Privacy Policy
Last updated on 23 Jan 2025
1. ABOUT THIS POLICY
PsychDesk Pte. Ltd. (UEN: [TBC]) (“PsychDesk”, “we”, “us”, or “our”) is incorporated in Singapore and operates a digital mental health and psychology platform that connects individuals with licensed mental health professionals, provides psychological assessments, wellness resources, and related telehealth services (“Platform” or “Services”).
This Privacy Policy ("Policy") explains how PsychDesk collects, uses, discloses, protects, and retains personal data about you in connection with your use of our Platform, in accordance with:
the Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020 ("PDPA");
the Personal Data Protection Regulations 2021 ("PDPR");
guidelines and advisory guidelines issued by the Personal Data Protection Commission ("PDPC"), including the Advisory Guidelines on Key Concepts in the PDPA and the Advisory Guidelines on the PDPA for Healthcare Sector;
the Healthcare Services Act 2020 ("HSA 2020") and subsidiary legislation thereunder;
the Private Hospitals and Medical Clinics Act (Cap. 248) ("PHMC Act") where applicable;
the Mental Health (Care and Treatment) Act (Cap. 178A) ("MHCTA");
the Cybersecurity Act 2018 ("CSA 2018");
the Electronic Transactions Act 2010 ("ETA");
the Computer Misuse Act 1993 (Cap. 50A);
the Telehealth Framework published by the Ministry of Health ("MOH"); and
all other applicable Singapore laws and regulations.
By accessing or using our Platform, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not use the Platform.
1.1 Scope of This Policy
This Policy applies to all personal data collected from:
clients, patients, and users of the Platform ("Users");
mental health professionals, psychologists, and counsellors registered on the Platform ("Practitioners");
corporate clients, employers, and organisations that subscribe to PsychDesk's enterprise services ("Corporate Clients");
job applicants, employees, and contractors; and
visitors to our website(s) and mobile applications.
This Policy does not apply to personal data of our employees collected in the context of employment, which is governed by a separate Employee Data Protection Notice.
1.2 Amendments to This Policy
We reserve the right to amend this Policy at any time. Material changes will be notified to you via email or prominent notice on the Platform at least fourteen (14) days before taking effect, or such longer period as required by applicable law. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.


3.2 Data We Do NOT Collect
Unless explicitly required for a specific service and with your express consent, PsychDesk does not collect:
biometric data (e.g., fingerprints, facial recognition data) as a primary means of identification;
racial or ethnic origin;
political opinions or religious beliefs; or
data revealing trade union membership.
3.3 Accuracy of Personal Data
Pursuant to the Accuracy Obligation under section 23 of the PDPA, we take reasonable steps to ensure that personal data collected is accurate and complete. You are responsible for providing accurate information and for updating your data as circumstances change. You may update your information at any time through your account settings or by contacting our DPO.
4. HOW WE COLLECT PERSONAL DATA
4.1 Direct Collection
We collect personal data directly from you when you:
register an account on the Platform;
complete onboarding questionnaires or health intake forms;
book, attend, or cancel appointments with Practitioners;
use Platform messaging or video consultation features;
complete psychological assessments or wellness check-ins;
make payments or request refunds;
contact our support team;
respond to surveys, feedback forms, or promotional communications;
apply to become a registered Practitioner; or
interact with our website(s), mobile applications, or marketing communications.
4.2 Automated Collection
We automatically collect certain technical and usage data through:
Cookies and Tracking Technologies: see Section 16 for full details, including cookie categories, opt-out mechanisms, and compliance with the Spam Control Act (Cap. 311A).
Server Logs: IP addresses, request timestamps, and HTTP referrer headers automatically recorded by our web servers.
Mobile SDKs: Analytics SDKs embedded in our mobile applications (e.g., Firebase Analytics, Mixpanel) which may collect device identifiers and in-app behaviour.
Session Recordings: Where enabled with your consent, session recording tools (e.g., heat-mapping) that capture user interactions on our web interface.
4.3 Collection from Third Parties
We may receive personal data about you from:
Referral Practitioners or Healthcare Providers: clinical notes or referral letters from general practitioners or specialists who refer you to PsychDesk.
Corporate Clients / Employers: your name, email, and Employee Assistance Programme (EAP) eligibility when your employer subscribes to our corporate plan.
Insurance Providers: policy coverage information relevant to claims processing.
Identity Verification Services: Singpass/MyInfo data retrieved via the National Digital Identity framework (with your explicit authorisation through the Singpass app).
Social Login Providers: basic profile data (name, email) if you choose to log in via Google or Apple ID.
Payment Processors: transaction confirmation and tokenised card data from our PCI-DSS-compliant payment gateway.
⚑ PDPA Obligation — Collection Limitation (Section 18): We collect personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and only what is necessary for those purposes. We do not collect data "just in case" it may be useful in the future.
5. LEGAL BASIS FOR PROCESSING PERSONAL DATA
The PDPA requires organisations to have valid grounds to collect, use, or disclose personal data. PsychDesk relies on the following legal bases:
5.1 Consent (Sections 13–15, PDPA)
The primary basis for processing your personal data is your consent, which we obtain:
by presenting clear notification of purposes before or at the point of collection;
through your affirmative action (e.g., ticking a consent checkbox, clicking "I Agree"); and
separately for sensitive health and mental health data, via an additional explicit consent mechanism embedded in our intake process.
Consent is not bundled with general terms of service where such bundling would be contrary to PDPC advisory guidelines.
5.2 Deemed Consent by Conduct (Section 15A, PDPA)
Where you voluntarily provide personal data and it is reasonable in the circumstances to conclude you have consented to its collection for the stated purpose (e.g., providing your phone number when booking an appointment so that you can receive appointment reminders), we rely on deemed consent by conduct.
5.3 Deemed Consent by Contractual Necessity (Section 15B, PDPA)
Where it is necessary to disclose your personal data to a third party (e.g., your insurer) for the performance of a contract to which you are a party, and it is impractical to obtain separate consent, we may rely on this ground. We will notify you of such disclosures.
5.4 Legitimate Interests (Section 15C, PDPA)
We may process personal data without consent where we have a legitimate business or public interest, subject to a three-part test:
the purpose is a legitimate interest of PsychDesk or a third party;
processing is necessary (not merely convenient) for that purpose; and
the legitimate interest is not outweighed by any adverse effect on your personal data protection rights.
Examples include: fraud prevention, network security monitoring, and anonymised analytics for service improvement.
5.5 Exceptions Under the Second, Third, and Fourth Schedules (PDPA)
We may also process personal data without consent in circumstances listed in the PDPA's Schedules, including:
National Interest / Life-Threatening Situations: where necessary to respond to an emergency that threatens life, health, or safety.
Research and Statistics: for research or statistical purposes under conditions prescribed by PDPC, provided results do not identify individuals.
Legal Proceedings: where required to comply with legal obligations, court orders, or legal proceedings.
Evaluative Purposes: for evaluating an individual's suitability for employment or professional registration (for Practitioners).
News Activity (Not Applicable): we do not claim this exception.
8.3 No Sale of Personal Data
PsychDesk does not sell, rent, or trade personal data to any third party for monetary or other valuable consideration. This applies without exception to health and mental health data.
9. TRANSFER OF PERSONAL DATA OUTSIDE SINGAPORE
The PDPA's Transfer Limitation Obligation (section 26) prohibits the transfer of personal data outside Singapore unless the recipient country or territory ensures a standard of data protection comparable to that under the PDPA, or a prescribed exception applies.
9.1 Default Position
PsychDesk's primary infrastructure is hosted in Singapore (AWS Singapore / ap-southeast-1 region). We do not routinely transfer personal data outside Singapore. All mental health and clinical data is stored and processed exclusively in Singapore.
9.2 Circumstances Where Cross-Border Transfer May Occur
We may transfer certain non-clinical personal data (e.g., usage analytics, marketing data) to service providers in other jurisdictions, subject to:
Contractual Protections: binding standard contractual clauses or model clauses prescribed under the PDPR, or clauses approved by PDPC, incorporated into our Data Intermediary agreements.
ASEAN Cross-Border Privacy Rules (CBPR): where the recipient has been certified under the ASEAN CBPR system, which provides a baseline of data protection standards.
Adequacy Recognition: where PDPC has recognised that the recipient jurisdiction provides a standard of data protection comparable to that under the PDPA.
Your Consent: where we have obtained your prior, explicit, and informed consent to the specific transfer, including notification of associated risks.

7. CHILDREN'S PRIVACY
Our website is not directed to individuals under the age of 18. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to remove such information.
Retention periods by data category:
Data Category | Retention Period | Basis / Reference
Medical / Clinical Records (per MOH guidelines) | 6 years from last consultation, or until the patient turns 21 (for minors), whichever is later | Private Hospitals and Medical Clinics Act / MOH Administrative Circular
Psychological Assessment Reports | 6 years from date of report | MOH guidelines (clinical record classification)
Session Notes and Treatment Plans | 6 years from last consultation | MOH guidelines
Crisis / Risk Assessment Records | 7 years (extended retention given safety implications) | Internally mandated
Minor Records (under 18 at time of treatment) | Until patient turns 21 or 6 years from last consultation, whichever is longer | MOH guidelines
Financial / Transaction Records | 7 years from transaction date | Income Tax Act (Cap. 134) / IRAS requirement
Insurance Claims Records | 7 years or as required by insurer, whichever is longer | Insurance Act / contractual
User Account Data (non-clinical) | 3 years after account closure or last login, whichever is later | PDPA proportionality / limitation period
Communications & Support Tickets | 3 years from close of interaction | Limitation Act (Cap. 163) — 6-year limitation period for civil claims
Data Breach Notification Records | 5 years from date of breach notification | PDPA Part VIA / PDPC Guidance
Marketing Consent Records | Until consent is withdrawn plus 3 years | Limitation Act
CCTV Footage (physical premises) | 30 days, unless required for investigation | PDPC Best Practice Guide for CCTV
Job Application Data (unsuccessful) | 2 years from date of rejection | PDPC Advisory on Employment Practices
Cookies and Web Analytics | Session cookies: deleted on browser close. Persistent cookies: max 13 months. | PDPC Guidance on Cookies
10.1 Disposal Methods
Upon expiry of the applicable retention period, personal data is disposed of securely by:
Electronic Data: cryptographic erasure (overwriting encryption keys) or secure deletion using NIST 800-88-compliant methods, as appropriate.
Physical Records: cross-cut shredding using a DIN 66399 Level P-4 or higher shredder. Records containing sensitive health data are shredded at Level P-5 or higher.
Cloud Storage: deletion via provider API with confirmation, supplemented by an audit log of the deletion action.
⚑ Legal Hold Override: Where personal data is subject to a legal hold (e.g., pending litigation or regulatory investigation), the standard retention period is suspended. Data will not be disposed of until the legal hold is lifted by our legal team.
11. PROTECTION OF PERSONAL DATA
Pursuant to the Protection Obligation (section 24, PDPA), we implement reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks to personal data.
11.1 Technical Safeguards
Encryption at rest: AES-256 for all databases storing personal data; AES-256-GCM for health data storage.
Encryption in transit: TLS 1.3 (minimum TLS 1.2 for legacy system compatibility). HTTP Strict Transport Security (HSTS) enforced.
Database access: encrypted connections only; database servers are not publicly accessible; access restricted to application servers within a private VPC.
Authentication: multi-factor authentication (MFA) mandatory for all staff accessing personal data; enforced for Users accessing health records.
Secrets management: AWS Secrets Manager / equivalent for credential management; no hardcoded credentials.
Intrusion detection: network intrusion detection system (NIDS) and host-based intrusion detection system (HIDS) deployed.
Vulnerability management: quarterly penetration testing by a third-party ISO 27001-accredited firm; monthly automated vulnerability scans; critical patches applied within 72 hours.
Web application firewall (WAF): deployed in front of all public-facing APIs.
API security: OAuth 2.0 / OpenID Connect for third-party integrations; rate limiting and OWASP API Security Top 10 mitigations applied.
11.2 Organisational Safeguards
Role-based access control (RBAC): access to personal data is granted on the principle of least privilege.
Access logs: all access to health data is logged with user identity, timestamp, and data accessed. Logs are immutable and retained for 2 years.
Background checks: all staff with access to health data undergo criminal background checks prior to employment.
Data Protection Training: mandatory annual training for all staff on PDPA obligations and PsychDesk's data protection policies.
Confidentiality agreements: all staff, contractors, and Practitioners are bound by signed confidentiality agreements.
Data minimisation: systems are designed to collect and display only the minimum data necessary (privacy by design).
Vendor due diligence: all Data Intermediaries are assessed for security posture before engagement and annually thereafter.
11.3 Physical Safeguards
Offices and server rooms are access-controlled (key card / biometric access).
Clean desk policy enforced for staff handling physical documents containing personal data.
Physical records containing health data are stored in locked cabinets.
11.4 Business Continuity and Disaster Recovery
PsychDesk maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure the availability and integrity of personal data during service disruptions. Clinical data is backed up daily, with a recovery point objective (RPO) of 24 hours and a recovery time objective (RTO) of 4 hours.
⚑ Cybersecurity Act 2018 (CSA): Where PsychDesk is or becomes designated as an owner or operator of a Critical Information Infrastructure (CII) under the Cybersecurity Act, we will comply with all applicable CII obligations including mandatory reporting of cybersecurity incidents to the Cybersecurity Agency of Singapore (CSA).
12. YOUR RIGHTS UNDER THE PDPA
12.1 Right of Access (Section 21, PDPA)
You have the right to request access to your personal data held by PsychDesk, including:
confirmation of whether we hold any personal data about you;
a copy of your personal data in a format that is generally understandable; and
information about the ways in which your personal data has been or may have been used or disclosed in the one (1) year preceding your request.
We will respond to access requests within thirty (30) calendar days of receipt. If we require additional time (up to a maximum of sixty (60) days total), we will notify you within the initial thirty-day period and provide reasons for the extension.
We may charge a reasonable fee for processing access requests. We will notify you of any such fee before processing the request.
We may decline to provide access in circumstances permitted by the PDPA (e.g., where disclosure would harm another person's life or safety, reveal confidential commercial information, or be contrary to national interest).
12.2 Right of Correction (Section 22, PDPA)
You have the right to request that we correct any inaccurate personal data. We will correct personal data that is shown to be factually inaccurate and notify you of the correction within thirty (30) calendar days. We may decline to make corrections if: (a) we are satisfied the personal data is accurate; or (b) the correction is of an opinion rather than a fact.
Where we decline to make a correction, we will annotate the personal data with a note of your correction request.
12.3 Right to Data Portability (Section 26H, PDPA — effective 1 February 2022)
The PDPA's data portability obligation gives you the right to request that we transmit your personal data to another organisation ("receiving organisation") in a commonly used machine-readable format (e.g., JSON, CSV, HL7 FHIR for health data), subject to the following conditions:
the data is personal data provided by you (not derived data);
the data is held in electronic form;
the request specifies the data to be ported and the receiving organisation;
the receiving organisation is prescribed as a Porting Organisation under the Personal Data Protection (Portability) Regulations; and
the request is technically feasible.
Portability requests will be processed within sixty (60) calendar days. We will notify you if we are unable to fulfil the request and provide reasons. We may charge a reasonable fee. Portability does not apply to data held for safety, fraud prevention, or where it would adversely affect another individual.
12.4 Right to Withdraw Consent (Section 16, PDPA)
You may withdraw consent to the collection, use, or disclosure of your personal data at any time, subject to legal and contractual restrictions. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To withdraw consent, you may: (a) adjust your privacy settings in your account dashboard; (b) submit a request to our DPO (see Section 19); or (c) for marketing communications, click the 'unsubscribe' link in any email or SMS.
We will process your withdrawal request within thirty (30) calendar days and notify you of the likely consequences, which may include inability to provide certain services. Withdrawal of consent to process clinical data necessary for your care may require discontinuation of your care relationship with PsychDesk Practitioners.
12.5 Do Not Contact (Opt-Out of Marketing)
Where you have not opted in to marketing communications, or where you opt out, we will cease sending you promotional materials within ten (10) business days. This does not affect service-related communications (e.g., appointment confirmations, billing notices) which are necessary for the provision of services.
12.6 How to Exercise Your Rights
Submit a written request to our Data Protection Officer (see Section 19). Include: your full name, NRIC/FIN/Passport number (for identity verification), the specific right you are exercising, and sufficient information to identify the personal data concerned. We may verify your identity before processing the request.
13. MANDATORY DATA BREACH NOTIFICATION
The Personal Data Protection (Amendment) Act 2020 introduced mandatory breach notification obligations (Part VIA of the PDPA, in force 1 February 2021). PsychDesk's obligations and procedures are set out below.
13.1 Assessment of Data Breaches
Upon becoming aware of a potential data breach, we will:
conduct an initial assessment within twenty-four (24) hours to determine whether a data breach has occurred and its preliminary scope;
escalate to our Data Breach Response Team, comprising the DPO, CISO, CEO, and legal counsel;
complete a full Data Breach Impact Assessment ("DBIA") within three (3) calendar days; and
determine whether the breach is a "notifiable data breach" under the PDPA.
13.2 Notifiable Data Breach Criteria
A data breach is notifiable if it results in, or is likely to result in:
significant harm to affected individuals (e.g., risk of identity theft, financial fraud, physical harm, harassment, reputational damage, damage to personal relationships, or severe distress); or
significant impact on PsychDesk (i.e., affecting 500 or more individuals).
Given that PsychDesk processes health and mental health data, virtually all breaches involving clinical records are presumed to meet the significant harm threshold.
13.3 PDPC Notification
Where a breach is notifiable, PsychDesk will notify the PDPC as soon as practicable and in any case within three (3) calendar days of assessing that the breach is notifiable. Notification will be made through the PDPC's Data Breach Portal and will include:
date and time of the breach (if known);
nature and categories of personal data affected;
number of affected individuals (estimated if exact number unknown);
likely consequences of the breach;
measures taken or proposed to address the breach; and
contact details of the DPO.
13.4 Individual Notification
Where the breach is likely to result in significant harm to affected individuals, we will notify each affected individual as soon as practicable, via their registered email address and/or mobile number. Notification to individuals will include:
a plain-language description of what happened;
the categories of personal data affected;
measures we have taken to address the breach;
what the individual can do to protect themselves; and
contact details for further enquiries.
We may delay notification to affected individuals if requested by law enforcement, or where notification itself would impede investigation.
13.5 Breach Involving Health Data — Additional Obligations
In addition to PDPA obligations, breaches involving health records may trigger:
notification obligations under the Healthcare Services Act 2020 to the Director of Medical Services (MOH);
disclosure to affected Practitioners so that they can fulfil their own professional obligations; and
activation of our Crisis Communication Protocol for media management.
⚑ PDPC Guidance on Breach Notification: PsychDesk maintains a Data Breach Response Plan (DBRP) as a standalone policy document, tested annually through tabletop exercises. A copy of the DBRP is available to auditors and regulators upon request.
14. DO NOT CALL (DNC) REGISTRY
The PDPA's Do Not Call provisions (Part IX) regulate the sending of specified messages (telemarketing calls, SMS, fax) to Singapore telephone numbers registered on the Do Not Call Registry administered by the PDPC.
14.1 Our DNC Compliance Obligations
PsychDesk will:
check the DNC Registry before sending any specified marketing message to a Singapore telephone number;
not send specified messages to numbers registered on the DNC Registry unless we have the individual's clear and unambiguous consent to receive such messages;
maintain records of all DNC Registry checks for at least three (3) years;
maintain records of all consents to receive specified messages, including the date, time, and means of consent; and
process opt-out requests within fourteen (14) days for SMS and other electronic messages.
14.2 Exemptions
The following communications are not subject to DNC obligations and may be sent regardless of DNC registration:
appointment reminders and service notifications (non-marketing communications);
urgent clinical communications (e.g., safety alerts, crisis outreach by a Practitioner);
billing and payment notifications; and
communications sent to existing customers about PsychDesk's own goods or services where there is an ongoing business relationship and a reasonable expectation of such communications.
For the avoidance of doubt, all clinical communications are treated as service communications, not marketing, and are not subject to DNC restrictions.
14.3 Opt-Out
To opt out of receiving specified messages, you may: (a) reply "STOP" to any marketing SMS; (b) click the unsubscribe link in any marketing email; (c) adjust your communication preferences in your account settings; or (d) contact our DPO. Opt-out requests will be processed within ten (10) business days.
16. COOKIES AND TRACKING TECHNOLOGIES
PsychDesk uses cookies, web beacons, pixel tags, local storage, and similar technologies ("Cookies") on our website and mobile applications. The PDPA and PDPC guidance on cookies require transparency and, for non-essential cookies, consent.
Category | Purpose / Examples | Consent Required
Strictly Necessary Cookies | Session management, authentication, security (CSRF tokens, load balancing). Cannot be disabled — essential for the website to function. | No — exempt under legitimate interest
Functional Cookies | Remembering preferences (language, time zone), auto-fill, chat session state. | Yes — opt-in consent required
Performance / Analytics Cookies | Aggregate usage statistics (Google Analytics, Hotjar equivalent). IP addresses anonymised before processing. | Yes — opt-in consent required
Marketing / Targeting Cookies | Personalised advertising on third-party platforms (remarketing). Currently not deployed. | Yes — opt-in consent required if deployed
Third-Party Cookies | Embedded content (e.g., video SDKs, chatbots). Governed by third-party privacy policies. We list all third-party cookie providers in our Cookie Declaration. | Yes — as applicable
16.2 Cookie Management
Upon first visit, our Consent Management Platform (CMP) presents you with a cookie consent banner. You may: (a) accept all cookies; (b) reject all non-essential cookies; or (c) configure your preferences granularly by category. Your consent is stored for twelve (12) months, after which you will be prompted to renew your preferences.
You may also manage cookies through your browser settings or device settings. Note that disabling cookies may affect the functionality of certain features of the Platform.
A full Cookie Declaration listing all cookies, their purpose, provider, and duration is maintained on our website and updated whenever our cookie profile changes.
17. USE OF ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
PsychDesk may use artificial intelligence ("AI") and machine learning ("ML") technologies to enhance its services. Given the sensitivity of mental health data, we apply the following principles derived from PDPC's Model AI Governance Framework (2nd Edition, 2020):
Chatbot / Virtual Assistant: Used for appointment scheduling, FAQs, and crisis resource signposting only. Not used for clinical diagnosis or therapeutic intervention. Clearly identified as AI to users.
Risk Flagging System: Analyses anonymised session data patterns to flag potential safety concerns for clinical review. Outputs are alerts to Practitioners — no automated intervention is taken.
Natural Language Processing (NLP) in Assessments: Assists in scoring and analysing standardised validated assessment tools (e.g., PHQ-9, GAD-7). Results are reviewed by a qualified Practitioner before being acted upon.
Practitioner Matching Algorithm: Uses anonymised clinical intake data to suggest suitable Practitioners. Final matching decision remains with the User. No individual is denied access to services based solely on automated processing.
17.2 Transparency and Human Oversight
We do not make significant decisions about your clinical care based solely on automated processing without human review by a qualified clinician. AI-generated insights are supplementary to, and do not replace, the professional judgment of our registered Practitioners.
You have the right to request a human review of any AI-generated recommendation that affects your care by contacting our DPO.
17.3 No Use of Health Data for AI Training Without Consent
PsychDesk will not use individually identifiable health data to train AI/ML models without your explicit, separate consent. Any training dataset used for AI model development is anonymised or synthetic.
18. HEALTHCARE REGULATORY COMPLIANCE
18.1 Healthcare Services Act 2020 (HSA 2020)
Where PsychDesk's services are classified as licensable healthcare services under the Healthcare Services Act 2020 (e.g., psychological medicine, counselling services), PsychDesk will:
obtain and maintain the applicable licence(s) from the Director of Medical Services;
comply with licensing conditions pertaining to patient records and data management;
comply with the Healthcare Services (Clinical Governance) Regulations; and
contribute to the National Electronic Health Record (NEHR) as required under Section 18A of the HSA 2020 (where applicable).
18.2 MOH Telehealth Framework
PsychDesk's telehealth services comply with MOH's Telehealth Framework (2015, updated 2022), including:
verification of Practitioner registration with the Singapore Medical Council (SMC), Singapore Psychological Society (SPS), Singapore Register of Psychologists (SRP), or other relevant professional body;
maintenance of clinical documentation standards equivalent to in-person consultations;
ensuring continuity of care obligations are met; and
compliance with restrictions on telehealth prescribing where applicable.
18.3 Professional Registration and Credential Verification
All Practitioners on the Platform are verified against the relevant professional registers (SMC Online Register, SPS-SRP Register, SSAB Register for social workers) before being permitted to provide services. Credential data is retained for the duration of the Practitioner's engagement with PsychDesk and for seven (7) years thereafter.
18.4 Mental Health (Care and Treatment) Act
Our Practitioners are aware of their obligations under the Mental Health (Care and Treatment) Act (Cap. 178A), including circumstances where involuntary psychiatric assessment or treatment may be required. PsychDesk's Emergency Protocol is aligned with MHCTA procedures.
19. DATA PROTECTION OFFICER
19.1 Designation
PsychDesk has designated a Data Protection Officer ("DPO") in accordance with section 11(3) of the PDPA. The DPO is responsible for:
ensuring PsychDesk's compliance with the PDPA and this Policy;
handling data protection queries, access/correction/portability requests, and complaints;
conducting and maintaining a Data Protection Impact Assessment (DPIA) programme;
coordinating data breach response; and
maintaining PsychDesk's registration with the PDPC (where applicable).
19.2 Contact Details
Email: dpo@psychdesk.in
Postal Address: PsychDesk Pte. Ltd., [Registered Address], Singapore [Postal Code]
Response Time: We will acknowledge receipt within 2 business days and provide a substantive response within 30 calendar days (or 60 days for complex requests).
Languages: English
If you are unsatisfied with our response to a data protection query or complaint, you may lodge a complaint with the PDPC at www.pdpc.gov.sg or by calling the PDPC hotline at 1800-PDPA-PDPC (1800-737-2737).
20. LINKS TO THIRD-PARTY PLATFORMS AND SERVICES
Our Platform may contain links to, or integrations with, third-party websites, applications, and services (e.g., Apple Health, Google Fit, insurance portals). PsychDesk is not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through our Platform.
When you choose to share data with a third-party integration, that data is governed by the third party's privacy policy. PsychDesk will display a clear notice and seek your consent before any personal data is transmitted to a third-party integration.
21. PRIVACY BY DESIGN AND DEFAULT
PsychDesk integrates privacy considerations into the design of its systems, products, and processes from the outset ("Privacy by Design"). Our approach includes:
Data minimisation: collecting only the minimum personal data necessary for each function.
Default privacy settings: the most privacy-protective settings are the default for new accounts.
Data Protection Impact Assessments (DPIAs): conducted before deploying new features or processing activities that may carry high privacy risk.
Privacy in procurement: all new vendors are subject to a privacy risk assessment before engagement.
Developer training: all software engineers receive secure coding and privacy training as part of onboarding and annually thereafter.
22. GOVERNING LAW AND DISPUTE RESOLUTION
This Policy is governed by the laws of the Republic of Singapore. Any dispute arising in connection with this Policy shall be submitted to the non-exclusive jurisdiction of the Singapore courts.
For data protection complaints, the primary regulator is the Personal Data Protection Commission (PDPC). For healthcare-related complaints, the primary regulator is the Ministry of Health (MOH) and the Allied Health Professions Council (AHPC) / Singapore Medical Council (SMC) as applicable.
23. CONTACT US
If you have any questions, concerns, or requests relating to this Privacy Policy or our personal data practices, please contact:
Website: www.psychdesk.in
DPO Email: dpo@psychdesk.in
General Email: tech@psychdesk.in
Registered in: Republic of Singapore
Version: 1.0
Effective Date: 22 April 2026
Next Scheduled Review: 22 April 2027
ANNEX A — COMPLIANCE MATRIX
The following matrix summarises PsychDesk's compliance posture against the key obligations under Singapore's data protection and healthcare regulatory framework:
Instrument: Key Obligation | Policy Section
PDPA — Consent Obligation (s.13–15): Obtain valid consent before collection, use, or disclosure | Sections 5, 6, 7
PDPA — Purpose Limitation (s.18): Use data only for notified purposes | Sections 6, 7
PDPA — Notification Obligation (s.20): Notify individuals of purposes before/at collection | Sections 3, 4, 6
PDPA — Access Obligation (s.21): Respond to access requests within 30 days | Section 12.1
PDPA — Correction Obligation (s.22): Correct inaccurate data within 30 days | Section 12.2
PDPA — Accuracy Obligation (s.23): Ensure personal data is accurate and complete | Section 3.3
PDPA — Protection Obligation (s.24): Reasonable security arrangements | Section 11
PDPA — Retention Limitation (s.25): Dispose of data when no longer necessary | Section 10
PDPA — Transfer Limitation (s.26): Cross-border transfers subject to adequacy/safeguards | Section 9
PDPA — Data Portability (s.26H): Port data to another organisation on request | Section 12.3
PDPA — Mandatory Breach Notification (Part VIA): Notify PDPC within 3 days; affected individuals ASAP | Section 13
PDPA — DPO Designation (s.11(3)): Appoint and register a DPO | Section 19
PDPA — Do Not Call Registry (Part IX): Check DNC Registry before sending specified messages | Section 14
PDPA — Deemed Consent (s.15A–15C): Three grounds for deemed consent | Sections 5.2–5.4
PDPA — Legitimate Interests (s.15C): Three-part legitimate interests test | Section 5.4
PDPC — Healthcare Sector Guidelines: Elevated protection for health data; consent requirements | Sections 7, 11
Healthcare Services Act 2020: Licensing, clinical governance, NEHR | Section 18.1
Mental Health (Care and Treatment) Act: Involuntary treatment procedures, confidentiality | Sections 7.3, 18.4
Private Hospitals & Medical Clinics Act: Medical record retention (6 years) | Section 10
Cybersecurity Act 2018: CII obligations, incident reporting to CSA | Section 11 (Notice)
PDPC Model AI Governance Framework: Human oversight, transparency in AI use | Section 17
ASEAN CBPR Framework: Cross-border data transfers within ASEAN | Section 9.2
ANNEX B — GLOSSARY OF REFERENCED LEGISLATION
PDPA: Personal Data Protection Act 2012 (No. 26 of 2012), as amended
PDPR: Personal Data Protection Regulations 2021
PDPC: Personal Data Protection Commission (Singapore)
HSA 2020 / HCSA 2020: Healthcare Services Act 2020
PHMC Act: Private Hospitals and Medical Clinics Act (Cap. 248)
MHCTA: Mental Health (Care and Treatment) Act (Cap. 178A)
CSA 2018: Cybersecurity Act 2018
ETA: Electronic Transactions Act 2010 (Cap. 88)
CMA: Computer Misuse Act 1993 (Cap. 50A)
IDA: Infectious Diseases Act (Cap. 137)
NEHR Act: National Electronic Health Record Act (Cap. 194A)
Limitation Act: Limitation Act (Cap. 163)
Income Tax Act: Income Tax Act (Cap. 134)
CBPR: Cross-Border Privacy Rules (ASEAN framework)
DPO: Data Protection Officer
DBIA: Data Breach Impact Assessment
DPIA: Data Protection Impact Assessment
NEHR: National Electronic Health Record
MOH: Ministry of Health, Singapore
SMC: Singapore Medical Council
SPS / SRP: Singapore Psychological Society / Singapore Register of Psychologists
AHPC: Allied Health Professions Council
IRAS: Inland Revenue Authority of Singapore
END OF PRIVACY POLICY
© 2026 PsychDesk Pte. Ltd. All rights reserved.
