Privacy Policy

1 – Introduction

This Privacy Policy applies to all MarketBridge digital and offline channels, including websites, mobile apps, kiosks, partner portals and back-office systems.

It explains our obligations under the PDPA 2012 and how we embed personal data protection into loyalty programme design, campaign management and transactional workflows.

MarketBridge acts as data controller for data you provide directly and engages processors under binding contracts that enforce PDPA-equivalent safeguards.

All employees, contractors and third-party partners must adhere to this Policy and supporting procedures.

2 – How We Collect Your Personal Data

We collect data directly, indirectly and by automated means through:

  • Website and mobile app forms when you register, subscribe or request demos
  • Offline sign-up sheets, in-store kiosks and paper contracts for loyalty and consultancy services
  • CRM imports and partner referrals under written agreement
  • Marketing outreach via EDMs, webinars, events and call-back requests
  • Cookies, web analytics and device identifiers during website visits
  • Email, chat, social media and telephone interactions recorded in our case-management system

3 – Types of Personal Data We Collect
 
We classify personal data into these categories:
 
  • Identification and contact (name; email; phone; mailing and business address)
  • Demographics and profile (gender; date of birth; nationality)
  • Government IDs for KYC (NRIC; passport)
  • Employment and financial history (salary; billing; credit record)
  • Loyalty programme details (transaction timestamps; point balances; redemption history; preference tags; geolocation for offers)
  • Technical metadata (device type; IP address; browser settings)
 
4 – How We Use Your Personal Data
 
We process your data to:
 
  • Deliver contracted services, loyalty points and rewards fulfilment
  • Authenticate users and verify KYC for high-value redemptions
  • Segment audiences and drive precision marketing, campaign triggers and dynamic offer generation
  • Perform billing, accounts receivable/payable and credit assessments
  • Analyse web usage, measure engagement and optimize user experience
  • Produce regulatory reports, audit trails and management dashboards
  • Collaborate with partners on joint promotions and cross-channel communications
  • Investigate, detect and prevent fraud, disputes or security incidents
 
5 – Disclosure of Your Personal Data
 
Data may be shared with:
 
  • Regulatory and enforcement agencies under legal obligation
  • Credit bureaus (Experian) for underwriting and due diligence
  • Professional advisers (auditors; tax agents; legal counsel) under confidentiality agreements
  • Cloud, email and loyalty-platform vendors bound by PDPA-equivalent contractual clauses
  • Participating merchants and analytics partners for rewards fulfilment and behavioral insights
  • Internal recipients on a strict need-to-know basis, enforced by role-based access controls

All disclosures are logged, auditable and subject to periodic review.
 
6 – Consent Management
 
6.1 Notice and Choice
We present purpose statements at the point of collection and record consent events with timestamps and source channels.
 
6.2 Deemed and Explicit Consent
Written or electronic opt-in is obtained for sensitive uses (profiling; targeted marketing). Deemed consent applies only where PDPA exceptions permit.
 
6.3 Withdrawal and Opt-Out
Requests can be submitted via email, postal letter or our unsubscribe link. Withdrawal triggers downstream suppression, documented in our marketing database.
 
6.4 Cookie and Tracking Controls
A cookie banner appears on first visit. Visitors can opt in to or out of analytics, advertising and functional cookies individually via our Cookie Preference Centre.
 
6.5 Controller vs Processor
MarketBridge is data controller for frontline collection. Service providers act as processors under standard contractual clauses, audited annually for PDPA compliance.
 
7 – Accuracy of Your Personal Data
 
We maintain accuracy by:
 
  • Performing quarterly data-verification campaigns via email or SMS prompts
  • Providing a self-service portal for you to view and update your profile in real time
  • Validating identification documents at onboarding and high-value redemption points
  • Logging all changes with user ID, timestamp and change reason for auditability
 
8 – Protection of Your Personal Data
 
Technical and organizational safeguards include:
 
  • Encryption of data at rest and in transit
  • Role-based access controls with periodic privilege reviews
  • Mandatory PDPA and information-security training for all staff
 

9 – Retention of Personal Data

Data Category | Retention Period | Disposal Method
Employee and payroll records | 7 years after termination | Secure shredding / digital wipe
Client and prospect contact information | 3 years after last interaction | Secure deletion
Loyalty programme transactional and profile | 5 years after membership expiry | Secure deletion
Financial, billing and credit history | 7 years | Secure deletion
 
Retention triggers and disposal events are automated, with quarterly reviews and audit logs.

10 – Data Subject Rights

You have rights to:

  • Access: submit a request form; receive data extract within 30 days
  • Correction: request amendments; approval or rejection logged with rationale
  • Portability: export data in machine-readable format where technically feasible
  • Withdrawal: stop processing for marketing or profiling; implement suppression lists
  • Objection: opt out of automated decision-making and profiling

Requests incur a processing fee only if PDPC guidelines permit, and require identity verification.

11 – Transfer of Personal Data

Cross-border transfers occur under:

  • Adequacy decisions for jurisdictions with PDPA-equivalent laws
  • Standard contractual clauses referencing ASEAN Model Clauses
  • Binding corporate rules for intra-group transfers, approved by PDPC where required

Transfer logs are maintained and reviewed semi-annually for compliance.

12 – Data Breach Notification and Response

Our breach protocol:

  • Assemble Incident Response Team (IRT) with clear roles and escalation matrix
  • Contain threat, perform root-cause forensics and document findings
  • Notify PDPC and affected individuals within statutory timelines (72 hours for significant breaches)
  • Deploy remediation plans, update controls and conduct post-mortem review

All incidents are recorded in our GRC platform, with follow-up audits.

13 – Contacting Us

For questions, requests or complaints, contact:
Data Protection Officer
Name: Andrew Quek
Email: dpo@marketbridge.com.sg
Phone: +65 6242 2490

14 – Changes to This Privacy Notice

Updates to this Policy follow our governance process:

  • Version control with change log and effective date
  • Notification via website banner and direct email to registered contacts for material changes
  • Annual compliance review and sign-off by senior management

15 – Privacy-By-Design and Ongoing Assessments

We integrate privacy into product lifecycles by:

  • Conducting Privacy Impact Assessments (PIAs) at project initiation
  • Embedding data-minimisation, purpose limitation and retention rules into system design