Orlant International Privacy Policy
*Last Updated: 2025.3.4*
*UEN: 201803122D*
1. Legal Basis & Compliance Framework
This policy adheres to:
- **Singapore Personal Data Protection Act 2012 (PDPA)**
- **Spam Control Act** (for electronic communications)
- **EU GDPR** (for EEA residents' data processing)
2. Data Controller Information
**Orlant International Pte Ltd**
11 Woodlands Close, #08-21, Singapore 737853
Data Protection Officer: dpo@orlant.com.sg
3. Lawful Data Collection
*3.1 Collected Data Categories*
| Purpose | Data Types | Legal Basis |
| --- | --- | --- |
| Product Sales | Name, Address, Contact Details | Contractual Necessity |
| Warranty Services | Installation Address, Device ID | Legal Obligation |
| Marketing | Email, Usage Patterns | Explicit Consent |
| App Functionality | Geolocation (Optional) | User Authorization |
*3.2 Prohibited Collections*
- Biometric data
- Racial/religious affiliations
- Government ID numbers
4. PDPA-Specific Provisions
*4.1 Consent Management*
- Opt-in checkboxes for marketing communications
- Withdrawal mechanism via [Unsubscribe Portal Link]
- Pre-ticked boxes strictly prohibited
*4.2 Data Retention Schedule*
| Data Type | Retention Period |
| --- | --- |
| Transaction Records | 5 years (IRAS compliance) |
| Warranty Data | 2 years post-expiry |
| Marketing Profiles | 24 months inactivity |
*4.3 Cross-Border Transfers*
When transferring data to ASEAN manufacturing partners:
- Execute PDPA-compliant Data Transfer Agreements
- Maintain registry at dpo@orlant.com.sg
5. Data Subject Rights (PDPA/GDPR)
Submit requests via [Data Rights Portal]:
- **Access**: Free report within 21 days
- **Correction**: 14-day resolution cycle
- **Portability**: JSON/CSV formats available
- **Deletion**: Partial retention for legal holds
6. Security Protocols
*6.1 Technical Measures*
- AES-256 encryption for IoT device communications
- Annual penetration testing by CREST-certified auditors
- PCI-DSS compliant payment processing
*6.2 Breach Response*
- Notify PDPC within 72 hours of confirmed incidents
- Customer notification via registered channels
7. Third-Party Management
*7.1 Vendor Requirements*
All service providers must:
- Maintain ISO 27001 certification
- Undergo quarterly compliance audits
- Submit to SSAE 18 assessments
*7.2 Advertising Partners*
- Google Ads: Restricted data processing mode enabled
- Facebook Custom Audience: Hashed email matching only
8. IoT Device Specifics
*8.1 Smart App Data Flows*
- Local data processing preferred (Singapore servers)
- Remote disablement feature for lost/stolen devices
*8.2 Sensor Data Handling*
- Weight sensors: Anonymized analytics
- Usage patterns: Aggregated statistics only
9. Children's Privacy
- Strictly no collection under age 14
- Parental consent required for warranty claims by minors
10. Policy Governance
- Biannual review cycle by Drew & Napier LLC
- Version history accessible at [Archive Link]
11. Dispute Resolution
- Singapore Data Protection Mediation Centre first recourse
- ICC arbitration for international claims (Rules of Arbitration)
---