Privacy Policy

1 – Introduction

This Privacy Policy applies to all MarketBridge digital and offline channels, including websites, mobile apps, kiosks, partner portals and back-office systems.

It explains our obligations under the PDPA 2012 and how we embed personal data protection into loyalty programme design, campaign management and transactional workflows.

MarketBridge acts as data controller for data you provide directly and engages processors under binding contracts that enforce PDPA-equivalent safeguards.

All employees, contractors and third-party partners must adhere to this Policy and supporting procedures.

2 – How We Collect Your Personal Data
We collect data directly, indirectly and by automated means through:
  • Website and mobile app forms when you register, subscribe or request demos
  • Offline sign-up sheets, in-store kiosks and paper contracts for loyalty and consultancy services
  • CRM imports and partner referrals under written agreement
  • Marketing outreach via EDMs, webinars, events and call-back requests
  • Cookies, web analytics and device identifiers during website visits
  • Email, chat, social media and telephone interactions recorded in our case-management system
3 – Types of Personal Data We Collect
We classify personal data into these categories:
  • Identification and contact (name; email; phone; mailing and business address)
  • Demographics and profile (gender; date of birth; nationality)
  • Government IDs for KYC (NRIC; passport)
  • Employment and financial history (salary; billing; credit record)
  • Loyalty programme details (transaction timestamps; point balances; redemption history; preference tags; geolocation for offers)
  • Technical metadata (device type; IP address; browser settings)
4 – How We Use Your Personal Data
We process your data to:
  • Deliver contracted services, loyalty points and rewards fulfilment
  • Authenticate users and verify KYC for high-value redemptions
  • Segment audiences and drive precision marketing, campaign triggers and dynamic offer generation
  • Perform billing, accounts receivable/payable and credit assessments
  • Analyse web usage, measure engagement and optimize user experience
  • Produce regulatory reports, audit trails and management dashboards
  • Collaborate with partners on joint promotions and cross-channel communications
  • Investigate, detect and prevent fraud, disputes or security incidents
  • Comply with or fulfil legal obligations and regulatory requirements
5 – Disclosure of Your Personal Data
Data may be shared with:
  • Regulatory and enforcement agencies under legal obligation
  • Credit bureaus (Experian) for underwriting and due diligence
  • Professional advisers (auditors; tax agents; legal counsel) under confidentiality agreements
  • Cloud, email and loyalty-platform vendors bound by PDPA-equivalent contractual clauses
  • Participating merchants and analytics partners for rewards fulfilment and behavioral insights
  • Internal recipients on a strict need-to-know basis, enforced by role-based access controls
All disclosures are logged, auditable and subject to periodic review.
6 – Consent Management
6.1 Notice and Choice
We notify purpose statements at point of collection and record consent events with timestamps and source channels.
6.2 Deemed and Explicit Consent
Written or electronic opt-in is obtained for sensitive uses (profiling; targeted marketing). Deemed consent applies only where PDPA exceptions permit.
6.3 Withdrawal and Opt-Out
Requests can be submitted via email, postal letter or our unsubscribe link. Withdrawal triggers downstream suppression, documented in our marketing database.
6.4 Cookie and Tracking Controls
A cookie banner appears on first visit. Visitors can granularly opt-in or out of analytics, advertising and functional cookies via our Cookie Preference Centre.
6.5 Controller vs Processor
MarketBridge is data controller for frontline collection. Service providers act as processors under standard contractual clauses, audited annually for PDPA compliance.
7 – Accuracy of Your Personal Data

We will take reasonable steps to ensure that the personal data we collect about you is accurate, complete, not misleading and kept up to date.

From time to time, we may do a data verification exercise for you to update us on any changes to the personal data we hold about you. If we are in an ongoing relationship with you, it is important that you update us of any changes to your personal data (such as a change in your mailing address).

8 – Protection of Your Personal Data
We have implemented appropriate information security and technical measures to protect the personal data we hold about you against loss, misuse, destruction, unauthorised alteration/modification, access, disclosure, or similar risks. We have also put in place reasonable and appropriate organisational measures to maintain the confidentiality and integrity of your personal data and will only share your data with authorised persons on a ‘need to know’ basis. When we engage third-party data processors to process personal data on our behalf, we will ensure that they provide sufficient guarantees to us to have implemented the necessary organisational and technical security measures and have taken reasonable steps to comply with these measures.
9 – Retention of Personal Data

We have a document retention policy that keeps track of the retention schedules of the personal data you provide us, in paper or electronic forms. We will not retain any of your personal data when it is no longer needed for any business or legal purposes.

We will dispose of or destroy such documents containing your personal data in a proper and secure manner when the retention limit is reached.

10 – Data Subject Rights
You have rights to:
  • Access: submit a request form; receive data extract within 30 days
  • Correction: request amendments; approval or rejection logged with rationale
  • Portability: export data in machine-readable format where technically feasible
  • Withdrawal: stop processing for marketing or profiling; implement suppression lists
  • Objection: opt out of automated decision-making and profiling
  • Requests incur a processing fee only if PDPC guidelines permit, and require identity verification.
11 – Transfer of Personal Data
Cross-border transfers occur under:
  • Adequacy decisions for jurisdictions with PDPA-equivalent laws
  • Standard contractual clauses referencing ASEAN Model Clauses
  • Binding corporate rules for intra-group transfers, approved by PDPC where required
  • Transfer logs maintained and reviewed semi-annually for compliance
12 – Data Breach Notification and Response
Our breach protocol:
  • Assemble Incident Response Team (IRT) with clear roles and escalation matrix
  • Contain threat, perform root-cause forensics and document findings
  • Notify PDPC and affected individuals within statutory timelines (72 hours for significant breaches)
  • Deploy remediation plans, update controls and conduct post-mortem review
All incidents are recorded in our GRC platform, with follow-up audits.
13 – Contacting Us

If you have any queries or feedback regarding this Notice, or any complaint you have relating to how we manage your personal data, you may contact our Data Protection Officer (DPO) at: dpo@marketbridge.com.sg

Any query or complaint should include, at least, the following details:
  • Your full name and contact information
  • Brief description of your query or complaint
14 – Changes to This Privacy Notice
Updates to this Policy follow our governance process:
  • Version control with change log and effective date
  • Notification via website banner and direct email to registered contacts for material changes
  • Annual compliance review and sign-off by senior management
15 – Privacy-By-Design and Ongoing Assessments
We integrate privacy into product lifecycles by:
  • Conducting Privacy Impact Assessments (PIAs) at project initiation
  • Embedding data-minimisation, purpose limitation and retention rules into system design
Version 2 and effective date 25 September 2025.