Privacy Policy

1. Introduction

Halcyon ("we", "us", "our") is committed to handling personal data responsibly and in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore. This Privacy Policy explains how we collect, use, disclose and protect personal data obtained through our website and through our consulting engagements.

If you have questions about this policy or about how we handle your data, please contact us at [email protected].

2. Data We Collect

We collect personal data in the following ways:

• Contact form submissions: name, email address, phone number (optional) and any information included in the message field.
• Engagement delivery: during readiness assessments, we conduct stakeholder interviews. Names and roles of interviewees are collected with the knowledge of the engagement sponsor. Specific quotes may be attributed to roles rather than individuals in the written deliverable, depending on the scope agreed.
• Website analytics: if cookies are accepted, standard analytics data including page views, session duration and referral sources. See our Cookie Policy for details.
• Email correspondence: data contained in emails sent to us directly.

3. How We Use Personal Data

Personal data is used for the following purposes:

• Responding to enquiries submitted through the contact form
• Delivering the specific consulting service engaged
• Invoicing and payment administration
• Maintaining engagement records for quality review purposes
• Improving our website and services based on aggregated analytics

We do not use personal data for marketing without explicit consent, and we do not sell personal data to third parties under any circumstances.

4. Legal Basis for Processing

We process personal data on the following bases under the PDPA:

• Consent: where you have submitted a contact form or agreed to cookie use
• Contractual necessity: where data is required to deliver an engagement you have engaged us to perform
• Legitimate interests: for internal quality review and record-keeping purposes

5. Data Retention

Personal data is retained for the following periods:

• Contact form enquiries that do not lead to an engagement: deleted after 12 months
• Engagement records (scope outlines, deliverables, correspondence): retained for 5 years from engagement close, then securely deleted
• Financial records: retained for 7 years in accordance with Singapore accounting and tax requirements
• Analytics data: aggregated and anonymised after 26 months in line with our analytics provider's standard retention policy

6. Third-Party Services

We use a limited number of third-party services that may process personal data on our behalf:

• Website analytics: a third-party analytics provider to understand how the site is used. This is only active if analytics cookies are accepted.
• Email service provider: for email delivery and management. Emails sent to our address are processed through our hosted email service.
• Cloud storage: engagement documents are stored in a cloud environment with access restricted to the engagement team.

We do not use advertising networks, social media tracking pixels or any third-party services that collect data for profiling purposes.

7. Cookies

We use cookies on this website. Please refer to our Cookie Policy for a full explanation of what cookies we use, their purpose and how to manage your preferences.

8. Your Rights

Under the PDPA, you have the right to:

• Request access to personal data we hold about you
• Request correction of inaccurate personal data
• Withdraw consent to data processing (where consent is the basis for processing)
• Request that we cease processing your data for certain purposes

To exercise any of these rights, contact us at [email protected]. We will respond within 10 business days.

If you are not satisfied with our handling of a data request, you may contact the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.

9. Data Security

We maintain reasonable security measures to protect personal data from unauthorised access, disclosure or loss. These include:

• Access controls limiting data to the people directly involved in the engagement
• Encrypted storage for engagement documents
• TLS encryption for website data transmission
• Regular review of third-party providers' data handling practices

In the event of a data breach affecting your personal data, we will notify you and the PDPC in accordance with mandatory breach notification requirements under the PDPA.

10. Third-Party Links

This website may contain links to external sites. We are not responsible for the privacy practices of those sites and recommend reviewing their privacy policies separately.

11. Children's Privacy

Our services are directed at organisations and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The most recent version will be posted on this page with the updated date shown at the top. Continued use of this website following any changes constitutes acceptance of the revised policy.

13. Contact

For all privacy-related enquiries:

• Email: [email protected]
• Address: 1 Raffles Place, #36-08, One Raffles Place Tower 1, Singapore 048616