Kalibra Data Protection Policy
Part 1: Overview
The purpose of this document is to set out Kalibra’s procedures on protection of Personal Data of individuals under the company’s custody or possession. It contains important information about how and why Kalibra collects, stores, uses, discloses, transfers and disposes of Prospects, Members, Employees and Freelancers Personal Data. This Policy takes into consideration Singapore’s Personal Data Protection Act 2012 (“PDPA”), including any amendment, replacement or re-enactment thereof for the time being in force and including any statutory instruments, rules, regulations, orders, notices, directions, consents or permissions as enacted by the authority currently charged with enforcing the provisions of the PDPA: the Personal Data Protection Commission (“PDPC”).
Part 2: Personal Data Protection Act
The PDPA establishes a data protection law in Singapore that comprises various rules governing the collection, storage use, and disclosure, transfer access to, correction, care and disposal of individuals’ Personal Data by organisations. It recognises both the rights of individuals to protect their Personal Data, including rights of access and correction and disposal, and the needs of organisations to collect, use or disclose Personal Data for legitimate and reasonable purposes. Kalibra intends to comply with all applicable provisions covering data protection by implementing suitable procedures as outlined throughout the remainder of this Policy.
Part 3: Data Protection Policy
This Policy sets out the basis upon which Kalibra may collect, use, disclose, store, transfer and dispose or otherwise Process Personal Data of our Prospects, Members, Employees and Freelancers in accordance with the PDPA. This Policy applies to Personal Data in our possession or under our control, including Personal Data in the possession of organisations which we have engaged for the above Purposes.
Part 4: Definitions
Throughout this Policy, unless there is something in the subject or context inconsistent therewith, the following terms shall have the following meanings:
- “Affiliates” means an entity which is directly or indirectly controlled by Kalibra. An entity that otherwise qualifies under this definition is included within the meaning of Affiliate even though it qualifies after this Policy comes into effect.
- “Third Party Service Providers” means any third-party provider or vendor appointed by Kalibra to assist in delivery of the Services for Kalibra’s Members;
- “Prospect” means any individual who has contacted Kalibra through any means to find out more about any goods or Services we provide;
- “Data Protection Officer” or “DPO” refers to the individual appointed by Kalibra to carry out the specific duties described in section 19 of this Policy;
- “Employee” means all individuals who may or have entered into a contract of service with Kalibra and shall include all current and former Employees;
- “Freelancer” means individuals who may or have entered into a contract for service with Kalibra and shall include all current and former Freelancers;
- “Kalibra” means Kalibra Pte Ltd, a company incorporated in Singapore and registered office address of 160, Robinson Road, #14-04, Singapore 068914;
- “Member” means any Prospective Customer who has entered into a contract with Kalibra for the supply of Our Services;
- “Personal Data” refers to data, whether true or not, about Prospects, Members, Employees and Freelancers who can be identified from that data; or from that data and other information to which Kalibra has or is likely to have access;
- Without limitation to the generality of section 4.8 of this Policy, for the purposes of Kalibra’s day-to-day activities and the various specific lawful purposes as set out in the PDPA, Kalibra will be specifically Processing Prospect Customers, Members, Employees and Freelancers Personal Data of the following nature:
identity card/passport numbers; fingerprints; names; dates of birth; gender; Nationalities; ages; marital status; photographs; telephone numbers; residential addresses; email addresses; debit/credit card information and bank details; and occupations.
Without limitation to the generality of the Personal Data described at section 4.9 and without prejudice to the specificity of the Personal Data described at section 4.10, for the purposes of Kalibra’s day-to-day activities and the various specific lawful purposes as set out in the PDPA, Kalibra will be specifically Processing sensitive Personal Data of the following nature:
- Blood biomarker data related to us by a Third Party
- Prospect or Member’s blood test results from tests done by Kalibra laboratory partners or other institutions.
- Prospects or Members may also upload previously existing blood test results obtained via their doctor or insurance company.
- We may use Prospect or Member’s blood biomarker data in a de-identified, aggregated way for Kalibra research.
3.10.2 (DBA) information is data related to a Prospect or Member’s genotype for a specific set of genes related to healthy aging, nutrition, weight, sleep and physical activity.
- Kalibra will receive Prospect or Member’s genetic information from our genetic specialist partners when a Prospect or Member buys a third party Kalibra connected DNA product.
- When a Prospect or Member purchases a DNA kit, a Prospect or Member will collect a DNA sample using the provided collection kit and send it to our partners for DNA extraction and analysis.
- If a Prospect or Member purchases a genetics add-on service, a Prospect or Member will provide a Prospect or Member genetic data from DNA tests that a Prospect or Member has previously had done.
Kalibra and its partners analyze Prospect or Member’s DNA data using an algorithm that determines a Prospect or Member’s genetic potential for certain traits. Kalibra may use Prospect or Member’s aggregated de-identified genetic data for research and development to improve future products. For research that we hope to publish in scientific publications, we will request separate permission through a Research Consent document to use Prospect or Member’s de-identified Genetic Information.
Any Research Consent is optional and voluntary. A Prospect or Member will not be required to agree to a Research Consent document in order to use the Platform or Services. Self-Reported Information includes information provided by the Prospect or Member in Kalibra questionnaires or in any other website surveys or forms, such as sex, body weight, height, diet, etc. we may use Prospects or Members Self-Reported Information in a de-identified way for research.
User Content is all information other than Genetic Information or Self-Reported Information provided by Members of the Kalibra Services and transmitted, whether publicly or privately, to Kalibra. User content may include data, text, software, music, audio, photographs, graphics, video, messages, or other materials. For example, User content includes comments made on Kalibra blogs and emails to Member support.
Behavior Information is information on how a Member uses our Platform (e.g. browser type, domains, page views, app usage etc.). We may collect this information through log files, cookies, and web beacon, analytical and advertising technologies.
Kalibra may collect non-Personal Information about a Member when a Member interacts with our Platform. Non-Personal Information may include Member browser name, type of computer, and the files a Member viewed on the Platform. Clickstream data, (i.e. a list of pages or URLs visited), and technical information about how a Member connects to the Platform, such as the operating system and the internet service providers used. We may, in some cases, need to review this automatically collected data in combination with specific registration information to identify and resolve issues for individual Users, detect fraud, etc. To the extent that we link this non-Personal Information with Member Personal Information, this Policy governs our use of such information.
“Platform” means a platform that uses artificial intelligence to learn about people and their behaviours in order to help them make intentional choices about their health including sleep, exercise, nutrition and work/life balance.
“Policy” means this data protection policy created by Kalibra, as may be revised, modified or otherwise updated from time to time.
“Processing” in relation to Personal Data means the carrying out of any operation or set of operations in relation to the Personal Data and includes any of the following:
Collection; recording; holding; organisation, adaptation and alteration; retrieval; combination;
transmission; or erasure or destruction.
“Services” means Kalibra’s Platform services including, but not limited to: AI insights and coaching for preventive health and optimizing longevity, positive habit creation, various assessments and activity/status scoring. Off the platform, Kalibra will partner up with practitioners, other platforms and medical entities to leverage their offerings in order to provide an integrated health and longevity service to its clients.
Other terms used in this Policy shall have the meanings given to them in the PDPA.
Part 5: Kalibra’s Personal Data Inventory
Kalibra utilises a Data Inventory Map (“DIM”). The DIM is an inventory of the Personal Data in the possession or under the control of Kalibra. This is an integral part of the Data Protection Management Programme (“DPMP”) that we maintain to ensure compliance with the PDPA.
Part 6: Collection of Personal Data
For explanatory purposes, Kalibra collects Personal Data of its Prospects and Members in the following ways:
- When a Prospect submits any form, including but not limited to Member inquiry forms or other forms relating to any of our Services;
- When a Prospect or Member has a conversation with our Chatbot service, or a Kalibra affiliated coach;
- When a Prospect or Member enters into any agreement or provides other documentation or information in respect of their interactions with us, or when they use our Services;
- When a Prospect or Member interacts with our staff, including Kalibra service officers, for example, via telephone calls (which may be recorded), letters, face-to-face meetings, social media platforms and emails;
- Via interaction with our websites or use Services on our websites and Platform;
- Via a request that Kalibra contacts a Prospective Customer or request that a Prospective Customer be included in an email or other mailing list;
- When a Prospective Customer or Member responds to our promotions, initiatives or to any request for additional Personal Data;
- Via submission of an employment application or when provision of documents or information including a resume and/or CVs in connection with any appointment as an officer, director, representative or any other position;
- When a Prospect or Member is contacted by, and responds to, Kalibra marketing representatives and Kalibra service officers;
- When Kalibra seeks information about, and receives Personal Data in connection with a relationship with us, including for our products and Services or job applications, for example, from business partners, public agencies, ex-employer, referral intermediaries and the relevant authorities; or
- When a Prospect or Member submits their Personal Data to us for any other reasons.
When an individual browses our website, the individual generally does so anonymously. Please see Part 15 below for information on cookies and other technologies which we have implemented on our website and apps. We do not, at our website, automatically collect Personal Data unless a Prospect provides such information to us. If a Prospect or Member provides us with any Personal Data relating to a third party (e.g. information of their spouse, children, parents, and/or employees), by submitting such information to Kalibra, they represent to Kalibra that they have obtained the consent of the third party to provide Kalibra with their Personal Data for the respective purposes.
Prospects and Members should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on a Prospect or Member’s part to do so may result in Kalibra’s inability to provide the Services requested, or delays in providing Services requested, or processing applications. Unless otherwise permitted under the provisions of the PDPA, or any other laws, regulations and guidelines, Kalibra shall not collect Personal Data without the consent of the Prospect or Member.
Part 7: Processing of Personal Data
As a legal requirement under the PDPA, Kalibra is required to ensure all Prospects, Members, Employees and Freelancers Personal Data is Processed in such a way that at least one of the following bases applies:
- The Prospect, Member, Employee or Freelancer has given consent to the Processing of his or her Personal Data for one or more specific purposes;
- The Processing is necessary for the performance of a contract to which the Member, Employee or Freelancer is party with Kalibra or in order to take steps at the request of the Prospect, Member, Employee or Freelancer prior to entering into a contract with Kalibra;
- The Processing is necessary for compliance with a legal obligation to which we are subject;
- The Processing is necessary for the protection of the vital interests of the Prospect, Member, Employee or Freelancer or another natural person; or the Processing is necessary for the purposes of the legitimate interests pursued by Kalibra or by a third party.
Part 8: Purposes of Processing Personal Data
Kalibra collects, uses and discloses Personal Data of Prospects, Members, Employees and Freelancers (including former Prospects, Members, Employees and Freelancers unless otherwise required under the PDPA) for the following purposes:
- Prospect and Member service and support (including but not limited to Prospect and Member relationship management, screenings or checkups, contacting a Prospect or Member regarding medical reports and results, providing follow-up calls, providing a Prospect or Member with administrative support;
- Administering and processing Prospect and Member requests including creating and maintaining profiles of our Prospects and Members in our system database for administrative purposes (including tracking Prospects and Members attendance at various Kalibra Affiliates’ facilities);
- Personalising Prospect and Member experiences at Kalibra’s touchpoints and conducting market research, understanding and analysing Prospect and Member behaviour, location, preferences and demographics in order to improve our service offerings;
- Liaising with third party specialists including medical personnel such as doctors, clinics, hospitals and/or medical institutions in relation to Prospect and Member health care (including by providing them with access to Prospect and Member Personal Data with a Prospect and Member’s permission);
- Uses our mobile applications (such as the Kalibra app) or online registration and payments systems, displaying a Prospect and Member’s biomarker data, sending a Prospect or Member health-related notifications, and facilitating the provision of our services to a Prospect or Member; or Purposes which are reasonably related to the aforesaid.
If an individual is a prospective or confirmed Third Party Provider of Kalibra, their Personal Data will be processed for the following purposes:
- Assessing Third Party Provider organisation’s suitability as an external service provider or vendor for Kalibra;
- Managing project tenders and quotations, processing orders or managing the supply of Services;
- Creating and maintaining profiles of our Third Party Provider in our system database;
- Processing and payment of Third Party Provider invoices and bills;
- Facilities management (including but not limited to issuing visitor access passes and facilitating security clearance);
- And/or any other purposes which are reasonably related to the aforesaid.
Where an Employee or Freelancer submits an application to us as a candidate for employment, contractor, internships or scholarships, their Personal Data will be Processed by Kalibra for the following purposes:
- Conducting interviews;
- Processing an Employee or Freelancer’s application (including but not limited to pre-recruitment checks involving Employee or Freelancer’s qualifications and facilitating interviews);
- Obtaining references and for background screening;
- Assessing Employee or Freelancer’s suitability for the position applied for;
- Enrolling successful candidates as our Employees and Freelancers and facilitating human resource planning and management (including but not limited to preparing letters of employment, name cards and building access passes); and/or any other purposes which are reasonably related to the aforesaid.
Where an individual is an existing Employee or Freelancer of Kalibra, their Personal Data will be Processed by Kalibra for the following purposes:
- Remuneration reviewing salaries and bonuses, conducting salary benchmarking reviews, staff appraisals and evaluation, as well as recognising individuals for their services and conferring awards;
- Staff orientation and entry processing;
- Administrative and support processes relating to the Employees or Freelancers employment, including its management and termination, as well as staff benefits, including travel, manpower, business continuity and logistics management or support, processing expense claims, medical insurance applications, medical screenings and immunisations, leave administration, long-term incentive plans, training, learning and talent development, and planning and organising corporate events;
- Providing an Employee or Freelancer with tools and/or facilities to enable or facilitate the performance of his/her duties;
- Facilitating professional accreditation and complying with compliance audits;
- Compiling and publishing internal directories and emergency contact lists for business continuity;
- Managing corporate social responsibility projects;
- Conducting analytics and research for human resource planning and management, and for Kalibra to review, develop, optimise and
- Improve work-related practices, environment and productivity;
- Ensuring that the administrative and business operations of Kalibra function in a secure, efficient and effective manner (including but not limited to examining or monitoring any computer software and/or hardware installed within Kalibra, Employee or Freelancer work emails and personal digital and storage devices);
- Compliance with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks or surveillance and investigation);
- Administering cessation processes; and/or any other purposes which are reasonably related to the aforesaid.
In additional to the general purposes of Processing of Prospects, Members, Third Party Providers, Employees and Freelancers Personal Data as stated within section 8 of this Policy, Kalibra also Processes Personal Data of its Prospects, Members, Employees and Freelancers for the following additional purposes:
- Taking or filming photographs and videos for corporate publicity or marketing purposes, and featuring Prospect, Member, Employee and Freelancer photographs and/or testimonials in our articles and publicity materials;
- Providing or marketing services and benefits to a Prospects and Members, including promotions, service upgrades, loyalty, reward and/or membership programmes (including affiliate programs) and sending of healthcare-related updates, event invitations, newsletters and marketing and promotional information to a Prospect or Member pursuant to such membership programmes);
- Organising roadshows, tours, campaigns (including health check or vaccination campaigns) and promotional or events and administering contests and competitions;
- Matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the provision or offering of Services;
- Sending details of services, clinic updates, health-related information and rewards, either to our Prospect or Members generally, or which we have identified may be of interest to a Prospect;
- Conducting market research, aggregating and analysing Prospect and Member profiles and data to determine health-related patterns and trends, understanding and analysing Prospect and Member behaviour, location, preferences and demographics for us to offer a Prospect or Member other products and services as well as special offers and marketing programmes which may be relevant to a Prospect or Member’s preferences and profile; and/or any other purposes which are reasonably related to the aforesaid.
If a Prospect or Member has provided us with Singapore telephone number(s) and have indicated consent to receiving marketing or promotional information via the Singapore telephone number(s), then from time to time, Kalibra may contact the Prospect or Member using such Singapore telephone number(s) (including via voice calls, text, social media, fax or other means) with information about our products and services.
In relation to particular Services or in a Prospect or Member’s interactions with us, we may also have specifically notified a Prospect or Member of other purposes for which we collect, use or disclose their Personal Data. If so, we will collect, use and disclose the Prospect or Member’s Personal Data for these additional purposes as well, unless we have specifically notified a Prospect or Member otherwise.
Unless permitted under the PDPA or any other laws, regulations and guidelines, Kalibra shall not use or disclose the Personal Data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected Prospect, Member, Employee or Freelancer.
The purposes listed in the above sections may continue to apply even in situations where a Member, Employee or Freelancer’s relationship with Kalibra (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with a Member, Employee or Freelancer).
Part 9: Withdrawal of Consent
Consent received expressly or impliedly by a Prospect, Member, Employee or Freelancer of Kalibra for Personal Data Processing purposes stated within Part 7 of this Policy will remain valid until such time that it is withdrawn by a Prospect, Member, Employee or Freelancer in writing addressed to Kalibra’s Data Protection Officer whose details are to be found within section 19.3 of this Policy.
Upon receipt of a Prospect, Member, Employee or Freelancer’s written request to withdraw their consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within 30 business days of receiving it.
If consent is withdrawn by an Employee or Freelancer, Kalibra may need to discontinue his/her employment with the company. If consent is withdrawn by a Prospect or Member, Kalibra may no longer be able to provide the requested products or services and our relationship with the Prospect or Member may have to be terminated. Withdrawing consent does not affect Kalibra’s right to continue to collect, use and disclose Personal Data where such collection, use and disclose without consent is permitted or required under applicable laws.
A Prospect or Member may delete their account at any time by accessing our App or by visiting https://kalibra.ai/. Once deleted, a Prospect or Member’s data, including a Prospect or Member’s account, username, or any other related content, cannot be restored.
Content a Prospect or Member has shared with others, exported from the service, or that others have copied may also remain visible after a Prospect or Member has deleted a Prospect or Member account or deleted the information from their own profile. A Prospect or Member’s public profiles may be displayed in search engine results until the search engine refreshes its cache.
Part 10: Protection of Personal Data
Kalibra places great importance on ensuring the security of our Prospects, Members, Employees and Freelancers Personal Data against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction. Kalibra has implemented security measures which include appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of Personal Data by us, and disclosing Personal Data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
Kalibra will regularly review and implement appropriate security measures when processing and retaining Personal Data. While acknowledging that security cannot be guaranteed and that no method of transmission over the Internet or method of electronic storage is completely secure, Kalibra strives to protect the security of our information and is constantly reviewing and enhancing the company’s information security measures.
Employees of Kalibra are required to handle the Personal Data securely and with strict confidentiality, failing which they may be subject to disciplinary action. Further, Kalibra will impose compliance with data confidentiality requirements on our agents, third party service providers, consultants and professional advisors in our working relationships and/ or agreements with these parties.
Kalibra’s Members should recognize that protecting Personal Information is their responsibility. We ask all Members to safeguard Member’s password, secret questions and answers, and other authentication information a Member uses to access our Services. Members should not disclose their authentication information to any third party. Members should also immediately notify us of any unauthorized use of a Members password. We cannot secure Personal Information that a Customer or Member releases on their own or that a Member requests us to release. A Member may choose to disclose, through other means not associated with us, any part of their Personal Information and/or Genetic Information. A Member may share this information with friends or family members, groups of individuals, third-party service providers, doctors or other health care professionals, or other individuals. We recommend that all Members make such choices carefully.
Part 11: Disclosure of Personal Data
Kalibra and its Affiliates will take reasonable steps to protect Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, Personal Data may be disclosed, for the purposes listed in Section 8 of this Policy to the following entities or parties, whether they are located overseas or in Singapore:
- Amongst Kalibra group members and Affiliates (including their coaching staff and medical practitioners);
companies providing services relating to insurance to Kalibra;
- Agents contractors, sub-contractors or third party service providers who provide operational services to Kalibra, such as courier services, telecommunications, information technology, payment, printing, billing, debt recovery, processing, technical services, transportation, training, market research, call centre, security, or other services to Kalibra;
- Vendors or third party service providers and our marketing and business partners in connection with marketing promotions, products and services;
- Our corporate Members.
- Any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);
- External credit card companies, other financial institutions and their respective service providers;
our advisers such as consultants, auditors and lawyers;
- Relevant government ministries, regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority (including the Ministry of Health); and/or
any other party to whom a Member authorises us to disclose Personal Data to.
Part 12: Access and Correction to Personal Data
A Member may make a request to access his/her Personal Data which is in Kalibra’s possession or control. The Member must complete a data access request (“DAR”) form which a Member may fill out providing all necessary information as prescribed in the DAR form. We do not charge a fee for a DAR request in normal circumstances although we may charge a reasonable fee for further copies of information already provided or for requests that are manifesting unfounded or excessive, particularly where those requests are repetitive.
Kalibra aims to revert within 30 days from the receipt of the DAR request. If Kalibra is unable to comply with the DAR requirements within the said time frame, Kalibra will have to inform the Member the reasonably soonest time by which a response will be provided in relation to the request.
A Member may make a request for correction of his/her Personal Data which is in Kalibra’s possession or control. The Member should contact Kalibra’s Data Protection Officer whose details are contained within section 19 of this Policy.
A Member may make a request for transfer of his/her Personal Data which is in Kalibra’s possession or control. The Member should contact Kalibra’s Data Protection Officer whose details are contained within section 19 of this Policy. To the extent required by PDPA, upon request by a Member, Kalibra shall provide information relating to how the Member’s Personal Data has been or may have been used or disclosed within a year before the date of such request. Kalibra may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of Personal Data during such a period.
Employees who wish to access or correct their Personal Data should contact the HR Department of Kalibra. Potential Employees who were subsequently not employed by Kalibra or former Employees of Kalibra should complete the DAR/DCR form as mentioned in section 10 above (as the case may be).
Kalibra may not be able to provide access to all of the Personal Data that we hold about an individual. For example, Kalibra may not provide access to Personal Data if such provision could reveal Personal Data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to Personal Data cannot be provided, the reasons for denying access will be provided to Member within 30 days of receipt of the DAR form, subject to any legal or regulatory constraints.
Part 13: Retention and Disposal of Personal Data
Kalibra retains such Personal Data as may be required for business or legal purposes, and such purposes do vary according to the circumstances.
Kalibra does not retain Personal Data (and in particular sensitive personal data) for any longer than necessary. The length of time over which Personal Data may be retained is dependent upon the circumstances including why the personal information was obtained in the first place.
Whilst Kalibra will securely dispose of or anonymise Personal Data which it can reasonably determine is no longer needed and does not generally hold on to Personal Data “just in case”, it is in the interests of any caregiver or person treating a Prospect or Member to be able to refer to a complete set of biomarker records to avoid risks to health and safety of a Prospect or Member.
With respect to the biomarker records of a Prospect or Member, unless specific contrary instructions from the Prospect or Member are received, Kalibra may (but is not obliged to) retain such medical records for as long as Kalibra may be potentially consulted for further follow up by (or on behalf of) the Prospect or Member even where such consultation may not occur until after a substantial period of time or there is no current or present indication that the Prospect or Member may well return for further consultation or follow up.
A Prospect or Member has the right to request that we dispose of the Personal Data we hold about them in the following circumstances:
- Where it is no longer necessary for us to retain that personal data having regard to the purpose for which it was originally collected or processed;
- Where the Prospect or Member wishes to withdraw consent to holding and Processing of Personal Data previously given to Kalibra;
- Where the Prospect or Member objects to us holding and Processing their Personal Data and no overriding legitimate interest permitting Kalibra to continue doing so exists;
- The Personal Data of the Prospect or Member has been Processed unlawfully; or Kalibra needs to dispose the personal data in order to comply with a particular legal obligation.
Unless Kalibra has reasonable grounds for refusing to erase Personal Data, all erasure requests shall be complied with within one month from the receipt of the Prospect or Member’s request. In the event that any Personal Data that is to be disposed in response to a Prospect or Member’s request has been disclosed to Affiliates or third parties, those Affiliates or third parties will be informed of the disposal unless to do so is impossible or would require disproportionate effort.
Part 14: Storage of Personal Data
Kalibra will ensure that all electronic copies of Prospects and Members Personal Data will be stored securely using passwords and appropriate data encryption. Suitable backups will be made of all Personal Data that is stored electronically. We will store two (2) backup copies on different storage media. All backups will also be encrypted.
Prospects and Members Personal Data will not be transferred to any device personally belonging to any personnel of Kalibra.
Cookies – Small text files (typically made up of letters and numbers) placed in the memory of a Prospect or Members browser or device when a Prospect or Member visits a website or views a message. Cookies allow a website to recognize a particular device or browser. There are several types of cookies: Session cookies expire at the end of a Prospect or Member’s browser session and allow us to link a Prospect or Member’s actions during that particular browser session. Persistent cookies are stored on a Prospect or Member’s devices in between browser sessions, allowing us to remember a Prospect or Member’s preferences or actions across multiple sites. First party cookies are set by the site a Prospect or Member is visiting. Third party cookies are set by a third-party site separate from the site a Prospect or Member is visiting. Cookies can be disabled or removed by tools that are available in most commercial browsers. The preferences for each browser a Prospect or Member uses will need to be set separately and different browsers offer different functionality and options.
Web beacons – small graphic images (also known as “pixel tags” or “clear GIFs”) may be included on our sites and services. Web beacons typically work in conjunction with cookies to profile each unique user and user behavior.
Similar technologies – technologies that store information in Prospect or Member’s browser or device utilizing local shared objects or local storage, such as flash cookies, HTML 5 cookies, and other web application software methods. These technologies can operate across all Prospect or Member’s browsers.
We offer certain site features and services that are available only through the use of these technologies. Prospects and Members are always free to block, delete, or disable these technologies based on their browser functionalities. However, if a Prospect or Member declines cookies or other similar technologies, a Prospect of Member may not be able to take advantage of certain site features or service tools. For more information on how a Prospect or Member can block, delete, or disable these technologies, please review browser settings.
Part 16: Transfers of Personal Data outside of Singapore
We generally do not transfer a Prospect or Members Personal Data to countries outside of Singapore. However, if we do so, we will obtain the Prospect or Member’s express consent for the transfer to be made and we will take steps to ensure that their Personal Data continues to receive a standard of protection that is at least comparable to that provided under the PDPA. For Prospect or Members outside of Singapore, we can provide locally hosted services in accordance with local regulations and laws, but in general Prospects and Members information is housed on servers in Singapore. If a Prospect or Member is located outside of Singapore, please be aware that the Personal Data we collect will be processed and stored in Singapore (the data protection and privacy laws in Singapore may offer a lower level of protections than in other countries or regions).
By using our Services and submitting Personal Data, a Prospect or Member agrees to the transfer, storage, and/or processing of a Prospect or Member’s Personal Data in Singapore. Where and as required, we will seek a Prospect or Member’s express consent as outlined in this Policy.
Part 17: Training
We will ensure that all personnel of Kalibra receive adequate training as to their data protection responsibilities and as to how to act and respond as and when they receive requests for matters such as subject access requests, objections and requests for erasure and rectification. Those whose roles require regular access to Personal Data, or who are responsible for implementing this Policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and hot to comply with them.
Part 18: Data Breaches
A data breach is any loss of data or information in whatever form it is held and by whatever means the data was lost including data that is destroyed or rendered unusable. It may take many different forms, including:
- Loss or theft of data or equipment on which Personal Data is stored;
- Unauthorised access to or use of Personal Data either by a member of staff or third party such as from hacking;
- Loss of data resulting from an equipment or systems (including hardware and software) failure;
- Human error, such as accidental deletion or alteration of data; and/or
- Deliberate attacks on IT systems, such as hacking, viruses and phishing scams.
Kalibra will ensure that any data breach which results, or is likely to result in, significant harm to an affected individual or is otherwise of a significant scale is notified within seventy-two (72) hours to the PDPC and within a reasonable amount of time as may be practicable to all Prospects or Members affected by the data breach.
Part 19: Data protection management programme (“DPMP”) and Data Protection Officer
Under the PDPA, organisations are required to develop and implement policies and practices that are necessary for the organisation to comply with the PDPA (i.e. Personal Data protection policies and practices). The DPMP is a data protection framework that helps organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of Personal Data, as well as defining roles and responsibilities of the people in the company in relation to Personal Data protection. As a company incorporated in Singapore, Kalibra is required by the PDPA to designate one or more individuals to act as the data protection officer (“DPO”) of the company. The DPO is in charge of ensuring that the organisation complies with the PDPA. This is part of the Accountability Obligation of organisations under the PDPA.
Mr. Ivan Vatchkov, Director of Kalibra, has been appointed as our DPO. He is responsible for informing and advising us on our data protection obligations, for monitoring compliance and for ensuring that we comply with our obligations in accordance with this Policy. Comments or queries concerning this Policy should be addressed to him at +65 91694054 or at email@example.com
The DPO will deal with issues relating to this Policy and the application of data protection law including:
- Issues relating to the correct lawful basis to be applied to Personal Data collected, held or processed and in particular when consent or legitimate interest is being relied upon;
- Issues relating to the use to which data can be put having regard to the purpose for which it was acquired;
- Issues relating to the periods for which Personal Data is retained;
- Privacy notices and when these are required;
- Subject access requests as set out in Part V of the PDPA;
- Actual or suspected data breaches or issues relating to security arrangements;
- Sharing data with third parties and transferring data from outside Singapore;
- Where processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons and a data protection impact assessment is required;
- In relation to automated processing, including profiling or automated decision making; and
- In relation to information which is deemed to be special category data or data relating to children (for the avoidance of doubt, Kalibra’s products and services are not designed and aimed at children under the age of 18 and it is Kalibra’s policy to immediately delete children’s Personal Data where this is discovered to be the case).