Privacy & Cookie Policy

Effective date: 6 October 2025

1) Who we are

Soma Works (UEN: [UEN]), registered at [Address, Singapore/Registered Address] ("we", "us", or "our"), operates [Website URL] and related services (the "Services"). We are responsible for the collection, use and disclosure of personal data under Singapore’s Personal Data Protection Act 2012 (the PDPA).

We have appointed a Data Protection Officer (DPO):

  • Name: [DPO Name]
  • Email: [DPO Email]
  • Postal Address: [DPO Postal Address]

2) Scope

This policy explains how we handle personal data when you use our website, mobile site and any online products that link to this policy. It also describes our use of cookies and similar technologies.

3) Personal data we collect

We collect the following categories of personal data, depending on how you interact with us:

  • Identifiers & contact details: name, email address, phone number, postal address, account identifiers.
  • Transactional & usage data: pages viewed, actions taken, timestamps, referring/exit pages.
  • Device & technical data: IP address, device type, operating system, browser type, approximate location (e.g., city-level), unique identifiers, and cookie IDs.
  • Communications & support: content of enquiries, chat transcripts, feedback forms.
  • Marketing preferences: newsletter and notification settings, opt-in/opt-out status.
  • Third‑party data: where permitted, we may receive information from service providers (e.g., analytics, payment processors) or business partners.

4) How we use personal data (purposes)

We collect, use and disclose personal data for the following purposes:

  • Service delivery: providing and operating the website, enabling features, processing transactions.
  • Account & support: creating and managing accounts, responding to enquiries, providing troubleshooting.
  • Security & fraud prevention: detecting, investigating and preventing malicious or illegal activities, and enforcing our terms.
  • Analytics & improvements: measuring performance, understanding usage, and improving our Services.
  • Marketing & promotions: sending updates or offers by email/SMS/phone (with required consents); personalising content and ads.
  • Compliance: meeting legal, regulatory and audit obligations, and responding to lawful requests.

5) Marketing and the Do Not Call (DNC) provisions

If we send marketing messages (SMS, MMS, WhatsApp, calls, or fax) to Singapore telephone numbers, we will comply with the PDPA’s Do Not Call provisions. This includes screening numbers against the DNC Registry and/or obtaining clear and unambiguous consent. You can withdraw consent or opt out of marketing at any time via the instructions in our messages or by contacting our DPO (see Section 14).

6) Cookies and similar technologies

We use cookies, web beacons, pixel tags, SDKs and local storage to run the site and understand how it is used. Cookies are small files placed on your device. We classify our cookies as:

  • Strictly necessary: required for core site functionality (e.g., session management, security). These cannot be switched off in our systems.
  • Performance/analytics: help us measure traffic and improve performance (e.g., page load metrics, popular pages).
  • Functional: remember choices (e.g., language, region) and provide enhanced features.
  • Advertising/targeting: deliver and measure ads, and build audiences. These may be set by us or our advertising partners.

Your choices

  • Cookie banner & preferences: On your first visit (and periodically thereafter), we show a banner that lets you accept all, reject non‑essential, or manage granular preferences. You can change your choices anytime at [Link/Button: “Cookie Settings”].
  • Browser settings: You may block or delete cookies via your browser or device settings. If you block strictly necessary cookies, parts of the site may not work.
  • Mobile SDKs: To limit ad tracking on mobile, adjust device settings (e.g., "Limit Ad Tracking" on iOS or "Opt out of Ads Personalization" on Android).

We only place non‑essential cookies (e.g., analytics/advertising) after you have provided consent via the banner or your browser/device settings, where applicable.

7) Our basis for handling personal data under the PDPA

We rely on one or more of the following:

  • Consent: You have been notified of the purposes and you consented.
  • Deemed consent: Where collection/use/disclosure is reasonably necessary to provide a requested product/service or to conclude/perform a contract with you; or where you have been notified and given a reasonable opportunity to opt out (deemed consent by notification), where appropriate.
  • PDPA exceptions: For example, where necessary for legitimate interests (after assessing and mitigating any likely adverse effects), to prevent or detect fraud, to ensure network or information security, for business improvement, or for research where conditions are met.

8) Cross‑border transfers

If we transfer personal data outside Singapore, we will ensure the receiving organisation provides a standard of protection comparable to the PDPA, by using appropriate contractual safeguards or other legally permitted mechanisms.

9) Disclosure to third parties

We share personal data with:

  • Service providers/Processors: hosting, storage, analytics, security, customer support, email/SMS delivery, payment processing, ad tech partners.
  • Business partners: where you use co‑branded services or participate in joint promotions.
  • Authorities or legal recipients: where required by law, regulation or court order, or to protect our legal rights or those of others.
  • Corporate transactions: in connection with a merger, acquisition, financing or sale of assets, subject to appropriate confidentiality and data protection safeguards.

We do not sell personal data.

10) Data retention

We retain personal data only for so long as is reasonably necessary for the purposes stated above or to satisfy legal and business requirements (e.g., record‑keeping). We will securely delete or anonymise data when it is no longer needed.

11) Security

We implement administrative, technical and physical safeguards appropriate to the nature of the personal data we handle. These include access controls, encryption in transit and at rest where appropriate, secure software development practices, and vendor due diligence.

12) Your rights and choices

Under the PDPA, you may:

  • Access your personal data in our possession or control and information about how it has been used or disclosed in the past year.
  • Request correction of errors or omissions in your personal data.
  • Withdraw consent to our use or disclosure of your personal data for any purpose.

To exercise your rights, contact our DPO (Section 14). We may need to verify your identity and may charge a reasonable fee for processing access requests where permitted.

13) Data breaches

We assess suspected data breaches and, where required, notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as practicable. Our notifications will describe the breach, what we are doing about it, and steps you can take to protect yourself.

14) Contacting our DPO

For any request, concern or complaint about how we handle your personal data, please contact:

Data Protection Officer
[Company Name]
Email: [DPO Email]
Address: [DPO Postal Address]

We will respond within a reasonable time. If you are not satisfied with our response, you may also contact the PDPC.

15) Third‑party sites and services

Our Services may contain links to third‑party websites, plug‑ins or applications. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data.

16) Children

Our Services are [not intended for children under 13 / insert age policy]. If you are a parent or guardian and believe your child has provided personal data, please contact us to request deletion.

17) Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you via the website or by other appropriate means. Your continued use of the Services after the effective date means you acknowledge the updated policy.

Cookie Details (example)

Replace with your actual vendors and durations, or link to a cookie list generated by your CMP.

| Category | Example Provider | Purpose | Cookie Name(s) | Duration |
|---|---|---|---|---|
| Strictly Necessary | [First‑party] | Session management, load balancing | [session_id] | Session |
| Performance/Analytics | [e.g., Google Analytics 4] | Measure site usage and performance | _ga, _ga_* | 1–24 months |
| Functional | [e.g., Intercom/Helpdesk] | Remember chat state and user preferences | [intercom-*] | Up to 12 months |
| Advertising/Targeting | [e.g., Meta/Google Ads] | Deliver and measure personalised ads | _fbp, IDE | 3–24 months |

How to manage cookies: Use [Cookie Settings] or adjust your browser settings to block or delete cookies. Mobile users can limit ad tracking in device settings.