WiBiz Trust Center

Data Protection and Privacy Policy

Digital Benefits Pte Ltd (WiBiz)
Version: 1.0 | Effective Date: 15 April 2026 | Review Date: 15 April 2027
Classification: Internal | Owner: Security Officer
Approved by: Nicklaus D'Cruz, CEO


1. Purpose

This policy defines how Digital Benefits Pte Ltd ("WiBiz") collects, processes, stores, and protects personal data. It ensures compliance with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).

WiBiz operates a SaaS platform that processes personal data on behalf of SMB clients, including customer names, contact details, conversation logs, booking records, and payment references. This policy governs all such processing activities.

2. Scope

This policy applies to:

  • All personal data processed by WiBiz, whether as data controller (own business operations) or data intermediary/processor (on behalf of clients)
  • All employees, contractors, interns, and third-party providers who handle personal data
  • All systems, applications, and services used to process personal data
  • Data in all forms: electronic, paper, verbal

3. Data Protection Officer (DPO)

WiBiz designates a Data Protection Officer responsible for:

  • Overseeing compliance with this policy and applicable data protection laws
  • Serving as the point of contact for the Personal Data Protection Commission (PDPC) in Singapore
  • Handling data subject requests and complaints
  • Conducting and reviewing Data Protection Impact Assessments (DPIAs)
  • Advising the business on data protection obligations

The DPO reports directly to the CEO. Contact details for the DPO are published on the WiBiz website and provided to clients during onboarding.

4. Data Classification

All data handled by WiBiz is classified into four tiers. Classification determines the controls applied.

Classification | Definition | Examples | Handling Requirements
Restricted | Data whose unauthorised disclosure would cause severe harm, legal liability, or regulatory breach | Client customer PII, health data, financial records, authentication credentials, encryption keys | Encrypted at rest and in transit. Access on strict need-to-know. All access logged. No external sharing without legal basis and DPO approval.
Confidential | Sensitive business or client data not intended for public access | Client business configurations, internal pricing, contracts, employee records, system architecture details | Encrypted in transit. Access controlled by role. No sharing outside WiBiz without authorisation.
Internal | Information for internal use that is not sensitive | Internal process documents, meeting notes, project plans, non-sensitive communications | Reasonable access controls. Not to be shared externally without review.
Public | Information explicitly approved for public distribution | Marketing materials, published pricing, website content, public documentation | No restrictions on distribution. Must be approved before classification as Public.

Default classification for all data is Confidential until explicitly classified otherwise.

5. Lawful Basis for Processing

5.1 Under PDPA (Singapore)

WiBiz processes personal data under one or more of the following bases:

  • Consent: Obtained before or at the time of collection, for stated purposes
  • Deemed consent: Where the individual voluntarily provides the data for a purpose they would reasonably expect (e.g., fulfilling a service request), or where WiBiz has notified the individual of the purpose and they have not opted out (deemed consent by notification, introduced by the 2020 PDPA amendments)
  • Business improvement: For improving or developing products/services, with appropriate safeguards
  • Legal obligation: Where required by law or court order

5.2 Under GDPR (where applicable)

For personal data of EU/EEA residents, WiBiz relies on:

  • Consent (Article 6(1)(a)) — freely given, specific, informed, and unambiguous
  • Contract performance (Article 6(1)(b)) — processing necessary to fulfil a contract
  • Legitimate interests (Article 6(1)(f)) — where WiBiz or client interests are not overridden by data subject rights
  • Legal obligation (Article 6(1)(c)) — where required by applicable law

The lawful basis for each processing activity is documented in the WiBiz Data Processing Register.

6. Data Subject Rights

WiBiz honours the following rights for individuals whose data it processes:

6.1 PDPA Rights

  • Access: Right to request what personal data WiBiz holds and how it has been used
  • Correction: Right to request correction of inaccurate or incomplete data
  • Withdrawal of consent: Right to withdraw consent for processing, subject to legal and contractual limitations
  • Data portability: Right to receive personal data in a commonly used format (where applicable under PDPA amendments)

6.2 GDPR Rights (EU/EEA residents)

In addition to the above:

  • Erasure (Right to be forgotten): Request deletion of personal data where no lawful basis for continued processing exists
  • Restriction of processing: Request limitation on how data is processed
  • Objection: Object to processing based on legitimate interests
  • Automated decision-making: Right not to be subject to decisions based solely on automated processing with legal or significant effects

6.3 Handling Requests

  • Requests are submitted to the DPO via the published contact channel
  • Identity verification is required before any data is disclosed or modified
  • Requests are acknowledged within 3 business days and fulfilled within 30 calendar days
  • Where WiBiz is a data intermediary (processor), requests are forwarded to the relevant client (controller) for instruction

7. Consent Management

7.1 Collection of Consent

  • Consent is obtained before or at the time personal data is collected
  • The purpose of collection is stated clearly at the point of consent
  • Consent is granular — separate consent for separate purposes where required
  • Consent records (method, timestamp, scope) are retained

7.2 Withdrawal of Consent

  • Individuals can withdraw consent at any time through the published contact channel
  • Withdrawal is processed within 10 business days
  • WiBiz informs the individual of the consequences of withdrawal before processing it
  • Withdrawal does not affect the lawfulness of processing carried out before withdrawal

7.3 Client Platform Consent

For data processed through the WiBiz platform on behalf of clients, the client (as controller) is responsible for obtaining valid consent from their customers. WiBiz provides the technical infrastructure for consent capture and record-keeping.

8. Cross-Border Data Transfers

8.1 Transfer Safeguards

WiBiz uses cloud infrastructure and third-party services that may process data outside Singapore. All cross-border transfers are subject to:

  • Verification that the receiving jurisdiction provides a standard of protection comparable to the PDPA; or, where it does not,
  • Contractual safeguards (Standard Contractual Clauses for GDPR transfers, or equivalent contractual protections meeting the PDPA Transfer Limitation Obligation); and, in all cases,
  • A Data Processing Agreement with every processor that handles personal data outside Singapore

8.2 Transfer Register

The DPO maintains a register of all cross-border data flows, including:

  • The data transferred
  • The destination jurisdiction
  • The recipient and their role (processor/sub-processor)
  • The safeguard mechanism in place

8.3 Known Transfer Jurisdictions

WiBiz currently transfers data to service providers in:

  • United States (cloud infrastructure, payment processing, AI services)
  • Jurisdictions where client end-users are located (as required by service delivery)

Each transfer is covered by appropriate agreements and documented in the transfer register.

9. Privacy by Design

WiBiz applies privacy by design principles across all product development and system changes:

  1. Data minimisation: Collect only the personal data necessary for the stated purpose
  2. Purpose limitation: Use data only for the purpose for which it was collected, unless a compatible secondary purpose exists
  3. Storage limitation: Retain personal data only as long as necessary. Define and enforce retention periods per data category.
  4. Access minimisation: Grant access to personal data on a need-to-know basis only
  5. Pseudonymisation and anonymisation: Apply where practical to reduce risk
  6. Security by default: Systems are configured with the most privacy-protective settings as default
  7. Impact assessment: Conduct a DPIA for any new processing activity that poses high risk to individuals

10. Data Breach Notification

10.1 Definition

A data breach is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of storage media on which personal data is stored.

10.2 Internal Reporting

  • Any staff member who suspects or discovers a breach must report it to the Security Officer and DPO immediately (within 1 hour of discovery)
  • The Security Officer initiates the incident response process per the Incident Response Policy (Policy 05)

10.3 Regulatory Notification (PDPC)

Under the PDPA mandatory breach notification regime:

  • WiBiz assesses whether the breach is notifiable: one that results in, or is likely to result in, significant harm to affected individuals, or one of significant scale (500 or more affected individuals). The assessment is completed within 30 calendar days of WiBiz having reason to believe a breach has occurred
  • If notifiable, WiBiz notifies the PDPC as soon as practicable, and no later than 3 calendar days (72 hours) after determining that the breach is notifiable
  • Notification includes: the nature of the breach, the categories of data affected, the number of individuals affected, and the remedial actions taken

10.4 Notification to Affected Individuals

  • Where the breach is likely to result in significant harm to individuals, affected individuals are notified on or after the PDPC notification, as soon as practicable
  • Notification includes: what happened, what data was affected, what WiBiz is doing, and what the individual can do to protect themselves

10.5 Client Notification

  • Where WiBiz is processing data as a data intermediary and a breach occurs, the relevant client (controller) is notified within 24 hours of WiBiz becoming aware of the breach
  • WiBiz cooperates with the client's own breach notification obligations

10.6 GDPR Notification (where applicable)

For breaches affecting EU/EEA residents:

  • The relevant supervisory authority is notified within 72 hours of becoming aware of the breach (Article 33)
  • Affected data subjects are notified without undue delay where the breach poses a high risk to their rights (Article 34)

11. Data Retention

11.1 Retention Principles

  • Personal data is retained only as long as necessary to fulfil the purpose for which it was collected
  • Retention periods are defined per data category in the Data Retention Schedule (maintained by the DPO)
  • When the retention period expires, data is securely deleted or anonymised

11.2 Key Retention Periods

Data Category | Retention Period | Basis
Client account data | Duration of contract + 2 years | Contractual and legal obligations
End-user conversation logs | As defined in client agreement (default: 12 months) | Client instruction and business need
Payment records | 7 years | Financial regulatory requirements
Employee/contractor records | Duration of engagement + 2 years | Employment and tax obligations
Security and access logs | 12 months | Security monitoring and incident investigation
Consent records | Duration of processing + 2 years | Proof of lawful basis

11.3 Client Data on Termination

Upon termination of a client agreement:

  • Client data is made available for export for 30 days
  • After 30 days, client data is securely deleted from all production systems
  • Backup copies are purged within 90 days of termination

12. Third-Party Data Processing

12.1 Data Processing Agreements

WiBiz maintains Data Processing Agreements (DPAs) with all third-party providers that process personal data on its behalf or on behalf of its clients. DPAs specify:

  • The scope and purpose of processing
  • Data security obligations
  • Sub-processing restrictions and notification requirements
  • Breach notification obligations
  • Data return and deletion on termination

12.2 Sub-Processor Management

  • WiBiz maintains a list of approved sub-processors
  • Clients are notified of sub-processor changes with reasonable advance notice
  • Sub-processors are subject to equivalent security and privacy obligations

13. Enforcement and Compliance

  • Compliance with this policy is mandatory for all staff and contractors
  • The DPO conducts periodic audits of data processing activities
  • Violations may result in disciplinary action, up to and including termination
  • Where violations constitute regulatory breaches, WiBiz cooperates with relevant authorities

Document Control

Version | Date | Author | Changes
1.0 | 15 April 2026 | Security Officer / DPO | Initial release