1. About This Policy
This Privacy Policy describes how Courtizy collects, uses, discloses, and protects your personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA).
2. Information We Collect
We collect information you provide directly (name, NRIC last 4 digits where required, email, mobile, payment details) and information collected automatically (cookies, IP address, device, browser).
3. How We Use Information
We use information to operate the booking platform, process payments via Stripe Singapore, send booking confirmations and reminders, comply with GST and tax record-keeping, prevent fraud, and improve the service.
4. Disclosure of Personal Data
When you book at a venue, your booking details are shared with that venue's admin staff so they can fulfil the booking. Each venue acts as a data intermediary or independent data controller for its own customer base, depending on the booking flow.
5. Service Providers and Cross-Border Transfers
We share data with Stripe (payments), email/SMS providers, and cloud infrastructure vendors. Some processing occurs outside Singapore. We ensure recipients provide a comparable standard of protection as required under PDPA s.26.
6. Consent and Withdrawal
By using the service you consent to the collection and use of your personal data as described. You may withdraw consent by contacting our DPO; some service features will become unavailable as a result.
7. Marketing Communications
We comply with Singapore's Do Not Call (DNC) Registry. Marketing SMS and calls are sent only to numbers that have given clear and unambiguous consent. You may opt out at any time.
8. Data Retention
Booking records are retained for 7 years to comply with Singapore tax record-keeping requirements. You can request earlier deletion of your personal data; we will comply where legally permitted.
9. Your Rights Under PDPA
You have the right to access your personal data, correct inaccurate data, withdraw consent, and request information about how your data has been disclosed. Requests are addressed to our DPO and are responded to within 30 days.
10. Data Breach Notification
If a data breach is likely to result in significant harm, we will notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as practicable, and within 3 calendar days of assessment.
11. Security
We use TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, multi-factor authentication for admin accounts, and regular security audits.
12. Data Protection Officer
Our Data Protection Officer can be contacted at dpo@courtizy.sg or by post at the address registered with ACRA. We aim to respond to all PDPA enquiries within 30 days.
13. Changes to This Policy
We will notify you by email of material changes at least 30 days before they take effect.