I. Introduction
At InterVal Solution Private Limited (IV), we are committed to protecting the privacy and security of personal data. This Data Privacy and Data Protection Policy outlines our responsibilities in collecting, processing, and safeguarding personal information, and ensures compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA) of 2012.
This policy applies to all employees, contractors, consultants, officers, and any other individuals or entities acting on behalf of IV. Failure to comply with this policy may result in disciplinary action and potential legal consequences.
II. Policy Objectives
This Data Privacy and Data Protection Policy aims to:
- Ensure compliance with local laws and alignment with international standards regarding the handling of personal data.
- Define the responsibilities of IV employees and officers in protecting personal data.
- Outline best practices and guidelines on data collection, processing, and storage to safeguard individuals’ privacy rights.
- Protect IV’s reputation and ensure that personal data is processed with the highest standards of security and integrity.
1. Compliance with Data Privacy Laws and Standards
IV is committed to full compliance with all applicable data protection laws and international standards. These include:
- General Data Protection Regulation (GDPR) – Provides comprehensive data protection standards for the European Union and regulates the collection, processing, and storage of personal data.
- Personal Data Protection Act (PDPA), 2012 – Governs the processing and protection of personal data in Singapore.
- ISO/IEC 27001 – An international standard that outlines best practices for information security management systems.
IV’s commitment to these laws ensures that personal data is handled with the utmost care and security, regardless of where we operate.
2. Definition of Personal Data
Personal Data refers to any information relating to an identifiable individual. This includes, but is not limited to:
- Basic Identifiers: Names, addresses, telephone numbers, identification numbers (e.g., passport, social security).
- Contact Information: Email addresses, phone numbers, or other contact details.
- Financial Information: Bank account details, payment records, and credit card information.
- Sensitive Personal Data: Data related to health, ethnicity, political opinions, religious beliefs, or other sensitive information as defined by applicable law.
Personal data can be stored in physical or digital form, and this policy covers all such data processed by IV.
3. Principles of Data Protection
IV is committed to upholding the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently, ensuring that individuals understand how their data is being used.
- Purpose Limitation: Data must only be collected for specific, explicit, and legitimate purposes and must not be processed for other purposes unless further consent is obtained.
- Data Minimization: Personal data should be adequate, relevant, and limited to what is necessary for the intended purpose.
- Accuracy: Personal data must be kept accurate and up to date. Inaccurate data must be corrected or deleted without delay.
- Storage Limitation: Personal data must not be kept for longer than is necessary to fulfill the purposes for which it was collected.
- Integrity and Confidentiality: Personal data must be processed securely to protect against unauthorized access, loss, or destruction.
- Accountability: IV must demonstrate compliance with all relevant data protection laws and take responsibility for safeguarding personal data.
4. Data Collection and Processing
IV collects and processes personal data in accordance with applicable laws, including the GDPR and PDPA. Personal data may be collected through various means, including website forms, applications, contracts, or business interactions.
- Lawful Basis for Processing: IV will process personal data only when there is a legitimate basis for doing so, including:
  - Consent: Where the individual has given clear consent for processing.
  - Contractual Necessity: When processing is necessary to fulfill a contractual obligation.
  - Legal Obligation: When processing is required by law.
  - Legitimate Interest: When processing is necessary for the legitimate interests of IV, unless these are overridden by the rights of the data subject.
- Data Subject Rights: Individuals have the right to:
  - Access their personal data.
  - Request corrections to inaccurate or incomplete data.
  - Request the deletion or restriction of their data.
  - Object to the processing of their data.
  - Withdraw consent at any time.
  - Lodge a complaint with the relevant data protection authority.
5. Data Storage, Retention, and Disposal
- Data Storage: IV ensures that all personal data is stored securely, whether electronically or physically. Electronic data is stored on secure servers, and physical records are kept in secure, access-controlled environments.
- Data Retention: Personal data will only be retained for as long as necessary to fulfill the purpose for which it was collected. Once the data is no longer required, it will be securely deleted or anonymized.
- Data Disposal: Personal data that is no longer needed will be securely disposed of through methods such as shredding physical documents or securely deleting digital records.
IV will review its data retention policies regularly to ensure compliance with applicable data protection laws.
6. Data Security
IV takes the security of personal data seriously and implements robust technical and organizational measures to protect it. These include:
- Encryption: All sensitive personal data is encrypted both in transit and at rest to protect it from unauthorized access.
- Access Controls: Access to personal data is restricted to authorized personnel only, with access granted based on the principle of least privilege.
- Regular Audits: Regular security audits and vulnerability assessments are conducted to identify and address potential security risks.
- Incident Response: IV has an established data breach response plan. In the event of a data breach, affected individuals will be notified promptly, and necessary remedial actions will be taken.
7. Data Sharing and Third-Party Relationships
IV may share personal data with third parties, including service providers, business partners, or regulatory authorities, but only where necessary and in compliance with data protection laws. Data will only be shared when:
- There is a legitimate basis for sharing, such as fulfilling a contractual obligation or complying with legal requirements.
- The third party has entered into a Data Processing Agreement (DPA) that outlines their responsibilities in safeguarding personal data.
- Data transfers comply with international data transfer laws, including restrictions on transferring data outside the European Economic Area (EEA) under the GDPR.
IV will monitor and audit third-party relationships to ensure they adhere to our data protection standards.
8. Data Breach Notification
In the event of a data breach that poses a risk to the rights and freedoms of individuals, IV will:
- Notify the Data Protection Authority within 72 hours of becoming aware of the breach.
- Inform Affected Individuals: Where the breach is likely to result in significant harm, IV will promptly notify affected individuals, explaining the nature of the breach and any actions they can take to mitigate risks.
The breach response plan will include measures to contain the breach, assess its impact, and prevent recurrence.
9. Data Subject Requests
IV will respond promptly to any requests from individuals regarding their personal data, including requests for access, correction, or deletion. Data subjects can make requests by:
- Contacting IV’s Data Protection Officer (DPO), who will be responsible for responding to inquiries and ensuring that rights are upheld.
- Retain documentation related to third-party due diligence, training sessions, and investigations for a set period, as required by law.
10. Protection of Customer Intellectual Property (IP) and Brand Assets
IV is committed to safeguarding all customer intellectual property (IP) and brand assets, including but not limited to names, logos, trademarks, proprietary designs, and confidential data. The Company will adhere to the following principles when handling these assets:
- Usage and Permissions: Customer IP and brand assets will only be used with explicit permission, as granted through written agreements or contracts. Any unauthorized use, alteration, or reproduction is strictly prohibited.
- Confidentiality: IV recognizes that customer IP and brand assets are sensitive and proprietary. All employees, contractors, and partners handling such assets are bound by confidentiality agreements to ensure the information is protected and not disclosed to unauthorized parties.
- Data Security: Customer brand assets, including digital logos and designs, will be stored securely in access-controlled environments. Electronic data will be encrypted both in transit and at rest to prevent unauthorized access or breaches.
- Third-Party Disclosure: IV will not share customer brand assets with third parties unless required for fulfilling contractual obligations. In such cases, third-party vendors must sign a Data Processing Agreement (DPA), ensuring that they adhere to the same confidentiality and data protection standards.
- Respect for Brand Integrity: IV will ensure that all uses of customer logos, trademarks, and brand identifiers are consistent with the customer’s brand guidelines and do not harm or distort their reputation.
- Compliance with Legal and Regulatory Standards: IV will comply with all applicable local and international IP laws and regulations, including those governing trademarks, copyrights, and confidential information. This includes maintaining proper documentation of usage rights and ensuring compliance with data protection laws.
- Data Retention and Disposal: Customer IP and brand assets will be retained only for the duration necessary to fulfill contractual obligations and will be securely deleted or returned upon request or when no longer required, in line with the Company’s data retention policy.
11. Employee Training and Awareness
IV will ensure that all employees and officers who handle personal data receive regular training on data protection laws, company policies, and security measures. Training will cover:
- Best practices for handling personal data.
- How to respond to data subject requests.
- Procedures for reporting data breaches.
- The importance of maintaining confidentiality and security.
Employees are required to complete training sessions regularly to ensure ongoing compliance with this policy.
12. Monitoring and Compliance
IV will monitor compliance with this policy and conduct regular audits to identify any potential areas of non-compliance. This includes:
- Internal Audits: Conducting periodic audits to ensure that personal data is being handled in accordance with applicable laws.
- Compliance Reporting: Ensuring that employees report any violations or concerns to the Data Protection Officer.
- Policy Review: Regularly reviewing and updating this policy to reflect changes in data protection laws and industry best practices.
13. Disciplinary Measures
Any employee found to have violated this policy may face disciplinary action, including:
- Warnings: Verbal or written warnings for minor violations.
- Suspension or Termination: For serious breaches, particularly those involving unauthorized access or disclosure of personal data.
- Legal Action: Where violations of this policy also breach applicable data protection laws, IV may initiate legal action and report the incident to authorities.
III. Commitment
InterVal Solution Private Limited is fully committed to safeguarding personal data and ensuring compliance with all relevant data protection laws. Through continuous monitoring, robust security measures, and comprehensive training, IV will continue to uphold the highest standards of data privacy and security.