Stoneleaf is committed to handling the personal data of its participants, enquirers, and website visitors with care and transparency. This policy explains what data we collect, how we use it, and the rights you have under Singapore's Personal Data Protection Act 2012 (PDPA).

If you have questions about this policy or how your data is handled, please contact us at [email protected].

1. Who We Are

Stoneleaf is a financial education provider based in Singapore. Our registered address is 77 Robinson Road, #13-00, Singapore 068896. We are the data controller for personal data collected through our website and programmes.

2. What Data We Collect

We collect personal data in the following ways:

• Enquiry and contact forms: name, email address, and phone number (optional), along with any message content you provide.
• Programme enrolment: name, email address, contact number, and any relevant background information you choose to share.
• Website analytics: anonymous usage data including pages visited, session duration, and browser type. This data is not linked to identifiable individuals without consent.
• Cookies: see our Cookie Policy for details on how cookies are used on this website.

We do not collect sensitive personal data (as defined under the PDPA) unless it is specifically relevant to a programme and you have provided explicit consent.

3. How We Use Your Data

Personal data is used for the following purposes:

• Responding to enquiries and providing information about our programmes
• Processing enrolments and administering programme delivery
• Sending communications relevant to the programme you are enrolled in
• Improving our programmes and website based on aggregated, anonymised feedback
• Complying with legal obligations under Singapore law

We will not use your personal data for direct marketing unless you have specifically opted in to receive such communications. We do not sell, rent, or share personal data with third parties for commercial purposes.

4. Legal Basis for Processing

Under the PDPA, we process personal data based on the following grounds:

• Consent: where you have provided your data voluntarily through a form or enrolment process
• Contractual necessity: where processing is needed to deliver the programme you have enrolled in
• Legitimate interests: for operational purposes such as programme administration and improving service quality
• Legal obligation: where we are required to retain data by law

5. Data Retention

We retain personal data for as long as it is necessary for the purpose for which it was collected, or as required by Singapore law. Typically:

• Enquiry data: 12 months from date of enquiry
• Programme participant records: 5 years from programme completion
• Financial and transactional records: 7 years in accordance with Singapore's Companies Act

After these periods, data is securely deleted or anonymised.

6. Data Protection

We take reasonable technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• Secure, encrypted storage of electronic records
• Restricted access limited to staff who need the data to perform their role
• Regular review of our data handling practices

In the event of a data breach that is likely to cause significant harm, we will notify the Personal Data Protection Commission (PDPC) and affected individuals in accordance with the PDPA's mandatory breach notification requirements.

7. Cookies

Our website uses cookies to support basic functionality and, with your consent, to collect anonymised analytics data. For full details of the cookies used and how to manage your preferences, please see our Cookie Policy.

8. Third-Party Services

We may use third-party services to support website operation and programme delivery, including analytics tools and email service providers. These parties are required to handle personal data in compliance with the PDPA and may not use it for their own purposes. Our website may contain links to external sites; we are not responsible for the privacy practices of those sites.

9. Your Rights

Under the PDPA, you have the right to:

• Access the personal data we hold about you
• Correct any inaccuracies in your personal data
• Withdraw consent to processing, where consent was the basis for collection
• Request deletion of data we no longer need for the stated purpose, subject to legal retention requirements
• Raise a complaint with the Personal Data Protection Commission (PDPC) if you believe your rights have been infringed

To exercise any of these rights, please write to us at [email protected]. We will respond within 30 days.

10. Children's Privacy

Our programmes and website are designed for adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will take steps to remove it.

11. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this page indicates when it was last revised. Continued use of our services following any update constitutes acceptance of the revised policy.

12. Contact Us

For any questions or requests relating to this privacy policy or the handling of your personal data, please contact: