PDPA Policy

Magnified Pte. Ltd. ("Magnified", "we", "us", or "our"), operator of the CubbyBunny platform, is committed to full compliance with the Personal Data Protection Act 2012 ("PDPA") of Singapore.

Given that CubbyBunny handles sensitive data relating to children, parents, and preschool staff, we hold ourselves to the highest standards of data protection. This policy outlines how we meet our obligations under the PDPA and how preschools using our platform can meet theirs.

We have appointed a Data Protection Officer (DPO) responsible for overseeing our PDPA compliance. All data protection queries, access requests, and complaints should be directed to:

We collect, use, and disclose personal data only with the knowledge and consent of the individual, or in accordance with the exceptions set out in the PDPA.

For Preschools (Data Controllers)

When a preschool subscribes to CubbyBunny, the preschool is the data controller for the personal data of its students, parents, and staff. The preschool is responsible for obtaining consent from parents and guardians for the collection and use of their child's data through the platform.

For CubbyBunny (Data Processor)

CubbyBunny acts as a data processor on behalf of the preschool. We process personal data strictly in accordance with the preschool's instructions and the purposes outlined in our Privacy Policy.

We collect personal data only for purposes that a reasonable person would consider appropriate in the circumstances. Specifically:

• Student and parent data is collected solely for preschool management purposes (attendance, activity tracking, parent communication, billing)
• Staff data is collected for workforce management, rostering, and CPD compliance
• Financial data is collected for invoicing, payment processing, and subsidy administration
• Technical data is collected for platform security, performance, and improvement

We do not repurpose personal data beyond the stated collection purposes without obtaining fresh consent.

We implement robust security measures to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal:

Technical Safeguards

• All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Data stored exclusively in AWS Singapore (ap-southeast-1)
• Multi-factor authentication available for all accounts
• Role-based access controls ensuring staff only see data relevant to their role
• Automated daily backups with point-in-time recovery
• Regular penetration testing and vulnerability assessments

Administrative Safeguards

• All Magnified employees undergo data protection training
• Access to production data is restricted to authorised personnel only
• Comprehensive audit trails for all data access and modifications
• Incident response procedures for data breaches

We retain personal data only for as long as it is needed for the purposes for which it was collected, or as required by law.

• Active accounts: data retained for the duration of the subscription
• Cancelled accounts: data deleted within 90 days of account termination
• Financial records: retained for 5 years in accordance with IRAS requirements
• Audit logs: retained for 2 years for security purposes

Upon deletion, data is permanently removed from all systems including backups within the retention period.

Individuals have the right to request access to and correction of their personal data held by us.

How to Make a Request

• For data held by a preschool through CubbyBunny: contact the preschool directly
• For data held by Magnified directly (e.g. website enquiries): email our DPO at hello@magnified.com.sg

Response Timeline

We will respond to access and correction requests within 30 business days. If we are unable to respond within this timeframe, we will notify you of the expected response time.

In the event of a data breach that is likely to result in significant harm to affected individuals, we will:

• Notify the Personal Data Protection Commission (PDPC) within 3 business days of becoming aware of the breach
• Notify affected individuals as soon as practicable
• Notify affected preschools immediately so they can inform their parents and staff
• Take immediate steps to contain and remediate the breach
• Conduct a post-incident review and implement measures to prevent recurrence

All CubbyBunny data is stored and processed within Singapore. We do not transfer personal data outside of Singapore unless:

• The recipient country provides a comparable standard of data protection
• We have obtained the consent of the individual
• The transfer is necessary for the performance of a contract

Currently, all data processing occurs within Singapore and no cross-border data transfers are required.

CubbyBunny is designed to help preschools meet their own PDPA obligations:

• Consent management: Built-in tools for parents to provide and manage consent for data collection
• Access controls: Granular, role-based permissions ensure staff only access data relevant to their role
• Audit trails: Complete logs of who accessed what data and when
• Data export: Full data export at any time for access requests or centre transfers
• Secure communications: All parent notifications and communications are sent through secure, encrypted channels

This PDPA Policy will be reviewed and updated regularly. Material changes will be communicated to all active users. The latest version is always available on this page.

If you have questions, concerns, or complaints about how we handle personal data, please contact our Data Protection Officer:

• Email: hello@magnified.com.sg
• WhatsApp: +65 8883 8987
• Company: Magnified Pte. Ltd., Singapore

If you are unsatisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC).