners, your employees, other persons or entities that provide personal data relating to you in connection with our businesses, or publicly available sources); and
From attending in-person or virtual events organised or co-sponsored by Vena Group.

3. Purposes and Legal Bases for Processing Your Personal Data

We process personal data and, where applicable, sensitive personal data to support our business operations, manage relationships, fulfil our legal obligations, and protect our organisation and stakeholders. The below table sets out the purposes and legal bases for which we process personal data.

Business Purpose for Processing	Legal Bases for Processing	PDPA	GDPR
To conduct our business, perform contractual obligations and provide you with our services, information, and communications you request.	• Performance of a contract • Legitimate interests • Legal compliance • Your (deemed) consent, where required or applicable.	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. b Art. 6(1) lit. f Art. 6(1) lit. c Art. 6(1) lit. a
To interact with you and manage our relationship with you, including responding to your queries, requests, applications, complaints, and feedback.	• Legitimate interests (for responding to, and maintaining, our relationship) • Performance of a contract • Your (deemed) consent, where required or applicable.	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. f Art. 6(1) lit. b Art. 6(1) lit. a
To verify your identity, perform background screening and maintain security (including preventing fraud, misconduct, or other unlawful or undesirable behaviour and conduction “Know Your Customer” and other due diligence checks).	• Legitimate interests (for security, fraud prevention, business continuity) • Performance of a contract • Legal obligation (anti‑money laundering, sanctions screening, regulatory checks).	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (b) PDPA	Art. 6(1) lit. f Art. 6(1) lit. b Art. 6(1) lit. c
To send you marketing communications, event invitations, and information about our company.	• Your consent, where required by law • As otherwise permitted by law (e.g., where legitimate interest applies and you have the right to opt out).	Sec. 13 (a) PDPA	Art. 6(1) lit. a Art. 6(1) lit. f
To conduct recruiting, including identifying potential job applicants and evaluating candidates	• Performance of a contract • Legitimate interests • Legal compliance • Your (deemed) consent, where required or applicable.	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. b Art. 6(1) lit. f Art. 6(1) lit. c Art. 6(1) lit. a
To comply with applicable laws, regulations, codes of practice, and to assist in law‑enforcement or regulatory investigations.	• Legal compliance • Legitimate interests • Your (deemed) consent, where required or applicable.	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. c Art. 6(1) lit. f Art. 6(1) lit. a
To ensure a health and safe office and worksite environment for employees, vendors, visitors and other third parties.	• Performance of a contract • Legitimate interests • Legal compliance • Your consent, where required or applicable.	Sec. 13 (b), 17, First Schedule, Part 3 PDPA Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. b Art. 6(1) lit. f Art. 6(1) lit. b Art. 6(1) lit. a
To manage and improve our website, services, and business operations (for example performance monitoring and system maintenance, risk assessments).	• Legitimate interests (business improvement, service optimisation, IT security, operations).	Sec. 13 (b), 17, First Schedule, Parts 3 and 5, Second Schedule Part 2 Division 2 PDPA	Art. 6(1) lit. f
For any other purposes for which you have provided your consent.	• Your (deemed) consent, where required or applicable.	Sec. 13 (a) and 15 PDPA	Art. 6(1) lit. a

As outlined above, sometimes we may need to collect and process sensitive personal data about you. We will only process sensitive personal data where you have explicitly provided your consent; or where otherwise permitted by applicable laws and regulations.

Where we rely on your consent to process your personal data, you may withdraw your consent at any time by contacting us (see Section 10).

4. Disclosure of Your Personal Data

We may disclose your personal data to:

Our affiliates and subsidiaries;
Third-party service providers, agents, and contractors who process data on our behalf for the purposes described in this Notice;
Professional advisors (e.g., auditors, lawyers);
Governmental, regulatory, or law enforcement authorities, as required by applicable law; and
Any other party with your consent or as permitted or required by law.

We require all third parties to respect the security of your personal data and to process it in accordance with applicable data protection laws.

5. International Transfers of Personal Data

Your personal data may be transferred to, stored, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country. Where we transfer your personal data internationally, we will ensure that appropriate safeguards are in place to protect your data in accordance with applicable laws, including the PDPA and GDPR. These safeguards may include standard contractual clauses, binding corporate rules, or other lawful transfer mechanisms. Further details of the measures that we have taken in this regard are available by contacting us (see Section 10).

6. Data Security

We use a range of physical, electronic, and organizational measures designed to ensure a level of security appropriate to the risk of personal data processing. These measures include, but are not limited to, encryption, access controls, secure storage, and regular security reviews.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure and carries the risk of access and interception. You should not send us any personal day by open/unsecure channels over the internet. We endeavour to protect personal data but cannot guarantee the security of data transmitted to us or by us.

7. Data Accuracy

We rely on you to provide accurate and up-to-date personal data. Please inform us promptly if your personal data changes or is inaccurate, so that we can update our records accordingly.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. When your personal data is no longer required, we will take reasonable steps to securely delete or anonymize it. You may request deletion of your personal data at any time, subject to legal or regulatory requirements.

9. Your Rights

In certain circumstances you may have the following rights regarding the processing of your personal data:

Access: Request access to your personal data and information about how we process it.

Rectification: Request correction of inaccurate or incomplete personal data.

Erasure: Request deletion of your personal data where we do not have a legal or regulatory obligation or other valid reason to continue to process it.

Restriction: Request restriction of processing of your personal data.

Objection: Object to processing of your personal data, if (i) we are processing your personal data on the grounds of legitimate interests or for the performance of a task in the public interest (including profiling); or (ii) if we are processing your personal data for direct marketing purposes.

Data Portability: Request a copy of your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller.

Withdraw Consent: Withdraw your consent at any time, where processing is based on consent.

Lodge a Complaint: Lodge a complaint with a supervisory authority if you believe your data protection rights have been violated

To exercise your rights, please contact our Data Protection Officer (see Section 10). Your rights may be subject to certain limitations as provided by law.

We may need to request specific information from you to help us confirm your identity and ensure your right to access to the personal requested, or to exercise any of your other rights. This is to ensure that personal is not disclosed to any person who does not have authority to receive it.

We may also request further information in relation to your request to help us to locate the personal data processed in relation to you, including, for example, the nature and location of your relationship with us.

We will respond to all legitimate requests in line with the timescales set out in applicable law.

To the extent permitted by applicable law or regulation we reserve the right to charge an appropriate fee in connection with you exercising your rights.

10. Contacting Our Data Protection Officer

If you have any questions, requests, concerns or complaints about this Notice or our data protection practices, or if you wish to exercise your rights, please contact our Data Protection Officer:

Contact: [email protected]
Address: 1 George Street #14-07 One George Street, Singapore 049145

11. Changes to This Notice

We may update this Notice from time to time to reflect changes in our practices or applicable law. The latest version will be posted on our website with the effective date. We encourage you to review this Notice periodically. Your continued use of our services or website after any changes constitutes your acceptance of the updated Notice.

12. Other Notices

This Notice applies in conjunction with any other notices, contractual terms, and consent statements that apply in relation to the collection, use, and disclosure of your personal data by us.

Cookie Notice

Please see our separate Cookie Notice.

13. Processing Under the Act on the Protection of Personal Information of Japan

Where the Act on the Protection of Personal Information of Japan (“APPI”) applies, we may jointly use your personal data pursuant to Article 27, Paragraph 5, Item (iii) of the APPI. The details of such joint use are as follows:

Personal Data to be Jointly Used

The personal data described in Section 1 (“Personal Data We Collect”) above.

Scope of Joint Users

All of the companies belonging to the Vena Group (including companies that will join the Group in the future).

Purposes of Use by Joint Users

The purposes described in Section 3 (“Purposes and Legal Bases for Processing Your Personal Data”) above.

Party Responsible for the Management of the Jointly Used Personal Data

Vena Energy Japan K.K. (https://venaenergy.co.jp/company)

Last updated: December 2025