0. Definitions
In this Privacy Policy:
- "Broby", "we", "us", "our" — Broby Pte. Ltd. (UEN 202531542D), a private limited company incorporated in Singapore, operating the BrobyVets product at brobyvets.com.
- "Service" — the Broby AI scribe, clinical documentation, image analysis, and clinical-decision-support platform delivered via Chrome extension, web application, and mobile applications.
- "Notice" — this Privacy Policy.
- "Customer" or "Clinic" — the veterinary clinic or practice that subscribes to the Service.
- "Data Controller" and "Data Intermediary" — as defined in the Singapore Personal Data Protection Act 2012 ("PDPA-SG").
- "Data Controller" and "Data Processor" — as defined in the Malaysia Personal Data Protection Act 2010 (as amended by the Personal Data Protection (Amendment) Act 2024) ("PDPA-MY").
- "DPA" — the Data Processing Agreement entered into between Broby and the Customer, available on request from our Data Protection Officer.
- "Personal Data" — has the meaning given under PDPA-SG and PDPA-MY.
- "Sensitive Personal Data" — has the meaning given under Section 4 PDPA-MY (as amended), including biometric data such as voice patterns.
- "Sub-processor" — a third-party service provider that processes Personal Data on our instructions to deliver part of the Service.
- "Veterinarian" — a licensed veterinary professional using the Service.
- "AI Output" — text, image annotations, or other content generated or suggested by the Service's machine-learning models.
- "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1. About This Notice
This Notice explains how we collect, use, disclose, and protect Personal Data when you use the Service. It applies to Personal Data we process in connection with the Service, including data we process on behalf of Customers as their Data Intermediary / Data Processor, and data we process about our own users (e.g. Customer admin contacts) as a Data Controller in our own right.
We are:
- Legal name: Broby Pte. Ltd.
- Company registration number (UEN): 202531542D
- Registered office: 68 Circular Road #02-01, Singapore 049422
- Website: brobyvets.com
By using the Service, you acknowledge that you have read this Notice. You should also read the relevant sections of our Terms of Service and (where applicable) the DPA between Broby and your Clinic.
Whether providing Personal Data is obligatory or voluntary (PDPA-MY s.7(1)(g)). Providing certain Personal Data is mandatory to enable us to deliver the Service to you, in particular: account information (name, email, Clinic affiliation), consent to consultation recording, and billing details. Without these, we cannot register your account or provide the Service. Providing other Personal Data (for example, your professional licence number) is voluntary and its absence will not prevent you from using the Service.
PDPA-MY s.7(1) compliance map. This Notice satisfies the seven mandatory disclosures under Section 7(1) of the Personal Data Protection Act 2010 (Malaysia): (a) the categories of Personal Data we process (Section 3); (b) the purposes of processing (Section 5 and Section 6A); (c) the sources of Personal Data (Section 4); (d) your rights of access and correction and how to contact us (Sections 11 and 16); (e) the classes of recipients (Sections 7 and 6A); (f) your choices and means to limit processing (Section 11); (g) whether providing Personal Data is obligatory or voluntary (the paragraph above).
2. Our Role Under Data Protection Law
The veterinary clinic that subscribes to Broby is the Data Controller of the patient and clinical records it processes through our Service. Broby acts as the Data Intermediary under PDPA-SG and the Data Processor under PDPA-MY in respect of those records, processing them only on the Customer's documented instructions and as set out in our DPA.
For our own corporate users (Customer admin accounts, billing contacts, marketing-list opt-ins), we act as a Data Controller in our own right.
3. Personal Data We Collect
We collect, use, and disclose Personal Data only for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to you (PDPA-SG s.18; PDPA-MY s.6(3)). The categories of Personal Data we collect are:
From the Veterinarian and Clinic staff:
- Account information: name, email address, professional licence number (where provided), Clinic affiliation, password (stored only as a salted hash)
- Voice recordings of veterinary consultations
- Free-text and structured clinical notes (SOAP notes), including drafts and final versions
- Diagnostic image uploads (radiographs, photos)
- Usage data: log entries, IP address, browser/device type, feature interactions
- Billing contact information (passed to Stripe for payment processing)
From the Clinic about pet owners:
- Owner contact details (name, phone, email) when entered by the Clinic for appointment management
- Information incidentally captured in voice recordings of consultations (e.g. the owner's voice or comments)
About pets (these are not Personal Data of any human individual but are disclosed for transparency): pet name, species, breed, microchip ID where provided, weight, age; diagnoses, prescriptions, treatment notes; diagnostic images.
We do not knowingly collect NRIC numbers in any input field. We instruct Clinics not to enter NRIC numbers in free-text fields.
Sensitive Personal Data — Important Notice for Malaysia
Under PDPA-MY (as amended in 2024 and effective from 1 April 2025), biometric data — including voice patterns — is classified as Sensitive Personal Data. Voice recordings made through the Service constitute biometric data of the speakers. Processing of Sensitive Personal Data in Malaysia requires explicit consent under Section 40 PDPA-MY.
We obtain that explicit consent through (a) granular, opt-in tickboxes presented to the Veterinarian in our in-product consent screen before any voice recording is initiated; and (b) a contractual obligation in our DPA on the Clinic to obtain pet-owner consent for recording at intake using the Clinic's own client-consent process.
4. Sources of Personal Data
We collect Personal Data:
- Directly from you when you create an account, log in, configure settings, contact support, or use the Service
- From your Clinic when the Clinic enters or uploads data on behalf of pet owners or other staff
- Automatically via cookies and server logs as you interact with the Service
We do not buy Personal Data from third parties or augment your data with marketing lists.
5. Purposes of Processing and Lawful Basis
We use Personal Data for the purposes set out in the table below. The lawful basis for each purpose is identified by reference to the specific section of PDPA-SG and PDPA-MY:
| Purpose | PDPA-SG Lawful Basis | PDPA-MY Lawful Basis |
|---|---|---|
| Deliver the Service to your Clinic (recording, transcription, SOAP generation, image analysis, differential diagnosis) | Express consent (s.14) | Express consent (s.6); explicit consent for Sensitive Personal Data (s.40) |
| Authenticate user logins and protect account security | Deemed consent on voluntary provision (s.15) | Consent (s.6) |
| Process subscription payments | Express consent (s.14) | Consent (s.6) |
| Provide customer support | Express consent (s.14) | Consent (s.6) |
| Send service-related notifications (e.g. security alerts, downtime, password reset) | Deemed consent (s.15) | Consent (s.6) |
| Diagnose and fix technical issues (error monitoring) | Deemed consent (s.15) | Consent (s.6) |
| Produce and use De-Identified Data for the purposes set out in Section 6A | Express consent (s.14), with Customer-side opt-out per Section 6A | Express consent (s.6), with Customer-side opt-out per Section 6A |
| Comply with legal obligations (tax, regulator requests) | Permitted disclosure under First Schedule Part 1 | Disclosure permitted under PDPA-MY exceptions |
We rely on consent as our principal lawful basis. We do not rely on the "legitimate interests" exception under the First Schedule Part 3 PDPA-SG without first conducting and documenting a Legitimate Interests Assessment. We will not use Personal Data for purposes outside the table above without obtaining further consent or notifying you in advance.
6. AI and Automated Processing
The Service uses machine-learning models to (a) transcribe spoken consultations into text, (b) draft clinical SOAP notes, (c) suggest differential diagnoses, and (d) analyse uploaded radiology images.
How the AI uses your data (general logic). When you record a consultation, audio is transmitted to a speech-recognition model that produces a text transcript. The transcript is then sent to one or more large language models that generate a structured SOAP note draft, a list of possible differential diagnoses, and (where applicable) image analysis findings. The AI uses only the data from the current consultation, your selected document templates, and (where you enable it) recent context from your Clinic's prior consultations on the same patient.
Decision support, not decision making. All AI Output is presented as draft material for the Veterinarian to confirm, modify, or reject. The Veterinarian must review and sign each output before it becomes part of the clinical record. Broby has no mechanism by which AI Output enters the clinical record without an affirmative confirmation by an authenticated Veterinary user. Broby does not autonomously make clinical decisions, generate prescriptions, communicate with pet owners, or take any action on AI-generated content.
AI accuracy and risk of error ("hallucination"). AI Output is produced by probabilistic systems and may contain errors, omissions, or fabricated content (commonly referred to as "hallucinations"). The Veterinarian is responsible for verifying every AI Output before relying on it for any clinical purpose. Broby makes no warranty as to the accuracy, completeness, or fitness for purpose of any AI Output. Use of the Service does not transfer any clinical liability from the Veterinarian to Broby. Clinical-outcome liability rests with the licensed Veterinarian and is covered by the Veterinarian's professional indemnity insurance, not by Broby.
Beta status of radiology AI. AI suggestions for radiographs and other diagnostic images are presented as draft findings for the Veterinarian to confirm, modify, or reject. Accuracy of the radiology model is improving as the model is refined; this feature is in beta. The Veterinarian remains solely responsible for radiological interpretation and clinical decisions.
No training of third-party AI models on your data. As of the effective date of this Notice, our agreements with Anthropic (Claude) and OpenAI (GPT-4) provide that data submitted to their APIs by us is not used to train their foundation models.
Third-party AI provider retention: Under our default API configurations, Anthropic retains API inputs and outputs for up to 7 days; OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring. Anthropic and OpenAI may retain limited safety-classifier metadata for longer for misuse-prevention purposes; we do not control the retention of that metadata. Neither provider stores API content beyond those windows in the ordinary course. We monitor changes to these provider policies and will update this Notice on any material change.
No autonomous decision-making affecting legal rights. The AI Output does not, on its own, produce legal effects on any individual. Where you exercise your right to challenge an AI Output, you may use the correction process in Section 11.
6A. De-Identified Data
A core part of how Broby operates is producing De-Identified Data from Personal Data we process through the Service. De-identification is a primary processing purpose, not a retention housekeeping step. This Section 6A describes that purpose, the methodology, the downstream uses, and the Customer-side opt-out. The full contractual terms are in Section 10 of our Data Processing Agreement (DPA).
What De-Identified Data is. De-Identified Data means data derived from Personal Data from which all direct and indirect identifiers of pet owners, Veterinarians, and other Authorised Users have been irreversibly removed, such that there is no serious possibility of re-identification of any identifiable individual.
Methodology. We perform de-identification in accordance with the De-identification Standard set out in DPA Annex D, which incorporates: (a) the U.S. Department of Health and Human Services HIPAA Safe Harbor methodology (45 CFR §164.514(b)(2)) as the contractual benchmark; (b) a k-anonymity threshold of at least 5 for any combination of quasi-identifiers in De-Identified Data made available to third parties; and (c) a motivated-intruder risk assessment before any external release, taking into account the likely motivation, resources, and capabilities of a third party who might attempt re-identification. Voice recordings (which constitute biometric data) are not included in De-Identified Data made available to third parties.
Status under data protection law. Once data has been de-identified to the standard described above, it ceases to be Personal Data under PDPA-SG and PDPA-MY. This position is consistent with the Singapore Personal Data Protection Commission's Guide to Basic Anonymisation. From that point onward, the data falls outside the scope of this Notice except as expressly described in this Section 6A and in DPA §10.
How we use De-Identified Data. We use De-Identified Data to: (a) develop, train, evaluate, and improve our current and future products, services, machine-learning models, and AI features, including the Service generally; (b) generate aggregated analytics, benchmarks, statistics, and research insights; (c) conduct and publish veterinary research; and (d) license De-Identified Data, alone or combined with other data, to animal-health, veterinary, life-sciences, and pharmaceutical organisations for purposes including animal-health, veterinary, or zoonotic-disease research, regulatory analytics and public-health surveillance, academic research and publication, and the development and improvement of veterinary or animal-health products and services. Every recipient is contractually prohibited from attempting to re-identify the data or from combining it with other data sets in a manner that creates a serious possibility of re-identification (DPA §10.5).
Why our rights need to be perpetual. Once an anonymised dataset is incorporated into a trained AI model, the model cannot be un-trained on that data. Our licence over De-Identified Data already incorporated into our datasets therefore needs to outlast termination of any individual subscription. The full terms — including why the licence is irrevocable, royalty-free, worldwide, and sublicensable — are explained in plain language at DPA §10.2A and set out in DPA §10.3.
Customer-side opt-out. A Customer may opt out of having its data de-identified for use under this Section 6A by giving written notice to our Data Protection Officer (Section 16). The opt-out applies prospectively to data created or received by Broby on or after the effective date of the notice, across all of the Customer's Authorised Users and Clinics. The opt-out takes effect within 30 days of our receipt of the notice. The opt-out does not affect De-Identified Data already incorporated into our datasets prior to the effective date of the notice; that data remains subject to the licence in DPA §10.3. The full terms of the opt-out are in DPA §10.6.
7. Sub-processors
We engage the following Sub-processors to deliver parts of the Service. Each is bound by a written data-processing agreement and processes Personal Data only on our instructions.
| Sub-processor | Role | Region of processing |
|---|---|---|
| Anthropic, PBC (United States) | Claude AI models — radiology image analysis, differential diagnosis reasoning, transcript correction, agent reasoning | United States |
| OpenAI, L.L.C. (United States) | GPT-4 family — clinical text extraction, summarisation, classification, template parsing, radiology fallback | United States |
| A*STAR Institute for Infocomm Research (Singapore) | MERaLiON speech-recognition model — transcription (primary) | Singapore |
| Deepgram, Inc. (United States or EU) | Speech-recognition fallback | United States / EU |
| SenseVoice / FunAudioLLM (Alibaba open-weights model) | Cantonese speech-recognition fallback | Self-hosted |
| Stripe Payments Singapore Pte. Ltd. and Stripe, Inc. | Subscription billing and payment processing | Singapore + United States |
| Functional Software, Inc. d/b/a Sentry (United States) | Application error monitoring | United States |
| Railway Corp. (United States) | Backend application hosting + database (PostgreSQL) + object storage for audio, transcripts, and uploaded images | United States (current); migration to Singapore region planned |
Sub-processor change notification. We will give the Customer's admin contact at least 30 days' written notice before engaging any new Sub-processor that processes Personal Data, except where a shorter period is required to address a security or operational emergency.
Vendor neutrality. We are not owned by, and have no commercial data-sharing relationship with, any veterinary practice management software vendor (such as IDEXX or Covetrus), any diagnostics laboratory, or any pharmaceutical company. Personal Data does not flow to any parent company or affiliate group. Our licensing of De-Identified Data to research partners (including animal-health, veterinary, life-sciences, and pharmaceutical organisations) under Section 6A is on arms-length contractual terms and is conducted only after data has ceased to be Personal Data per Section 6A.
8. International Data Transfers
To deliver the Service, Personal Data is transferred outside Singapore and Malaysia, principally to the United States (where Anthropic, OpenAI, Stripe, Sentry, and Railway operate). Singapore-region processing currently applies to the MERaLiON speech-recognition model (where self-hosted on Singapore-region infrastructure).
For transfers from Singapore: we rely on Section 26 PDPA-SG safeguards. Each Sub-processor is bound by enforceable contractual obligations of a comparable standard to PDPA-SG, in line with Personal Data Protection Regulations 2021 reg.10. Where the Sub-processor is also subject to the EU GDPR, the relevant EU Standard Contractual Clauses apply. Where ASEAN Model Contractual Clauses are available with the Sub-processor, we use them in line with the PDPC's Guidance for Use of ASEAN MCCs in Singapore.
For transfers from Malaysia: we rely on Section 129(3)(f) PDPA-MY (reasonable precautions and due diligence) as set out in the Cross-Border Personal Data Transfer Guidelines, Version 1.0, dated 29 April 2025, using contractual clauses as the recognised mechanism. We obtain your explicit consent for the cross-border transfer of any Sensitive Personal Data (including voice biometric data) at the point of collection.
Categories of data transferred include account information, voice recordings, transcripts, clinical notes, image uploads, billing data, and operational logs.
Your rights regarding cross-border transfers are the same as your other rights set out in Section 11.
9. Retention of Personal Data
We retain Personal Data only as long as necessary for the purposes set out in this Notice, or as required by law.
| Data category | Retention period |
|---|---|
| Voice recordings (audio files) | 90 days from the date of consultation, after which raw audio is deleted from production systems on a rolling automated schedule |
| Encrypted backups containing audio | 30 days after production deletion, then permanently deleted |
| Transcripts and clinical notes | Retained for the duration of the Customer's subscription and for the period the Customer instructs us to retain in the DPA, subject to applicable veterinary record-retention rules |
| Account information (Veterinarian, Clinic admin) | Retained while the account is active; deleted within 30 days of account closure (subject to legal retention obligations) |
| Billing records | Retained for the period required by Singapore tax and accounting law |
| Application access logs | 90 days, then deleted |
| Security incident logs | Up to 12 months from the date of the incident |
| De-Identified Data | Retained indefinitely under the licence in Section 6A and DPA §10; not re-identifiable; not subject to deletion on Customer termination |
When the retention period ends, we delete or anonymise the affected data. Anonymisation is performed in accordance with the De-identification Standard described in Section 6A and DPA Annex D; data anonymised at end-of-retention is treated as De-Identified Data from that point onward.
We are also subject to the Accuracy Obligation under Section 23 PDPA-SG and Section 11 PDPA-MY: we take reasonable steps to ensure that Personal Data we hold is accurate and complete, particularly where it is likely to be used to make a decision affecting the individual or to be disclosed to a third party.
10. Security
We apply technical and organisational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2 or higher)
- Encryption at rest as configured by our managed-infrastructure provider (Railway), which encrypts all customer data at rest by default, including managed PostgreSQL databases and stored objects
- Role-based access controls limiting access to authorised personnel
- Authentication via JSON Web Tokens (JWT) with regular refresh and bcrypt-hashed passwords
- Server-side data scrubbing for error monitoring (Sentry)
- Audit logging for sensitive operations
- Regular review of security configurations
Additional security controls — including multi-factor authentication for administrative accounts, formal SOC 2 Type II certification, and annual penetration testing — are on our roadmap and will be reflected in this Notice when implemented. We do not currently make any specific certification claim.
Personal Data Breach notification
Where Broby acts as Data Controller (e.g., for Customer admin contact data and Authorised User account information that we hold in our own right per Section 2): we will assess any suspected Personal Data Breach for notifiability within 30 days of becoming aware of it (PDPA-SG s.26C(2)).
Where Broby acts as Data Intermediary / Data Processor (e.g., for clinical content processed on behalf of the Customer): we will notify the Customer (the Data Controller) without undue delay of becoming aware of a Personal Data Breach affecting Personal Data we process on the Customer's behalf (PDPA-SG s.26C(3)), in line with the 24-hour internal commitment in our DPA §6.1.
Where a breach is notifiable to a regulator or affected individuals:
- Singapore: we will notify the Personal Data Protection Commission no later than 3 calendar days from the assessment that the breach is notifiable (PDPA-SG s.26D(1)), and notify affected individuals as required under the Personal Data Protection (Notification of Data Breaches) Regulations 2021. The notifiability thresholds are: a breach likely to result in significant harm to any individual (s.26B(2)(b) read with the Schedules to those Regulations), or a breach affecting 500 or more individuals (s.26B(2)(a) read with regulation 4 of those Regulations).
- Malaysia: we will notify the Pesuruhjaya Perlindungan Data Peribadi as soon as practicable and in any case within 72 hours of becoming aware of a notifiable breach, in accordance with section 12B of Akta 709 (as inserted by Akta A1727), the Personal Data Breach Notification Guidelines, Version 1.0, dated 25 February 2025, and Pekeliling Pesuruhjaya No. 2/2025, and notify affected data subjects where significant harm ("kemudaratan yang ketara") is likely.
11. Your Rights
Subject to applicable law, you have the following rights with respect to your Personal Data:
Right to access (PDPA-SG s.21; PDPA-MY ss.30-32). You may request a copy of the Personal Data we hold about you and information about how it has been used or disclosed in the year preceding your request. We will respond within 30 days (Singapore) or 21 days (Malaysia) of receiving a complete request, or notify you of any extension. We do not normally charge a fee, but we reserve the right to charge a reasonable fee to recover the cost of providing access; in Malaysia the fee is capped at the rates prescribed under the Personal Data Protection Regulations 2013.
Right to correction (PDPA-SG s.22; PDPA-MY ss.34-37). You may request correction of inaccurate or incomplete Personal Data. We will action corrections as soon as practicable. We do not charge a fee for correction requests.
Right to withdraw consent (PDPA-SG s.16; PDPA-MY s.38). You may withdraw your consent to our collection, use, or disclosure of your Personal Data at any time by contacting our Data Protection Officer. We will inform you of the likely consequences of withdrawal (which may include our inability to continue providing parts of the Service) and cease the affected processing within a reasonable period.
Right to data portability (Malaysia only, from 1 June 2025). You may request that we transmit your Personal Data directly to another data controller of your choice, subject to technical feasibility and the compatibility of the receiving controller's format, consistent with any technical guidance issued by the PDP Malaysia Commissioner. The Singapore PDPA's data portability provisions have been enacted but are not yet in force; we will provide your data in a structured, commonly used, machine-readable format on request as a matter of policy where reasonably practicable.
Right to prevent processing for direct marketing (PDPA-MY s.43). You have the right to prevent us from processing your Personal Data for direct marketing purposes. To exercise this right, contact our Data Protection Officer with a written request. We will comply with the request within 30 days.
Right to limit processing (PDPA-MY ss.42-43). You may ask us to limit specific uses of your Personal Data, particularly where such processing causes or is likely to cause damage or distress to you (PDPA-MY s.42). Where this is technically and legally possible, we will action limitation requests within 30 days.
Account deletion. You may delete your Broby account at any time through the in-product account-deletion control. This permanently deletes your consultations, audio, and templates. The user account record itself is soft-deleted for 30 days for audit purposes and then permanently removed.
To exercise any of these rights, contact our Data Protection Officer using the details in Section 16. We may ask for proof of identity to ensure we are dealing with the right person.
Customer-side opt-out from de-identification (DPA §10.6). In addition to the individual data-subject rights above, a Customer may opt out of having its data de-identified for the purposes described in Section 6A by giving written notice to our Data Protection Officer (Section 16). This is a Customer right exercisable by the Customer (acting as Data Controller across all of its Clinics), distinct from the data-subject rights set out earlier in this Section. The opt-out applies prospectively to data created or received by Broby on or after the effective date of the notice and does not affect De-Identified Data already incorporated into Broby's datasets prior to that effective date. The opt-out takes effect within 30 days of our receipt of the notice. The full terms are in DPA §10.6.
12. Cookies and Similar Technologies
The Service uses cookies and similar technologies for essential functions including authentication and session management. We do not currently use third-party advertising cookies or marketing trackers. Where we add analytics or other non-essential cookies in the future, we will update this Notice and (where required) obtain your consent through a cookie banner.
13. NRIC Numbers
We do not use NRIC numbers for authentication. In line with the Singapore PDPC's directive, no organisation in Singapore may use full or partial NRIC numbers for authentication purposes after 31 December 2026. We instruct Clinics not to enter NRIC numbers in free-text fields of the Service.
14. Children
The Service is provided to licensed Veterinarians and their authorised Clinic staff in a professional setting. We do not direct the Service at minors and do not knowingly collect Personal Data from individuals under the age of 13. If you believe we have inadvertently collected Personal Data from a minor, please contact our Data Protection Officer.
15. Internal Complaints Process
If you have a concern or complaint about how we handle your Personal Data, please contact our Data Protection Officer (Section 16) with the subject line "Privacy complaint". We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with:
- Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg/complaints-and-reviews
- Malaysia: Personal Data Protection Department (PDP) — pdp.gov.my
16. Contact Us — Data Protection Officer
Broby has appointed a Data Protection Officer in compliance with Section 11(3) PDPA-SG and Section 12A of the Personal Data Protection Act 2010 (Akta 709) (as inserted by the Personal Data Protection (Amendment) Act 2024).
- Data Protection Officer: Caleb Yap Keane Yang
- Email: calebyky@gmail.com
- Phone: +65 8825 5472
- Postal address: Broby Pte. Ltd., 68 Circular Road #02-01, Singapore 049422
The DPO contact details are publicly accessible on this Notice and on our contact page in line with PDPA-SG s.11(5).
17. Changes to This Notice
We may update this Notice from time to time. The "Last updated" date at the top will reflect the most recent change.
For material changes affecting how we use your Personal Data or the categories of recipients, we will notify you (typically by email to your Clinic's admin contact) at least 30 days before the change takes effect, and where required by law we will obtain fresh consent.
A change log of prior versions is available on request.
18. Governing Law and Jurisdiction
This Notice is governed by the laws of Singapore. The courts of Singapore have exclusive jurisdiction in respect of any dispute arising under this Notice, save where local law in your jurisdiction confers exclusive jurisdiction on a different forum.
A Bahasa Malaysia translation of this Notice will be made available before the first Malaysian clinic is onboarded, in compliance with Section 7(3) PDPA-MY.