1.1 ShipEbag Pte. Ltd. ("ShipEbag", "we", "us", "our") is a Singapore-registered maritime e-commerce marketplace (UEN: 202617075G) operating at shipebag.com. We are committed to protecting personal data in accordance with Singapore's Personal Data Protection Act 2012 ("PDPA").
1.2 This Privacy Policy applies to all personal data collected, used, disclosed, and stored by ShipEbag including data relating to:
(a) seafarer customers who browse, register, and place orders;
(b) vendor partners who register and sell products;
(c) visitors to shipebag.com and related mobile applications; and
(d) employees, contractors, and service providers of ShipEbag.
1.3 This Policy should be read together with our Vendor Partnership Agreement and Platform Terms of Service.
1.4 ShipEbag is accountable for all personal data under its possession or control, including data transferred to third-party data intermediaries.
2.1 Under the PDPA, ShipEbag acts as: (a) Data Controller — for personal data collected directly from seafarers, visitors, and the public; and (b) Data Intermediary — when processing personal data on behalf of vendor partners for order fulfilment.
2.2 Vendor partners who access customer data through the Platform are acting as data intermediaries of ShipEbag and are contractually bound to comply with PDPA obligations.
2.3 ShipEbag ensures all third-party data intermediaries provide sufficient guarantees to implement appropriate data protection measures.
3.1 Seafarer Customers
| Category | Data Elements |
|---|---|
| Identity | Full name, nationality, seafarer identity document / passport number |
| Contact | Email address, mobile number |
| Vessel & Delivery | Vessel name, IMO number, anchorage position, delivery instructions |
| Account | Username, encrypted password, preferences |
| Transaction | Order history, payment records |
| Technical | IP address, device type, browser, cookies |
3.2 Vendor Partners
| Category | Data Elements |
|---|---|
| Business Identity | Business name, UEN, ACRA BizFile, business address |
| Individual Identity | Director name, NRIC or passport number |
| Financial | Bank account details, PayNow UEN, GST registration |
| Compliance | Sanctions screening results, due diligence records |
3.3 Mandatory vs Optional Data
| Data Type | Status |
|---|---|
| Name & Contact Details | Mandatory — required to create account and process orders |
| Vessel & Delivery Details | Mandatory — required for last-mile delivery |
| Payment Information | Mandatory — required to process transactions |
| Marketing Preferences | Optional — you may opt out at any time |
Failure to provide mandatory data may result in our inability to create your account or process your order.
4.1 ShipEbag collects personal data: (a) directly from you when you register or place orders; (b) automatically through cookies and tracking technologies; (c) from third parties including payment processors, logistics partners, and ship agents; and (d) from public sources including ACRA BizFile for vendor due diligence.
4.2 ShipEbag adheres to the principle of data minimisation — we collect only data necessary for our specified purposes.
| Purpose | Legal Basis |
|---|---|
| Account registration & management | Contractual necessity |
| Processing and fulfilling orders | Contractual necessity |
| Last-mile delivery to vessels | Contractual necessity |
| Vendor onboarding & due diligence | Legal obligation (AML / PDPA) |
| Sanctions & compliance screening | Legal obligation (CDSA / MAS) |
| Platform security & fraud prevention | Legitimate interest |
| Marketing communications | Consent (opt-in only) |
| Tax and audit record keeping | Legal obligation (IRAS / 5-year retention) |
6.1 We treat all vessel and delivery-related information as strictly confidential and use it solely for fulfilling orders and arranging last-mile delivery to vessels at anchorage.
6.2 Vessel location data is retained only as long as necessary to complete the relevant order and is not used for tracking or profiling.
6.3 Access to vessel and crew delivery data is restricted on a strict need-to-know basis to ShipEbag staff and authorised logistics partners.
7.1 Disclosure to Vendors
7.1.1 Customer data is shared with vendors only to the extent strictly necessary to fulfil the specific order. Vendors are contractually prohibited from using customer data for any other purpose.
7.1.2 Vendors do not have access to customer payment card details.
7.2 Service Providers
| Provider | Purpose |
|---|---|
| Stripe | Payment processing |
| AWS (ap-southeast-1) | Cloud hosting in Singapore |
| Resend | Transactional emails |
| Ship agents & launch operators | Last-mile delivery to vessels |
7.3 Third-Party Links
7.3.1 ShipEbag is not responsible for the privacy practices of third-party websites linked from our platform. We encourage you to review their privacy policies.
⚠️ Important: ShipEbag does not store your payment card number, CVV, or expiry date. All card transactions are processed exclusively by Stripe.
8.1 Payment processing is handled exclusively by Stripe. ShipEbag retains only transaction records (amounts, dates, reference numbers) for 5 years as required by Singapore tax law.
| Data Category | Retention Period & Justification |
|---|---|
| Customer account data | Duration of account + 2 years (dispute resolution) |
| Order & transaction records | 5 years (IRAS tax compliance) |
| Vendor due diligence records | 5 years post-termination (AML / CDSA) |
| Sanctions screening records | 5 years (MAS AML requirements) |
| Technical / access logs | 12 months (security monitoring) |
| Employee personal data | 7 years post-employment (MOM) |
10.1 ShipEbag may use automated systems to detect fraud and suspicious activity. Flagged orders may be suspended pending manual review. Contact support.shipebag@gmail.com to request a review.
10.2 We may use anonymised aggregated data for analytics. ShipEbag does not make legally significant automated decisions without human oversight.
| Cookie Type | Purpose |
|---|---|
| Essential Cookies | Platform login, session management, security |
| Functional Cookies | User preferences and settings |
| Analytics Cookies | Platform usage analysis (anonymised) |
| Marketing Cookies | Relevant content delivery (consent only) |
11.1 You may control cookies through your browser settings. We do not sell cookie data to third parties.
12.1 Our primary infrastructure is hosted on AWS Singapore (ap-southeast-1). Where transfers outside Singapore are necessary, we ensure comparable protection standards and adequate contractual safeguards are in place.
- Data encryption in transit (HTTPS/TLS) and at rest
- JWT-based authentication with 24-hour session expiry
- Role-based access control (RBAC) for all internal systems
- AWS security groups, IAM policies, and VPC configurations
- Rate limiting and brute-force protection on all endpoints
- Regular security reviews and vulnerability assessments
14.1 For notifiable breaches (significant harm or 500+ individuals affected), ShipEbag will notify the PDPC within 3 calendar days and affected individuals as soon as practicable.
15.1 We only send marketing communications to individuals who have explicitly opted in. We comply with Singapore's Do Not Call (DNC) Registry provisions and will not send unsolicited messages to DNC-registered numbers.
15.2 Withdraw marketing consent anytime by: clicking Unsubscribe in emails, replying STOP to SMS/WhatsApp, or emailing support.shipebag@gmail.com.
16.1 The ShipEbag Platform is intended for individuals 18 years of age or older. We do not knowingly collect data from minors. If we discover such data has been collected, we will delete it promptly.
17.1 You are responsible for ensuring personal data provided is accurate and up to date. Notify us of any changes at support.shipebag@gmail.com.
18.1 You have the right to request access to or correction of personal data we hold about you. Submit requests to support.shipebag@gmail.com with subject "Personal Data Access Request". We will respond within 30 calendar days.
19.1 You may withdraw consent to data processing at any time by contacting support.shipebag@gmail.com. Note that withdrawal of consent to mandatory data processing may affect our ability to provide services.
21.1 Material changes will be communicated via email and Platform notice at least 14 days before taking effect. The current version is always available at shipebag.com/privacy.
22.1 This Policy is governed by the laws of Singapore. Complaints may be lodged with the PDPC at pdpc.gov.sg or 1800-835-6060 if not resolved within 30 days.