Privacy Statement

Table of Contents

1. Introduction
2. Data Protection Officer
3. How We Collect and Use Your Personal Data
4. Use of the Axium Website
5. Cookies and Tracking Technologies
6. Use of Axium Services (SupplyOS)
7. When and How We Share Information with Third Parties
8. Cross-Border Transfers of Personal Data
9. Your Rights as a Data Subject
10. Security of Your Information
11. Data Storage and Retention
12. Data Breach Notification
13. Do Not Call (DNC) Registry — Singapore
14. Questions, Concerns, or Complaints

1. Introduction

Axium Industries Pte. Ltd. (“Axium”, “we”, “us”, or “our”) is a supply-chain intelligence and operations company headquartered in Singapore, with operations in Malaysia. We design, deliver, and operate SupplyOS — an enterprise platform that helps industrial, manufacturing, and logistics organisations plan, execute, and optimise their supply-chain operations.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Statement describes Axium’s policies and practices regarding the collection, use, disclosure, and protection of your personal data, and sets out your privacy rights under applicable law.

This Privacy Statement is designed to comply with:

• The Singapore Personal Data Protection Act 2012 (SG PDPA) and its amendments, administered by the Personal Data Protection Commission (PDPC); and
• The Malaysia Personal Data Protection Act 2010 (MY PDPA), administered by the Department of Personal Data Protection (JPDP).

Where the two regimes impose different standards on the same matter, Axium applies the stricter requirement across all operations. Where a requirement is jurisdiction-specific, it is clearly identified.

We recognise that information privacy is an ongoing responsibility. We will update this Privacy Statement from time to time as we undertake new personal data practices, introduce new services, or as applicable law changes. The current version is always available at axium.com/privacy.

2. Data Protection Officer

Axium is headquartered in Singapore. As required under Section 11(3) of the SG PDPA, Axium has appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Statement and applicable data protection laws in both Singapore and Malaysia.

If you have any questions or concerns about Axium’s personal data policies or practices, or if you would like to exercise your privacy rights, please direct your query to Axium’s Data Protection Officer. The DPO’s contact information is as follows:

The DPO’s business contact information is registered with the PDPC (Singapore) as required. For Malaysian data subjects, the DPO also serves as the primary point of contact for JPDP-related matters.

All privacy requests, access requests, correction requests, and complaints should be directed to the DPO in the first instance.

3. How We Collect and Use Your Personal Data

Axium collects personal data about its website visitors, clients, business contacts, platform users, and job applicants. Axium operates a business-to-business model; the personal data we collect is, in most cases, limited to information about individuals acting in a professional or business capacity on behalf of an organisation.

With limited exceptions, the personal data we collect is generally limited to:

• Full name
• Job title
• Employer name
• Work address
• Work email address
• Work telephone number
• Account credentials and platform usage data (for SupplyOS users)
• Recruitment information (for job applicants only — see below)

We use this information to provide prospects, clients, and users with our services, to manage our business relationships, and to fulfil our legal and contractual obligations.

We do not sell personal data to anyone. We share personal data with third parties only where necessary to facilitate the delivery of our services, as described in Section 7.

3.1 Purposes of Collection, Use, and Disclosure

Under both the SG PDPA and MY PDPA, organisations must inform individuals of the purposes for which their personal data is collected, used, or disclosed. Axium collects and uses personal data for the following purposes:

We will not use your personal data for purposes materially different from those stated above without notifying you in advance and, where required, obtaining your consent.

3.2 Collection from Third Parties

From time to time, Axium receives personal data about individuals from third parties. This typically includes further details about your employer, role, or industry. We may also collect your personal data from publicly available sources such as LinkedIn or company websites, relying on the publicly available data exception under the SG PDPA and equivalent provisions under the MY PDPA, for legitimate business development purposes.

Where personal data is collected from third parties, we take reasonable steps to ensure it was collected lawfully and that its use by Axium is consistent with the purposes for which it was originally collected.

3.3 National Identification Numbers

Axium does not collect NRIC numbers, FIN numbers, MyKad numbers, or other national identification numbers for general business purposes. We collect such information only where strictly required by law (e.g. statutory employment, payroll, or tax obligations), in accordance with the PDPC’s Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers (Singapore) and equivalent JPDP guidance (Malaysia).

3.4 Sensitive Personal Data

Axium does not routinely collect sensitive personal data, including health, biometric, racial or ethnic origin, religious belief, or political opinion data. We will only collect such data where strictly necessary and supported by explicit consent or a clear legal obligation.

4. Use of the Axium Website

As is true of most websites, Axium’s website (axium.com) collects certain information automatically and stores it in log files. The information may include:

• Internet protocol (IP) addresses
• The region or general location from which your device is accessing the internet
• Browser type and version
• Operating system
• Pages viewed, referring URL, and session duration
• Other usage information about your interaction with the Axium website

We use this information to help us design and improve our website to better suit our users’ needs. We may also use your IP address to help diagnose problems with our servers, administer our website, analyse trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

Axium has a legitimate interest (under the SG PDPA) in understanding how clients, prospects, and visitors use its website. This assists Axium with providing more relevant products and services, communicating value to our stakeholders, and providing appropriate staffing to meet client and user needs. Under the MY PDPA, this processing is supported by consent obtained through your continued use of the website, as disclosed in our Cookie Notice (see Section 5).

Axium does not use website usage data to make automated decisions that produce legal or similarly significant effects on individuals.

5. Cookies and Tracking Technologies

Axium makes available a comprehensive Cookie Notice that describes the cookies and tracking technologies used on the Axium website and provides information on how users can accept or reject them.

To view the Cookie Notice, please visit: <COOKIE_NOTICE_URL — TO BE CONFIRMED>

In summary, Axium uses cookies and similar technologies for the following purposes:

• Strictly necessary cookies — to enable core website and platform functionality (no consent required)
• Performance and analytics cookies — to measure website traffic and user behaviour
• Functional cookies — to remember your preferences and settings
• Marketing and targeting cookies — to deliver relevant advertising and measure campaign effectiveness

Where required by applicable law, Axium obtains your consent before placing non-essential cookies on your device. You may withdraw your consent or change your cookie preferences at any time through the cookie preference centre available on our website.

Please note that disabling certain cookies may affect the functionality of the Axium website or SupplyOS platform.

6. Use of Axium Services (SupplyOS)

The personal data that Axium collects from clients and users is stored in databases hosted by carefully selected cloud infrastructure providers. These providers do not use or have access to personal data for any purpose other than cloud storage, retrieval, and the provision of infrastructure services to Axium.

When authorised users access SupplyOS or related Axium services, we process personal data necessary to:

• Authenticate the user and enforce access controls
• Deliver the contracted functionality (e.g. data integration, analytics, workflow automation, reporting)
• Maintain audit logs for security, compliance, and traceability purposes
• Provide technical support, training, and incident response
• Monitor platform performance, capacity, and reliability
• Fulfil our contractual obligations to the client organisation

6.1 Client Data — Axium as Data Intermediary / Data Processor

Axium’s clients upload operational and transactional data to SupplyOS while using the platform. This data may include supply-chain transactions, inventory records, supplier information, employee records, and other business data that may contain personal data.

In respect of such data, Axium acts:

• As a data intermediary under the SG PDPA (Sections 4(2) and 4(3)) — processing personal data on behalf of and for the purposes of the client organisation; and
• As a data processor under equivalent frameworks applicable to our clients (including the GDPR where our clients are subject to it).

Axium does not use client data for any purpose other than delivering the contracted services, except where required by law or explicitly authorised in writing by the client. The detailed terms governing this processing are set out in the Data Processing Addendum (DPA) attached to each client’s Master Services Agreement.

If you are an authorised SupplyOS user and wish to exercise your privacy rights in relation to data processed on behalf of your employer, please direct your request to your employer (the data controller / organisation responsible) in the first instance. Axium will support our client in fulfilling your request.

7. When and How We Share Information with Third Parties

The personal data Axium collects is stored in databases hosted by third-party cloud infrastructure providers located in Singapore, Malaysia, and other jurisdictions (see Section 8). These providers do not use or have access to your personal data for any purpose other than cloud storage and retrieval.

From time to time, Axium engages third parties to send information to you, including information about our products, services, and events.

A current list of our third-party sub-processors can be found at: <SUBPROCESSORS_URL — TO BE CONFIRMED>

Axium does not sell personal data. We do not share personal data with third parties for their own independent use, except in the following circumstances:

a) Service providers and sub-processors. We share personal data with vendors and service providers who perform functions on our behalf, including cloud hosting, IT support, customer communications, analytics, payment processing, and event management. All such parties are bound by written contractual obligations to:

• Process personal data only on Axium’s documented instructions;
• Maintain security standards equivalent to those described in Section 10;
• Comply with applicable data protection law (SG PDPA, MY PDPA, and GDPR where applicable); and
• Delete or return personal data upon termination of the engagement.

b) Legal or regulatory requirements. We may disclose personal data where required to comply with applicable law, including in response to a valid court order, subpoena, regulatory demand, or law enforcement request under the SG PDPA, MY PDPA, the Criminal Procedure Code (Singapore), the Criminal Procedure Code (Malaysia), or other applicable legislation.

c) Protection of rights, property, or safety. We may disclose personal data where necessary to protect the rights, property, or safety of Axium, our employees, our clients, or others — including to address fraud, misuse of our services, or security incidents.

d) Business asset transactions. In the event of a merger, acquisition, restructuring, or sale of all or part of Axium’s business, personal data may be disclosed to the relevant parties as part of the transaction, subject to confidentiality obligations and equivalent data protection standards. This disclosure is made in accordance with the business asset transaction exception under the SG PDPA (First Schedule, Part 4) and equivalent provisions under the MY PDPA.

e) With your consent. We may share personal data with third parties for any other purpose with your prior consent.

f) Aggregated or de-identified data. We may share aggregated or de-identified data that cannot reasonably be used to identify an individual for benchmarking, research, marketing, or industry insight purposes, consistent with PDPC and JPDP guidance on anonymisation.

Where Axium’s website or SupplyOS integrates with third-party services (e.g. identity providers, analytics tools, or productivity platforms), your interactions with those services are governed by their own privacy policies. Axium is not responsible for the privacy practices of third-party services.

8. Cross-Border Transfers of Personal Data

Axium is headquartered in Singapore and operates in Malaysia. Depending on the service, your personal data may be transferred to and processed in countries outside Singapore or Malaysia, including but not limited to the United States, the European Economic Area, Australia, Japan, and other jurisdictions where our infrastructure providers or sub-processors operate.

Before transferring personal data outside its country of origin, Axium ensures that the recipient is bound by legally enforceable obligations to provide a standard of protection for personal data that is at least comparable to the protection under applicable law in the originating jurisdiction.

Axium achieves this through one or more of the following mechanisms:

By using Axium’s website or services, you acknowledge that your personal data may be processed in jurisdictions outside Singapore or Malaysia, under the safeguards described above.

If you would like further information about the specific safeguards applied to a particular transfer, please contact our DPO (see Section 2).

9. Your Rights as a Data Subject

Depending on the jurisdiction in which you reside and the legal basis on which your personal data is processed, you have the following rights:

9.1 Rights under the Singapore PDPA

• Right of Access (Section 21). You may request confirmation of whether Axium holds personal data about you, and a copy of that data together with information about how it has been used or disclosed in the past 12 months.
• Right of Correction (Section 22). You may request that personal data about you that is inaccurate, incomplete, or misleading be corrected as soon as practicable.
• Right to Withdraw Consent (Section 16). You may withdraw consent previously given for the collection, use, or disclosure of your personal data at any time, subject to reasonable notice. Axium will inform you of the likely consequences of withdrawal before acting on your request.
• Right to Data Portability. Once the relevant SG PDPA provisions come into full effect per the PDPC’s schedule, you may request that Axium transmit your personal data to another organisation in a commonly used machine-readable format, where technically feasible.

9.2 Rights under the Malaysia PDPA

• Right of Access (Section 30). You may request access to your personal data held by Axium.
• Right of Correction (Section 34). You may request correction of personal data that is inaccurate, incomplete, misleading, or not up to date.
• Right to Withdraw Consent (Section 38). You may withdraw consent to the processing of your personal data at any time.

Note: Data portability is not yet legislated under the MY PDPA. Axium will extend portability rights to Malaysian data subjects on a voluntary basis where technically feasible.

9.3 How to Exercise Your Rights

To exercise any of the above rights, please contact our DPO at contact@axium-industries.com (see Section 2). Please include:

• Your full name and contact details;
• A description of the right you wish to exercise; and
• Sufficient information to verify your identity.

Axium will respond to all valid requests within 30 days of receipt. If more time is required, we will notify you within 30 days and provide an estimated completion date and the reason for the delay.

A reasonable administrative fee may be charged for access requests, in line with PDPC and JPDP guidance.

9.4 Limitations

Certain rights are subject to limitations under applicable law. For example, Axium may decline an access or correction request where:

• Complying would reveal personal data about another individual;
• The request is frivolous or vexatious;
• Complying would be contrary to national interest or law enforcement purposes; or
• The data is subject to legal professional privilege.

Where a request is declined, Axium will inform you of the reason, to the extent permitted by law.

10. Security of Your Information

Axium takes the security of personal data seriously. We maintain a comprehensive information security programme designed to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, in compliance with:

• SG PDPA Section 24 — Protection Obligation; and
• MY PDPA Section 9 — Security Principle.

Our security measures include, but are not limited to:

Technical controls

• Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256)
• Role-based access control (RBAC) with least-privilege provisioning
• Multi-factor authentication (MFA) for all system and administrative access
• Network segmentation, firewalling, and intrusion detection and prevention systems
• Continuous security logging, monitoring, and alerting
• Regular vulnerability scanning and penetration testing
• Secure software development lifecycle (SSDLC), including code review and dependency management

Organisational controls

• Annual security and privacy awareness training for all personnel
• Background screening for personnel with access to personal data
• Vendor due diligence and security assessments for all sub-processors handling personal data
• Documented incident response and data breach notification procedures
• Regular internal privacy audits and risk assessments
• Disciplinary procedures for personnel who breach privacy or security obligations

Axium aligns its security practices with the PDPC’s Guide to Securing Personal Data in Electronic Medium, ISO/IEC 27001, and the AICPA SOC 2 Trust Services Criteria.

While Axium takes all reasonable steps to protect your personal data, no system or transmission over the internet can be guaranteed to be completely secure. In the event of a personal data breach, Axium will follow the procedure described in Section 12.

11. Data Storage and Retention

Axium retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or authorised by applicable law — in compliance with:

• SG PDPA Section 25 — Retention Limitation Obligation; and
• MY PDPA Section 10 — Retention Principle.

The following table sets out Axium’s indicative retention periods. These periods may be extended where required by law or shortened where personal data is no longer needed.

When personal data is no longer required and no legal obligation requires its retention, Axium will securely delete, anonymise, or physically destroy it in accordance with:

• The PDPC’s Guide to Disposal of Personal Data on Physical Medium (Singapore); and
• Equivalent JPDP guidance (Malaysia).

Disposal is documented and records of disposal are maintained for accountability purposes.

12. Data Breach Notification

12.1 Singapore — Mandatory Notification

In accordance with the SG PDPA’s Data Breach Notification Obligation (Sections 26A–26E, in force since 1 February 2021), if Axium experiences a data breach that is likely to result in significant harm to affected individuals, or that affects 500 or more individuals, Axium will:

• Assess the breach as soon as practicable, generally within 30 days of becoming aware of it;
• Notify the PDPC within 3 calendar days of assessing that the notification threshold is met;
• Notify affected individuals as soon as reasonably practicable, unless an exception applies (e.g. remedial action has been taken, technological protections render the data unintelligible, or law enforcement has instructed otherwise); and
• Document the breach, our assessment, our response, and all notifications for accountability and audit purposes.

12.2 Malaysia — Voluntary Best Practice

The MY PDPA does not currently impose a mandatory data breach notification obligation. However, Axium applies the Singapore standard as a baseline for all operations, including Malaysian operations. We will notify affected Malaysian individuals and relevant authorities on a voluntary basis where a breach poses a material risk of harm.

This approach ensures that all individuals — regardless of jurisdiction — receive equivalent protection in the event of a breach.

13. Do Not Call (DNC) Registry — Singapore

For Singapore telephone numbers, Axium complies with the Do Not Call (DNC) Provisions of the SG PDPA (Part IX). Before sending specified marketing messages (voice calls, SMS, or fax) to Singapore telephone numbers, Axium checks the relevant DNC Registers maintained by the PDPC, unless:

• You have given Axium clear and unambiguous written consent to receive such messages; or
• Axium has an ongoing relationship with you and the message relates to the subject matter of that relationship, and you have not opted out.

You may opt out of receiving marketing messages from Axium at any time by:

• Using the unsubscribe link in any marketing email;
• Replying STOP to any marketing SMS; or
• Contacting our DPO at contact@axium-industries.com.

Opt-out requests will be actioned within 30 days, as required by the SG PDPA.

Malaysia: While the MY PDPA does not include an equivalent DNC Registry, Axium applies the same opt-out standards to Malaysian contacts as a matter of policy.

14. Questions, Concerns, or Complaints

If you have any questions or concerns about this Privacy Statement or about how Axium processes your personal data, please contact our Data Protection Officer in the first instance (see Section 2).

If you are not satisfied with Axium’s response, you have the right to lodge a complaint with the relevant data protection authority:

Singapore: Personal Data Protection Commission (PDPC). Website: www.pdpc.gov.sg. The PDPC requires complainants to first attempt to resolve the matter directly with the organisation before escalating.

Malaysia: Department of Personal Data Protection (JPDP). Website: www.pdp.gov.my. Complaints may be submitted via the JPDP portal or in writing to the Director General of Personal Data Protection.

EEA / UK (where applicable): If your concern relates to personal data processed under the GDPR or UK GDPR, you may also lodge a complaint with your local supervisory authority (e.g. the UK Information Commissioner’s Office at ico.org.uk).