SGBP ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit sgbp.tech, message us on WhatsApp, book a Calendly call, or engage us as a client.
This policy is governed by the Personal Data Protection Act 2012 of Singapore (PDPA). Where we process data of EU/UK residents, it is also aligned with the General Data Protection Regulation (GDPR).
1. Who we are (data controller)
The data controller is SGBP. Contact: connect@sgbp.tech.
Data Protection Officer. As required by PDPA §11(3), SGBP has designated a Data Protection Officer responsible for ensuring compliance with the PDPA. The DPO can be reached at connect@sgbp.tech with the subject line "PDPA Request" or "DPO". The DPO acknowledges all PDPA-related correspondence within 2 business days.
2. What we collect
2.1 Information you provide
- Name, email, phone, company, role, project brief (via Calendly, WhatsApp, project brief form).
- Billing and invoicing details (for engaged clients only).
- Any content you upload to shared spaces during a project (briefs, docs, screenshots).
2.2 Information we collect automatically
- Standard server logs (IP address, user agent, referrer, timestamp, requested URL). Retained ≤90 days.
- Analytics events via GA4 (page views, scroll depth, outbound clicks, CTA clicks). IP addresses are truncated before storage.
- Advertising attribution via Meta Pixel and Google Ads conversion tags (campaign source, click ID, conversion event).
- Cookies and similar local storage. See our Cookie Policy.
3. Why we collect it (purposes)
Each purpose below is paired with the lawful basis under the PDPA. The GDPR equivalent is shown in parentheses where applicable.
- Respond to enquiries from WhatsApp, Calendly, and forms. Basis: deemed consent by contractual necessity (PDPA §15) / pre-contract.
- Deliver services we are engaged to perform. Basis: deemed consent by contractual necessity (PDPA §15).
- Improve the website via analytics. Basis: legitimate interest exception (PDPA §17 First Schedule Part 3) — measurement of website performance is a recognised legitimate business interest.
- Marketing measurement. Remarketing and conversion attribution via Meta Pixel and Google Ads. Basis: deemed consent by notification (PDPA §15A) — this Privacy Policy and the Cookie Policy serve as that notification; you may opt out via browser controls described in the Cookie Policy.
- Legal compliance (tax records, statutory reporting under Singapore law). Basis: legal obligation (PDPA §17 First Schedule Part 3).
4. Who we share it with (processors & sub-processors)
| Recipient | Purpose | Region |
|---|---|---|
| Google (GA4, Google Ads) | Analytics, advertising | USA / global |
| Meta Platforms (Facebook Pixel, CAPI) | Advertising attribution | USA / global |
| Cloudflare | CDN, WAF, bot mitigation | Global |
| Calendly | Discovery call scheduling | USA |
| WhatsApp / Meta | Messaging | Global |
| HitPay / Stripe | Payment processing (clients only) | SG / global |
| Hosting infra (AWS / Vercel / Cloudflare) | Website hosting | SG / global |
We do not sell personal data. We share only what is needed to deliver the service requested.
5. International transfers (PDPA §26)
When personal data is transferred outside Singapore, we comply with the Transfer Limitation Obligation by ensuring the recipient is bound by contractually enforceable obligations that provide a standard of protection comparable to the PDPA. Specifically:
- Google (GA4, Google Ads). Bound by Google's Data Processing Addendum incorporating EU Standard Contractual Clauses and supplementary measures.
- Meta (Pixel, WhatsApp Business). Bound by Meta's Data Processing Terms incorporating SCCs.
- Cloudflare. Bound by Cloudflare's DPA; data may transit Singapore edge nodes before egressing.
- Calendly. Bound by Calendly's DPA; data is processed in the United States.
- HitPay / Stripe / Razorpay (payment processors, used only when invoicing). Data residency is Singapore, the United States, or India per the processor's region; in each case bound by the processor's DPA.
You may request a copy of any of these processor agreements by emailing connect@sgbp.tech.
6. How long we keep it (PDPA §25)
- Server logs: 90 days.
- Analytics events: 14 months (GA4 default retention setting).
- Advertising attribution data (Meta, Google Ads): 90 days.
- Enquiry messages (WhatsApp, Calendly, email): 24 months from the last interaction, unless you become a client.
- Client records: 7 years after engagement end (statutory retention under the Singapore Companies Act and the Income Tax Act).
Accuracy (PDPA §23). We rely on you to keep your contact details and project information up to date. If you change roles or email addresses, please let us know.
7. Your rights under PDPA
You have the following rights with respect to your personal data:
- Access (PDPA §21). Ask what personal data we hold about you. We respond within 30 days of receiving sufficient identification.
- Correction (PDPA §22). Ask us to correct an error or omission.
- Withdraw consent (PDPA §16). Withdraw consent at any time by emailing connect@sgbp.tech with the subject "Withdraw consent". We action within 30 days, confirm in writing, and tell you if withdrawal affects your ability to use our services or our ability to deliver an ongoing engagement.
- Deletion. Request deletion of personal data we no longer need to retain. We will action subject to legal retention obligations (e.g. statutory tax records).
- Data portability. Once the PDPA's Data Portability Obligation comes into force, you may request a copy of your personal data in a structured, commonly used, machine-readable format. We support this on a best-effort basis today.
Under GDPR (if you are an EU/UK resident), you additionally have rights to object to processing for direct marketing and to lodge a complaint with your national supervisory authority.
To exercise any right, email connect@sgbp.tech.
8. Children
Our services are B2B. We do not knowingly collect data from individuals under 18. If you believe we have inadvertently collected data from a minor, contact connect@sgbp.tech and we will delete it.
9. Security (PDPA §24)
We implement reasonable security arrangements appropriate to the sensitivity of the data, including: HTTPS (HSTS, TLS 1.2+), CSP, OWASP Top 10 hardening, least-privilege access controls, two-factor authentication on all admin accounts, encrypted backups, and continuous dependency scanning. See our Security & Trust page for details.
10. Data breach notification (PDPA §26A-D)
If a data breach occurs that (a) affects 500 or more individuals or (b) is likely to result in significant harm to any affected individual, we will:
- Notify the Personal Data Protection Commission within 3 calendar days of assessing the breach as notifiable.
- Notify affected individuals as soon as practicable, via the contact channel on file (typically email or WhatsApp).
- Provide a summary of the breach, the steps taken to mitigate harm, and the steps you can take to protect yourself.
We maintain an internal incident response runbook and review it at least annually.
11. Marketing communications
We do not engage in unsolicited telemarketing or unsolicited SMS marketing. If we ever expand to those channels, we will first check Singapore phone numbers against the Do Not Call Registry as required by the PDPA. You may opt out of any marketing email from us at any time using the unsubscribe link in that email or by emailing connect@sgbp.tech.
12. Changes to this policy
We may update this policy. Material changes are flagged at the top of the page with a new "Last reviewed" date. We do not retroactively reduce your rights. Material changes affecting how we use existing data will be notified to known contacts at least 14 days before they take effect.
13. Contact
Questions, requests, or complaints: connect@sgbp.tech (subject "PDPA Request" routes to the DPO).

