PDPA Compliance
Last updated: April 2026
Our Commitment
ReferMe is built with data protection at its core. We comply with the Personal Data Protection Act 2012 of Singapore ("PDPA") and its 2020 amendments across every aspect of our platform. This page explains how we meet each of the PDPA's data protection obligations.
1. Consent Obligation
We collect explicit, informed consent for each specific data processing activity before collecting or using your personal data. Consent items are presented individually in plain language during registration. They are never bundled into a single terms-and-conditions acceptance.
Each consent record includes the timestamp, the consent version shown to you, the specific items you consented to, and the action taken (granted, modified or withdrawn). You can view, modify, or withdraw consent at any time from your account settings. Withdrawal takes effect within 24 hours, after which we stop the processing that depended on that consent.
2. Purpose Limitation Obligation
We collect and use personal data only for the purposes stated at the time of collection. These purposes include: account management, peer referral facilitation, AI-powered assessment, Greenlight Profile generation, payment processing, and platform notifications. We do not use your data for purposes beyond what you have consented to.
3. Notification Obligation
We inform you of the purposes for which we collect your data at the point of collection. Our Privacy Policy provides a comprehensive overview of all data processing activities. Any changes to how we use your data are communicated through the platform or by email before they take effect.
4. Access and Correction Obligation
You can access all personal data we hold about you through your account dashboard. You can correct inaccurate data directly through your profile settings. You can also request a complete copy of your personal data in a machine-readable format (JSON) from your account settings.
5. Accuracy Obligation
We take reasonable steps to ensure that the personal data we collect and use is accurate and complete, particularly where it is used to make a decision that affects you. Profile information is provided and maintained by you, and we encourage you to keep it current. AI assessment data is generated through structured analysis and carries a confidence score indicating how reliable each result is; because these assessments feed decisions about candidates, they are subject to human review before Greenlight status is awarded (see section 11).
6. Protection Obligation
We implement security measures proportional to the sensitivity of the data we handle:
- HTTPS with TLS 1.2 or higher is enforced for all connections; plaintext HTTP is not accepted
- All personal data encrypted at rest using AES-256
- Vouch session recordings encrypted at rest with keys managed in AWS KMS
- Role-based access control following the principle of least privilege
- Multi-factor authentication required for administrative accounts
- Audit logging of all access to and modification of personal data
- Sensitive credentials (API keys, database passwords) stored in AWS Secrets Manager, never in source code or configuration files
7. Retention Limitation Obligation
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Current retention periods are:
- User profiles: for the life of the account, then 1 year after account deletion
- Vouch session recordings: 2 years from the session date
- Audit logs: 5 years (compliance requirement)
- Financial records: 7 years (legal requirement)
When a retention period expires, the data is automatically deleted or anonymised so that it can no longer identify you. You can request deletion of your account and associated data at any time through your account settings; data we are legally required to keep (for example, financial records) is retained for the period above and then deleted.
8. Transfer Limitation Obligation
All personal data is stored and processed within the AWS Asia Pacific (Singapore) region (ap-southeast-1). We do not transfer personal data outside Singapore except where necessary for platform operation (for example, to Stripe for payment processing), and then only to recipients in jurisdictions with a standard of protection comparable to the PDPA or bound by contractual safeguards that require that standard.
9. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected individuals, or that affects the personal data of 500 or more individuals, we will notify the Personal Data Protection Commission (PDPC) as soon as practicable and no later than 3 calendar days after we assess the breach to be notifiable. Affected individuals will be notified as soon as practicable, with the information they need to protect themselves.
Our platform includes automated breach detection that alerts our Data Protection Officer and administrative team within 1 hour of detecting a potential breach.
10. Data Protection Officer
We have appointed a Data Protection Officer responsible for ensuring compliance with the PDPA. For any questions, concerns, or requests related to your personal data, contact our DPO at refermesg@gmail.com.
11. AI Governance
Our AI vetting engine follows the Model AI Governance Framework published by IMDA and PDPC. Specifically:
- AI assessments evaluate only job-relevant competencies
- Protected characteristics (race, gender, age, religion, marital status, disability) are excluded from assessment
- A human-in-the-loop review step is required before awarding Greenlight status
- Candidates can view their assessment scores and request clarification
- AI decisions are transparent, with confidence scores indicating reliability
This approach aligns with the Tripartite Guidelines on Fair Employment Practices (TGFEP) which require fair, merit-based hiring practices.
12. Your Rights Under PDPA
Under the PDPA and our own policies, you have the right to:
- Know what personal data we hold about you and how it is used
- Access your personal data
- Correct inaccurate personal data
- Withdraw consent for specific processing activities
- Request deletion of your personal data (subject to legal retention requirements)
- Request a copy of your data in a portable format
- Lodge a complaint with the PDPC if you believe your data has been mishandled