Wenya Labs Pte Ltd


Privacy Notice

Beta Programme — All Jurisdictions


Last updated: April 2026

Version: 2.0 — Final Draft for Review

Company: Wenya Labs Pte Ltd | Reg. No. 202525666N

Registered address: 50 Chin Swee Road, #08-02, Singapore 169874

Privacy / DPO contact: info@wenyawanna.ai

Website: https://wenyawanna.ai


This Privacy Notice for Wenya Labs Pte Ltd ("we", "us", or "our") describes how and why we collect, store, use, and share ("process") your personal information when you use our services ("Services"), including when you:

  • Visit our website at https://wenyawanna.ai or any website of ours that links to this Privacy Notice;

  • Download and use our mobile application (Wenya), our AI-powered scheduling keyboard and agent; or

  • Engage with us in other related ways, including any marketing or events.


Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please contact us at info@wenyawanna.ai.


Summary of key points

In short: This summary provides key points from our Privacy Notice. You can find full details by reading each section below.


What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the products and features you use.


Do we process any sensitive personal information? We do not process sensitive personal information (such as racial or ethnic origins, health data, or biometric data) as part of normal App use.


Do we collect any information from third parties? We may receive basic profile information from third-party sign-in providers (Google, Apple) if you choose to use them.


How do we process your information? We process your information to provide and improve our Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal basis to do so.


In what situations and with which parties do we share personal information? We may share information in specific situations and with specific categories of third-party processors. We do not sell your personal data.


How do we keep your information safe? We have organisational and technical processes in place to protect your personal information. However, no electronic transmission or storage technology can be guaranteed 100% secure.


What are your rights? Depending on your location, applicable privacy law may give you certain rights regarding your personal information. See Section 9 for your full rights by jurisdiction.


How do you exercise your rights? The easiest way to exercise your rights is by contacting us at info@wenyawanna.ai. We will consider and act on any request in accordance with applicable data protection law.


Table of contents

→  1. What personal data do we collect?

→  2. How do we process your information?

→  3. What legal bases do we rely on to process your personal information?

→  4. When and with whom do we share your personal information?

→  5. What is our stance on third-party websites?

→  6. Do we use cookies and other tracking technologies?

→  7. Do we offer artificial intelligence-based products?

→  8. How do we handle your social logins?

→  9. Is your information transferred internationally?

→  10. How long do we keep your information?

→  11. How do we keep your information safe?

→  12. Do we collect information from minors?

→  13. What are your privacy rights?

→  14. Controls for do-not-track features

→  15. Do United States residents have specific privacy rights?

→  16. Do Singapore residents have specific rights?

→  17. Do we make updates to this notice?

→  18. How can you contact us about this notice?

→  19. How can you review, update, or delete the data we collect from you?


1. What personal data do we collect?

In short: We collect personal information that you provide to us, information generated by your use of the App, and limited technical data collected automatically.


Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in our products, participate in activities on the Services, or otherwise contact us.


Personal information provided by you. Depending on how you interact with the App, the personal information we collect may include:

  • Full name

  • Email address

  • Phone number

  • Username / account name

  • Business name (business users only)

  • Promotional or referral code (if applicable)

  • Contact preferences


Sensitive information. We do not process sensitive personal information (such as racial or ethnic origins, health data, biometric data, religious beliefs, or sexual orientation) as part of normal App use.


Payment data. We may collect data necessary to process your payment with Apple, if you choose to make a purchase, such as your payment instrument reference number. All payment card data is handled and stored by our payment processor. We do not directly store full card details.


Social / third-party sign-in data. We offer you the ability to register and log in using Google Sign-In or Apple Sign-In. Where you choose to do this, we will receive certain profile information from the provider (typically your name and email address). See Section 8 for more detail..


Information generated by your use of the App

  • Scheduling preferences and meeting norms learned by the AI scheduling agent

  • Meeting types, locations, and travel mode preferences

  • Timezone settings and detected travel/future timezone data

  • Connected calendar provider(s) — we store OAuth integration tokens only, not your calendar contents

  • Connected video conferencing provider(s) — OAuth tokens only

  • Content of scheduling conversations and threads (in-app messages for scheduling purposes)

  • App usage data: features used, session frequency, error logs

  • Device type, operating system, and app version (for compatibility and debugging)


Information collected automatically

In short: Some information — such as your IP address and device characteristics — is collected automatically when you use our Services.

We automatically collect certain technical information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include:

  • Log and usage data: IP address, browser type, device information, pages or features accessed, date/time stamps, error reports

  • Device data: device model, operating system, unique device identifiers, mobile carrier

  • Location data: approximate location derived from IP address and timezone settings. We may also request permission to access your device's location for travel-aware scheduling features. You can opt out via your device settings.


Google API. Our use of information received from Google APIs (including Google Calendar and Google Maps) adheres to the Google API Services User Data Policy, including the Limited Use requirements.


Information we do NOT collect or store

  • We do not store your calendar events or calendar contents on our servers. Calendar data is accessed in real time only.

  • We do not sell your personal data to any third party.

  • We do not use your personal data for advertising profiling or behavioural advertising.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.


2. How do we process your information?

In short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so.

We process your personal information for the following purposes:

  • To facilitate account creation and authentication and manage user accounts.

  • To deliver and facilitate delivery of services to you, including the AI scheduling keyboard, calendar integrations, and scheduling threads.

  • To respond to user enquiries and offer support.

  • To send administrative information: product updates, changes to terms and policies, and other service-related messages.

  • To fulfil and manage orders and subscriptions, including payments and billing for Pro tier users.

  • To send transactional communications via email (OTPs, meeting confirmations, invitations) through Resend, and push notifications via Apple APNs.

  • To enable AI-powered personalisation: to build and refine your personal scheduling preferences within the App. This data is used only to personalise your experience.

  • To conduct analytics and improve the App during the Beta Period, via Mixpanel and internal logging.

  • To conduct AI research and development using anonymised or aggregated data to improve our AI scheduling models.

  • For security and fraud prevention: to monitor for suspicious activity, protect against unauthorised access, and maintain the integrity of our systems.

  • To comply with applicable legal obligations in Singapore, the UK, the US, and other jurisdictions where we operate.

  • To save or protect an individual's vital interest where necessary.


3. What legal bases do we rely on to process your personal information?

In short: We only process your personal information when we have a valid legal reason to do so under applicable law, iincluding your consent, to comply with laws, to provide you with services or fulfil contractual obligations, to protect your rights, or to fulfil our legitimate business interests.


If you are located in the EU or UK

The GDPR and UK GDPR require us to explain the valid legal bases we rely on:

  • Consent (Article 6(1)(a)): Where you have given permission for a specific purpose, such as optional analytics or marketing. You may withdraw consent at any time.

  • Performance of a contract (Article 6(1)(b)): Where processing is necessary to provide the Beta service you have signed up for.

  • Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests in improving the App, preventing fraud, and ensuring security — where these do not override your rights and freedoms.

  • Legal obligation (Article 6(1)(c)): Where processing is required by applicable law.

  • Vital interests (Article 6(1)(d)): Where processing is necessary to protect the vital interests of a person.


If you are located in Singapore

Where the Personal Data Protection Act 2012 (PDPA) applies, we collect, use, and disclose personal data only with your consent (express or deemed), or where permitted by a PDPA exception (such as the Business Improvement Exception or for research purposes). 


If you are located in Canada

We may process your information if you have given us specific or implied consent to use your personal information for a specific purpose. You may withdraw your consent at any time. In some exceptional cases, we may be legally permitted to process your information without consent, including: for fraud detection and prevention; for business transactions where certain conditions are met; where required by subpoena, warrant, or court order; or where the information is publicly available as specified by regulations.


If you are located in the United States

We process your personal information under the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 (CCPA/CPRA), and equivalent legislation in other US states. See Section 15 for full US-specific rights.


4. When and with whom do we share your personal information?

In short: We may share information in specific situations and with the following categories of third-party processors. We do not sell your personal data.


Vendors, consultants, and third-party service providers. We share your data with third-party vendors and service providers who perform services on our behalf and require access to do that work. We have contracts in place with all third-party processors, which are designed to safeguard your personal information. They cannot do anything with your personal information unless we have instructed them to do it, and they commit to protect the data they hold on our behalf.


Processor - Purpose - Data held - Location

AWS (Amazon Web Services) - Cloud infrastructure, database, storage, WAF - Account data, preferences, scheduling data -Singapore, US East, EU (Frankfurt)

OpenAI API - AI scheduling assistant (GPT-4) - Scheduling context passed at query time. zero retention - United States

Anthropic API - AI model research and development - Anonymised/aggregated scheduling data for model improvement. Zero retention 

United States - Google Calendar API - Calendar integration

OAuth tokens only (no calendar contents stored) - United States - Microsoft Graph API

Outlook/Teams integration - OAuth tokens only - United States

Zoom API - Video conferencing integration - OAuth tokens only - United States

Resend - Transactional email (OTPs, confirmations, invitations) - Email addresses, notification content - United States

Apple APNs - iOS push notifications - Device push tokens - United States

Google Maps / Places API - Location-based scheduling features - Location queries - United States

Google Analytics - Website analytics (wenyawanna.ai) - Usage/session data, anonymised where possible - United States

Mixpanel - In-app product analytics - Usage/session data, anonymised where possible - United States

Payment processor (TBC) - Payment processing for Pro subscribers - Payment reference data only - TBC


We may also need to share your personal information in the following situations:

  • Business transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or part of our business to another company. We will notify you in advance.

  • When we use Google Maps Platform APIs: We may share your information with Google Maps Platform APIs (e.g. Google Maps API, Places API) to provide location-based scheduling features. You may revoke your consent at any time by contacting us at info@wenyawanna.ai.

  • Legal disclosures: We may disclose your personal information to law enforcement or regulatory authorities where required by law or a valid legal process, to professional advisors under confidentiality obligations, or where necessary to protect our legal rights.


5. What is our stance on third-party websites?

In short: We are not responsible for the safety of any information that you share with third parties that we may link to or that are connected via our integrations, but are not affiliated with our Services.

The Services may link to or integrate with third-party websites, applications, or services (including Google Calendar, Microsoft Outlook, Zoom, and others). We do not make any guarantee regarding such third parties, and will not be liable for any loss or damage caused by their use. The inclusion of a third-party integration does not imply an endorsement by us.

Any data collected or processed by third parties is governed by their own privacy policies, not this Privacy Notice. We are not responsible for the content, privacy practices, or security practices of any third parties. You should review the privacy policies of any third-party service you choose to connect.


6. Do we use cookies and other tracking technologies?

In short: We may use cookies and similar tracking technologies to collect and store information when you interact with our website.

We may use cookies and similar tracking technologies (such as web beacons and pixels) when you visit our website (wenyawanna.ai) to maintain security, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.


Google Analytics

We use Google Analytics to track and analyse the use of our website. Google Analytics Advertising Features we may use include: Google Analytics Demographics and Interests Reporting and Google Display Network Impressions Reporting. To opt out of being tracked by Google Analytics, visit https://tools.google.com/dlpage/gaoptout. You can also opt out through Google's Ads Settings. For more information on Google's privacy practices, visit the Google Privacy & Terms page at https://policies.google.com/privacy.

To the extent any online tracking technologies are deemed to constitute a "sale" or "sharing" of personal information under applicable US state laws, you can opt out as described in Section 15 below.

Specific information about how we use tracking technologies and how you can refuse certain cookies will be set out in our Cookie Notice.


7. Do we offer artificial intelligence-based products?

In short: We offer products, features, and tools powered by artificial intelligence and machine learning. Our core product is an AI-powered scheduling keyboard and agent.

As part of our Services, we offer products, features, and tools powered by artificial intelligence and machine learning (collectively, "AI Products"). These tools are designed to enhance your scheduling experience by learning your preferences, suggesting meeting times, and automating scheduling coordination within your existing chat applications.


Use of AI technologies

We provide AI functionality through third-party AI service providers, including:

  • OpenAI (GPT-4): Powers the @Wenya AI scheduling assistant. Scheduling context (such as availability queries and thread content) may be passed to OpenAI's API to generate responses. We are working to confirm a Data Processing Agreement with OpenAI and zero-data-retention API settings.

  • Anthropic: Used for AI research, model evaluation, and product development purposes. Data passed to Anthropic is anonymised or aggregated where possible and is not used to identify individual users.

Your input, output, and personal information shared in connection with AI features will be processed by these AI service providers in accordance with their own terms and privacy policies. You must not use the AI Products in any way that violates the terms or policies of any AI service provider.


How we process your data using AI

All personal information processed using our AI Products is handled in accordance with this Privacy Notice and our agreements with third parties. The AI scheduling agent learns your scheduling preferences over time to personalise your experience — this learned data is associated with your account and deleted on account deletion. We do not use your individual scheduling data to train general AI models without your explicit consent.


8. How do we handle your social logins?

In short: If you choose to register or log in using a third-party account (Google or Apple), we may have access to certain basic profile information about you.

Our Services offer you the ability to register and log in using your Google or Apple account. Where you choose to do this, we will receive certain profile information from the provider. The profile information we receive may vary depending on the provider but will typically include your name and email address.

We will use the information we receive only for the purposes described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by your third-party sign-in provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information.


9. Is your information transferred internationally?

In short: We may transfer, store, and process your information in countries other than your own, including Singapore, the United States, and Germany (EU).

As a globally-operating company incorporated in Singapore, your personal data may be transferred to and processed in countries outside your country of residence. Our primary infrastructure is hosted on AWS in Singapore, US East (N. Virginia), and EU (Frankfurt, Germany).


UK users

For transfers of UK personal data to third countries, we rely on: UK Adequacy Regulations where applicable; International Data Transfer Agreements (IDTAs) approved by the UK ICO; or Standard Contractual Clauses (SCCs) with the UK Addendum. Our Standard Contractual Clauses can be provided upon request.


EEA users

For transfers of EEA personal data to third countries, we rely on: adequacy decisions issued by the European Commission (including the EU-US Data Privacy Framework where applicable); or Standard Contractual Clauses (Module 2: Controller-to-Processor) approved by the European Commission. Our SCCs can be provided upon request.


Singapore users

Transfers of personal data outside Singapore are conducted in accordance with the PDPA's transfer limitation obligation. We ensure that overseas recipients provide a standard of protection comparable to that under the PDPA, through contractual arrangements or other approved mechanisms.


US and other users

We will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law. If you are located in the EEA, UK, or Switzerland, please be aware that these countries may not have data protection laws as comprehensive as your own; however, our contractual safeguards described above apply.


10. How long do we keep your information?

In short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).


Data category - Retention period - Basis

Account data (name, email, phone).- Duration of account + 12 months after deletion - Legal obligation / Legitimate interests

Group scheduling - 90 days after conversation end, then deleted - Minimal retention principle

AI preference / learned norms data - Duration of account; deleted on account deletion - Contract performance

OAuth tokens (calendar, video) - Until revoked by user or account deleted - Contract performance

Usage / analytics data - Anonymised / aggregated after 12 months; raw data deleted - Legitimate interests

Payment records and transaction data - 7 years from transaction date - Financial record-keeping (legal obligation)

Security logs and IP records - 12 months - Legitimate interests / Legal obligation

Marketing consent records - Until consent withdrawn + 3 years - Legal obligation (consent records)


When we have no ongoing legitimate need to process your personal information, we will either delete or anonymise it, or — if this is not possible (for example, because it is stored in backup archives) — we will securely store your personal information and isolate it from any further processing until deletion is possible.


11. How do we keep your information safe?

In short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, alteration, or disclosure. These measures include:

  • TLS/SSL encryption in transit (ACM-managed certificates via AWS CloudFront)

  • Data encrypted at rest within Aurora PostgreSQL and S3 Storage

  • AWS WAF (Web Application Firewall) with DDoS protection

  • VPC private subnets with NAT Gateway isolating internal services

  • IAM roles and least-privilege access policies

  • JWT-based authentication and OAuth 2.0 for third-party integrations

  • AWS Secrets Manager for API keys and credentials

  • Regular automated log cleanup and data lifecycle policies

Despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. You should only access the Services within a secure environment.

In the event of a personal data breach, we will notify you and the relevant authorities as required by applicable law (UK ICO within 72 hours; PDPC within 3 calendar days; affected users without undue delay where high risk). See our Incident Response Plan for full procedures.


12. Do we collect information from minors?

In short: We do not knowingly collect data from or market to children under 16 years of age (or under 13 in the United States).

The App is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect, solicit data from, or market to children under these ages, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 16 years of age (or 13 in the US with verifiable parental consent), or that you are the parent or guardian of such a minor and consent to the minor's use of the Services.

If we learn that personal information from users under the applicable age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under the applicable age, please contact us at info@wenyawanna.ai.

US / COPPA: If you are a parent or guardian and believe your child under 13 has used the App or provided personal information without verifiable parental consent, please contact us immediately at info@wenyawanna.ai. We will delete any such data promptly in accordance with the Children's Online Privacy Protection Act (COPPA) and FTC guidance.

California minor users: If you are a California resident under 18 and have posted content on the App, you may request removal by contacting info@wenyawanna.ai in accordance with California Business & Professions Code Section 22581.


13. What are your privacy rights?

In short: Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information. You may review, change, or request deletion of your data at any time.


EEA, UK, and Switzerland users

In some regions (the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws. These include the right to: (i) request access and obtain a copy of your personal information; (ii) request rectification or erasure; (iii) restrict the processing of your personal information; (iv) data portability; and (v) object to processing. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority or the UK Information Commissioner's Office (ico.org.uk).

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch).


Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at info@wenyawanna.ai or updating your preferences. This will not affect the lawfulness of the processing before its withdrawal.


Opting out of marketing communications: You can unsubscribe from marketing communications at any time by clicking "unsubscribe" in any marketing email, or by contacting us. You will then be removed from the marketing list. We may still send you service-related messages necessary for the administration of your account.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other use cases exclude text messaging originator opt-in data and consent; this information will not be shared with third parties.


Account information

If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account, or contact us at info@wenyawanna.ai.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements.


14. Controls for do-not-track features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

California law requires us to let you know how we respond to web browser DNT signals. Because there is not currently an industry or legal standard for recognising or honouring DNT signals, we do not respond to them at this time. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.


15. Do United States residents have specific privacy rights?

In short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have specific privacy rights regarding your personal information.


Categories of personal information we collect

The table below shows the categories of personal information we have collected in the past twelve (12) months, in accordance with the CCPA/CPRA and equivalent state laws.

Category - Examples - Collected

A. Identifiers - Name, alias, email address, phone number, IP address, account name, unique personal identifier - YES

B. Personal information (California Customer Records statute) - Name, contact information, financial information - YES

C. Protected classification characteristics - Gender, age, date of birth, race and ethnicity, national origin, marital status - NO

D. Commercial information - Transaction information, subscription status, payment reference data - YES

E. Biometric information - Fingerprints and voiceprints - NO

F. Internet or network activity - Usage data, session data, features accessed, error logs - YES

G. Geolocation data - Approximate device location (from IP/timezone) - YES

H. Audio, electronic, sensory information.- Images, audio, or call recordings - NO

I. Professional or employment-related information - Business name (business users only) - YES

J. Education information - Student records - NO

K. Inferences from collected personal information - Scheduling preferences, AI-learned meeting norms, availability patterns — drawn from usage data to personalise your scheduling experience. These inferences are used solely to improve your experience within the App and are not used for advertising profiling or sold to third parties. - YES

L. Sensitive personal information - Racial/ethnic origin, health data, biometric data, precise geolocation, login credentials - NO


We may also collect other personal information outside of these categories through customer support interactions, participation in beta feedback sessions, or facilitation in the delivery of our Services.

We will use and retain the collected personal information as needed to provide the Services, or for the periods specified in Section 10.


Sources of personal information

We collect personal information directly from you (at sign-up and through App use), automatically through your use of the Services (device data, usage data, IP address), and from third-party sign-in providers (Google, Apple) where you choose to use them.


How we use and share personal information

We collect and share your personal information through the App and our website. We may collect limited data through Beacons/Pixels/Tags on our website for analytics purposes.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months, except:

  • Category G (Geolocation data): shared with Google Maps Platform APIs to enable location-based scheduling features.

  • Category F (Internet/network activity): shared with Google Analytics and Mixpanel for analytics purposes.

We may use your personal information for our own business purposes, such as undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.


Your rights

You have rights under certain US state data protection laws. However, these rights are not absolute and we may decline your request as permitted by law. These rights include:

  • Right to know whether or not we are processing your personal data.

  • Right to access your personal data.

  • Right to correct inaccuracies in your personal data.

  • Right to request the deletion of your personal data.

  • Right to obtain a copy of the personal data you previously shared with us.

  • Right to non-discrimination for exercising your rights.

  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.


Depending on the state where you live, you may also have:

  • Right to access the categories of personal data being processed (California, Delaware, Maryland).

  • Right to obtain a list of specific third parties to which we have disclosed personal data (Minnesota, Oregon).

  • Right to review, understand, question, and correct how personal data has been profiled (Connecticut, Minnesota).


How to exercise your rights

To exercise these rights, please contact us by emailing info@wenyawanna.ai with the subject line "US Privacy Rights Request — [Your Name]", or by submitting a data subject access request via our website.

Under certain US state laws, you can designate an authorised agent to make a request on your behalf. We may deny a request from an authorised agent that does not submit proof of valid authorisation in accordance with applicable law.


Request verification

Upon receiving your request, we will need to verify your identity to confirm you are the person about whom we hold the information. We will only use personal information provided in your request to verify your identity. If we cannot verify your identity from information we already hold, we may request additional information for verification and fraud-prevention purposes.


Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing info@wenyawanna.ai. We will inform you in writing of any action taken or not taken in response to the appeal, including the reasons. If your appeal is denied, you may submit a complaint to your state attorney general.


California "Shine the Light" law

California Civil Code Section 1798.83, also known as the "Shine the Light" law, permits California residents to request, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes, and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please contact us in writing at info@wenyawanna.ai.


16. Do Singapore residents have specific rights?

In short: Singapore residents have rights under the Personal Data Protection Act 2012 (PDPA) to access and correct their personal data, and to withdraw consent to its collection, use, or disclosure.

Under the PDPA, Singapore residents have the right to:

  • Access personal data held about them by Wenya;

  • Correct personal data that is inaccurate or incomplete;

  • Withdraw consent for the collection, use, or disclosure of their personal data (subject to legal or contractual consequences as described at the time of consent); and

  • Lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

To exercise any of these rights, please contact us at info@wenyawanna.ai with the subject line "PDPA Request — [Your Name]". We will respond within 30 days.


Data Protection Officer (DPO): Wenya Labs Pte Ltd has designated a Data Protection Officer, Thomas Beattie as required under PDPA Section 11.


17. Do we make updates to this notice?

In short: Yes, we will update this notice as necessary to stay compliant with relevant laws and to reflect changes in our practices.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated effective date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we will notify you either by prominently posting a notice of such changes or by directly sending you an email or in-app notification at least 14 days before changes take effect.

We encourage you to review this Privacy Notice periodically to stay informed about how we are protecting your information. If you do not agree with material changes, you may close your account by contacting info@wenyawanna.ai before the changes take effect.


18. How can you contact us about this notice?

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) or privacy team:


Company: Wenya Labs Pte Ltd

Data Protection Officer: [NAME — TO BE APPOINTED]

Address: 50 Chin Swee Road, #08-02, Singapore 169874

Email: info@wenyawanna.ai

Subject line: "Privacy Request — [Your Name]"


UK users may also contact the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113

Singapore users may contact the PDPC: pdpc.gov.sg

California users may contact the California Privacy Protection Agency: cppa.ca.gov

Switzerland users may contact the Federal Data Protection and Information Commissioner: edoeb.admin.ch


19. How can you review, update, or delete the data we collect from you?

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please contact us at info@wenyawanna.ai with the subject line "Data Request — [Your Name]". We will respond within 30 days (or sooner where required by law).


© 2025 Wenya Labs Pte Ltd. All rights reserved.

This is a draft document for review purposes only. Not legal advice. Seek independent legal counsel before publishing.