This Privacy Statement sets out the basis which Morrow Health Pte. Ltd. (UEN 201943415D) (operating as “MORROW”), Longevity & Lifestyle Medical Pte. Ltd. (UEN 202244817Z) (operating as “MORROW Medical”), (collectively referred to as “we”, “our” or “us”), may collect, use, disclose or otherwise process personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”).
In addition, this Privacy Statement sets out the basis which MORROW Medical, as a licensed healthcare services provider, complies with other applicable laws such as the Healthcare Services Act 2020, the Health Information Bill and the Ministry of Health's guidelines and circulars.
This Privacy Statement applies to you, if you fall into any of the following categories:
Visitors to our websites including any social media platforms and text messaging platforms (“websites”);
Individuals who access or use our products or services (whether in-person or online) (“services”);
Users of our member portals and mobile applications (“applications”); and/or
Persons who submit any personal data at our premises or through our websites, applications and services.
By visiting our premises, websites, services and applications or by submitting any personal data to us, you are accepting and consenting to the terms of this Privacy Statement as amended from time to time.
This Privacy Statement does not apply to business contact information provided in the course of business, when used solely for business purposes.
In this Privacy Statement, “personal data” means data, whether true or not, about a an individual who can be identified: from that data, or from that data and other information to which we have or are likely to have access. Other terms used in this Privacy Statement shall have the meanings given to them in the PDPA (where the context so permits).
Depending on the nature of your interaction with us, some examples of personal data we collect from you include the following:
Personal information, such as name, date of birth, NRIC or passport number, residential address, phone number, email address, nationality, gender, marital status and other information provided by you for onboarding and registration purposes
Medical information, diagnostic imaging, photographic films and images and any other medical history provided by you, your parent / guardian or companion when you present yourself for consultation and treatment at our premises
Financial information, tax information, insurance details
Employment information
Details of interactions with us (e.g. feedback, complaints, images, biometrics, voice recordings, personal opinions)
Information obtained from your device such as computer or mobile device with your consent (e.g. IP address, cookies and location information)
Generally, we collect your personal data in the following ways:
when you submit any form, including but not limited to application and registration forms;
when you enter into any agreement or provide other documentation or information in respect of your interactions with us, or when you use our products and services;
when you interact with our staff, including customer service officers, for example, via telephone calls (which may be recorded), emails, face-to-face meetings, social media and instant messaging platforms;
when you use our physical premises or electronic services, or interact with us via our websites and applications or use services on our websites and applications;
when you request that we contact you or request that you be included in an email or other mailing list;
when your images or sound recordings are captured by us via CCTV cameras while you are within our premises, or via photographs or videos taken by us or our representatives when you attend events or engage in our services online, at our premises or at any other venues;
when you are contacted by, and respond to, our representatives, customer service officers and service providers;
when you respond to our promotions, offers or sign up for marketing communication;
when you submit an employment application or when you provide documents or information including your resume and/or CVs for any job application as an employee, contractor or any other position;
when we seek information about you and receive your personal data in connection with your relationship with us, from you (or your authorised representative (as defined below)) or any third parties such as our service providers, related companies, law enforcement and government or regulatory authorities; and/or
when you submit your personal data to us for any other reason.
We generally do not collect your personal data unless:
it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes; or
where the collection and use of personal data without consent is permitted or required by the PDPA or other laws.
We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).
If you provide us with any personal data relating to a third party (e.g. information of your spouse, children, parents, and/or employees), by submitting such information to us, you represent to us that you have obtained the consent of the third party to provide us with their personal data for the respective purposes.
We may collect and use your personal data for the following purposes:
To provide services to you including verifying your identity, performing obligations in the course of or in connection with our provision of services requested by you
To manage your relationship with us
To personalise recommendations, programmes or services
To process bookings and payments including processing payment or credit card transactions
To handle customer support requests including responding to, handling, and processing queries, requests, applications, complaints and feedback from you
For internal analytics, service improvement and quality assurance including monitoring or recording phone calls and customer-facing interactions for quality assurance, training and performance evaluation
To send service-related communications
To contact you via telephone, SMS/text, WhatsApp, email, and/or other communication channels to provide marketing messages including information about our services, and those of our related companies and affiliates, including new offerings, promotional offers, and other relevant packages that you may choose to sign up for or purchase through the relevant channels, where you have given consent
To comply with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority
To manage the safety and security of our premises, websites, applications and services (including but not limited to carrying out CCTV surveillance and conducting security clearances)
In connection with any claims, actions or proceedings (including but not limited to drafting and reviewing documents, transaction documentation, obtaining legal advice, and facilitating dispute resolution), and/or protecting and enforcing our contractual and legal rights and obligations
Any other purposes for which you have provided the information
To transmit to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes
Any other incidental business purposes related to or in connection with the above
In compliance with the PDPA, we may collect, use or disclose your personal data without your consent for our legitimate interests or another person. In relying on the legitimate interests exception of the PDPA, we will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh any adverse effect. In line with the legitimate interests’ exception, we will collect, use or disclose your personal data for the following purposes:
Fraud detection and prevention;
Monitoring, detection and prevention of misuse of services;
Network analysis to prevent fraud and financial crime, and perform credit analysis; and
Supporting research and development purposes, including innovation in our services, subject to appropriate oversight and safeguards.
In the provision of healthcare services to you by MORROW Medical, you agree that:
By voluntarily providing your personal data in order to obtain medical care, it shall be deemed that you have consented to the collection, use, disclosure and processing of your personal data by us for the purposes directly related to the provision of medical care to you by our staff, healthcare providers and other allied healthcare professionals, and to make referrals and communicate with other healthcare professionals, institutions and other associated purposes, e.g. billing, specialists, laboratories, insurance, referrals, etc. This includes the administration of claims, reimbursement of claims and other related services through insurers and third-party administrators and payors for medical treatment and healthcare services provided to you.
Your medical records will be shared with other health care providers where required or permitted by law, including but not limited to, by way of Medisave and the National Electronic Health Record (NEHR) system. This system facilitates the sharing of health information across the Singapore healthcare ecosystem.
We may use your personal data to invite you to participate in suitable care programmes, health and wellness education programmes, group discussions or consultations, or recommend services provided by our related companies.
The purposes listed above may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).
We may share your personal data with the following third parties:
Your authorised representatives such as parent/guardian, next-of-kin, employer, insurance providers;
Our related companies and affiliates;
Service providers, agents and other organisations we have engaged such as IT hosting, payment processing, analytics and marketing platforms to perform any of the functions with reference to the above-mentioned purposes;
Professional advisers including legal, accounting and compliance professionals;
Law enforcement, governmental or regulatory authorities, if required by any of the above-mentioned purposes;
Partners who support or contribute to the delivery, improvement or advancement of our services; and
Other third parties where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods and services requested by you.
We may collect or use your personal data, or disclose existing personal data for secondary purposes that differ from the primary purpose which it had originally collected for. If we intend to rely on deemed consent by notification for such secondary purposes, we will notify you of the proposed collection, use or disclosure of his personal data through appropriate mode(s) of communication. You will be given a reasonable period to inform us if you wish to opt-out of the collection, use and disclosure of your personal data for such purposes. After the lapse of the opt-out period, you may notify us that you no longer wish to consent to the purposes for which your consent was deemed by notification by withdrawing your consent for the collection, use or disclosure of your personal data in relation to those purposes.
We do not sell your personal data. Any sharing with third parties is subject to PDPA-compliant safeguards and appropriate oversight.
We generally do not transfer your personal data to countries outside of Singapore. In particular, your personal data may be stored in external servers that are located out of Singapore, or may be transferred out of Singapore where it is necessary to share your personal data with and between our related corporations and business units, and third party service providers. For disaster recovery purposes, certain personal data may be securely stored in overseas servers such as in the USA.
Where your personal data is transferred out of Singapore, we will take reasonable steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA. For example, we may enter into contracts or impose binding corporate rules with the recipients of your personal data to protect your personal data in a manner that is compliant with all applicable laws.
We retain personal data as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal obligations. In some cases, data may be retained longer when needed to support follow-up services, long-term records, or research, subject to appropriate safeguards.
We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.
To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures including but not limited to:
Minimised collection of personal data
Encryption of data in transit and at rest where appropriate
Access controls and authentication measures
Advanced technical safeguards, including endpoint threat protection, risk-based vulnerability remediation, and secure media disposal
Staff training on data protection obligations
Regular review of security practices
In addition, MORROW Medical is committed to comply with other applicable laws such as the Healthcare Services Act 2020, the Health Information Bill and the Ministry of Health's guidelines and circulars. We take patient confidentiality very seriously.
We also follow best practices such as prompt software updates, controlled access to sensitive data, regular backups, incident preparedness, secure data disposal and periodic security reviews.
While we strive to protect your personal data, no method of storage or transmission is completely secure.
As part of our efforts to ensure that we properly manage, protect and process your personal data, we will be reviewing our policies, procedures and processes from time to time.
We may amend or update this Privacy Statement at any time by publishing the updated Privacy Statement on our website, with the “last updated” date clearly indicated. We encourage you to check our website regularly to ensure that you are aware of the updated version of the Privacy Statement.
Your continued use of our websites, applications and services after any changes means you accept and consent to the revised Privacy Statement.