PDPA Privacy Policy
PDPA Policy
Collection of Personal Data
Personal data refers to data about an individual who can be identified from either that particular data, or from that data and other information which we have or are likely to have access to. Commonly collected personal data of our customers typically include, amongst other things, first names, last names, email addresses, telephone (both landline and mobile) numbers, date of birth, gender as well as vital statistics such as (not limited to):
a. Height
b. Weight
c. Body Mass Index (BMI)
d. Body Fat (Visceral fat, Low Density Lipoprotein - LDL, High Density Lipoprotein - HDL)
e. Blood Pressure
f. Oxygen Saturation Levels
g. Electrocardiogram (ECG)
h. Cholesterol and HbA1c Levels
i. Body Temperature
Wherever possible, we will only collect personal data directly from you. Your data (including personal data where you are an individual) may be collected through the use of the Site and/or the mobile app (hereby referred to as app), or through marketing events such as roadshows or any other means, for the purpose of planning and administering MedLyves products, services and kiosks.
Without limitation, this can occur during or before you:
- Sign up to receive information
- Set up a MedLyves account on the Site, kiosk or on the app
- Provide any feedback or complaints through our Site, kiosk and/or the app
- Participate in any social media offerings
- Participate in any marketing activity or campaign held by us
In addition to personal data provided to us, certain information related to you that is not considered personal data may also be collected. We collect this information to improve our Site, app and other online services. Such non-personal data may include information such as your IP address, the internet browser you use, details of your interaction with our Site and/or the app, MedLyves measurement and usage habits, preferences and information about your lifestyle or preferences such as your medication frequency, conditions and other types of non-personal data. We may also receive personal information about you from other sources if you have given permission for that information to be shared. This may include information from corporations participating in marketing campaigns, commercially available sources such as public databases and data aggregators, and information from third parties.
Use of Cookies
We and some of our third-party partners ("third-party partner" refers to websites and/or mobile applications owned, operated or provided by third parties) may use data collection devices such as “cookies” on certain pages of the Site and on our app to personalise your online experience, help analyse our Site and the app flow and measure promotional effectiveness. “Cookies” are small files placed on your hard drive that assist us in providing our services. We may offer features that are only available through the use of a “cookie”. We also use cookies to reduce the number of times you need to enter your password. Cookies may also help us provide you with information targeted in accordance with your interests. Most browsers automatically accept cookies, but you can modify your browser to decline cookies (if your browser permits you to do so), although in such a case you may not be able to access certain features on our Site and/or the app, or some interactive features offered on our Site and/or the app may be restricted or rendered inoperable.
Using Your Personal Data
We collect personal data for various reasons. The data collected may serve one or many of these purposes:
- Managing your MedLyves account
- Processing your registration and/or using MedLyves kiosks or any of MedLyves products
- To verify your identity and allow access to MedLyves kiosks or any of MedLyves products and third-party partner applications for health measurements (similar to connection with Apple Health and Google Health app to get step count)
- To conduct market research, survey and/or analysis
- Processing credit transactions for the depositing of funds in your eWallet through our Site and/or the app
- Improving your experience on our Site and the app
- Making the Site and the app easier to use and tailoring the Site and the app to your interests and needs
- Suggesting products, services or kiosks by MedLyves which we think may interest you, but only if you have given us your consent to do so
- To fulfil a legal or regulatory requirement
- To respond to your enquiries and/or feedback
- Informing you of any changes to our Terms of Use which may affect you; and informing you of updates and/or developments to MedLyves products, services and kiosks
Sharing Your Personal Data
As a general rule, we do not share your personal information with anyone. However, we may share your personal information with trusted third-party partners.
- Government agencies (or with non-government entities which have been authorised to carry out specific government services) to process any applications you have made or to render you a service, so as to serve you in a most efficient and effective way, unless such sharing is prohibited by law.
- Our advertising, marketing and promotional agencies to help us deliver and analyse the effectiveness of our advertising campaigns and promotions
- Third parties required to deliver a service to you, such as a software provider or application developer
- Law enforcement or government authorities where they have followed due legal process to request us to disclose the information
- Third parties who wish to send you information about their products and services, but only if you have given us your consent to do so
- Third-party providers of services, such as data processing
- Web analytics tool providers, such as Google
We may also share your personal data for the reasons outlined above, including but not limited to:
- Verification of your identity
- Processing measurements and transactions for MedLyves measurements at kiosks or from third-party partners’ applications, rewards and coupon redemptions through our Site and/or the app
- Processing credit transactions for the depositing of funds in your eWallet through our Site and/or the app
- To enforce applicable terms of use of the Site and/or the app
- Conduct investigations into possible breaches of applicable laws
- To comply with a court order or other legal or regulatory requirements in the jurisdictions we operate
In situations where a third party under contract with us collects personal data about you, we will require the third party to exercise reasonable care in protecting your information.
For your convenience, we may also display to you personal data you had previously supplied us or other government agencies. We will retain your personal data only as necessary for the effective delivery of public services to you.
The Site and/or the app may contain links to non-government sites whose data protection and privacy practices may differ from ours. We are not responsible for the content and privacy practices of these other websites and encourage you to consult the privacy notices and/or policies of those sites.
Security
To safeguard your data, all electronic storage and transmission of data is secured with appropriate security technologies. However, no method of transmission over the Internet or method of electronic storage is 100% secure. While security cannot be guaranteed, we strive to protect your personal data and are constantly reviewing and enhancing our security protocols to ensure that your personal data is not subjected to any unnecessary risks. We will also put in place reasonable security arrangements to ensure that your personal data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorised access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of your personal data on the cloud as well as physically. However, we cannot assume responsibility for any unauthorised use of your personal data by third parties which are wholly attributable to factors beyond our control.
Data Storage
We make use of third-party cloud service providers such as Google to store your data, and the data is currently stored only in Singapore.
Cryptographic controls
We ensure that the personal data we collect is encrypted at rest, and all data stored in Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256.
Data Breach and Information Security Incidents
We will notify you without undue delay after becoming aware of a Personal Data breach. Such notification will include that information a processor must provide to a controller under to the extent such information is reasonably available to MedLyves.
If MedLyves becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Professional Services Data, or Personal Data while processed by MedLyves (each a “Security Incident”), MedLyves will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to Customer by any means MedLyves selects, including via email. It is Customer’s sole responsibility to ensure Customer maintains accurate contact information with MedLyves for each applicable Product and Professional Service. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
MedLyves shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under PDPA or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
MedLyves’s notification of or response to a Security Incident under this section is not an acknowledgement by MedLyves of any fault or liability with respect to the Security Incident.
Customer must notify MedLyves promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Products and Services at support@medlyves.com.
Data Subject Rights; Assistance with Requests
MedLyves will make available to Customer, in a manner consistent with the functionality of the Products and Services and MedLyves’s role as a processor of Personal Data of data subjects, the ability to fulfil data subject requests to exercise their rights under the PDPA. If MedLyves receives a request from Customer’s data subject to exercise one or more of its rights under the PDPA in connection with the Products and Services for which MedLyves is a data processor or sub processor, MedLyves will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Products and Services. MedLyves shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request including to agree upon request for potential digital evidence or other information from within the cloud computing environment.
Records of Processing Activities
To the extent the PDPA requires MedLyves to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to MedLyves and keep it accurate and up-to-date. MedLyves may make any such information available to the supervisory authority if required by the PDPA.
Rights to Amend this Privacy Policy
We reserve the right to amend this Privacy Policy at any time without prior notice. If material changes are made to this Privacy Policy, they will be posted on this page and date stamped. We encourage you to review this page periodically in order for you to stay notified and up to date of any changes.
Your continued use of this Site and/or App and acceptance of our services after any changes to this Privacy Policy constitutes your consent to any such changes to the extent such consent is not otherwise provided.
What Are My Rights?
In accordance with the Personal Data Protection Act (PDPA), you have the right to unsubscribe from any EDM or mailer, and to access, correct, export and delete your data. Upon withdrawal, you acknowledge that all functions and services within the application will no longer be made available.
You may decline the use of your personal information at any time by sending your request to support@medlyves.com.
Complaint Process
If you have any complaint or grievance regarding how we are handling your personal data, intellectual property rights or about how we are complying with the PDPA, we welcome you to contact us with your complaint or grievance.
Please contact us through one of the methods as outlined below with your complaint or grievance.
Where you submit a complaint by email or letter, indicating in the subject header that it is a PDPA complaint would help us attend to it speedily by passing it on to the relevant staff in our organisation. For example, you could insert the subject header as “PDPA Complaint”.
We will certainly strive to deal with any complaint or grievance that you may have speedily and fairly.
CHANGES TO THE PRIVACY POLICY
MedLyves may make changes to this policy without prior notice. All changes, if any, will be made available on our website at https://www.medlyves.com/pdpa
Should you have any inquiries or require further clarification concerning this Privacy Policy, or if you wish to withdraw your consent to the collection, use, or disclosure of your personal data, you may direct your correspondence to support@medlyves.com, specifying "[Request] Withdrawal of Consent – Privacy Policy" or "[Enquiry] Privacy Policy" in the subject header, as applicable.
Kindly note that the standard turnaround time for all enquiries, including but not limited to requests for withdrawal of consent or clarification regarding this Privacy Policy, shall be within three (3) to five (5) business days from the date of receipt of the correspondence.
-End-
Version 3.1
Last edited: 06/08/2025
All information published is accurate as of 06/08/2025.
Unauthorized reproduction of any portion of this publication is strictly prohibited without the prior written consent of MedLyves. Any unauthorized reproduction may result in legal action.
