PRIVACY & DATA PROTECTION POLICY
Updated on: [7 October 2019]
We at Galen Growth Asia Pte. Ltd. (UEN: 201540833C), a company incorporated under the laws of Singapore, and its subsidiaries, affiliates and related corporations (“Company”, “we”, “us”, or “our”), seek to build a stronger, better and faster HealthTech ecosystem in Asia. This can only be achieved by bringing together relevant information on one platform, representing the heart of Asia’s HealthTech innovative community. Our solution, the HealthTech Alpha analytics platform, is the only place for all stakeholders to go to and get all the relevant information to understand the real players that are improving healthcare in Asia.
Whilst building this ecosystem and making sure that the community of HealthTech innovators in Asia are known to global stakeholders, we want you to trust us with your information and therefore believe that building and maintaining your trust is an important part of our mission.
We recognise the importance of safeguarding your personal data and take our responsibility to properly manage, protect and process your personal data seriously. We will comply with the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (the “PDPA”) and other applicable data protection and privacy laws, such as the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (the “GDPR”).
We are a controller of the personal data collected from you through the Website and/or during the process of the registration as a User of the Services.
- The Platform (as defined in paragraph 1.1 below);
- Websites owned and operated by us, including healthtechalpha.asia and the associated applications and services (the “Website”);
- Mobile applications (“Apps”) on the iPhone, the iPad, and mobile devices operating with the Android, iOS and other operating systems; and
(collectively, the “Services”).
- PERSONAL DATA COLLECTED BY US
- We are a HealthTech company that is in the business of fostering a sustainable and vibrant HealthTech ecosystem across Asia in order to enable improved health outcomes, by facilitating collaboration to encourage innovators to build the next generation of healthcare solutions and services. We own and operate the HealthTech Alpha analytics platform which provides a score and distinct indices for each HealthTech startup to users, with information sourced or provided by the startups themselves, and other research sources obtained by us (the “Platform”).
- Collection – What personal data is collected?: In using the Services, you may be asked to provide us with personal data such as your name, passport or ID number, email address, residential or business address, contact phone number, any information you choose to provide when filling in a contact form on our Website, IP address or any other technical information that tells us how you use the Website, and we may collect your personal data either directly from you, your authorised representatives, and/or through our third-party service providers (e.g. partners or third-party applications) to personalise your experiences and improve our Services. In addition, during the onboarding process and for the purposes of our Know-Your-Customer (“KYC”) checks, we may have obtained information about your race and ethnicity (which are defined as special categories of personal data under the GDPR), as well as other details that may have been contained in the KYC documents you had provided to us, such as the copy of your passport.
- PURPOSES FOR COLLECTION, USE, DISCLOSURE & PROCESSING OF PERSONAL DATA
- We use your personal data to provide you with relevant Services and to operate its business. We may also use the data collected to communicate with you, for instance, to inform you about new features of the Services, security updates, or to inform you about your account. Your personal data may also be used to show you more relevant information, content, advertisements, whether through the Services or third-party applications and in combination with information from other sources.
- Some examples of how we use your personal data include:
- to process, record, monitor and fulfil your transactions or your requests;
- facilitating our provision of the Services, including but not limited to the provision of the Licensed Materials;
- communicating with you for research, marketing, advertising and promotional purposes;
- administrative matters on your purchases and/or subscriptions to the Services, managing your accounts, processing your sign-ups/registrations for mailing lists, etc.;
- diagnosis and maintenance of the Services;
- maintaining the security of the Services;
- to protect you and other users;
- enforcement of our policies and procedures;
- to permit you to submit questions, feedback or complaints; and/or
- such other purposes notified to you from time to time. When we notify you on these purposes separately, we will also provide you with the legal basis for processing of your personal data and, if necessary, will obtain your consent for such processing.
- We process your personal data for these purposes listed above on the following legal basis:
- to comply with our legal and regulatory obligations;
- to protect our legitimate interest in: (i) responding to your queries; (ii) providing services and / or information to you.
- You can indicate your objection to our processing, based on our legitimate interests, at any time by contacting us at: email@example.com. Please also refer to paragraph 5.9 below, for more details.
- The way your personal data is used will depend on the circumstances at hand, and it will be used in compliance with applicable laws and regulations.
- We may process and use your personal information to facilitate a change of control or sale of the Company or to facilitate a restructuring or other corporate rearrangement.
- SHARING YOUR PERSONAL DATA WITH THIRD PARTIES; INTERNATIONAL TRANSFERS
- It may also be necessary in certain circumstances for us to share your personal data with third parties such as our subsidiaries, affiliates, related corporations, service providers, vendors, regulatory authorities or other third parties. Such third parties processing your personal data either on our behalf or otherwise may be located in a different country from the point of collection of your personal data (e.g. transfer to servers located outside of the country you are accessing the Services from), or may have multiple physical locations and backups (e.g. cloud based services). We have carefully selected these third-party service providers and have taken steps to ensure that when we share your personal data with them, it is adequately protected. All of our service providers are bound by written contract to process personal data provided to them only for the purpose of providing the specific service to us and to maintain appropriate security measures to protect your personal data.
- Where your personal data must be shared with third parties in circumstances that are not reasonably contemplated within the normal course of our dealings with you, we would usually first seek your consent unless the disclosure:
- is required or authorised based on the applicable laws and/or regulations;
- is clearly in your interests, and if consent cannot be obtained in a timely way;
- is necessary to respond to an emergency that threatens the life, health or safety of yourself or another individual;
- is necessary for any investigation or proceedings;
- is required by a law enforcement agency;
- is to a public agency and necessary in the public interest; and/or
- where such disclosure without your consent is permitted by law.
- Where we disclose your personal data to third parties, we will employ our best efforts to require such third parties to protect your personal data and meet our data security standards, including ensuring they are bound by legally enforceable obligations to comply with all applicable personal data protection requirements while such personal data remains in its possession or under its control.
- By using our Services, you agree that the transfer of your personal data to various countries is reasonably necessary for us to provide you with these Services.
- If you resident or citizen of the European Union (“EU”), and if we do store any of your personal data in the European Economic Area (“EEA”), when we transfer the data outside the EEA under this paragraph 3, this is done either on the basis that it is necessary for the performance of our agreement(s) with you, or that the transfer is subject to the applicable laws in the EU or under the GDPR. We will only transfer your personal data outside of the EEA:
- where the transfer is to a place that is regarded by the European Commission (the “EC”) as providing adequate protection for your personal data;
- where we have put in place appropriate safeguards to ensure that your personal data is protected (e.g. where both parties involved in the transfer have signed standard data protection clauses adopted by the EC); or
- the above does not apply but we are still legally permitted to do so (e.g. if the transfer is necessary for (i) for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request; or (ii) the establishment, exercise or defence of legal claims).
- You may request for further details about the safeguards we have in place in respect of transfers of personal data outside of the EEA and where applicable a copy of the standard data protection clauses that we have in place, by contacting us at: firstname.lastname@example.org.
- THIRD PARTY LINKS
- We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party websites or services.
- RIGHTS IN RELATION TO YOUR PERSONAL DATA
- This will depend on whether the PDPA or the GDPR is applicable to you. You should obtain independent legal advice on your rights. Details of general rights which may be applicable to you are set out below. The following is not legal advice to you and should not be construed or relied upon as such.
Rights under the PDPA
- Under the PDPA, you may, by a written request to us, ascertain whether the information we hold about you is accurate and current, and you may also access and correct your personal data.
- Right to access and / or to correction of personal data:
- You may request access to or correct the personal data held by us by submitting a written request at any time to email@example.com.
- We may require further information from you to verify your identity as well as the nature of your request, to deal with your request. Handling and processing fees may be payable before we can proceed with your request.
- Once we have sufficient information to deal with your request, we will seek to provide you with the relevant personal data or information within thirty (30) days of your request, unless otherwise stated.
- There are certain circumstances in which we will decline to comply with your request under paragraph 5.3(a), which include (to the extent allowable under applicable law) situations where: (i) a government agency in Singapore or regulator with jurisdiction over us direct us not to comply with a customer’s request; (ii) the information may, in our discretion, affect the safety of any person or persons; and (iii) the data may be relevant to a regulator or official investigators as part of an investigation into criminal conduct or breach of applicable laws.
- Withdrawal of consent to use your personal data:
(a) Should you wish to withdraw your consent to our use of your personal data, please stop using the Services immediately and notify us in writing at firstname.lastname@example.org to inform us that you wish for us to stop collecting, using or sharing your personal data and we will process your request within a reasonable time from such a request. You may also elect to withdraw your consent to the use of your personal data for a specific purpose, so please ensure that your notification contains sufficient and specific information to enable us to comply with your request.
(b) However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal. In this regard, depending on the extent of your withdrawal of consent for us to process your personal data, it may mean that we will not be able to continue with your existing relationship with us.
Rights of residents of the EU
- The right of data portability:
- You may request to receive the data we collect from you in a structured, commonly used and machine-readable format if processing of the data had been carried out by automatic means, and a right to request that we transfer such data to another party. The relevant subset of your data is data you provide us with your consent and will not include any data of any other person.
- If you wish for us to transfer your personal data to another party, you must give us the details we need about that party. You acknowledge that the exercise of your rights is subject to such transfer being technically feasible. We are not responsible for the security of the data or its processing once received by the third party. We also may not provide you with certain data if providing the data would reveal information about another person, or otherwise infringe on his or her right to privacy.
- The right of erasure or deletion:
- You may request that we delete the data we hold about you in the following circumstances: (i) our continued holding of your personal data is no longer necessary for the purposes for which such data had been collected; (ii) having provided your consent earlier, you now wish to withdraw your consent to our processing your data, and there is no other legal ground under which we can process the data; (iii) you do not wish to receive updates, news about promotions or marketing materials from us that have been customised using data we have about you; or (iv) the data we hold about you have been unlawfully processed in a manner not in accordance with applicable laws.
- You may exercise your right to restrict our processing of the data while we consider your request.
- Notwithstanding your requests, we may retain the data if there is a legal basis under applicable laws for us to do so although we will notify you of such a legal basis. You agree and acknowledge that if we do delete your data, you will be forgotten, and we will not be able to provide you services that are customised to your preferences.
- If we have made your personal data public, and there are grounds for deletion, we will take reasonable steps to tell others to whom we had earlier transferred your data to also delete the data.
- The right to restrict processing to storage:
- You have a right to require us to stop processing the data we hold about you other than for storage purposes in certain circumstances. However, if we stop processing the data, we may use it again if there are valid grounds under applicable laws for us to do so.
- You may request that we stop processing and only store the data we hold about you if: (i) you contest the accuracy of the data, for the period it takes for us to verify whether the data is accurate; (ii) you are of the view that the processing of your data is unlawful, and you only want us to restrict its use; (iii) we wish to erase the data as it is no longer necessary for our purposes, but you require it to be stored for the establishment, exercise or defence of legal claims; or (iv) you have objected to us processing the data we hold about you, pending verification whether our legitimate grounds override yours.
- The right to object:
You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party. We will be allowed to continue to process your personal data if we can demonstrate “compelling legitimate grounds for the processing which override your interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims.
- The right in relation to automated decision making and profiling:
- You have the right not to be subject to a decision by us based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you unless you have given your explicit consent or unless otherwise permitted under the GDPR.
- To exercise any of your rights set out in this paragraph 5 or under the GDPR, please write to us at the email address set out in paragraph 7 below. We will need to know the specific rights that you want to exercise, or the reasons for your objections, so that we can assess whether there are compelling legitimate grounds which override your interests, rights and freedoms, or so that we can determine if you have a valid basis to restrict our processing of your data. You must also provide us with proof of identity before we will respond to any requests to exercise your rights. We will respond to a request by you to exercise those rights without undue delay and at least within one (1) month (although this may be extended by a further two (2) months in certain circumstances).
- RETENTION, ADMINISTRATION & MANAGEMENT OF PERSONAL DATA
- We will take reasonable efforts to ensure that your personal data is accurate and complete, based on the information that you have provided us with. Please ensure that all information provided to us is up to date and keep us informed of any relevant changes.
- We value your privacy and have security arrangements to ensure that your personal data is adequately protected and secured. We will also put in place measures such that your personal data in our possession or under our control is destroyed and/or anonymised as soon as it is reasonable to assume that: (i) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (ii) retention is no longer necessary for any other legal or business purposes. Otherwise, personal data collected by us is generally only retained for as long as it is reasonably necessary for the purpose for which the data provided and we may destroy or delete any information or personal data provided by you thereafter, unless required by law, regulation or other business or audit requirements. For EU residents, we will endeavour to delete data within thirty (30) days of a request for deletion or contact you if it will take longer.
- COMPLAINTS / QUERIES
E-mail address: email@example.com
Office address: HealthTech Hub, Found8, 100 Amoy Street, Singapore 069920
Att: Data Protection Officer
- UPDATES ON DATA PROTECTION POLICY
- You are encouraged to visit the above Website from time to time to ensure that you are well informed of our latest policies in relation to personal data protection.
- We may collect information from you (or others on your behalf) de-identified information to help us in our business and provide you with the relevant Services. Such anonymised and de-identified information may be transferred, disclosed, assigned, leased, licensed, sold and otherwise shared with and by our partners, service providers, advertisers and/or other third parties for purposes permitted under law.
- Cookies (small text files placed on your device that record information about your preferences and enable log-ins, provide interest-based advertising, analyse how our Services are performing) are an example of such anonymised data which we collect. While compiling information about your browsing habits, cookies can also enhance your user experience. There may also be third party cookies on our Websites. For more information on cookies, please refer to allaboutcookies.org/manage-cookies/.