1. Data Controller
The data controller responsible for the processing of your personal data under this Policy is:
MOVO-X Pte. Ltd.
Operating as: MOVO-X Singapore
Website: singapore.movo-x.com
2. Governing Law
This Privacy Policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore, administered by the Personal Data Protection Commission (PDPC). We comply with all obligations under the PDPA including consent, notification, access, correction, data portability, and data breach notification obligations.
3. Data We Collect
MOVO-X collects the following categories of data when you use our clinic kiosk, web application, or related services:
- •Clinic administrator information: name, email, phone, role
- •NRIC reference: encrypted reference (not stored in plain text) used for patient identity matching during check-in
- •Queue metadata: check-in timestamp, service type, queue position, wait time, department
- •Appointment timestamps: scheduled and actual appointment times
- •Payment records: transaction amount, payment method, MediSave/CHAS reference numbers — processed via PCI DSS compliant payment processor
- •Contact information: mobile number for WhatsApp/SMS queue notifications
- •PDPA consent records: timestamp and version of consent captured at first visit
Note: MOVO-X does not store clinical records, diagnoses, prescriptions, or medical history. Clinical data remains in the facility's own EMR/HIS system.
4. Purpose of Collection
We collect personal data for the following purposes, each of which you consent to at point of first use:
- ✓Patient queue management and check-in processing
- ✓WhatsApp/SMS queue call-up notifications
- ✓Payment processing and receipt generation
- ✓NEHR read access (Enterprise tier — separate consent required)
- ✓HealthHub appointment synchronisation
- ✓PDPA SG compliance record-keeping
- ✓Service improvement and analytics (anonymised and aggregated)
5. Data Residency
All personal data collected by MOVO-X Singapore is stored exclusively in Supabase Singapore (AWS ap-southeast-1). No personal data is transferred outside Singapore. Backups are retained within the Singapore region only.
6. Data Retention
Queue and check-in records3 years
Payment transaction records5 years (MAS TRM + IRAS)
Audit logs5 years (MAS TRM + PDPA SG)
PDPA consent records7 years
NRIC references (hashed)Duration of patient relationship + 1 year
7. Data Breach Notification
In the event of a notifiable data breach under the PDPA SG, we will:
- 1.Notify the PDPC within 3 calendar days of determining the breach is notifiable
- 2.Notify affected individuals within 72 hours of PDPC notification (or earlier if practicable)
- 3.Provide a breach summary including affected data categories, likely consequences, and remediation steps
8. Your Rights (PDPA SG)
Under the PDPA Singapore 2012, you have the right to:
- •Access: request a copy of personal data we hold about you
- •Correction: request correction of inaccurate or incomplete data
- •Withdrawal of consent: withdraw consent for non-essential data processing
- •Data portability: receive your data in a machine-readable format
To exercise any of these rights, contact our DPO at dpo.sg@movo-x.com. We will respond within 30 days.
9. Cookies & Tracking
singapore.movo-x.com uses only essential cookies for session management (httpOnly, sameSite=lax). No third-party tracking cookies are deployed. Analytics are anonymised and aggregated.
10. Changes to this Policy
Material changes to this Privacy Policy will be communicated to clinic administrators by email at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact
Questions about this Privacy Policy or our data handling practices: