PRIVACY NOTICE OF HEART SPACE 

Heart Space of UEN 53437144B, also trading as “Kit Creations”, (hereinafter referred to as “Heart Space”; “we”; “us”; “our”) is committed to safeguarding the personal data entrusted to it by individuals. This Privacy Notice (“Notice”) explains how Heart Space collects, uses and discloses your personal data so we can serve you better. It also sets out how you can update us or request to be unsubscribed from our records. 

By visiting our website, using our services, or providing us with your Personal Data, you acknowledge that you have read and understand the practices, terms and conditions described in this Privacy Notice. 

1. Your Personal Data 

In this Notice and under the Personal Data Protection Act (2012) (“PDPA”), “Personal Data” refers to any data or information (whether true or not) about you from which you can be identified, either (i) from that data; or (ii) from that data and other information to which we have or are likely to have access. It includes information such as an individual’s name, identification number, address, mobile phone number, email addresses, photos and video images of a person. 

2. Collection, Use and Disclosure of Personal Data 

2.1. Purposes for Personal Data collection, use and disclosure 

Heart Space may collect, use and/or disclose your Personal Data for the purposes listed below as well as for other purposes you specifically consent to: 

a) Registration, assessment, and servicing purposes, including but not limited to the following:

• To register you as a client of Heart Space so that we can perform the services that you have engaged us to perform, and to administer, update, suspend or cancel such registration, as the case may be;

• To assess your mental state, capacity and constitution, and/or your circumstances; and/or

• To recommend or otherwise prescribe an appropriate course of a therapeutic intervention programme, and/or administer, perform, evaluate, update, vary, amend, suspend or terminate such course of therapeutic intervention programme, as the case may be.

2.1(a).1. Without limiting the definition of “Personal Data” or the generality thereof as described in the preceding Section 1, in order that we are able to provide you with services, we may ask that you provide any or all of the following information depending on the services that you have requested for: your gender, birth date, age, marital status, residential address, family background information, medical history, health history (including medications that you are taking), psychotherapy history (including the therapies that you have received and those that you are receiving) and emergency contact information. Please ensure that you are legally authorised to share with us any information that contains the Personal Data of another person.

2.1(a).2. Except as expressly provided for in Section 2.1(a).3 below, we do not knowingly collect, use or disclose Personal Data of minors under the age of 18 without the consent of their parents or legal guardians. If you become aware or suspect that such information has been inadvertently collected, please inform us immediately by contacting our Data Protection Officer (DPO) (refer to Section 9 (Contacting Us)). 

2.1(a).3. For the purposes of Section 2.1(a).3, 

• the terms “child”, “ward” and “vulnerable adult” shall each be referred to as “Charge”;

• the terms “vulnerable adult” and “family member” shall have the meanings ascribed to them in Section 2(1) of the Vulnerable Adults Act (2018); and/or

• the terms “deputy” or “donee” shall have the meanings ascribed to them in Section 2(1) of the Mental Capacity Act (2008).

If you are a parent or legal guardian acting on behalf of your child or ward who is under the age of 18, or if you are a family member or deputy or donee acting on behalf of a vulnerable adult, you agree that you have all rights to: 

• engage us to provide services in respect of your Charge and to execute all agreements to evidence such engagement;

• disclose Personal Data pertaining to your Charge;

• authorise us to collect, use and store such Personal Data in the manner provided in this Notice to provide services to your Charge; and

• exercise all rights afforded to or in relation to your Charge under this Notice or under any applicable law on behalf of your Charge. 

If you act on behalf of your Charge pursuant to this Section 2.1(a).3, the words “you” and “your” as used in this Privacy Notice shall be deemed to mean and reference you and/or your Charge, as the case may be. For example, the phrase “your Personal Data” means the Personal Data of you and/or your Charge, as the case may be.

b) Marketing and advocacy purposes, including but not limited to the following: 

• To inform you about the products, services, events and activities of Heart Space and its related organisations, or other information which may be of interest to you. 

You have the right to ask us not to process your Personal Information for marketing purposes. Before collecting your Personal Information, we will inform you if we intend to use it for marketing purposes, or if we intend to disclose it to any third party for marketing purposes.

We will give you choices about your Personal Information. Some choices are presented up front in the form of opt-in notices or acceptance boxes for marketing to you or sharing your Personal Information with third parties. You always have the choice to opt-out if you later change your mind. One form of opt-out is clicking the Unsubscribe link in a marketing email. This will take you off our marketing email list. If you do not wish to receive direct marketing material from us or a third party, in addition to following the “Unsubscribe” instructions in a marketing email, you can inform our DPO at the contact details provided below [refer to Section 9 (Contacting Us)].

c) Administration and other servicing purposes, including but not limited to the following: 

• To verify your identity; 

• To communicate with you, carry out your instructions or respond to your queries/comments; 

• To provide referrals to other healthcare professionals and/or institutions as agreed with you in writing;

• To ensure safety and protection of life, where disclosure is deemed necessary by us, where we assess there to be a risk of harm to you or to others;

• To process and administer payments, billings, accounts, benefits/entitlements, credit and reference checks, debt-recovery matters; 

• To perform internal operations necessary to provide our services, including troubleshooting software bugs and operational problems, conducting data analysis, testing and research, monitoring and analysing usage and activity trends; 

• For compliance monitoring and audit reviews;

• To investigate allegations or suspicions of fraud, misconduct, any unlawful action or omission; 

• To archive, back-up or destroy Personal Data; and/or

• To inform you of changes and updates to our services, policies, terms and conditions and other administrative information.

d) Analytics, research, business development and improvement purposes, including but not limited to the following: 

• To understand and improve your user experience with our services, websites and mobile applications; 

• To derive further attributes relating to you based on your Personal Data, in order to provide you with more targeted and/or relevant information; 

• To improve the layout or content of the pages of our websites/mobile applications, and customise them for existing and prospective users; 

• To conduct surveys, data analysis of usage and activity trends, testing and monitoring and other research, for example, research on demographics and behaviour; 

• To improve, enhance and develop our current technology, operations and services; 

• To improve, enhance or develop new services, websites or mobile applications and new methods or processes for business operations; and/or

• To learn or understand behaviour and preferences of existing or prospective users and identify goods or services that may be suitable for them. 

e) To comply with applicable rules, laws and regulations as well as the legal process or legal requirements of any court of competent jurisdiction, government agency or law enforcement authority. 

The purposes listed in this Section 2.1 may continue to apply even in situations where your relationship with us has been terminated or altered in any way, for a reasonable period thereafter.

2.2. How we collect your Personal Data 

Heart Space may collect your Personal Data in various ways, including without limitation, when you: 

a) visit our premises, which are monitored by CCTV surveillance; 

b) visit our websites or use our mobile applications; 

c) allow us to visit your premises and take photos, video and/or audio recordings, with your consent;

d) attend/participate in our events, as photos and/or video recordings may be taken; 

e) intern with Heart Space or through our websites or mobile applications;

f) register with us for our services or events/activities; 

g) interact with any of our employees, interns, board and committee members, for example via meetings (physical and online), emails or telephone calls; 

h) respond to our requests for additional Personal Data; 

i) request that we contact you, for example to be included in a mailing list;

j) respond to our initiatives or programmes; and/or

k) participate in any research and/or survey conducted by us or our partners/vendors. 

We may also collect Personal Data where required or permitted by laws or regulations binding on Heart Space for any purpose. 

We do not sell or rent any Personal Data that we collect and store.

2.3. Who we may disclose your Personal Data to 

We may provide your Personal Data to various third parties for the purposes mentioned above with your consent, or where permitted or required by law. Such third parties include without limitation: 

• financial institutions, payment processors and facilitators; 

• debt collectors; 

• credit bureaus and other credit reporting agencies; 

• background check and anti-money laundering service providers; 

• cloud-based service providers; 

• marketing partners and marketing platform providers; 

• data analytics providers; 

• research partners, including those performing surveys or research projects in partnership with Heart Space or on Heart Space’s behalf; 

• Heart Space’s API developers; 

• Heart Space interns;

• Professional advisors such as lawyers and auditors; 

• Any liquidator, receiver, official assignee/trustee, judicial manager or any other person appointed under or pursuant to any applicable law or court order in connection with the bankruptcy, liquidation, winding up, judicial management or any other analogous process in respect of any individual, company or business; 

• Law enforcement officials; 

• Government agencies and regulatory bodies; 

• Other third-party service providers; and/or

• Any other party to whom you authorise us to disclose your Personal Data. 

2.4. Consent 

Heart Space will always seek your consent to collect, use or disclose your Personal Data, except in specific circumstances where collection, use or disclosure without consent is authorised or required by law. Heart Space may not be able to fulfil certain services if you are unwilling to provide consent to the collection, use or disclosure of certain Personal Data. Heart Space may assume that you have consented to the collection, use and disclosure of your Personal Data in situations where you provided Personal Data for obvious purposes. 

2.5. Notification Obligation 

Either before or when we collect your Personal Data, Heart Space shall inform you of the purpose for which the Personal Data is collected, except when such Personal Data is provided by you for an obvious purpose (for example, when you provide Personal Data to register for an event, the purpose is your participation in that event).

2.6. Accuracy Obligation 

Heart Space generally relies on the Personal Data provided by you (or your authorised representative). To ensure that your Personal Data is current, complete and accurate, please update us if there are changes to your Personal Data by informing our DPO at the contact details provided below [refer to Section 9 (Contacting Us)]. Heart Space will not be responsible for relying on inaccurate or incomplete Personal Data provided to us. Failure to provide complete and accurate information may result in our inability to provide you with services you have requested and/or other administrative delays. 

3. Security and Storage 

3.1. Protection of your Personal Data 

We will endeavour to protect your Personal Data in our possession and will guard against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction, through reasonable and appropriate security measures. We will endeavour to implement appropriate physical, electronic and managerial procedures to safeguard and secure the Personal Data in our possession. 

3.2. Storage and Transfer of your Personal Data

The Personal Data that we collect from you may be stored in Singapore or such other location as we deem necessary to efficiently render Heart Space services. We also use cloud-based applications and services to store and process your Personal Information, which may result in your Personal Information being stored outside your country of residence. By providing your Personal Information to us, you fully understand that Heart Space may transfer, process and store your Personal Information outside of your country of residence where data protection standards may be different, and disclose your Personal Information to overseas service providers who may not fully comply with the particular laws of your country. However, even in countries whose laws provide for less protection for your Personal Information, Heart Space will still handle your Personal Information in the manner described in this Privacy Policy and in conformity with all applicable laws. 

3.3. Retention of your Personal Data and Requests to Delete your Personal Data 

We will only retain your Personal Data for as long as it is necessary for our business or legal purposes. You may request that your Personal Data be deleted by contacting our DPO [refer to Section 9 (Contacting Us)]. Do note that we will not be able to delete your Personal Data if we require it for business or legal purposes. In such circumstances, you may nevertheless withdraw your consent to the further use or disclosure of your Personal Data [refer to Section 4 (Withdrawal of Consent)]. 

4. Withdrawal of Consent 

4.1. If you wish to withdraw your consent to any collection, use or disclosure of your Personal Data as set out in this Notice, you may contact the DPO [refer to Section 9 (Contacting Us)].

4.2. Please note that if you withdraw your consent to the collection, use, and/or disclosure of your Personal Data, depending on the nature of your request, we may not be able to continue providing our services or perform our contractual obligations to you. Such withdrawal may also result in the termination of any agreements or arrangements you have with us. Heart Space’s legal rights and remedies are expressly reserved under such circumstances. 

4.3. Heart Space will strive to effect your withdrawal of consent within 10 working days of your withdrawal and will notify you if more time is required. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under applicable laws. 

5. Access to and Correction of Personal Data 

5.1. If you wish to make (a) an access request for access to a copy of the Personal Data which we hold about you or information about the ways in which we use or disclose your Personal Data, or (b) a correction request to correct or update any of your Personal Data which we hold about you, please submit your request to Heart Space’s DPO [refer to Section 9 (Contacting Us)] identifying yourself and indicating the Personal Data that the request concerns. 

5.2. Heart Space will respond to your request as soon as reasonably possible. However, please note that we may refuse your request under certain circumstances as laid out under the PDPA. Please note that a reasonable fee may be charged for an access request. If so, Heart Space will inform you of the fee before processing your request. 

5.3. If we are unable to respond to your access or correction request within 30 days after receiving your request, we will inform you in writing within 30 days of the time by which we would be able to respond to your request. 

6. Use of Cookies

6.1. We use “cookies” where a small data file is sent to your browser to store and track anonymised information about you (“Aggregate Information”) when you enter our website or use our mobile applications. You cannot be identified from Aggregate Information. Cookies are used to track information such as the number of users, their frequency of use, profiles of users, their preferred sites, their preferences, the effectiveness of a campaign, the amount of traffic on our webpages, the number of page views (or page impressions) that occur on our websites and/or mobile applications, and common entry and exit points into our websites and/or mobile applications. 

6.2. The Aggregate Information collected is used to assist us in analysing the usage of our websites and/or mobile applications and improving our websites, mobile applications and services.

6.3. Should you wish to disable the cookies associated with these technologies, you may do so by changing the setting on your browser. However, you may not be able to enter or use certain part(s) of our websites, mobile applications or services. 

6.4. Heart Space’s websites and/or mobile applications may contain social media features, such as Facebook “Share” buttons. These features may collect information about your device’s IP address, set cookies to facilitate interaction with social media features or link you to a social media website where you may post Personal Data. All interactions with social media features are governed by the privacy policy of the social media company providing the feature.

7. Third-Party Sites 

7.1. Our websites and mobile applications may contain links to other websites and applications operated by third parties for your convenience and information. You access these websites and applications at your own risk. To the fullest extent permitted under the law, we cannot be responsible for a third-party’s acts, omissions, data policies or their use of cookies nor the content or security of any third-party websites and applications, even if linked to our websites and applications. We recommend that you check the applicable data protection policy of the third party to determine how they will handle any information they collect from you. Any such liability is expressly disclaimed and excluded. 

8. Data Breach Notification 

8.1. Even with reasonable protection measures in place, there may be a possibility of a data breach. In the event the data breach is assessed to be notifiable, Heart Space will notify the affected individuals as soon as practicable, at the same time or after notifying the Personal Data Protection Commission. If the breach warrants notification to the Commission, Heart Space will make notification as soon as practicable but no later than three (3) calendar days upon our assessment. 

9. Contacting Us 

9.1. Should you have any requests, questions or feedback relating to the collection, use or disclosure of your Personal Data, or if you wish to know more about our data protection policies and practices, please contact our DPO at connect@kitcreations.co

9.2. We may ask you to verify your identity before we can act on your request or question. We may conduct an identity verification by phone call or email. Depending on your request, we may ask for information such as your name and your contact number. We may also ask you to provide a signed declaration confirming your identity. 

9.3. We treat all complaints about a breach of the privacy laws seriously. If you have made a complaint, our DPO will investigate your complaint and respond to you within a reasonable time.

10. Changes to this Privacy Notice 

10.1. We may from time to time update this Notice to ensure that it is consistent with our future developments, industry trends and/or any changes in legal or regulatory requirements. The latest version of this Notice will be posted here. Your continued use of our services constitutes your acknowledgement and acceptance of any changes to this Notice.

Version 1: Updated on 30 July 2024