Kodifly Limited (“Sifu”, “we”, “us”, or “our”) is committed to protecting the personal data of individuals who use the Sifu platform (“Platform” or “Services”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data, and describes the rights you have with respect to your data.
This Policy applies to all users of the Platform, including construction project managers, field team members, organisation administrators, and visitors to our website, regardless of where they are located. We operate across Hong Kong, Southeast Asia (including Singapore, Malaysia, Thailand, the Philippines, and Indonesia), and the Middle East & North Africa (including the UAE, Saudi Arabia, Qatar, and Bahrain).
By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
We act as controller for account, billing, website, security, support, service communications, analytics and marketing data. For project records, site data, worker/subcontractor data, connected or imported communications and other Organisation-submitted content, we generally act as processor/service provider for the relevant Organisation, except where we process such data for our own legal, security, compliance or service administration purposes.
For data subject requests or privacy inquiries, please contact us:
| | |
|---|---|
| Entity | Kodifly Limited |
| Registered address | Unit 327, Building 19W, No. 19 Science Park West Avenue, Hong Kong Science Park |
| Jurisdiction | Hong Kong Special Administrative Region |
| Privacy contact | info@kodifly.com |
| Data protection contact | info@kodifly.com |
3.1 Identity and Contact Data
- Full name
- Work email address
- Job title and role
- Organisation / company name
- Profile photograph (optional)
3.2 Authentication Data
- Username and encrypted password (managed via Supabase or other third-party authentication infrastructure)
- Session tokens and authentication logs
- Two-factor authentication data (if enabled)
3.3 Payment and Billing Data
- Billing contact details
- Invoice information
- Subscription plan and payment status
- Transaction records
- Payment method identifiers or tokens
- Other billing-related records
3.4 Project Location and Job Site Data
- Job site addresses, site names, and geographic identifiers entered by users
- Other site-specific information entered by users as part of project records
3.5 Business and Organisational Data
- Project names, descriptions, timelines, and statuses
- Task assignments and progress records
- Subcontractor and vendor information (where provided)
- Budget and cost-related data (if entered into the Platform)
- Communication records and annotations
3.6 User-Generated Content
- Photographs, videos, and images uploaded from job sites
- Documents, reports, and attachments
- Notes, comments, and annotations
3.7 Technical and Usage Data
- IP address, browser type, and device information
- Operating system and app version
- Pages visited, features used, and click-stream data
- Error logs and crash reports
- Session duration and timestamps
3.8 Communications Data
- Records of support requests and correspondence with our team
- Feedback and survey responses
3.9 Connected Messaging and AI Data
- Connected or imported communications, including WhatsApp or other message threads made available to the Platform by or on behalf of a User or Organisation
- Message content, sender/recipient identifiers, phone numbers or handles, timestamps, group identifiers and attachments
- Voice notes, audio files, images, videos, documents and other media or files shared in connected communications
- Extracted action items, decisions and commitments from connected or imported communications
- AI prompts, instructions and queries submitted through Platform features
- AI outputs, generated reports, recommendations, summaries, risk flags and other derived content generated through Platform features
We collect personal data through the following means:
- Directly from you: when you register an Account, complete your profile, use Platform features, submit forms, contact support, or communicate with us.
- Automatically: through cookies, web beacons, and similar tracking technologies when you interact with the Platform (see Section 11).
- From your Organisation: where your employer or Organisation administrator creates an Account on your behalf or grants you access.
- From third-party services and connected communications: where you or your Organisation connect the Platform to third-party integrations (e.g., calendar applications, file storage), messaging services or project tools, including where communications or documents are imported, pasted, exported or automatically received through integrations, APIs, webhooks or similar technical connections.
We process your personal data for the following purposes:
| Purpose | Data categories used | Legal basis |
|---|---|---|
| Account creation and authentication | Identity, authentication data | Contract / Consent |
| Providing Platform features (project management, field data, AI, connected messaging analysis) | All categories covering relevant account, project, location, user-generated, connected/imported communication and technical data | Contract |
| Processing payments and billing | Identity, payment and billing data | Contract |
| Customer support and communications | Identity, communications data | Contract / Legitimate interests |
| Security, fraud prevention, and compliance | Technical, identity data | Legitimate interests / Legal obligation |
| Product analytics and improvement | Usage and technical data (anonymised/aggregated where possible) | Consent where required / Legitimate interests |
| Sending service notifications | Identity, contact data | Contract |
| Marketing communications (with consent) | Identity, contact data | Consent |
| Legal compliance and regulatory obligations | As required by applicable law | Legal obligation |
Where we rely on consent as the legal basis, you may withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
We retain personal data for as long as necessary to fulfil the purposes set out in this Policy, unless a longer period is required by applicable law, contract, dispute management, audit, tax or legitimate business recordkeeping requirements. Our general retention periods are typically as follows:
- Account and identity data: for the duration of your account plus 3 years after closure.
- Project and operational data (field records, documents, photos, connected/imported communications and AI-generated reports): for the duration of the subscription plus 3 years, or longer if required for legal, regulatory, contractual, dispute or audit purposes.
- Project location and site information: retained as part of project and operational data, or for such longer period as required or permitted for security, audit, legal, contractual or legitimate business recordkeeping purposes.
- Usage and technical data: 24 months from collection.
- Financial and billing records: 7 years from transaction date, in compliance with applicable accounting and tax laws.
- Communications and support records: 3 years from last interaction.
When data is no longer required, we will securely delete or anonymise it. You may request earlier deletion subject to Section 9.
Because we are an international platform operating across Hong Kong, Southeast Asia, and the Middle East & North Africa, your data may be transferred to, stored in, or processed in countries outside your country of residence, including but not limited to Hong Kong, Singapore, the United States, Ireland and other locations where our service providers, sub-processors or infrastructure are located, subject to applicable law and the safeguards described below.
Where required by applicable law, we take appropriate steps to ensure adequate protection when transferring data internationally, which may include:
- Transferring to countries recognised as providing adequate data protection under applicable law.
- Using contractual, organisational or technical safeguards where required or appropriate.
- Requiring service providers and sub-processors to implement equivalent data protection standards.
8.1 Hong Kong Users
For Hong Kong users, cross-border transfers are handled in accordance with the applicable requirements of the Personal Data (Privacy) Ordinance (Cap. 486) and relevant guidance from the Office of the Privacy Commissioner for Personal Data (PCPD). Although Section 33 of the PDPO has not yet commenced, we take reasonable steps to protect transferred personal data and may use PCPD-recommended model clauses or comparable contractual safeguards where appropriate.
8.2 Singapore Users
For Singapore users, cross-border transfers are conducted in accordance with the Personal Data Protection Act 2012 (PDPA) transfer limitation obligation, including by taking appropriate steps to ensure that the transferred personal data receives a standard of protection comparable to that under the PDPA.
8.3 Malaysia Users
For Malaysia users, cross-border transfers are conducted in accordance with the Personal Data Protection Act 2010 (PDPA), including where the destination country has substantially similar data protection laws, ensures an adequate level of protection, or another permitted transfer condition or exemption applies.
8.4 Thailand Users
For Thailand users, cross-border transfers are conducted in accordance with the Personal Data Protection Act B.E. 2562 (2019), including where the destination country provides adequate data protection standards, appropriate transfer safeguards are in place, or another permitted transfer condition or exemption applies.
8.5 UAE Users
For UAE users, to the extent Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data applies, cross-border transfers outside the UAE are conducted only where permitted under applicable law, where appropriate safeguards are in place, or where exemptions under that law apply.
8.6 Saudi Arabia Users
For Saudi Arabia users, to the extent the Personal Data Protection Law (PDPL) issued under Royal Decree No. M/19 and its Implementing Regulations apply, cross-border transfers are conducted only where permitted under the PDPL framework, including applicable transfer conditions, safeguards, assessments, documentation and any approval mechanisms established by the Saudi Data & AI Authority (SDAIA/NDMO).
Subject to applicable law and certain exceptions, you have the following rights regarding your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right of correction: to request that we correct inaccurate or incomplete data.
- Right of erasure: to request deletion of your personal data where it is no longer necessary, or where you withdraw consent (where consent is the legal basis).
- Right to restriction: to request that we restrict processing in certain circumstances.
- Right to data portability: to receive your data in a structured, machine-readable format (where applicable under your jurisdiction’s law).
- Right to object / request cessation: to object to, or request cessation of, processing where available under applicable law, including for direct marketing and certain automated processing.
- Right to withdraw consent: to withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint: with the relevant data protection authority in your jurisdiction.
To exercise your rights, submit a request to info@kodifly.com with sufficient information to verify your identity. We will respond within the timeframes required by applicable law (for example, 40 days for Hong Kong data access requests and generally 30 days in other cases, subject to extension where permitted for complex requests).
We will not discriminate against you for exercising your data subject rights. For Organisation-submitted data where we act as processor/service provider, we may refer your request to the relevant Organisation or handle it in accordance with that Organisation’s instructions.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss or destruction, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Access controls and role-based permissions.
- Supabase JWT-based authentication with secure token handling.
- Security assessments, vulnerability monitoring and access reviews, as appropriate.
- Staff training on data protection obligations.
Despite these measures, no method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at info@kodifly.com.
10.1 Data Breach Notification
In the event of a personal data breach, we will assess the incident and notify the relevant regulatory authority and/or affected individuals where required by applicable law:
- Hong Kong (PDPO): voluntary notification to the PCPD and affected individuals for significant breaches, in line with PCPD guidance.
- Singapore (PDPA): mandatory notification to the PDPC within 3 calendar days after determining the breach is notifiable (affecting 500+ individuals or causing/likely to cause significant harm).
- Malaysia (PDPA): mandatory notification to the Personal Data Protection Commissioner where required for breaches causing or likely to cause significant harm.
- Thailand (PDPA): notification to the PDPC without undue delay and, where feasible, within 72 hours unless the breach is unlikely to affect individuals’ rights and freedoms.
- UAE (PDPL): notification to the UAE Data Office where required by applicable law for breaches that would prejudice the privacy, confidentiality or security of personal data.
- Saudi Arabia (PDPL): notification to SDAIA/NDMO within 72 hours of becoming aware, where the breach may harm personal data or data subjects.
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at info@kodifly.com and we will delete such data promptly.
The Platform may contain links to third-party websites or integrate with external services. This Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you use.
We may update this Privacy Policy from time to time. Where required by applicable law or where changes are material, we may notify you via the email address associated with your Account or via a prominent notice on the Platform. Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms.
15.1 Hong Kong — Personal Data (Privacy) Ordinance (Cap. 486)
- To the extent applicable, we process your personal data in accordance with the six Data Protection Principles (DPPs) under the PDPO, including purpose specification, data minimisation, accuracy, retention, security, transparency and access/correction requirements.
- You have the right to request access to and correction of personal data held about you by submitting a Data Access Request (DAR) or Data Correction Request (DCR) in writing to info@kodifly.com.
- We will respond to DARs within 40 days of receipt or such other period as permitted under the PDPO.
- A fee not exceeding the maximum prescribed under the PDPO may be charged for data access requests.
- You have the right to opt out of the use of your personal data for direct marketing. To exercise this right, contact info@kodifly.com.
- You may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.
15.2 Singapore — Personal Data Protection Act 2012 (PDPA)
- To the extent applicable, we process personal data in accordance with the Singapore PDPA, including accountability, notification, consent/deemed consent or applicable exceptions, purpose limitation, accuracy, retention limitation, transfer limitation and data breach notification obligations.
- You have the right to withdraw consent at any time, subject to legal or contractual restrictions, by contacting info@kodifly.com.
- Where the Singapore data portability provisions apply, you may request transmission of your data to another organisation in accordance with the PDPA and applicable regulations.
- You may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.
15.3 Malaysia — Personal Data Protection Act 2010 (PDPA)
- To the extent applicable, we process personal data in accordance with the seven data protection principles under the Malaysian PDPA 2010.
- You have the right to access and correct your personal data by submitting a written request to info@kodifly.com.
- We will not process sensitive personal data (as defined under the Malaysian PDPA) without your explicit consent.
- You may direct inquiries to the Department of Personal Data Protection (JPDP) at www.pdp.gov.my.
15.4 Thailand — Personal Data Protection Act B.E. 2562 (2019)
- To the extent applicable, we process personal data in accordance with the Thai PDPA, which aligns with GDPR-style principles.
- Where we rely on consent as the legal basis, such consent is freely given, specific, informed, and unambiguous.
- You have the rights of access, rectification, erasure, restriction, data portability, and objection.
- You may lodge complaints with the Personal Data Protection Committee (PDPC Thailand).
15.5 United Arab Emirates — Federal Decree-Law No. 45/2021
- To the extent applicable, we process personal data in accordance with the UAE Personal Data Protection Law (PDPL) and any applicable implementing regulations.
- You have the right to access, correct, erase, restrict processing, request cessation of processing, object to certain automated processing and request portability of your personal data, subject to applicable law.
- You may withdraw consent at any time by contacting info@kodifly.com.
- Cross-border transfers of UAE residents’ data are conducted only where permitted under applicable law, including where the recipient country provides an adequate level of protection, appropriate safeguards are in place, or another lawful exemption applies.
- You may file a complaint with the UAE Data Office.
15.6 Saudi Arabia — Personal Data Protection Law (PDPL)
- To the extent applicable, we process personal data in accordance with the Saudi PDPL issued under Royal Decree No. M/19 and its Implementing Regulations overseen by the Saudi Data & AI Authority (SDAIA/NDMO).
- Personal data of Saudi residents is processed only for declared, specific, and legitimate purposes.
- You have rights to access, rectify, request deletion of your personal data, withdraw consent where processing is consent-based, and exercise other rights available under the Saudi PDPL, subject to applicable law.
- You may lodge a complaint with SDAIA/NDMO at www.sdaia.gov.sa.
If you have any questions, concerns, requests or complaints regarding this Privacy Policy or our data practices, please contact us using the details set out in Section 2 above.
We aim to respond to legitimate requests within 30 days, subject to any different timeframe under applicable law. We may need to verify your identity before processing your request.
Last updated: 26 May 2026 · Kodifly Limited · info@kodifly.com