PRIVACY POLICY (Singapore PDPA-Aligned)
Effective date: 08 August 2025

1. Who we are
VARP ALPHA PTE. LTD. (UEN: 202533836K), registered at 60 Paya Lebar Road, #07‑54, Paya Lebar Square, Singapore 409051 (“VARP ALPHA”, “we”, “us”), provides business consulting services. This Privacy Policy describes how we collect, use, disclose and protect personal data in Singapore and in connection with visitors to our website and business contacts.

2. Scope
This Policy applies to personal data in our possession or under our control about website visitors, business contacts, prospective clients and vendors. It does not apply to employee data (handled under separate notices).

3. Key PDPA concepts we follow
We align our practices with the Personal Data Protection Act 2012 (“PDPA”), including the notification and consent framework, purpose limitation, access/correction rights, accuracy, protection, retention limitation, and transfer limitation obligations. We also comply with the Do Not Call (“DNC”) provisions for Singapore telephone numbers.
(References: PDPC overview of obligations and notification duty; DNC overview.)

4. Personal data we collect
• Identification and contact details (e.g., name, job title, company, email, phone).
• Business correspondence and meeting notes.
• Technical data when you use our site (e.g., IP address, device/browser info, pages viewed, timestamps, basic cookie identifiers).
• Any other information you choose to provide to us in the course of an enquiry or engagement.
We do not intentionally collect sensitive personal data unless you provide it or it is necessary for a clearly stated purpose.

5. How we collect personal data
• Directly from you (web forms, emails, calls, WhatsApp, meetings).
• From your organization or colleagues who introduce you.
• From publicly available sources (e.g., LinkedIn, corporate registries) to maintain accurate business contact details.
• Via cookies/analytics on our website (see “Cookies” below).

6. Purposes of collection, use and disclosure
We collect, use and disclose personal data for:
• Responding to enquiries and providing our business consulting services (non‑advisory).
• Operating our website, IT, and security systems.
• Managing business relationships, vendor management, invoicing, and compliance.
• Preparing proposals, statements of work and performing internal planning/forecasting.
• Sending service announcements and, if you have not opted out and the DNC provisions permit, business updates related to our services.
• Complying with applicable laws, regulations and guidance; establishing, exercising or defending legal claims.

7. Consent and notification
Where required, we will notify you of the purposes for which we collect, use or disclose personal data on or before such collection, use or disclosure, and obtain consent unless an exception under the PDPA applies (e.g., where necessary for legal claims, investigations, or business asset transactions). You may withdraw your consent at any time by contacting us; withdrawal may affect our ability to provide services.

8. Do Not Call (DNC) provisions
We will not send marketing messages to Singapore telephone numbers listed in the DNC Registry unless permitted under the PDPA (e.g., with clear and unambiguous consent, or where an exemption applies). We will check the DNC Registry before sending covered messages and honour opt‑outs.

9. Access and correction
You may submit a request to access the personal data we hold about you and/or to correct inaccuracies. We will respond in accordance with the PDPA, and may charge a reasonable fee for processing access requests where permitted.

10. Data retention
We retain personal data only as long as reasonably necessary for the purposes stated above, or as required by law (e.g., tax/accounting record‑keeping). When data is no longer needed, we will anonymise or securely delete it.

11. Information security
We implement reasonable administrative, physical and technical safeguards designed to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. No method of transmission or storage is completely secure; residual risk remains.

12. Cross‑border transfers
If we transfer personal data outside Singapore, we will ensure that the recipient provides a standard of protection that is comparable to the protection under the PDPA (e.g., by using appropriate contractual clauses or recognised certification mechanisms).

13. Data breach management and notification
We assess suspected personal data breaches and will notify the Personal Data Protection Commission (“PDPC”) as soon as practicable and no later than 3 calendar days after determining that a breach is notifiable. We will notify affected individuals where the breach is likely to result in significant harm, and/or if it is of a significant scale (currently prescribed as affecting 500 or more individuals).

14. Cookies and analytics
We use cookies and similar technologies to operate the site, understand engagement, and improve performance. You can control cookies via your browser settings. Blocking some cookies may impact site functionality.

15. Third‑party sites
Our site may link to third‑party sites and services. Their privacy practices are not covered by this Policy.

16. Children’s privacy
Our site and services are intended for business users. We do not knowingly collect personal data from children.

17. Contact — Data Protection Officer
Email: support@varp-alpha.com
Postal: Data Protection Officer, VARP ALPHA PTE. LTD., 60 Paya Lebar Road, #07‑54, Paya Lebar Square, Singapore 409051

18. Updates to this Policy
We may update this Policy from time to time. Material changes will be posted on this page with a new effective date.