Freesheart™ Pte. Ltd. (UEN 202615266C) (“Freesheart™”, “we”, “us”, “our”) is the data controller responsible for the personal data processed through our website. This Privacy Policy is designed to comply simultaneously with Singapore’s Personal Data Protection Act 2012 (“PDPA”), the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) (“UU PDP”).
1. Data We Collect
We collect only the personal data you choose to provide through our intake and contact form, and limited technical data necessary to operate the Website securely. Specifically:
| Category | Data | Source |
|---|---|---|
| Identity & contact | Full name, work email address | Provided by you |
| Professional profile | Organisation, selected service area | Provided by you |
| Inquiry context | The free-text description you submit | Provided by you |
| Technical / security | IP address, browser type, and approximate geolocation (country), used for security, spam-filtering, and consent purposes | Collected automatically |
We ask that you do not submit sensitive or special-category data (such as health records, classified or state information, or confidential corporate trade secrets) through the open description field. Please see the notice presented alongside the form.
2. Lawful Basis for Processing
We process your personal data only where we have a lawful basis to do so. We rely on the following bases (which map across the PDPA, GDPR, and UU PDP):
- Consent. By submitting the form and affirmatively ticking the consent box, you provide your freely given, specific, informed, and unambiguous consent to our processing of your data for the purpose of responding to and evaluating your inquiry (GDPR Art. 6(1)(a); PDPA ss. 13–14; UU PDP Art. 20).
- Pre-contractual necessity. We process your contact details and organisational profile to take steps at your request prior to entering into a possible engagement — specifically, to assess and scope the commercial viability and fit of a prospective project (GDPR Art. 6(1)(b)).
- Legitimate interests. For limited technical and security processing (preventing spam, fraud, and abuse, and maintaining the security of the Website), we rely on our legitimate interests, balanced against your rights (GDPR Art. 6(1)(f)).
3. How We Use Your Data
- To respond to your inquiry and communicate with you about it;
- To evaluate the scope, fit, and feasibility of a prospective engagement;
- To establish and, where applicable, perform a subsequent engagement;
- To maintain the security and integrity of the Website; and
- To comply with applicable legal and regulatory obligations.
We do not sell your personal data, and we do not use it for automated decision-making that produces legal or similarly significant effects on you.
4. Cross-Border Data Transfer
Our Website and form submissions are hosted on Netlify’s global cloud server network, which may store and process data in data centres located outside your country of residence, including in Singapore, the European Union, and the United States. Where personal data is transferred across borders, we ensure an adequate and lawful level of protection through one or more of the following mechanisms:
- The European Commission’s Standard Contractual Clauses (“SCCs”) for transfers of personal data to third countries, as incorporated into our processor agreements;
- The framework of the EU–Singapore Digital Trade Agreement (“EUSDTA”) and recognised adequacy or comparable-protection arrangements between the relevant jurisdictions;
- The Global Cross-Border Privacy Rules (“CBPR”) system and the PDPA’s transfer-limitation requirements, ensuring transferred data receives a standard of protection comparable to that under Singapore law; and
- Equivalent safeguards required under the UU PDP for international transfers from Indonesia.
5. Data Retention & Minimisation
We adhere to the principle of data minimisation and retain personal data only for as long as necessary for the purposes for which it was collected.
Retention schedule. Personal data arising from inquiries that do not mature into a signed engagement is completely and permanently purged from all digital repositories within twenty-four (24) months of the last substantive contact. Where an engagement proceeds, data is retained for the duration of the engagement and any period thereafter required by applicable law (for example, tax, accounting, and limitation periods), after which it is securely deleted or anonymised.
6. Your Rights
Subject to applicable law, you hold the following rights in respect of your personal data, which we honour universally across all jurisdictions we serve:
- Right of access — to obtain confirmation of, and a copy of, the personal data we hold about you;
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible;
- Right to rectification — to have inaccurate or incomplete data corrected;
- Right to erasure (“right to be forgotten”) — to request deletion of your data where there is no overriding lawful basis to retain it;
- Right to withdraw consent — to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Right to restrict or object — to restrict or object to certain processing, including processing based on legitimate interests.
7. Data Protection Officer & Response Timeline
We have appointed a Data Protection Officer (“DPO”) responsible for overseeing compliance with this policy and applicable data-protection law. You may exercise any of your rights, or raise any concern or complaint, by contacting the DPO:
Data Protection Officer
Freesheart™ Pte. Ltd.
Email: dpo@freesheart.com
We will acknowledge and substantively respond to every verified request within a mandatory maximum timeline of thirty (30) days from receipt. Where a request is complex or numerous, we will inform you within that period of any necessary extension and the reasons for it, consistent with applicable law.
If you are located in the European Union, you also have the right to lodge a complaint with your local supervisory authority. If you are located in Singapore, you may refer the matter to the Personal Data Protection Commission (PDPC). If you are located in Indonesia, you may refer the matter to the relevant authority designated under the UU PDP.
8. Cookies & Tracking
We operate the Website with privacy by default. We use only the cookies and local storage strictly necessary for the Website to function and to record your cookie-consent preference. We do not deploy advertising or profiling cookies. Any non-essential analytics or tracking technologies are blocked by default and are loaded only after you provide consent through our cookie banner. For visitors detected within the European Union and European Economic Area, all non-essential tracking remains disabled unless and until you actively opt in.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including transport encryption (TLS) and access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security; you transmit data to us at your own risk.
10. Changes to this Policy
We may update this Privacy Policy from time to time. The “Effective date” above indicates when it was last revised. Material changes will be notified through a prominent notice on the Website. This Privacy Policy should be read together with our Disclaimer and Terms and Conditions.
