1. Introduction

1.1. This Notice applies to the Processing of your personal data by us. It explains how we Process your personal data when you interact with us.

1.2. This Notice may be updated from time to time, including to reflect amendments to the Personal Data Protection Act 2012 (Singapore), the Personal Data Protection Act 2010 (Malaysia), or the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong), or to provide you with additional information about how your personal data is handled. We strongly encourage you to review this Notice periodically.

2. Personal Data

2.1. For purposes of this Notice, Personal Data means any information or combination of information, relating, directly or indirectly to you.

2.2. Depending on the nature of your interaction with us, we may collect the following information:

a) Personal identification details:

i) Name;

ii) Contact number(s); and

iii) Email address(es).

b) Account and profile information:

i) Username;

ii) Password;

iii) Profile preferences;

iv) Enquiries, feedback, comments, and ratings submitted through the platforms; and

v) Reviews and testimonial via our communication and feedback touchpoints, channels, and/or platforms.

c) Transaction data:

i) Purchases and/or payment information;

ii) Transactions records; and

iii) Subscriptions.

d) Network traffic and other related data:

i) Identification numbers;

ii) Location data;

iii) Online identifiers;

iv) IP adresss;

v) Cookies;

vi) Web beacons;

vii) Devise identification details; and

viii) Language settings.

e) Data acquired through internal and external communications:

i) Contents of email;

ii) Records of communication through bots;

iii) Messaging tools; and

iv) Mobile communications

f) Information voluntarily shared with us:

i) Feedback;

ii) Opinions;

iii) Reviews;

iv) Comments; and

v) Any information you may share with us on our social media platform, internal communication platforms and websites.

g) Cookies and tracking data: see Section 8.

2.3. Personal Data of Vulnerable Persons:

a) It is, our intention and policy to comply with law when it requires parent, guardian or legal representative’s permission before collecting, using or disclosing Personal Data of Vulnerable Persons.

b) If a parent, guardian or legal representative becomes aware that Personal Data of a child or ward has been provided by that child or ward without the consent of the relevant parent, guardian or legal representative, please contact us (contact details provided below). Such Personal Data will be disposed of from our records.

3. Collection of Personal Data

3.1. During our interactions with you, we may obtain Personal Data about you to fulfill a statutory or contractual requirement, or is required to perform or enter into a contract with you. In this case, you are obliged to provide your Personal Data. If you do not provide your Personal Data to us, we may not be able to accomplish some of the purpose for which we collect Personal Data. In other cases, decision to provide us your Personal Data may be optional.

3.2. We collect Personal Data from you in the following ways:

a) Directly:

i) when you create an account, register with us and/or submit any contact form to us;

ii) when you disclose Personal Data in face-to-face meetings, telephone conversations, emails and/or over any registration, communication or messaging platforms with our staff members;

iii) when you sign up for our marketing and promotional communications and/or events;

iv) when you interact, communicate with us and/or leave comments on our websites, mobile applications, or social media platforms;

v) when you enter into an agreement, partnership, collaboration and/or provide any other documentation or information in respect of your interactions, engagement and/or relationship with us;

vi) when you make available your Personal Data to us for any other reason;

b) Indirectly:

i) when we seek and receive your Personal Data in connection with your interaction, engagement and/or relationship with us (including, but not limited to, for our products and services or work, education and accreditation applications) from other data sources;

ii) when we receive your Personal Data from other medical service providers (whether related or third party);

iii) if you act as an intermediary or are supplying us with Personal Data and information relating to a third-party/other individual (such as a relative, friend, colleague, patient, employee, etc.), you undertake that you have obtained all necessary consents from such third-party/other individual for Processing of their Personal Data by us;

iv) as we are collecting third-party/other individual's Personal Data from you, you undertake to make such third-party/other individual aware of all matters listed in this Notice by referring them to our website or informing them of the contents of this Notice; and/or

v) any other information which we may collect from other sources.

4. Accuracy of Personal Data

4.1. We strive to maintain Personal Data in a manner that is accurate, complete and up-to-date. The Personal Data you provide to us must be accurate, complete and up-to-date, and you must inform us of any significant changes to such Personal Data provided by you.

4.2. Furthermore, if you act as an intermediary or are supplying us with Personal Data and information relating to a third party or another individual, please note that you must ensure such Personal Data is collected in compliance with the applicable data protection laws, including the Personal Data Protection Act 2012 (Singapore), the Personal Data Protection Act 2010 (Malaysia), and the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong). For example, you should inform such third party or individual about the contents of this Notice.

5. Purposes of Personal Data Collection, Use, Disclosure, and Processing

5.1. Personal Data may be collected, used, transferred or otherwise Processed for one or more of the following purposes:

a) Business Purposes: These are legitimate purposes as appropriate to conduct our business. These include Processing necessary for the performance of contractual obligations, invoicing, billing and account management of Individuals, customer service and support, finance and accounting, research and development, internal management and control, and any other reasonably related activities.

b) Human resources and personnel management: This includes Processing necessary for the performance of an employment or other contract with an employee (or to take necessary steps at the request of an employee prior to entering into a contract), or for managing the employment-at-will relationship.

c) Compliance with legal and regulatory obligations: For Processing necessary for compliance with a legal or regulatory obligation to which we are subject;

d) Vital interests: For Processing necessary to protect your vital interests, for instance, situations that require us to protect your life or you from harm;

e) Marketing and Promotion: We may, when Processing Personal Data for marketing communications and/or promotions, either:

i) obtain your consent; and/or

ii) offer you opportunity to not proceed with the processing and/or to choose not to receive such communications. If you wish to withdraw consent to receive such materials, please contact us.

5.2. Secondary Purposes: Processing of Personal Data (including previously collected data) for secondary purposes such as:

a) transferring the Personal Data to an archive;

b) conducting internal audits or investigations;

c) implementing business controls;

d) conducting statistical, historical or scientific research as required for our business operations;

e) preparing or engaging in dispute resolution;

f) using legal or business consulting services;

g) managing insurance or other benefits related issues; and/or

h) creating de-identified, aggregated and/or anonymised data from Personal Data from which you would not be identifiable, through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means for purposes including, but not limited to i) enhancing security; and/or ii) for further processing, aggregation, analysis (of the anonymised data that no longer contains your Personal Data only), for optimisation of patient care and improvement of healthcare services, products and research and developments which may include transferring such anonymised data to our affiliates and business partners in Singapore or abroad, for such purposes.

5.3. Any other reasonably related purposes.

5.4. Exceptions: Some of our obligations under this Notice may be overridden if, under the specific circumstances at issue, a pressing legitimate need exists that outweighs your interest. Such a situation exists if there is a need to:

a) protect our Business Interests including:

i) the health, security or safety of individuals;

ii) our intellectual property rights, trade secrets or reputation;

iii) the continuity of our business operations;

iv) the preservation of confidentiality in a proposed sale;

v) merger or acquisition of a business;

vi) the involvement of authorised advisors or consultants for business, legal, tax, or insurance purposes.

b) prevent or investigate suspected or actual violations of

i) law (including cooperating with law enforcement);

ii) contracts; and/or

iii) our policies.

c) otherwise protect or defend us, our personnel’s or other individual’s rights or freedoms.

6. Automated Decision-Making

6.1. Automated tools may be used by us to Process your Personal Data and/or make decisions about you. Some extent of human intervention may be involved in the automated decision-making.

6.2. Where permissible under law, we may undertake automated decision-making if:

a) the decision is made by us for purposes of entering or performing a contract provided that the underlying request leading to a decision by us was made by you;

b) you have provided explicit consent; and/or

c) the use of automated tools is otherwise required.

7. Sharing Personal Data

7.1. Your Personal Data may be shared with our employees, representatives and/or affiliates.

7.2. Access to Personal Data, will be limited to those who have a need to know the information for the purposes described in this Notice.

7.3. From time to time, we may need to share your Personal Data with external parties, which may include the following:

a) care providers, whose services you use through us: we may share your Personal Data necessary with independent contractors that have been listed as care providers on our website and that you have purchased counselling, coaching, or other services from;

b) service providers, vendors, suppliers: we contract with authorised external parties or companies that provide products and services to us necessary for our operations. These include providers of IT infrastructure, payment processing, email communications, cloud storage, analytics, and customer support. Examples include:

• Wix (website hosting, website content management, and related web services)

• Stripe (payment processing)

• Mailchimp (email communications and marketing automation)

• Google Workspace (email and document storage)

• Amazon Web Services (AWS) or Google Cloud Platform (GCP) (hosting and cloud services)

• Intercom, Zendesk, or similar (customer support platforms)

• Google Analytics (usage analytics and session tracking)

c) business and collaboration partners: we work with accredited doctors and specialists including, but not limited to, their clinic personnel and administrators, our corporate clients and/or partners (and their appointed service providers and/or customers), education and research institutes;

d) public and governmental authorities: when required by law, or as necessary to protect our rights, we may share your Personal Data to public and governmental authorities that regulate or have jurisdiction over us;

e) professional advisors and others: we work with and receive support from certain professional advisors such as banks, insurance companies, auditors, lawyers, accountants, and payroll advisors, consultants; and/or

f) other parties in connection with corporate transactions: we may also, from time to time, share your Personal Data in the course of corporate transactions, such as during a sale of a business or a part of a business to another company, or any reorganisation, merger, joint venture, or other disposition of our business, assets, or stock.

7.4. As appropriate, we will contractually protect and safeguard your interests at a similar level of protection as provided by us.

8. Cross-Border Transfer of Personal Data

8.1. Due to our international presence, your Personal Data may be accessed by or transferred to our affiliates and/or authorised external parties from various countries around the world in order for us fulfil the purposes described in this Notice.

8.2. As a result, we may transfer your Personal Data to jurisdictions located outside of Singapore, Malaysia, and Hong Kong, which may have data protection laws and requirements that differ from the standards provided under the Personal Data Protection Act 2012 (Singapore) (“PDPA”), the Personal Data Protection Act 2010 (Malaysia), and the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong).

8.3. Personal Data may be transferred to an authorised external party, located internationally only if, we believe it is necessary or appropriate to:

a) ensure compliance with applicable data protection related laws which may include responding to requests from public and government authorities, cooperation with law enforcement agencies or other legal reasons; and/or

b) satisfy purposes for which Personal Data has been collected by us or to enforce our terms and conditions.

8.4. In all such cross-border transfers, we will take appropriate steps to ensure that your Personal Data is protected in accordance with applicable legal requirements, including:

a) under Singapore’s PDPA, ensuring that the recipient is bound by legally enforceable obligations that provide a standard of protection comparable to the PDPA, such as through contractual clauses or binding corporate rules (as per the Personal Data Protection (Transfer Limitation Obligation) Regulations 2020);

b) under the Malaysia PDPA, ensuring that personal data is only transferred to jurisdictions specified by the Malaysian government or where the data subject has provided explicit consent, or where contractual safeguards are in place to uphold privacy protection (Section 129); and

c) under Hong Kong’s PDPO, complying with Section 33 (although not yet in force), including preparing for the use of model contractual clauses, consent-based transfers, or exceptions for legal proceedings, contractual necessity, or public interest.

8.5. Where required, we will put in place data transfer agreements, standard contractual clauses, or obtain data subject consent, in line with the applicable legal framework in the jurisdiction where your data is collected or processed.

9. Storing Personal Data

9.1. We keep your Personal Data for as long as necessary to fulfil the purposes for which it was collected. We retain Personal Data only:

a) for the period required to serve the applicable Business Purpose;

b) to the extent necessary to comply with any applicable legal and/or regulatory requirement; and/or

c) as required or advised under the laws of Singapore, Malaysia, and Hong Kong, including but not limited to:

i) the Personal Data Protection Act 2012 (Singapore);

ii) the Personal Data Protection Act 2010 (Malaysia); and

iii) the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong).

9.2. Industry-specific retention guidelines for mental healthcare data may also apply, including:

a) In Singapore, medical records must generally be retained for at least 6 years from the last patient encounter (Ministry of Health guidelines);

b) In Malaysia, healthcare providers are generally required to retain patient records for at least 7 years under the Private Healthcare Facilities and Services Regulations 2006; and

c) In Hong Kong, the Department of Health recommends retaining patient records for at least 7 years, or until a minor patient turns 21, whichever is longer.

9.3. Promptly after the applicable retention period has ended, your Personal Data will be appropriately:

a) disposed of securely in a manner that prevents further processing, unauthorised access, or disclosure; and/or

b) de-identified or anonymised, so that it can no longer be used to identify you directly or indirectly, in accordance with the applicable laws of Singapore, Malaysia, and Hong Kong.

10. Protecting Personal Data

10.1. We are committed to maintaining the security of the Personal Data processed and restrict the Processing of Personal Data to those data/information that are reasonable, adequate for, and/or relevant to the purposes described under this Notice.

10.2. To protect your Personal Data, we take appropriate measures, and we also require external parties to whom we disclose your Personal Data to, to protect the confidentiality and security of your Personal Data. Depending on the state of the art, the costs of implementation and the nature of the data/information to be protected, we have put in place physical, technical and organisational measures to prevent risks such as unauthorised access, collection, use, disclosure, copying, modification, disposal or loss.

10.3. If you have any reason to believe that your interaction with us is no longer secure, please contact us (contact details provided below).

11. Use of Cookies and Similar Technologies

11.1. We use cookies and similar tracking technologies on our Platform to enhance your user experience, understand usage patterns, and improve our services. By continuing to use our Platform, you consent to the use of cookies as described in this policy, subject to any choices you make via your browser or device settings.

11.2. Cookies are small text files stored on your device by websites you visit. They help us remember your preferences, login status, and activity on our Platform to provide a more personalized experience.

11.3. We use the following types of cookies:

• Strictly Necessary Cookies: Required for core website functionality (e.g., login, navigation).

• Performance Cookies: Help us analyze how users interact with the Platform (e.g., Google Analytics).

• Functionality Cookies: Remember your preferences and settings.

• Targeting/Advertising Cookies: Used to deliver relevant ads based on your interests (where applicable).

11.4. Our use of cookies complies with the data protection laws in Singapore (Personal Data Protection Act 2012), Malaysia (Personal Data Protection Act 2010), and Hong Kong (Personal Data (Privacy) Ordinance). Where required, we will seek your consent before placing non-essential cookies on your device.

11.5. You can control or delete cookies through your browser settings. Please note that disabling certain cookies may affect the functionality or availability of some parts of our Platform.

11.6. Some cookies on our Platform may be set by third-party service providers (e.g., analytics or advertising partners). These third parties may collect data about your online activities over time and across different websites.

11.7. We may update this cookies section from time to time to reflect changes in technology, law, or our data practices. Material changes will be notified via our Platform or other appropriate means.

12. Enquiries

12.1. With respect to Processing of your Personal Data, upon successful verification of your identity, you may:

a) obtain information on the Processing of your Personal Data over the past one year, subject to applicable fee(s) related to the costs of processing your access request;

b) request to update or correct your Personal Data, provided we are satisfied on reasonable grounds that such a correction should be made; and/or

c) withdraw your consent to use of your Personal Data. Please note that your request may affect the products and services we are able to offer to you;

12.2. If you have any inquiries, requests, feedback or complaints in relation to protecting your Personal Data, please contact the Data Protection Office via the following channels:

Data Protection Officer

Email: dataprotection@4mind.health
Address: 2 Vision Exchange, #19-21 Venture Drive, 608526 Singapore

12.3. We will do our best to respond to you within a reasonable time and no longer than 30 days from the date we receive your inquiry, request, feedback or complaint.

13. Updates to Notice

13.1. We may revise this Notice from time to time. Any changes will become effective as on the Effective Date, when we post the revised Notice on our website. You are strongly advised to review this Notice periodically for any changes