LEGAL // DOC-PP-001
Privacy Policy
Who We Are
This website and associated platforms are operated by Joburn Pte. Ltd., a company registered in Singapore, trading as “Funnel Futurist.”
References to “we,” “us,” or “our” in this policy refer to Joburn Pte. Ltd.
Scope
This policy applies to all personal data collected through our websites, applications, quizzes, assessments, roadmap tools, booking forms, chat interfaces, and any other digital surfaces operated by Joburn Pte. Ltd., including but not limited to:
- joburn.com
- funnelfuturist.com
- quiz.funnelfuturist.com
- audits.funnelfuturist.com
- portal.funnelfuturist.com
Personal Data We Collect
When you interact with our platforms, we may collect the following categories of personal data:
| Category | Details | Purpose |
|---|---|---|
| Identity data | First name, last name, email address, phone number | To deliver services and communicate with you |
| Assessment responses | Quiz answers, self-assessment scores, diagnostic inputs | To generate personalized results, roadmaps, or recommendations |
| Technical data | IP address, device type, browser, timezone, operating system | Platform functionality, security, and fraud prevention |
| Usage data | Pages viewed, time on page, scroll depth, click patterns | To improve platform experience |
| Communication data | Chat messages, form submissions, email correspondence | To respond to inquiries and deliver requested services |
| Advertising data | Ad click identifiers, UTM parameters, conversion events | To measure advertising effectiveness |
| Payment data | Transaction records, subscription status (card details handled by Stripe) | Payment processing and invoicing |
| Meeting data | Call recordings, transcripts (with notice at time of recording) | Quality assurance and record-keeping |
| Communication preferences | Marketing consent status, opt-in/opt-out choices | To respect your communication choices |
We do not collect NRIC, FIN, passport numbers, or sensitive personal data (health, race, religion) unless directly relevant to a service you have requested.
How We Use Your Data
We use your personal data only for the purposes consented to at the point of collection:
| Category | Details | Basis / Action |
|---|---|---|
| Service delivery | Deliver quiz results, personalized roadmaps, audits, and consulting services | Consent (provided at submission) |
| Communications | Respond to inquiries, send requested information, appointment confirmations | Consent (explicit opt-in) |
| Marketing | Newsletters, product updates, promotional offers | Consent (separate explicit opt-in — never pre-ticked) |
| Analytics | Platform performance, user experience optimization | Legitimate business purpose (anonymized/aggregated) |
| Advertising measurement | Conversion tracking, audience insights, campaign optimization | Consent (cookie/pixel consent) |
| Legal compliance | Tax records, regulatory obligations, dispute resolution | Legal requirement |
| Security | Fraud detection, abuse prevention, access control | Legitimate business purpose |
We will never use your data for a purpose you did not consent to without first obtaining your additional consent.
How We Share Your Data
We share personal data only with trusted service providers who assist in delivering our services:
| Provider (location) | Purpose | Safeguards |
|---|---|---|
| Supabase (AWS US) | Database hosting | DPA in place; encryption at rest (AES-256) and in transit (TLS 1.3) |
| Vercel (US/EU edge) | Platform hosting and delivery | DPA in place; SOC 2 Type II certified |
| Stripe (US) | Payment processing | PCI DSS Level 1 certified; we do not store card numbers |
| GoHighLevel (US) | CRM and communication delivery | Data processed per our service agreements |
| Meta Platforms (US) | Conversion event data (hashed identifiers via CAPI) | Data Processing Terms accepted; PII hashed with SHA-256 before transmission |
| Google Workspace (US) | Email, calendar, document collaboration | DPA in place; SOC 2 Type II certified |
| Fireflies.ai (US) | Meeting transcription (with prior notice and consent) | Data processed per service terms |
| Analytics providers | Aggregated, anonymized usage data only | No personal data shared with analytics providers |
We do not sell personal data. We do not share personal data with third-party advertisers beyond the hashed conversion events described above.
When data is shared with a client of ours through our CRM platform (e.g., when you submit a form on a client’s behalf), that client becomes a joint controller of the data within their isolated account. Client accounts are segregated at the database level using row-level security.
Our Role: Controller vs. Processor
Depending on the context, Joburn Pte. Ltd. operates in different data protection roles:
| Role | When it applies | What it means |
|---|---|---|
| Data Controller | When you interact directly with joburn.com, our quizzes, roadmaps, terminal chat, or booking forms | We determine the purposes and means of processing your data |
| Data Processor | When we access Meta Marketing API data, CRM data, or advertising platform data on behalf of our clients | Our client is the controller; we process data per their instructions and our service agreement |
| Joint Controller | When a prospect submits data via a client-branded form that feeds into our shared infrastructure | Both Joburn and the client determine purposes; governed by our Master Services Agreement (Section 8) |
When acting as a data processor on behalf of clients, our processing activities are governed by Data Processing Agreements and our Master Services Agreement. We do not use client data for our own purposes beyond the services contracted.
Meta Platform Data
We use Meta (Facebook/Instagram) APIs to provide advertising performance reporting, audience insights, and campaign management services to our clients. This includes access to:
- Ad performance metrics (impressions, clicks, conversions, spend)
- Campaign and ad set configuration data
- Audience insights (aggregated, non-personally-identifiable)
- Conversion event data via the Conversions API (CAPI)
Our use of Meta Platform data is subject to Meta Platform Terms and Meta Developer Policies. All personally identifiable information transmitted to Meta via CAPI is hashed using SHA-256 before transmission. We do not store raw Facebook user IDs or access tokens beyond what is necessary for authorized API operations.
To request deletion of data associated with your Facebook or Instagram interactions with our services, see Section 11: Data Deletion Requests.
How We Obtain Your Consent
We obtain consent through clear, affirmative actions appropriate to each data collection surface:
| Category | Details | Basis / Action |
|---|---|---|
| Contact / booking forms | Checkbox: "I agree to the Privacy Policy" (never pre-ticked) + separate optional marketing opt-in | Explicit consent before submission |
| Quizzes and assessments | Consent statement above submit button: "By submitting, you agree to our Privacy Policy. Your responses will be used to generate personalized results." | Explicit consent; covers downstream roadmap delivery |
| Roadmap / results pages | Covered by quiz submission consent (same session, same stated purpose) | No additional consent required for same-session delivery |
| Terminal chat | Anonymous until PII is provided. If you enter your name or email, consent is requested before data is stored. | Consent triggered at point of PII collection, not before |
| Meeting recordings | Verbal notice at meeting start + written notice in calendar invitation. Recording bot announces itself upon joining. | Informed consent; participants may request recording be stopped |
| Cookies and tracking | Cookie consent banner on first visit with accept/decline options for non-essential tracking | Opt-in for analytics and advertising cookies |
You may withdraw consent at any time by emailing john@joburn.com or clicking “Unsubscribe” in any marketing email. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, nor does it affect services already delivered.
International Data Transfers
Your data is stored on servers in the United States (AWS US-East-1 via Supabase) and may be processed in the United States and European Union (Vercel edge network).
Under Section 26 of the PDPA, we ensure comparable protection through:
- Contractual safeguards — Data Processing Agreements with all cloud providers imposing PDPA-comparable obligations
- Encryption — All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls — Role-based, least-privilege access across all systems
Data Retention
We retain personal data only as long as necessary for the stated purpose:
| Data category | Retention period | Basis / Action |
|---|---|---|
| Client engagement data | Duration of engagement + 7 years | Contractual and tax/legal obligations (IRAS) |
| Lead/prospect data | 24 months from last interaction | Permanently deleted or anonymized after period |
| Quiz/assessment responses | 24 months from last interaction | Permanently deleted or anonymized after period |
| Payment records | 7 years | IRAS compliance requirements |
| Meeting recordings | 12 months | Deleted after quality assurance review |
| Technical/usage data | 12 months | Anonymized and aggregated after period |
| Consent records | 7 years | Archived securely, then deleted |
| Cold outreach data | 6 months from last contact | Permanently deleted after period |
“Last interaction” means any of: submitting a form, viewing a roadmap, clicking a link in our emails, booking a call, or contacting us.
Your Rights
Under the Personal Data Protection Act (PDPA), you have the right to:
| Right | Details | How to exercise |
|---|---|---|
| Access | Request a copy of your personal data | Email john@joburn.com |
| Correction | Request correction of inaccurate data | Email john@joburn.com |
| Withdrawal of consent | Withdraw consent for marketing or data processing | Click "Unsubscribe" in any email, or email john@joburn.com |
| Disclosure | Know how your data has been used or disclosed in the past year | Email john@joburn.com |
| Data deletion | Request deletion of your personal data | Email john@joburn.com |
We will respond to access and correction requests within 30 calendar days. If we cannot comply (e.g., legal obligation to retain), we will explain why.
Withdrawing consent for marketing will not affect the delivery of services you have already requested.
Additional Rights for EU/EEA Residents
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with additional rights:
- Right to erasure ("right to be forgotten") — Request complete deletion of your data
- Right to data portability — Receive your data in a machine-readable format
- Right to restrict processing — Request limitation of data processing in certain circumstances
- Right to object — Object to processing based on legitimate interests, including profiling
- Right to lodge a complaint — Contact your local EU supervisory authority
For GDPR-specific requests, contact john@joburn.com. We will respond within 30 days.
Data Deletion Requests
You may request the deletion of your personal data at any time by emailing john@joburn.com with the subject line “Data Deletion Request.”
We will confirm receipt within 5 business days, complete the deletion within 30 calendar days, and provide written confirmation once complete. Where data must be retained for legal obligations (e.g., tax records), we will explain which data is retained and why.
If you have interacted with our services through Facebook or Instagram, you may also submit a deletion request through your Facebook Settings under “Apps and Websites.”
Data Security
We implement reasonable technical and organizational measures to protect your personal data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-level security on databases (client data isolation)
- Role-based access controls (least-privilege principle)
- Regular security reviews and vulnerability assessments
- Incident response plan with breach notification procedures
No system is 100% secure. If we discover a data breach that may affect you, we will notify you and the Personal Data Protection Commission (PDPC) within 3 calendar days of assessment, in accordance with the PDPA’s mandatory breach notification requirements.
Do Not Call Registry
We comply with Singapore’s Do Not Call (DNC) Registry provisions. We will check the DNC Registry before sending telemarketing messages via voice calls, SMS, or fax to Singapore telephone numbers. You may register your number on the DNC Registry at www.dnc.gov.sg.
Children
Our platforms are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platforms, contact us immediately and we will delete the data.
Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email (if we have your contact information) or a prominent notice on our platforms.
The effective date at the top of this page indicates when this policy was last revised.
Contact Us
For any questions about this privacy policy or your personal data:
You may also contact the Personal Data Protection Commission (PDPC) if you believe we have not adequately addressed your concern: