Legal

Privacy Policy

Last updated: April 2026

1. Introduction

ReferMe Pte. Ltd. ("ReferMe", "we", "us", "our") is committed to protecting the personal data of our users in accordance with the Personal Data Protection Act 2012 of Singapore ("PDPA"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our platform.

2. Data We Collect

We collect the following categories of personal data:

Account information. When you register, we collect your name, email address, and role selection (candidate, referrer, or company representative). We store a hashed version of your password. We never store passwords in plain text.

Profile information. Depending on your role, we collect professional summaries, employment history, education credentials, skills, industry expertise, LinkedIn profile URLs, company information, and profile photographs.

Vouch session recordings. When you participate in a vouch session, the audio and video of the session are recorded with your explicit consent. These recordings are used for AI-powered assessment and quality assurance.

AI assessment data. Our AI vetting engine analyses vouch session recordings to generate scores across four assessment pillars. These scores, along with supporting signals and analysis, are stored as part of your Greenlight Profile.

Usage data. We collect information about how you interact with the platform, including pages visited, features used, and timestamps. This data is used to improve the platform and is not shared with third parties.

Payment information. Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. We store transaction records including amounts, dates, and payment status.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your account
  • To facilitate peer referrals and vouch sessions
  • To generate AI-powered assessments and Greenlight Profiles
  • To enable companies to discover and evaluate candidates
  • To process payments, referral commissions, and advisory session fees
  • To send notifications about platform activity relevant to your role
  • To maintain platform security and prevent abuse
  • To comply with legal obligations

4. Consent

We collect your consent for each specific data processing activity separately. Consent items are presented in plain language during registration and can be reviewed and modified at any time from your account settings.

You may withdraw consent for any specific processing activity at any time. Withdrawal of consent will take effect within 24 hours. We will notify you of any consequences of withdrawing consent before processing your request.

5. Data Sharing

With companies. If you are a candidate with Greenlight status and have granted consent for profile sharing, your Greenlight Profile (including assessment scores, referrer vouch details, and key signals) will be visible to registered hiring companies on the platform.

With service providers. We use third-party services to operate the platform, including Amazon Web Services (infrastructure), Stripe (payments), and Daily.co (video sessions). These providers process data on our behalf under contractual obligations to protect your data.

We do not sell your personal data. We do not share your data with third parties for marketing purposes.

6. Data Security

All data is encrypted in transit using TLS 1.2 or higher. All personal data is encrypted at rest using AES-256 encryption. Vouch session recordings are encrypted with keys managed through AWS Key Management Service. Access to personal data is controlled through role-based access following the principle of least privilege.

7. Data Retention

We retain your data for the following periods:

  • User profiles: duration of your account plus 1 year after deletion
  • Vouch session recordings: 2 years from the session date
  • Audit logs: 5 years (required for compliance)
  • Financial transaction records: 7 years (required by law)

When a retention period expires, the associated data is automatically deleted or anonymised.

8. Your Rights

Under the PDPA, you have the right to:

  • Access your personal data held by us
  • Correct inaccurate personal data
  • Withdraw consent for specific processing activities
  • Request deletion of your personal data
  • Download a copy of your personal data in a machine-readable format

To exercise any of these rights, use the settings in your account dashboard or contact our Data Protection Officer.

9. Data Protection Officer

Our Data Protection Officer can be contacted at refermesg@gmail.com for any questions or concerns about how we handle your personal data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes through the platform or by email. Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.