Privacy Policy
- Introduction. BSH Group (“we”, “us”) is committed to complying with Singapore’s Personal Data Protection Act 2012 (PDPA). This Privacy Policy explains how we collect, use, disclose, and protect personal data through our website (bshgroup.sg) and related services.
- Data We Collect. We collect personal data you provide and data collected automatically:
- Personal Data You Provide: When you use our Contact Form, Consultation Request, Careers application, or Newsletter Signup, you may submit personal information such as your name, email address, phone number, resume/CV, and any content you include in messages.
- Automatically Collected Data: We use web analytics (e.g. Google Analytics) and cookies to gather non-personal browsing data (IP address, device info, pages visited, etc.)[3]. We may also collect browser-generated identifiers (e.g. cookies) for functionality, analytics, and marketing purposes.
- Third-Party Data: If you communicate with us via WhatsApp or social media, data sent (like phone number, messages) goes through those platforms (Meta’s privacy policy). Our site also contains social media widgets/links; data sharing is subject to those third-party terms.
- Purposes of Collection. We collect and use personal data for legitimate business purposes including:
- Communications: to respond to your inquiries, book consultations, and provide the requested services.
- Service Delivery: to perform accounting, tax, and advisory services (including issuing invoices and complying with legal obligations, e.g. IRAS record-keeping).
- Marketing (with Consent): to send newsletters or promotional materials if you opted in. You may opt out at any time (unsubscribe link in emails).
- Website Improvements and Analytics: to analyze site usage (through Google Analytics) and improve our content and user experience[3].
- Legal Compliance: to comply with Singapore laws (e.g. keeping financial records for statutory periods[2]) and for tax, audit, or regulatory requirements.
- Legal Basis. Under PDPA, we rely on the following basis for processing:
- Consent: For marketing communications and newsletter, where you have opted in, and for any uses beyond the original purpose. You can withdraw consent at any time.
- Business Interest / Contractual Necessity: For delivering our services, fulfilling a contract or engagement (e.g. accounting), and compliance with law (e.g. IRAS requires 5-year retention of financial records[2]).
- Legitimate Interests: In keeping our site secure (e.g. fraud prevention) and improving our services with analytics[3].
- Cookies and Tracking. We use cookies and similar technologies. Some cookies are essential for site operation; others are for analytics or marketing. Cookies may collect personal data (e.g. IP address[3]). In line with PDPC guidance, cookies that collect personal data are subject to PDPA[3]. We deploy:
- Essential Cookies: to enable site functionality (no personal data beyond technical info).
- Analytics Cookies: (e.g. Google Analytics) to understand site usage. We use [Blocking opt-out or anonymization] for privacy. (See Google’s Privacy Policy.)
- Marketing Cookies: to personalize content and ads. These are not used without consent. You can manage cookie preferences via your browser settings.
Cookie Banner: On your first visit, a banner informs you of cookie use (e.g. “We use cookies to enhance your experience and for analytics/marketing. By continuing, you consent to our use of cookies as described in our Privacy Policy.”).
- Disclosure to Third Parties. We may share personal data with:
- Service Providers: Our IT/hosting providers, accountants, and external consultants under duty of confidentiality. For example, our analytics data is shared with Google (adhering to Google’s safeguards).
- WhatsApp: If you chat via WhatsApp, messages go to Meta’s servers (outside Singapore). We have ensured through our provider that Meta applies comparable protections[4].
- Email and Marketing Providers: If we use a third-party email marketing platform (e.g. Mailchimp), your contact info is stored under contractual safeguards.
- Regulatory Authorities: If required by law or government agencies (e.g. PDPC or IRAS requests). We do not sell personal data to third parties.
Under PDPA Section 26 (Transfer Limitation Obligation), any overseas data transfer (e.g. Google in the USA) will be subject to our due diligence to ensure the recipient provides PDPA-comparable protection[4].
- Data Security. We implement industry-standard safeguards (encryption, access controls, regular audits) to protect personal data from unauthorized access or breaches. We also have organizational controls (staff training, NDAs) to maintain confidentiality. In line with PDPA, we will notify affected individuals and PDPC of any data breach as required.
- Data Retention. We retain personal data no longer than necessary for the purposes collected. Specifically:
- Accounting/Financial Records: Kept for 5 years (as required by IRAS)[2].
- Contact/Inquiry Data: Retained for up to 2 years after last interaction.
- Newsletter Subscribers: Retained until you unsubscribe, plus 1 year for record-keeping.
- Job Applicant Data: Retained for 2 years after application or last contact. Once data is no longer needed for any valid purpose, we will securely delete or anonymize it[5].
|
Data Type |
Retention Period |
|
Accounting/financial records |
At least 5 years (per IRAS requirements)[2] |
|
Contact form inquiries |
2 years from last correspondence |
|
Newsletter subscription |
Until unsubscribed, plus 1 year |
|
Job applicant records |
2 years after application/last contact |
- Individual Rights. Under PDPA, you have the right to:
- Access: Request to know what personal data we hold about you, and request a copy[1].
- Correction: Request correction of inaccurate or incomplete data about you[1].
- Withdraw Consent: Where processing is by consent (e.g. marketing), you can withdraw consent at any time; we will cease the related processing.
- File a Complaint: If you believe we have breached PDPA, you may contact our Data Protection Officer or PDPC (contact details below). PDPA does not provide a general “right to erasure” of all data, but once the retention period expires or you withdraw consent, we will delete the data in line with our Retention Policy[5].
To exercise your rights, email enquiry@bshgroup.com.sg (Data Protection Officer).
- Marketing Communications. We will only send promotional emails to you if you have explicitly opted in (e.g. checked a newsletter box). Each marketing email will include an unsubscribe link. We comply with PDPC’s advisory guidance: we do not send unsolicited marketing messages without consent.
- Changes to Privacy Policy. We may update this policy to reflect changes in law or our practices. The revised policy will have a new “Effective Date.” We encourage you to review this page periodically. Continued use of our site implies acceptance of any changes.
- Governing Law and Contact. This Privacy Policy is governed by Singapore law. For questions or complaints about privacy, contact us at:
Data Protection Officer
BSH Group of Companies
180B Bencoolen St, #12-05, The Bencoolen, Singapore 189648
Email: enquiry@bshgroup.com.sg
PDPC: For unresolved disputes, you may also contact the Personal Data Protection Commission (www.pdpc.gov.sg).
Implementation Checklist
- Publish Documents: Post the new Terms and Conditions and Privacy Policy at permanent URLs (linked from footer) for all website pages.
- Footer Links: Ensure visible “Terms and Conditions” and “Privacy Policy” links in the site footer (as already indicated).
- Cookie Consent Banner: Install a cookie banner on the website with the provided boilerplate text linking to the Privacy Policy.
- Data Processing Procedures: Set up processes for handling data subject requests (access/correction), withdrawal of consent, and data breaches, as required by PDPA[1][5].
- Contact Details: Ensure the Data Protection Officer or contact person’s email (enquiry@bshgroup.com.sg) is current on the site and in policies.
- Review Third-Party Contracts: Confirm that any third-party service providers (e.g. analytics, email marketing, cloud hosting) have PDPA-compliant terms (Transfer Limitation Obligation).
- Staff Training: Inform relevant staff about the new policies, data handling procedures, and PDPA obligations.
- Cookie Settings: Configure analytics and marketing tools to anonymize data (where possible) and respect opt-outs.