Privacy Policy
Last updated: 22 March 2025
1. Who we are
This Privacy Policy describes how the CanU operating entity (“CanU,” “we,” “us”) collects, uses, discloses, and protects personal data when you use our websites, applications, and services (the “Service”).
Privacy enquiries: privacy@canucanu.com.
2. Scope and cross-border users
The Service may be accessed from multiple countries. This Policy is designed to reflect core expectations under Singapore's Personal Data Protection Act 2012 (PDPA) and Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). If you reside elsewhere, additional local laws may also apply.
3. Personal data we may collect
Depending on how you use the Service, we may collect:
- Account data: name, email, phone, password or auth tokens, role, organisation or family affiliation.
- Care coordination data: information you or authorised users enter about care activities, schedules, notes, documents, or messages processed through the Service.
- Health-related information: if users upload medical or health information, treat it as sensitive — your counsel should confirm lawful bases, consent, and safeguards under PDPA and PDPO (and sector rules, if any).
- Technical data: IP address, device identifiers, approximate location derived from IP, logs, cookies, and analytics events.
- Support communications: content you send when contacting us.
4. How we use personal data
We use personal data to:
- Provide, secure, and improve the Service;
- Authenticate users and enforce role-based access;
- Send service, transactional, and (where permitted) product messages;
- Detect abuse, fraud, and security incidents;
- Comply with law and respond to lawful requests;
- Analyse usage in aggregate or de-identified form where appropriate.
Legal bases (template — customise): Under the PDPA, purposes are typically supported by consent, deemed consent where applicable, or other permitted bases in the PDPA. Under the PDPO, we aim to comply with the Data Protection Principles (e.g. lawful and fair collection; purpose limitation; accuracy; retention; security; openness; access and correction). Replace this paragraph with your counsel-approved articulation.
5. Disclosure and subprocessors
We may share personal data with:
- Service providers who host infrastructure, deliver messaging, analytics, or customer support — under contracts requiring appropriate confidentiality and security;
- Other users you or your organisation authorise to see specific information within the Service;
- Professional advisers, regulators, or law enforcement when required or permitted by law.
Publish a current list of material subprocessors (e.g. cloud region, email provider) after your security review.
6. International transfers
Personal data may be processed in Singapore, Hong Kong, and other countries where we or our providers operate. Where the PDPA or PDPO requires safeguards for cross-border transfers, we implement appropriate measures (e.g. contractual clauses or adequacy assessments) as advised by counsel. Describe your actual transfer mechanisms here.
7. Retention
We retain personal data only as long as needed for the purposes above, including legal, accounting, and dispute resolution needs. Specify default retention periods and deletion workflows after legal review.
8. Security
We implement administrative, technical, and organisational measures appropriate to the risk (e.g. access controls, encryption in transit where standard). No method of transmission or storage is completely secure; we encourage strong passwords and device security.
9. Your rights — Singapore (PDPA)
Subject to the PDPA and our verification procedures, you may have rights to access and correct certain personal data, and in some circumstances to withdraw consent or object to processing. You may lodge a complaint with the Personal Data Protection Commission (PDPC) where permitted. Provide your designated data protection contact and expected response timelines after counsel review.
10. Your rights — Hong Kong (PDPO)
Subject to the PDPO, you may have the right to request access to and correction of personal data we hold about you. You may contact the Office of the Privacy Commissioner for Personal Data (PCPD) for guidance or complaints where applicable. Insert your internal process for data access requests (DAR) and correction requests (DCR) after legal review.
11. Cookies and similar technologies
We may use cookies and similar technologies for session management, preferences, security, and analytics. Describe categories, purposes, and how users can manage preferences. If you use non-essential cookies, align notice and consent with your lawyer's advice for SG/HK expectations.
12. Children
The Service is not directed to children. If you believe a child has provided personal data, contact us to request deletion. Counsel should confirm any additional requirements for minors in your markets.
13. Automated decision-making and AI features
If the Service includes summaries or suggestions produced by automated means, describe what is automated, human oversight, accuracy limitations, and any rights users have. This is increasingly material for transparency expectations in both jurisdictions.
14. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Material changes may require additional notice or consent where mandated by law.
15. Contact
Privacy questions and requests: privacy@canucanu.com. For Hong Kong data access/correction requests, you may also use [designated channel].