Personal Data Protection Policy

Virtue Medical Pte. Ltd.
Last Updated: 15 Dec 2025

The privacy of your personal data is important to us, and we are committed to protecting your information in compliance with the Personal Data Protection Act of Singapore (the "PDPA").

This Personal Data Protection Policy ("Policy") explains how Virtue Medical Pte. Ltd. ("Virtue Medical", "we", "us", or "our") collects, uses, discloses, and processes your personal data. This Policy applies to our patients, prospective patients, vendors, suppliers, partners, contractors, and service providers (collectively "you", "your" or "yours").

By using our services, you acknowledge that you have read and understood this Policy. Where required by law, we will obtain your specific consent for certain uses of your personal data as detailed below.


What is Personal Data?

Personal data means any information relating, directly or indirectly, to an identified or identifiable individual.

Depending on your interaction with us, the personal data we collect may include:

  • Personal identification information: Name, NRIC/FIN, date of birth, gender, contact details (address, phone number, email)
  • Health and medical information: Medical history, diagnoses, treatment records, prescriptions, laboratory results, allergies, immunisation records
  • Insurance information: Insurance provider details, policy numbers, claim information
  • Financial information: Payment details, billing records
  • Employment information: Employer details, occupation (where relevant for medical purposes)
  • Other information: Appointment records, photographs or videos (for medical documentation), CCTV footage from our premises

When you provide us with personal data relating to a third party (such as family members, dependents, or emergency contacts), you represent and warrant that you have obtained all necessary consents from such third parties for us to collect, use, and disclose their personal data for the purposes outlined in this Policy, or that you have legal authority to provide such information on their behalf (e.g., as a parent or legal guardian).


Legal Basis for Processing Your Personal Data

We process your personal data under different legal bases depending on the purpose:

Contractual Necessity

When you engage us for medical services, we process your personal data as necessary to fulfill our contractual obligations to you, including:

  • Providing medical consultations, diagnoses, and treatments
  • Maintaining your medical records
  • Processing payments and billing
  • Managing appointments and clinic operations

Legal Obligations

We process your personal data to comply with legal and regulatory requirements, including:

  • Singapore Medical Council (SMC) regulations and ethical guidelines
  • Ministry of Health (MOH) requirements, including reporting of notifiable diseases
  • Tax and accounting regulations
  • Court orders and lawful requests from government authorities

Legitimate Interests

We process your personal data based on our legitimate interests in operating our clinic effectively and safely, including:

  • Appointment reminders and follow-up care communications
  • Quality improvement and staff training
  • Clinic security (CCTV surveillance)
  • Debt recovery and financial management
  • Protecting against fraud and ensuring clinic safety

Your Consent

For certain optional uses of your personal data, we will seek your specific consent, including:

  • Marketing communications (health tips, newsletters, promotional offers)
  • Sharing your information with third parties not directly involved in your care
  • Non-essential uses of your information
  • Processing of your Singapore telephone number for marketing purposes

You can withdraw your consent at any time for optional processing. However, this will not affect processing based on contractual necessity, legal obligations, or legitimate interests.

Note: Withdrawing consent for optional processing will not impact our ability to provide you with medical care based on the other legal bases listed above.


How We Collect Personal Data

We collect personal data from you in the following ways:

Directly from you:

  • When you register as a patient or create an account with us
  • During medical consultations, examinations, and treatments
  • When you complete medical forms, questionnaires, or consent forms
  • Through phone calls, emails, or messages with our staff
  • When you make appointments or enquiries
  • When you sign up for health screening packages, vaccination programmes, or other services
  • When you participate in our health programmes, workshops, or events
  • When you subscribe to our newsletters or promotional communications
  • When you visit our clinic and are captured on CCTV cameras (for security purposes). CCTV signage is displayed at our clinic entrance and in recording areas. Footage is retained for 30 days and accessed only for security, safety, and investigation purposes

Indirectly from third parties:

  • From healthcare providers (such as specialists, hospitals, or laboratories) with your consent
  • From insurance companies in connection with your medical claims
  • From your family members or authorised representatives acting on your behalf
  • From government agencies or regulatory bodies where required by law

How We Use Your Personal Data

We collect and use your personal data for the following purposes:

Medical Care and Treatment:

  • Providing medical consultations, diagnoses, treatments, and care
  • Maintaining accurate and up-to-date medical records
  • Prescribing and dispensing medications
  • Arranging referrals to specialists or other healthcare providers
  • Coordinating care with other healthcare professionals
  • Conducting follow-up care and health monitoring

Administrative Purposes:

  • Creating and maintaining patient records and accounts
  • Scheduling and managing appointments
  • Processing payments and billing
  • Managing insurance claims and verification
  • Handling enquiries, requests, and complaints
  • Conducting patient satisfaction surveys
  • Managing our clinic operations

Legal and Regulatory Compliance:

  • Complying with legal obligations under Singapore healthcare regulations
  • Responding to requests from government agencies or authorities
  • Reporting notifiable diseases to the Ministry of Health
  • Maintaining records as required by the Singapore Medical Council
  • Exercising or defending legal claims

Communication and Marketing:

  • Sending appointment reminders and follow-up communications
  • Providing health education and preventive care information
  • Informing you about new services, health programmes, or vaccination campaigns
  • Sending newsletters, health tips, and clinic updates (with your consent)
  • Conducting health awareness programmes

Quality Improvement:

  • Improving our medical services and patient care
  • Training our medical and administrative staff
  • Conducting audits and quality assurance activities
  • Analysing service utilisation and patient outcomes

Disclosure of Personal Data

We may share your personal data with:

  • Healthcare providers: Specialists, hospitals, laboratories, pharmacies, and other healthcare professionals involved in your care (with your consent)
  • Insurance companies: For processing medical claims and verification
  • Service providers: Third-party vendors who support our operations (such as IT services, billing services, medical waste disposal)
  • Government agencies: Ministry of Health, Singapore Medical Council, or other regulatory authorities as required by law
  • Legal and professional advisors: Lawyers, auditors, and consultants
  • Emergency contacts: Your designated family members or representatives in case of medical emergencies

We ensure that all third parties who receive your personal data are contractually obligated to protect your information and use it only for the specified purposes.


Marketing Communications

With your consent, we may contact you via phone calls, SMS, email, or postal mail to:

  • Inform you about health screening packages and vaccination programmes
  • Send you health tips, wellness articles, and preventive care reminders
  • Notify you about new services or special promotions
  • Invite you to health talks or community events

Do Not Call (DNC) Registry Compliance

Singapore Telephone Numbers: If you have registered your Singapore telephone number with the Do Not Call Registry, we will not send you marketing messages to that number unless:

  • You have given us clear and specific consent to receive marketing messages, OR
  • We are sending you messages related to an ongoing service relationship (such as appointment reminders or follow-up care), and you have not opted out

Even with an ongoing relationship, you can opt out of such messages at any time.

You can register your number with the DNC Registry at https://www.dnc.gov.sg or check your registration status on the same website.

How to Opt Out

You can opt out at any time by:

  • Clicking the "unsubscribe" link in our emails
  • Replying "STOP" to SMS messages
  • Contacting us (see contact details below)
  • Updating your preferences during your clinic visit

Please note that even if you opt out of marketing communications, we will still send you important service-related messages such as appointment reminders, prescription notifications, and essential health information required for your care. These are sent based on contractual necessity and our legitimate interests in providing you with medical services.


Cookies and Website Technologies

Our website may use cookies and similar technologies to:

  • Remember your preferences and settings
  • Analyse website traffic and usage patterns
  • Improve your browsing experience
  • Provide relevant content and advertisements

You can disable cookies through your browser settings, though this may affect certain website features. For more information, please refer to your browser's help documentation.


Security of Personal Data

Protecting your personal data is our priority. We implement appropriate security measures including:

  • Restricting access to personal data on a need-to-know basis
  • Using secure, password-protected systems for electronic records
  • Encrypting sensitive data during transmission
  • Maintaining physical security at our clinic premises
  • Training our staff on data protection obligations
  • Conducting regular security audits and updates
  • Secure disposal of physical and electronic records when no longer needed

Despite our safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security but will take all reasonable steps to protect your information.


Data Breach Notification

We have implemented procedures to detect, respond to, and notify affected parties in the event of a data breach involving your personal data.

What is a Data Breach?

A data breach occurs when there is unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or loss of storage medium containing personal data.

Our Response to Data Breaches

If we discover or are notified of a data breach, we will:

  • Immediate Assessment and Containment (within 24-72 hours)
    • Investigate the nature and scope of the breach
    • Take immediate steps to contain the breach and prevent further unauthorised access
    • Assess the likelihood and severity of harm to affected individuals
  • Notification to Personal Data Protection Commission (PDPC) (within 3 calendar days)
    • If the breach is assessed to be a notifiable data breach (i.e., it is likely to result in significant harm to affected individuals or is of a significant scale), we will notify the PDPC within 3 calendar days of assessment
    • We will provide details including the nature of the breach, estimated number of affected individuals, and remedial actions taken
  • Notification to Affected Individuals (as soon as practicable)
    • If the breach is likely to result in significant harm to you, we will notify you as soon as practicable
    • Our notification will include:
      • Description of the breach and data involved
      • Recommended steps you should take to protect yourself
      • Measures we are taking to address the breach
      • Contact information
  • Remedial Actions and Prevention
    • Implement corrective measures to address vulnerabilities
    • Review and strengthen our security practices
    • Conduct post-incident analysis to prevent recurrence
    • Provide support to affected individuals (such as credit monitoring if financial data was compromised)

What You Should Do

If you suspect that your personal data held by us has been compromised, please contact us immediately at hello@virtuemedical.com.sg.

If you are notified of a data breach, follow the recommended protective measures provided in our notification, which may include:

  • Changing passwords for any accounts
  • Monitoring your financial statements
  • Being alert to potential phishing attempts
  • Contacting your bank if financial information was involved

Retention of Personal Data

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy and as required by law.

  • Medical records: Retained in accordance with the Singapore Medical Council's Ethical Code and Ethical Guidelines (2016):
    • For adults: Minimum of 6 years from the date of last consultation or attendance
    • For minors: Minimum of 6 years after the patient reaches 21 years of age, or 6 years from the date of last consultation or attendance, whichever is later
    • For deceased patients: Minimum of 6 years from the date of death
  • Financial and accounting records: Retained for a minimum of 5 years in accordance with the Goods and Services Tax Act and Income Tax Act
  • CCTV footage: Retained for 30 days unless required for investigation purposes
  • Other records: Retained based on business and legal requirements, typically no longer than necessary for the stated purpose

When personal data is no longer needed, we will securely delete or destroy it in accordance with our data retention and disposal procedures.


Transfer of Data Outside Singapore

We generally store and process your personal data within Singapore. However, we may need to transfer your personal data to countries outside Singapore in certain circumstances, such as:

  • Accessing specialist medical opinions or consultations from overseas healthcare providers
  • Using cloud storage or IT service providers with servers located overseas
  • Processing insurance claims with international insurers
  • Participating in medical research or clinical studies with international partners

Legal Requirements for Overseas Transfers

In accordance with Section 26 of the PDPA, we will only transfer your personal data outside Singapore if:

  • The receiving country has comparable data protection laws: We have determined that the country provides a standard of protection to personal data that is at least comparable to the protection under Singapore's PDPA, OR
  • We have obtained your consent: We have informed you of the potential risks of the transfer and obtained your specific consent for the overseas transfer, OR
  • The transfer is necessary for performance of a contract: The transfer is necessary for the performance of a contract between you and us (such as emergency medical treatment requiring overseas consultation), OR
  • The transfer is in your interests: The transfer is for your benefit and it is not practicable to obtain your consent, OR
  • Contractual safeguards are in place: We have entered into a written contract with the overseas recipient requiring them to provide a standard of protection comparable to Singapore's PDPA

Our Commitment

Before transferring your personal data overseas, we will:

  • Conduct an adequacy assessment of the receiving country's data protection laws
  • Implement appropriate safeguards such as data protection clauses in our contracts with overseas recipients
  • Ensure the overseas recipient is contractually obligated to protect your personal data
  • Only transfer the minimum personal data necessary for the stated purpose

Your Rights and Choices

Under the PDPA, you have the right to:

Access Your Personal Data

You may request access to your personal data held by us. We will provide you with a copy of your records, subject to:

  • Verification of your identity (we may request your NRIC/FIN and other identifying information)
  • Payment of a reasonable administrative fee to cover our costs (currently capped at $50 for basic requests; we will inform you of the exact fee before processing your request)
  • Exceptions under the PDPA where we are not required to provide access (such as where disclosure would reveal confidential commercial information or threaten the safety or health of an individual)

We aim to provide access within 30 days of your request. For complex requests requiring retrieval of archived records, we may need additional time and will inform you accordingly.

Correct Your Personal Data

If you believe any personal data we hold about you is inaccurate or incomplete, please inform us immediately, and we will make the necessary corrections.

Withdraw Consent

You may withdraw your consent for us to collect, use, or disclose your personal data at any time by contacting us. Please note that withdrawing consent may:

  • Affect our ability to provide medical care or services to you
  • Result in us being unable to fulfill contractual obligations
  • Have legal or contractual consequences

We will inform you of the potential consequences before processing your withdrawal request.

Object to Processing

You may object to the processing of your personal data for direct marketing purposes at any time.


Children's Personal Data

We recognise that children require additional protection of their personal data.

Parental Consent

For individuals below the age of 18 ("minors"), we require parental or legal guardian consent before collecting, using, or disclosing their personal data, except where:

  • The processing is necessary for medical treatment and it is not practicable to obtain parental consent (e.g., emergency situations)
  • The processing is required or authorised by law
  • The minor has sufficient understanding and maturity to provide consent independently (assessed on a case-by-case basis)

Parents' and Guardians' Rights

If you are a parent or legal guardian, you have the right to:

  • Request access to your child's personal data
  • Request correction of your child's personal data
  • Withdraw consent for the collection, use, or disclosure of your child's personal data (subject to legal and contractual limitations)

Medical Records Retention for Minors

Medical records for minors are retained for a minimum of 6 years after the patient reaches 21 years of age, or 6 years from the date of last consultation or attendance, whichever is later, in accordance with Singapore Medical Council guidelines.

Educational Programmes and Marketing

We will not send marketing communications directly to minors without explicit parental consent. Health education materials and vaccination reminders may be sent to parents/guardians for the benefit of the child.


How to Contact Us

To exercise your rights or for any questions about this Policy, please contact:
Virtue Medical Pte. Ltd.
138 Robinson Road, Oxley Tower #18-04, Singapore 068906
Email: hello@virtuemedical.com.sg
Website: https://www.virtuemedical.com.sg/

When making a request, please provide:

  • Your full name and contact details
  • NRIC/FIN number (for verification)
  • Description of your request
  • Relevant dates or timeframes (for access requests)
  • Supporting documents (for correction requests)

We will respond to your request within 30 days. If we need more time, we will inform you of the extended timeline.


Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

  • Posting the updated Policy on our website
  • Displaying notices at our clinic
  • Sending you direct communications (where appropriate)

The updated Policy will be effective from the date stated at the top of this document. We encourage you to review this Policy periodically.


Questions or Concerns

Your Responsibility for Accuracy

You are responsible for ensuring that all personal data you provide to us is accurate, complete, and up-to-date. Please notify us promptly of any changes to your personal data (such as change of address, contact number, insurance details, or medical history) so that we can update our records accordingly.

Providing inaccurate or incomplete information may affect our ability to provide you with appropriate medical care and services.

Concerns About Data Protection

If you have any concerns about how we handle your personal data or believe your privacy has been compromised, please contact us immediately. We are committed to investigating and resolving any issues promptly.

Complaints to the Personal Data Protection Commission

If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC):

Personal Data Protection Commission
10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
Email: info@pdpc.gov.sg
Website: https://www.pdpc.gov.sg

The PDPC will review your complaint and may investigate if there are reasonable grounds to believe that the PDPA has been contravened.


Governing Law

This Policy is governed by the laws of Singapore, and you agree to submit to the exclusive jurisdiction of the Singapore courts.