Privacy policy

Last Updated: December 17, 2024

1. Legal Framework and Scope

1.1 Regulatory Compliance

This Privacy Policy is designed to comply with the Personal Data Protection Act 2012 (PDPA) of Singapore, and other applicable data protection laws. The comprehensive legal framework ensures that our data processing practices meet the highest standards of user privacy and data protection in Singapore.

1.2 Policy Applicability

This policy comprehensively governs all data processing activities for SQ's coworking space services. Its provisions are equally applicable to website visitors, members, day pass users, event attendees, potential customers, and all individuals engaging with our space and services through various interaction channels. The policy establishes a uniform approach to data handling and protection for all user categories.

2. Data Collection Principles

2.1 Lawful Basis for Processing

We maintain a strict and transparent approach to personal data processing. Our data collection is exclusively permitted when users provide explicit consent, when processing is necessary for contract performance, to ensure compliance with legal obligations, to protect vital interests, or to pursue legitimate business interests. Each data processing activity is carefully evaluated against these stringent criteria.

2.2 Collected Personal Information

Our data collection philosophy prioritizes minimal and necessary information gathering. We collect:

  • Identification data including full name, email address, phone number, and contact information

  • Account-related data encompassing membership type, company name, and visit preferences

  • Transactional data including payment information, booking history, and invoice details

  • Visit data including access logs, space usage, and check-in/check-out times

  • Communication data from inquiries, feedback, and customer support interactions

3. Data Collection Mechanisms

3.1 Direct Collection Methods

Direct data collection occurs through:

  • Membership registration and booking forms

  • Event registration processes

  • Payment processing systems

  • Direct communications via email, phone, or in-person interactions

  • Visitor check-in systems and access control

Each collection point is designed to be transparent and user-centric, ensuring clear consent and understanding.

3.2 Automated Collection Technologies

Google Analytics We use Google Analytics for comprehensive visitor statistics collection and analysis. Google uses this information to evaluate website usage, compile detailed reports on website activity for our team, and provide additional services related to website activity and internet usage. This allows us to understand user interactions and continuously improve our platform.

Microsoft Clarity We partner with Microsoft Clarity to capture nuanced insights into how users interact with our website. Through behavioral metrics, heatmaps, and session replay technologies, we gain valuable understanding of user experiences. Website usage data is captured using first and third-party cookies and advanced tracking technologies to determine content popularity and online activity patterns. Users can find detailed information about data collection and usage in the Microsoft Privacy Statement.

Facebook Pixel We utilize Facebook Pixel to measure the effectiveness of our marketing campaigns and deliver more relevant advertisements to potential members. This technology allows us to track conversions, optimize ads, and build targeted audiences for future campaigns. Users can control their Facebook advertising preferences through their Facebook account settings.

Our usage of these analytics technologies serves multiple purposes: site optimization, security and fraud prevention, strategic marketing, and improving our coworking space experience.

4. Purpose of Data Processing

4.1 Primary Purposes

Our data processing activities are fundamentally oriented towards:

  • Service delivery including space bookings, access management, and amenity provision

  • Membership management for account administration and member benefits

  • Payment processing for memberships, bookings, and additional services

  • Customer support to address inquiries and resolve issues

  • Community building through events, networking, and member communications

  • Facility management to maintain security and optimize space usage

Each data point serves a specific, user-centric objective designed to enhance your coworking experience.

4.2 Secondary Purposes

Secondary data processing objectives include:

  • Personalization of member experiences and service recommendations

  • Performance optimization of our space and operational efficiency

  • Marketing communications about upcoming events, promotions, and community updates

  • Analysis of space utilization patterns to improve our offerings

All secondary purposes are conducted with explicit user consent and provide clear opt-out mechanisms.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share collected data with carefully selected third-party service providers who are essential to our operational infrastructure. These providers include:

  • Payment processors for secure transaction handling

  • Analytics platforms (Google Analytics, Microsoft Clarity) for website optimization

  • Marketing platforms (Facebook) for targeted advertising

  • Cloud service providers for secure data storage

  • Access control systems for facility security

  • Accounting and legal service providers for compliance and financial management

Each third-party provider is rigorously vetted to ensure they maintain equivalent data protection standards and operate under strict confidentiality agreements. Our data sharing practices are governed by the principle of minimal disclosure, ensuring that only information absolutely necessary for specific service delivery is transmitted.

5.2 Legal Disclosure

In certain circumstances, we may be required to disclose personal information in response to legitimate legal requests. These circumstances are strictly limited and include situations where disclosure is necessary to:

  • Comply with valid legal processes or government requests

  • Protect our legal rights and enforce our terms of service

  • Prevent fraudulent activities or security threats

  • Respond to compelling requests from law enforcement or regulatory authorities

When such disclosures become unavoidable, we are committed to transparency and will make every reasonable effort to notify affected users, unless prohibited by law or where notification would compromise an ongoing legal investigation.

6. User Rights and Controls

6.1 Data Subject Rights

We recognize and fully support the fundamental rights of individuals concerning their personal data under the PDPA. Users are empowered with comprehensive controls over their personal information, including:

  • Access: The right to access personal data maintained by our systems, enabling users to review and verify the information we collect. Users can request comprehensive reports detailing their stored personal information.

  • Correction: The ability to request correction of any inaccurate or incomplete personal data, ensuring the integrity and accuracy of their information.

  • Deletion: A straightforward mechanism to request complete data deletion, allowing users to remove their personal information from our systems under specified conditions.

  • Withdrawal of Consent: A simple mechanism to withdraw consent for data processing at any time, with immediate effect on future data handling practices.

  • Restriction: The option to restrict specific data processing activities, giving users granular control over how their information is utilized.

  • Objection: A clear process to object to certain types of data processing, particularly in scenarios involving direct marketing.

6.2 Consent Management

Our consent management approach is designed to be transparent, granular, and user-centric. We provide unbundled consent mechanisms that allow users to make informed, specific choices about their data. Consent is never assumed but explicitly obtained through clear, affirmative actions.

Users can easily opt out of:

  • Marketing communications through unsubscribe links in emails

  • Analytics tracking through browser settings or opt-out tools

  • Facebook Pixel tracking through Facebook advertising preferences

  • Event notifications and community updates through account settings

The consent withdrawal process is straightforward and immediate, ensuring users can modify their privacy preferences with minimal friction.

7. Data Retention and Deletion

7.1 Retention Periods

We maintain precise data retention policies aligned with legal requirements and operational necessities:

  • Active membership data is retained for the duration of membership and for 12 months after termination for service continuity and support purposes

  • Transactional records are preserved for seven years to meet financial compliance and auditing requirements under Singapore law

  • Usage logs and access records are maintained for 12 months for security and operational analysis

  • Marketing-related data is retained only until explicit consent is withdrawn

  • CCTV footage (if applicable) is retained for 30 days for security purposes

7.2 Deletion Procedures

Our data deletion processes are comprehensive and permanent:

  • Users can initiate deletion requests by contacting our Data Protection Officer

  • Automated deletion mechanisms ensure removal of personal data upon request or account termination

  • We provide clear confirmation of deletion, including documentation of the data removal process

  • Certain data may be retained for legal compliance purposes even after deletion requests

8. Security Measures

8.1 Technical Protections

Our technical security infrastructure provides comprehensive protection for user data through multiple sophisticated layers of defense:

  • Encryption: End-to-end encryption protocols secure data transmission across all system interactions. All data exchanges are conducted through TLS (Transport Layer Security) protocols.

  • Security Audits: Regular security assessments are conducted to identify and address potential vulnerabilities in our digital infrastructure.

  • Access Control: Multi-factor authentication, role-based access restrictions, and continuous monitoring systems protect against unauthorized access.

  • Secure Storage: Data is stored on secure servers with regular backups and disaster recovery protocols.

  • Physical Security: Our facility implements security measures including access control systems, surveillance (if applicable), and visitor management protocols.

8.2 Organizational Safeguards

Beyond technical measures, we maintain robust organizational protections:

  • A designated Data Protection Officer oversees all privacy and security initiatives

  • Mandatory staff training programs ensure team members understand data protection responsibilities

  • Vendor risk assessment processes ensure third-party providers meet our security standards

  • A formally documented incident response plan enables rapid action in the event of a security incident

9. International Data Transfers

As SQ operates exclusively in Singapore and serves customers within Singapore, we do not routinely transfer personal data outside of Singapore. In exceptional circumstances where international data transfer becomes necessary (such as cloud service providers with international infrastructure), we ensure:

  • Adequate protection measures are in place

  • Compliance with PDPA requirements for cross-border data transfer

  • Users are informed of such transfers where applicable

10. Children's Privacy

Our coworking space services are designed for professionals and adults aged 18 and above. We do not knowingly collect personal information from individuals under 18 years of age. In the unexpected event that we discover any personal information has been collected from a minor, we will implement immediate and permanent deletion procedures.

Parents and guardians are encouraged to monitor their children's online interactions and report any concerns directly to our Data Protection Officer.

11. Data Breach Protocol

11.1 Notification Procedures

In the unlikely event of a data breach, we are committed to immediate, transparent, and comprehensive communication:

  • User Notification: Affected users will be notified promptly through multiple communication channels, providing clear information about the nature and potential impact of the breach.

  • Regulatory Reporting: The Personal Data Protection Commission (PDPC) will be notified in accordance with PDPA requirements.

  • Detailed Communication: Our notification will include specific details about the breach, potential consequences, and the precise steps we are taking to mitigate risks.

  • Remediation Plan: A comprehensive remediation plan will be immediately implemented, focusing on preventing future occurrences and protecting user interests.

12. Cookies and Tracking Technologies

12.1 Cookie Usage

Our website uses cookies and similar tracking technologies to enhance user experience and gather analytics data. Types of cookies we use include:

  • Essential Cookies: Necessary for website functionality and security

  • Analytics Cookies: Used by Google Analytics and Microsoft Clarity to understand website usage

  • Marketing Cookies: Used by Facebook Pixel to deliver relevant advertisements

12.2 Cookie Management

Users can control cookie preferences through:

  • Browser settings to block or delete cookies

  • Opt-out tools provided by Google, Microsoft, and Facebook

  • Our cookie consent banner when first visiting the website

Disabling certain cookies may affect website functionality and user experience.

13. Changes to Privacy Policy

We are committed to maintaining a dynamic and responsive privacy policy. We conduct regular reviews to ensure our policy reflects current technological landscapes and regulatory environments.

Users will receive notification at least 30 days prior to any significant policy changes through:

  • Email notification to registered members

  • Prominent notice on our website

  • In-space notifications at our facility

Continued use of our services following policy updates implies acceptance of the new terms. Users who do not agree with updated terms may terminate their relationship with SQ.

14. Marketing Communications

14.1 Consent for Marketing

We will only send marketing communications to individuals who have provided explicit consent. Marketing communications may include:

  • Newsletters about community updates and events

  • Promotional offers for memberships and services

  • Invitations to networking events and workshops

  • Updates about new amenities and features

14.2 Opt-Out Options

Users can opt out of marketing communications at any time through:

  • Unsubscribe links in every marketing email

  • Updating preferences in their account settings

  • Contacting our team directly

  • Replying "STOP" to SMS messages (if applicable)

Opting out of marketing communications will not affect essential service communications related to bookings, payments, or account management.

15. Contact and Inquiries

Data Protection Officer

For any questions, concerns, or requests regarding your personal data, please contact us at:

Email: privacy@sq.com

Phone: [Insert Phone Number]

Postal Address: [Insert Singapore Address]

We are committed to responding to all privacy-related inquiries within 30 days.