We, Kard Tech Pte. Ltd. (“Kard”, “we”, “us” or “our”) are committed to ensuring the safety and security of the personal information of all users of our services (“Services”).
To begin with, we only collect such personal information that is necessary to provide you with the Services, understand your needs and serve you better as a whole.
The purpose of this document, Kard’s Personal Data Protection Policy (“Policy”), is to inform you as to how Kard manages, collects, uses and discloses Personal Data (as defined below). In Singapore, such activities are subject to the Personal Data Protection Act (No. 26 of 2012) (the “PDPA”). We conduct our business in compliance with the PDPA and have implemented various measures to ensure that any Personal Data remains safe and secure.
Subject to your rights at law, you agree to be bound by the prevailing terms of the Policy as updated from time to time. For the avoidance of doubt, you shall be deemed to have complied all applicable laws (whether under the PDPA or otherwise) by agreeing be bound by the prevailing terms of the Policy.
In this Policy, “Personal Data” refers to any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.
Collection of Personal Data
The Personal Data that Kard may collect include your name, email address, phone number, date of birth, shipping address, and any other Personal Data necessary for Kard to provide you with the Services. For the avoidance of doubt, Kard will not collect or retain any of your payment information which is includes but is not limited to your credit or debit card number, bank account details, and billing address.
Typically, Kard will collect your Personal Data relating to you when you:
register for the Services and/or submit any forms relating to the Services to us;
use our Services (e.g. when making any online purchase from our business partners on any third party website and application);
sign up for alerts or newsletters;
contact us with enquiries or requests for assistance; or
are referred to us by business partners or third parties.
Apart from collecting such Personal Data directly from you, Kard may also collect Personal Data in other ways (e.g using automated technology such as click-stream data, cookies, flash cookies, web beacons and tracking links) and from third parties (e.g. your use of third party websites and applications that interact with our web-based application) or from publicly available sources.
[Please also note that our website, mobile or web-based applications may offer location-enabled services. If you use our website, mobile or web-based applications, they may receive information about your actual locations (such as GPS signals sent by your mobile device) or information that can be used to approximate a location. You will always be asked if the location-enabled service may be activated and you may also object or withdraw your consent to such location-enabled service within the respective mobile or web-based application.]
For the avoidance of doubt, in the event that any applicable law permits the collection of your Personal Data without your consent, such permission granted by the laws shall continue to apply.
Use of Personal Data
We may collect, use, disclose, and/or process your Personal Data for one (1) or more of the following purposes:
providing our Services;
internal audits and research;
security and risk management;
legal, regulatory and other compliance requirements (including providing assistance to law enforcement, judicial, regulatory or other government agencies and statutory bodies);
for marketing and advertising, and in this regard, to send you by various modes of communication marketing and promotional information and materials relating to products and/or services (including, without limitation, products and/or services of third parties) that Kard may be marketing or promoting, whether such products or services exist now or are created in the future;
other work and business related requirements; and
any other purposes which we notify you of at the time of obtaining your consent.
(collectively, the “Purposes” and each, a “Purpose”)
We will not use Personal Data for Purposes which we are not permitted to or required under local law and regulations.
Notwithstanding the above, Kard may collect any Personal Data without your consent provided that it is in accordance with any applicable laws, including but not limited to the PDPA.
Disclosure of Personal Data
We may share and disclose Personal Data with:
our partners, vendors, agents, contractors or third party service providers who provide services to Kard including but not limited to the processing of payments, and/or any merchants of goods;
our partners, licensors, vendors, agents, contractors or third party service providers who provide operational services to Kard such as courier services, telecommunications, IT, payment, printing, billing, payroll processing, technical services, training, market research, call centre, security or other such services;
our partners, licensees, agents, contractors, or third party service providers who provide operational services for and on behalf of Kard;
in the event of an actual or prospective business asset transaction (such as any merger, acquisition or asset sale), any business partner, investor, assignee, or transferee for the purposes of facilitating such a transaction; and
any relevant government regulators, statutory boards or authorities or law enforcement agencies as required by any laws, rules, guidelines and regulations or schemes imposed by any government to bodies and authorities.
Personal Data is disclosed to the above only for the Purposes or to protect the individual’s interests.
In exceptional circumstances, Kard may also be required to disclose Personal Data, where there are grounds to believe that disclosure is necessary to prevent a threat to life or health, or for law enforcement purposes.
In some cases, we shall encrypt, anonymize, and aggregate the information before sharing it. Anonymizing means stripping the information of personally identifiable features. Aggregating means presenting the information in groups or segments e.g. age groups.
We will also ensure that overseas organisations we work with observe strict confidentiality and data protection obligations.
Accuracy and Updating of Personal Data
Kard will strive to keep Personal Data accurate. You will be given the ability to review and update your Personal Data that we have in our possession.
You should ensure that all Personal Data submitted to us is complete, accurate, true and correct.
Further, when you provide us with any Personal Data relating to a third party (including your spouse, children, parents and/or employees), you represent to us that you have obtained the consent of the third party to provide us with their Personal Data unless otherwise provided in the PDPA.
If there is any Personal Data relating to you that you are unable to update and which you wish to make corrections to, you may contact our Data Protection Officer (whose contact is set out below) and we will be happy to help you as best as we can.
Access to Personal Data and Respecting Individual’s Consent
If you wish to access the Personal Data that we have relating to you, inquire about the way in which Personal Data relating to you has been used or disclosed by Kard in the past year, or wish to withdraw your consent to our use of such Personal Data, you may contact our Data Protection Officer (whose contact is set out below) and we will seek to attend to your request as best as we reasonably can. Please note that:
in order for us to provide any Personal Data we will need to verify your identity and may request further information about your request;
we may refuse access to your Personal Data if it would affect the privacy rights of other persons or if it breaches any confidentiality that attaches to that information;
we may also refuse your request where we are legally permitted to do so and give you such reasons;
we may also refuse your request where we are legally permitted to do so and give you such reasons;
we may have to charge you a reasonable administrative fee for retrieving Personal Data relating to you.
For the avoidance of doubt, if we refuse to grant you access to your Personal Data, we shall preserve a complete and accurate copy of the Personal Data for a period of 30 days after the date which we notify you of our refusal to do so.
Security of Personal Data
Safeguarding and respecting the confidentiality of Personal Data is important to Kard. We will use our best efforts to protect Personal Data.
The Personal Data provided to us are stored on secure servers. Kard also has security measures in place to protect against unauthorized access, loss, misuse and alteration of Personal Data under our control. However, please note that we will not be held liable or responsible for any loss, misuse or alteration of Personal Data that may be caused by third parties.
Transfer of Personal Data Outside Singapore
Your Personal Data may be transferred to, stored or processed outside of Singapore. 10.2 Kard will only transfer your information overseas in accordance with Privacy Laws and will ensure that overseas organisations we work with observe strict confidentiality and data protection obligations.
Kard will ensure that the overseas organisations we transfer your Personal Data to provide a standard of protection comparable to the protection under the PDPA.
Retention of personal information
We will only retain Personal Data for only as long as:
the retention of the Personal Data continues to serve any Purpose; and
there is a business or legal need.
In the event that retention of Personal Data is no longer necessary for any business or legal purposes or when the purpose for which the Personal Data was collected is no longer being served by the retention of the Personal Data, Kard will remove, destroy or anonymise the Personal Data.
Breach of Personal Data
In the event of a data breach of your Personal Data (“Breach”), we will promptly conduct an assessment of whether the Breach is notifiable to the Personal Data Protection Commission (“PDPC”) in accordance with the PDPA. If the Breach is notifiable to the PDPC, we will also notify you of the occurrence of the Breach in accordance with the PDPA.
Disclosure of personal information policy and procedure of making a complaint
If you believe that we have breached this Policy, or any other applicable privacy or data protection laws or regulations which may apply to Kard, you should make a complaint to Kard in the first instance. You should address your complaint in writing to our Data Protection Officer (whose contact is set out below), and you should include as much detail as you can about the Personal Data affected, and the circumstances that you believe amount to a breach of this Policy or the applicable privacy or data protection law or regulation.
If you have any questions about our Policy or concerns about our commitment to your privacy, please feel free to email or write to the Data Protection Officer (whose contact is set out below).
How to contact us
Please feel free to contact our Data Protection Officer at Privacy@projectarrow.co.
Changes to the Policy
Kard reserves the right to modify and update this Policy at any time to ensure it is consistent with industry trends and/or any changes in legal or regulatory requirements. Subject to your rights at law, you agree to be bound by the prevailing terms of this Policy as updated from time to time [on our website].
This Policy shall be governed in all respects by the laws of Singapore.