Privacy Policy

Effective Date: 14 April 2025

Last Updated: 7 June 2026

Version: 1.6

Registered Address: 291 Joo Chiat Road, #03-01, JK Centre, Singapore 427543

Website: www.OpenOnda.com

Contact: hello@openonda.com

Data Protection Officer: dpo@openonda.com

This Privacy Policy is issued by OpenOnda Pte. Ltd. (UEN 202515980Z), a company incorporated in Singapore and governed by the Personal Data Protection Act 2012 (Singapore) (the “PDPA”). By accessing our website or engaging our services, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy.

​

​Contents

1.   Introduction

2.   Definitions

3.   Scope of This Policy

4.   Personal Data We Collect

5.   How We Collect Personal Data

6.   Purposes for Collection, Use, and Disclosure

7.   Legal Bases for Processing

8.   Marketing Communications and the Do Not Call Registry

9.   Disclosure of Personal Data

10.  Our Role as a Data Intermediary

11.  Cross-Border Data Transfers

12.  Cookies and Tracking Technologies

13.  Third-Party Websites and Platforms

14.  Data Retention

15.  Data Accuracy

16.  Data Security

17.  Data Breach Notification

18.  Your Rights Under the PDPA

19.  How to Exercise Your Rights

20.  Children’s Personal Data

21.  Job Applicants

22.  Data Protection Officer

23.  Complaints and the PDPC

24.  Changes to This Policy

25.  Contact Us

​

​

1. Introduction

OpenOnda Pte. Ltd. (“OpenOnda”, “we”, “our”, or “us”) is a reviews and reputation management consultancy incorporated in Singapore (UEN 202515980Z). We provide services including Real Reviews Generation, Review Management, Reviews & Competitor Analysis, Negative Review Removal, and the Review Training Academy.

We are committed to protecting the personal data of our website visitors, prospective clients, clients, our clients’ customers (where we process data on their behalf), job applicants, and other individuals whose personal data we may collect, use, or disclose.

This Privacy Policy describes how we handle personal data in compliance with the Personal Data Protection Act 2012 (Singapore), its subsidiary regulations, and the Advisory Guidelines issued by the Personal Data Protection Commission (“PDPC”).

​

​

2. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below:

•    “PDPA” means the Personal Data Protection Act 2012 of Singapore, as amended from time to time, and all subsidiary regulations made under it.

•    “PDPC” means the Personal Data Protection Commission of Singapore.

•    “Personal Data” means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have access.

•    “Data Intermediary” means an organisation that processes personal data on behalf of another organisation, but does not include an employee of that other organisation. In certain engagements, OpenOnda acts as a Data Intermediary for its Clients.

•    “Client” means a business or organisation that has engaged OpenOnda to provide reputation and review management services pursuant to a Client Service Agreement.

•    “Client’s Customer” means an individual whose personal data is provided to us by a Client for the purpose of delivering our services (for example, a customer of the Client whose contact details are used to request a review).

•    “Reviewer” means an individual who has posted a publicly visible review on a third-party review platform (such as Google, Facebook, or industry-specific sites).

•    “DPO” means our Data Protection Officer, appointed in accordance with Section 11(3) of the PDPA.

•    “Website” means www.OpenOnda.com and any associated subdomains operated by OpenOnda.

​

​

3. Scope of This Policy

This Privacy Policy applies to all personal data that OpenOnda collects, uses, or discloses in the course of its business operations in Singapore and elsewhere.

It governs the personal data of the following categories of individuals:

•    Visitors to our Website

​

•    Prospective clients who enquire about our services

​

•    Authorised representatives, directors, and employees of our Clients

​

•    Clients’ Customers whose personal data we process on behalf of our Clients

​

•    Reviewers whose public reviews we monitor or analyse in the course of service delivery

​

•    Job applicants and prospective contractors

​

•    Vendors, suppliers, and business partners

This Privacy Policy does not apply to anonymised, aggregated, or de-identified data from which no individual can be identified, nor to data that is excluded from the operation of the PDPA.

​

​

4. Personal Data We Collect

​

This Privacy Policy does not apply to anonymised, aggregated, or de-identified data from which no individual can be identified, nor to data that is excluded from the operation of the PDPA.​

​

The types of personal data we collect depend on the nature of your interaction with us. We collect only such personal data as is reasonably necessary to provide our services and to operate our business.

​

​4.1 From Website Visitors

•    IP address, browser type and version, operating system, and device identifiers

•    Pages visited, time and duration of visit, and referring URLs

•    Information submitted through enquiry forms, newsletter sign-ups, or contact forms

•    Cookies and similar tracking data (see Section 12)

​

​4.2 From Prospective Clients

​

•    Full name, business email, business telephone number, and job title

•    Company name, registered address, and industry sector

•    Information about your business, marketing objectives, and review-related challenges

•    Records of communications and consultations with our team

​

4.3 From Clients (and their Authorised Representatives)

​

•    Identification, contact, and business information of authorised signatories and contact persons

•    Billing details, banking information, and payment records

•    Business operational data necessary to deliver our services (e.g., access credentials to Google Business Profile, review platform accounts, brand voice guidelines)

•    Communications, meeting notes, and records of service delivery

​

4.4 From Clients’ Customers (Where We Act as Data Intermediary)

​

In the course of delivering Real Reviews Generation services, our Clients may provide us with personal data of their own customers.

This typically includes:

•    Full name

•    Email address and/or mobile telephone number

•    Service or transaction reference (e.g., date of service, branch, transaction ID)

We process this data strictly on the instructions of the Client, and only for the purposes specified in the Client Service Agreement. We do not use this data for our own purposes. Clients warrant that they have obtained all necessary consents and notifications from their customers prior to disclosing such data to us, in accordance with Section 10 of this Privacy Policy.

​

4.5 From Reviewers and Public Review Data

​

As part of our Review Management, Reviews & Competitor Analysis, and Negative Review Removal services, we collect and analyse publicly available review data from third-party platforms.

This may include:

•    The reviewer’s public display name or username

•    The text and rating of the publicly posted review

•    The date of posting and platform metadata

•    Publicly visible profile information (e.g., reviewer profile photo, location, total reviews posted)

We do not attempt to re-identify reviewers beyond what is publicly visible, and we do not collect private contact information from review platforms.

​

4.6 From Job Applicants

​

•    Name, contact details, NRIC/FIN (last 3 digits only where lawful), and date of birth

•    Curriculum vitae, education and employment history

•    Referee details, interview notes, and assessment results

​

4.7 Automatically Collected Data

​

When you visit our Website, we automatically collect technical information through cookies, server logs, and analytics tools (see Section 12).

​

​

5. How We Collect Personal Data

​

We collect personal data through the following channels:

•    Directly from you: when you submit enquiry forms, request a consultation, sign a service agreement, communicate with us by email, telephone, or messaging platform, attend meetings or workshops, or apply for a role with us.

•    From our Clients: where the Client provides us with personal data of their customers, employees, or representatives for service delivery purposes.

•    From third-party platforms: where personal data is publicly available on review platforms such as Google, Facebook, and other industry-specific review websites.

•    Automatically: through cookies, analytics services, and similar tracking technologies when you visit our Website.

•    From referrals and public sources: such as LinkedIn, business directories, ACRA records, and publicly available company information for business development purposes.

​

​

6. Purposes for Collection, Use, and Disclosure

​

We collect, use, and disclose personal data only for purposes that a reasonable person would consider appropriate, and that have been notified to the individual (where required) or that fall within an exception under the PDPA. Our purposes include:

​

6.1 Service Delivery and Client Engagement

•    Responding to enquiries and providing information about our services

•    Preparing proposals, quotations, and Client Service Agreements

•    Delivering the services set out in the Client Service Agreement, including Real Reviews Generation, Review Management, Reviews & Competitor Analysis, Negative Review Removal, and the Review Training Academy

•    Communicating service updates, reports, and operational matters to Clients

​

•    Managing Client relationships, account servicing, and quarterly strategy sessions

6.2 Business Operations

•    Issuing invoices, receipts, and processing payments

•    Maintaining accounting and tax records in accordance with Singapore law

•    Internal record-keeping, audit, and quality assurance

•    Training of staff and improvement of our services

•    Protecting our legitimate business interests and enforcing our contractual rights

6.3 Legal and Regulatory Compliance

•    Complying with applicable laws, regulations, and lawful requests from public authorities

•    Establishing, exercising, or defending legal claims

•    Cooperating with investigations conducted by the PDPC or other regulators

​

6.4 Marketing (With Consent)

•    Sending newsletters, service updates, and marketing communications about OpenOnda’s services, where you have provided consent

•    Inviting prospective clients to events, webinars, and consultations You may withdraw consent for marketing communications at any time (see Section 8).

​

6.5 Recruitment

•    Assessing job applications and conducting interviews

•    Verifying references and background information

•    Onboarding successful candidates

​

​

7. Legal Bases for Processing

​

Under the PDPA, we rely on one or more of the following legal bases to collect, use, or disclose personal data:

•    Express Consent: where you have actively given consent (e.g., by ticking a box, signing an agreement, or submitting an enquiry form).

•    Deemed Consent: where you voluntarily provide personal data for an obvious purpose, or where deemed consent by notification applies under Sections 15 and 15A of the PDPA.

•    Legitimate Interests Exception: where the collection, use, or disclosure is in our legitimate interests, the benefit to us outweighs any adverse effect on the individual, and an assessment has been conducted in accordance with the First Schedule of the PDPA. Examples include fraud prevention, IT security, and recovery of debts.

•    Business Improvement Exception: for internal purposes such as improving our services, developing new offerings, or conducting analytics on our existing customer base, in accordance with the First Schedule of the PDPA.

•    Contractual Necessity: where processing is required to perform a contract to which the individual is a party (e.g., delivering services under a Client Service Agreement).

•    Legal Obligation: where we are required to process personal data to comply with applicable law.

​

​

8. Marketing Communications and the Do Not Call Registry

​

Where we send marketing messages, we do so in compliance with the PDPA, including the Do Not Call (“DNC”) provisions in Parts 9 and 9A of the PDPA, and the Spam Control Act 2007 (Singapore).

​

8.1 Direct Marketing

We will only send you direct marketing communications by email, SMS, telephone, or post where:

•    You have given express or deemed consent to receive such communications; or

•    We have an existing ongoing relationship with you and the marketing message is related to the subject of that relationship (in line with the PDPA exemption for ongoing relationships); and

•    For voice calls, SMS, and faxes to Singapore telephone numbers, the number is not registered on the relevant DNC Register, unless an exemption applies.

8.2 Withdrawing Consent

You may withdraw consent to receive marketing communications at any time by:

•    Clicking the “unsubscribe” link in any marketing email from us

•    Replying “STOP” to any marketing SMS

•    Emailing dpo@openonda.com We will process your request within a reasonable time, typically within 10 business days.

Please note that you may continue to receive service-related communications (e.g., invoices, service reports) even after withdrawing marketing consent.

​

​

9. Disclosure of Personal Data

​​

We do not sell, rent, or trade personal data. We may disclose personal data to the following categories of recipients, only where necessary and subject to appropriate confidentiality and data protection obligations:

•    Service providers and vendors: including cloud hosting providers, customer relationship management (CRM) software, email marketing platforms, accounting software, communications platforms, and payment processors. These vendors are contractually bound to handle personal data in accordance with the PDPA and only for the purposes for which we have engaged them.

•    Professional advisers: including lawyers, accountants, auditors, and consultants, where necessary for the conduct of our business.

•    Review platforms: where required for the delivery of our services (e.g., submitting removal requests on behalf of Clients, responding to reviews).

•    Government and regulatory authorities: where disclosure is required by law, court order, or lawful request, including the PDPC, Inland Revenue Authority of Singapore (IRAS), ACRA, and law enforcement agencies.

•    Successors in a business transfer: in the event of a merger, acquisition, restructuring, or sale of business assets, subject to equivalent data protection obligations.

•    Other parties with your consent: where you have authorised us to disclose your personal data to a specific third party.

​

​

10. Our Role as a Data Intermediary

​​

In delivering certain services, particularly Real Reviews Generation, OpenOnda processes personal data of our Clients’ customers on behalf of, and for the purposes of, the Client. In these engagements, OpenOnda acts as a Data Intermediary as defined under the PDPA.

​

10.1 Allocation of Responsibilities

Where OpenOnda acts as a Data Intermediary:

•    The Client remains the data controller and retains primary responsibility for compliance with the PDPA in relation to the personal data of its customers, including obtaining all necessary consents and notifications.

•    OpenOnda is responsible for complying with the Protection Obligation (Section 24 PDPA) and the Retention Limitation Obligation (Section 25 PDPA), as well as the duty to notify the Client without undue delay of any data breach affecting such personal data.

•    All such processing is governed by a written Client Service Agreement that records the purposes, duration, and nature of the processing.

​

10.2 Client Obligations

Clients warrant and represent to OpenOnda that:

•    They have obtained all necessary consents (express or deemed) from their customers prior to disclosing personal data to OpenOnda

•    They have provided clear notice to their customers regarding the purposes for which the personal data will be used, including for review solicitation

•    The personal data provided to OpenOnda is accurate, current, and lawfully obtained

•    They will promptly notify OpenOnda of any access, correction, or withdrawal-of-consent requests received from their customers that affect data held by OpenOnda

​

10.3 Data Subject Requests

If you are a customer of one of our Clients and wish to exercise any of your rights in relation to personal data held by OpenOnda as a Data Intermediary, we encourage you to contact the Client directly. We will assist the Client in responding to such requests in accordance with the Client Service Agreement.

​

​

11. Cross-Border Data Transfers

​​

OpenOnda is based in Singapore. In the course of our business, personal data may be transferred to, stored in, or accessed from countries outside Singapore, including where our service providers (such as cloud hosting, email, or analytics providers) are located.

Where personal data is transferred out of Singapore, OpenOnda will comply with Section 26 of the PDPA and the Personal Data Protection Regulations 2021 by ensuring that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA.

This may be achieved through one or more of the following:

•    Contractual clauses imposing PDPA-equivalent obligations on the overseas recipient

•    Reliance on the ASEAN Model Contractual Clauses for Cross Border Data Flows endorsed by the PDPC, where applicable

•    Binding Corporate Rules for intra-group transfers (where relevant)

•    Certification under the APEC Cross Border Privacy Rules system (where applicable)

•    Obtaining the individual’s consent to the transfer, after providing a reasonable summary in writing of the protections that will apply

You may contact our DPO at dpo@openonda.com for further information about the countries to which your personal data may be transferred and the safeguards in place.

​

​

12. Cookies and Tracking Technologies

​​

Our Website uses cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to enhance functionality, analyse usage, and improve user experience.

​

12.1 Types of Cookies We Use

•    Strictly Necessary Cookies: essential for the operation of our Website (e.g., session management, security). These cannot be disabled.

•    Performance and Analytics Cookies: help us understand how visitors use our Website by collecting aggregated, anonymised data (e.g., Google Analytics).

•    Functionality Cookies: remember your preferences and settings to provide a more personalised experience.

•    Marketing Cookies: track your activity across websites to deliver more relevant advertising. These are only used with your consent.

​

12.2 Managing Cookies

​

You can control cookies through your browser settings or through our cookie consent banner (where displayed). Disabling certain cookies may affect the functionality of our Website. By continuing to use our Website without changing your settings, you consent to our use of cookies as described in this Privacy Policy.

​

12.3 Do Not Track​

Some browsers offer a “Do Not Track” feature. Because there is no consistent industry standard for how organisations should respond to Do Not Track signals, our Website does not currently respond to such signals. We honour cookie preferences set through our cookie consent banner.

​

​

13. Third-Party Websites and Platforms

​​

Our Website may contain links to third-party websites, applications, and platforms (including Google, Facebook, LinkedIn, and review platforms). These third parties operate independently and have their own privacy policies.

OpenOnda is not responsible for the privacy practices, content, or data handling of such third parties. We recommend reviewing their privacy policies before providing any personal data. Where we use third-party platforms to deliver our services (e.g., posting responses to reviews on Google), the relevant platform’s terms of service and privacy policy will also apply.

​

​

14. Data Retention

​​

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.

Our retention periods include:

•    Client records and transactional data: retained for a minimum of seven (7) years from the end of the financial year in which the business relationship ends, in accordance with the Income Tax Act and the Companies Act of Singapore.

•    Prospective client and enquiry data: retained for up to two (2) years from the date of last contact, unless converted into a client engagement.

•    Clients’ Customers data (held as Data Intermediary): retained only for the duration of the relevant service engagement, and securely deleted or returned to the Client within thirty (30) days of termination, unless retention is required by law.

•    Marketing data: retained until consent is withdrawn or the data subject becomes inactive for more than three (3) years.

•    Job applicant data: retained for up to one (1) year following the conclusion of the application process for unsuccessful candidates.

•    Website analytics data: retained in accordance with our analytics provider’s default retention settings (typically 14–26 months).

When personal data is no longer required, it is securely deleted, anonymised, or destroyed in accordance with our internal data destruction procedures.​​​​