Privacy Policy

1. Introduction and Scope

This Privacy Policy applies to personal data collected by Pandan Counsel ("we", "us", "our") through our website, enquiry forms, email correspondence, and in the course of providing legal and advisory services. It applies to all individuals who interact with us, including prospective clients, existing clients, and visitors to our website.

For questions or concerns regarding this policy, please contact us at [email protected].

2. Personal Data We Collect

We collect personal data that individuals provide voluntarily and data generated through use of our website. This may include:

• Identification data: Full name, job title, company or organisation name
• Contact data: Email address, telephone number, business address
• Enquiry content: The nature of your legal query or service interest as submitted through our contact form or by email
• Technical data: IP address, browser type and version, pages visited, time on site, and referral source — collected via website analytics tools
• Cookie data: Preferences saved in connection with your use of our website. See our Cookie Policy for details.

We do not knowingly collect sensitive personal data (such as NRIC numbers, financial account details, or health information) through our website or general enquiry process.

3. How Data Is Collected

Personal data is collected through the following means:

• Website contact and enquiry forms
• Direct email correspondence
• Telephone and in-person consultations
• Website analytics tools (such as Google Analytics) operating under applicable consent rules
• Cookies and similar tracking technologies as set out in our Cookie Policy

4. Legal Basis for Processing

Under the PDPA, we process personal data on the following bases:

• Consent: Where you have provided consent, such as when submitting an enquiry form or accepting non-essential cookies
• Contractual necessity: Where processing is required to deliver legal services you have engaged us to perform
• Legitimate interests: For internal administration, service improvement, and security purposes, where these do not override individual rights
• Legal obligation: Where we are required to retain or disclose information under Singapore law, including professional conduct rules applicable to legal practitioners

5. How We Use Your Data

Personal data collected is used for the following purposes:

• Responding to enquiries and providing information about our services
• Delivering legal advisory and compliance support services to clients
• Managing ongoing client relationships and matter files
• Fulfilling professional and regulatory obligations as a legal practice in Singapore
• Improving our website and understanding how visitors use it (analytics)
• Sending service-related communications where you have opted in or where a legitimate relationship exists

We do not sell personal data to third parties. We do not use personal data for automated decision-making processes that produce legal or significant effects on individuals.

6. Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and to comply with applicable legal and professional obligations:

• Enquiry data (non-client): Up to 12 months from the date of enquiry, unless a client relationship is established
• Client matter files: A minimum of 6 years from matter closure, in accordance with Singapore legal professional practice standards
• Website analytics data: Up to 26 months, subject to Google Analytics retention settings
• Cookie consent records: Up to 12 months from the date consent was recorded

7. Data Sharing and Third Parties

We may share personal data with third parties in limited circumstances:

• Service providers: IT, hosting, and analytics providers who process data on our behalf under appropriate data processing agreements
• Professional counterparts: Where necessary for the conduct of legal matters, such as regulatory agencies or environmental consultants, with your knowledge
• Legal and regulatory requirements: Where disclosure is required by law, court order, or regulatory direction

We take reasonable steps to ensure that third-party service providers maintain appropriate data protection standards.

8. Data Protection Measures

We apply administrative, technical, and physical measures to protect personal data against unauthorised access, disclosure, alteration, or loss. These include:

• Secure, encrypted communication for data transmission (TLS/HTTPS)
• Access controls limiting staff access to personal data on a need-to-know basis
• Regular review of data handling practices and internal policies
• Data breach response procedures in line with PDPC notification requirements

In the event of a data breach that is likely to result in significant harm, we will notify the Personal Data Protection Commission (PDPC) and affected individuals in accordance with the PDPA's mandatory breach notification obligations.

9. Cookies

Our website uses cookies to support essential functionality, analyse usage patterns, and remember your preferences. You can manage your cookie preferences at any time through our Cookie Policy page, which also provides details on the types of cookies used and their purposes.

10. Your Rights Under the PDPA

As a data subject under Singapore's Personal Data Protection Act, you have the following rights:

To exercise any of these rights, please contact us at [email protected]. We will respond within 10 business days. If you are dissatisfied with our handling of a request, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

11. Third-Party Links

Our website may contain links to external websites operated by regulatory agencies, government bodies, or other organisations. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing personal data.

12. Children's Privacy

Our services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted personal data to us, please contact us so we can arrange deletion.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we provide. Material changes will be communicated on this page with an updated "Last Updated" date. Continued use of our website following the publication of any changes constitutes acceptance of those changes.

14. Contact Information

For any privacy-related queries, access requests, or complaints, please contact: