PDPA Singapore 2012

Privacy Policy

Effective: 1 January 2026 · Governing law: Singapore PDPA 2012

1. Data Controller

The data controller responsible for the processing of your personal data under this Policy is:

MOVO-X Pte. Ltd.
Operating as: MOVO-X Singapore
Website: singapore.movo-x.com
Data Protection Officer: dpo.sg@movo-x.com

2. Governing Law

This Privacy Policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore, administered by the Personal Data Protection Commission (PDPC). We comply with all obligations under the PDPA including consent, notification, access, correction, data portability, and data breach notification obligations.

3. Data We Collect

MOVO-X collects the following categories of data when you use our clinic kiosk, web application, or related services:

  • Clinic administrator information: name, email, phone, role
  • NRIC reference: encrypted reference (not stored in plain text) used for patient identity matching during check-in
  • Queue metadata: check-in timestamp, service type, queue position, wait time, department
  • Appointment timestamps: scheduled and actual appointment times
  • Payment records: transaction amount, payment method, MediSave/CHAS reference numbers — processed via PCI DSS compliant payment processor
  • Contact information: mobile number for WhatsApp/SMS queue notifications
  • PDPA consent records: timestamp and version of consent captured at first visit

Note: MOVO-X does not store clinical records, diagnoses, prescriptions, or medical history. Clinical data remains in the facility's own EMR/HIS system.

4. Purpose of Collection

We collect personal data for the following purposes, each of which you consent to at point of first use:

  • Patient queue management and check-in processing
  • WhatsApp/SMS queue call-up notifications
  • Payment processing and receipt generation
  • NEHR read access (Enterprise tier — separate consent required)
  • HealthHub appointment synchronisation
  • PDPA SG compliance record-keeping
  • Service improvement and analytics (anonymised and aggregated)

5. Data Residency

All personal data collected by MOVO-X Singapore is stored exclusively in Supabase Singapore (AWS ap-southeast-1). No personal data is transferred outside Singapore. Backups are retained within the Singapore region only.

6. Data Retention

Queue and check-in records3 years
Payment transaction records5 years (MAS TRM + IRAS)
Audit logs5 years (MAS TRM + PDPA SG)
PDPA consent records7 years
NRIC references (hashed)Duration of patient relationship + 1 year

7. Data Breach Notification

In the event of a notifiable data breach under the PDPA SG, we will:

  • 1.Notify the PDPC within 3 calendar days of determining the breach is notifiable
  • 2.Notify affected individuals within 72 hours of PDPC notification (or earlier if practicable)
  • 3.Provide a breach summary including affected data categories, likely consequences, and remediation steps

8. Your Rights (PDPA SG)

Under the PDPA Singapore 2012, you have the right to:

  • Access: request a copy of personal data we hold about you
  • Correction: request correction of inaccurate or incomplete data
  • Withdrawal of consent: withdraw consent for non-essential data processing
  • Data portability: receive your data in a machine-readable format

To exercise any of these rights, contact our DPO at dpo.sg@movo-x.com. We will respond within 30 days.

9. Cookies & Tracking

singapore.movo-x.com uses only essential cookies for session management (httpOnly, sameSite=lax). No third-party tracking cookies are deployed. Analytics are anonymised and aggregated.

10. Changes to this Policy

Material changes to this Privacy Policy will be communicated to clinic administrators by email at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

Questions about this Privacy Policy or our data handling practices: