PDPA & Privacy Policy (SG500 Open Homes)

We use your personal data only to run SG500 Open Homes (vetting, matching, communications and incident handling). We collect only what we need, protect it, share it only with people who need it to do their role, and delete it after the retention period.

Purpose & obligations

We collect and use personal data only to run SG500 Open Homes (vetting, matching, communications, incident handling, post-event feedback) and to meet our responsibilities under Singapore's Personal Data Protection Act (PDPA).

Data we collect

Hosts:

  • [compulsory] name, contact, gender, postal code, church affiliation/reference, no. of available rooms & beds, languages, hosting availability, household composition, hosting preferences; consent for photos, consent for being featured as host; host declaration & non-rental declaration
  • [optional] street name, referee name & code; building name & unit number

Guests:

  • [compulsory] name, contact, nationality, gender, church affiliation/reference; referee name, contact, organisation & recommendation; languages, homestay dates, arrival & departure date, estimated arrival time; preferences; married partner's name, contact; consent for photos, consent for being featured as guest; guest declaration
  • [optional] dietary restrictions, allergies, flight/travel details, extension requested, preferences/constraints

NRIC/FIN/passport numbers are not collected unless legally necessary (e.g., verification or incident reporting).

Consent & notifications

We will tell you (in a privacy notice) what data we collect, why we need it, who we may share it with, and how long we keep it. We will ask for your consent when you sign up, and we will ask separately for any optional uses (e.g., photography, publicity). You may withdraw consent at any time by contacting the Privacy Contact (DPO). If you withdraw consent, SG500 may not be able to continue matching/hosting you, and we will stop using or sharing your data for that purpose.

Accuracy, access & correction

You can ask to see the personal data we hold about you and request corrections (e.g., updated contact details). We will respond within a reasonable time. We may need to verify your identity and may provide information about how your data was used or shared in the past year, where required.

Protection (security controls)

We adopt reasonable security measures such as role-based access (need-to-know), staff/volunteer confidentiality, and appropriate technical controls (e.g., MFA for admins, restricted sharing, and secure storage).

Retention & disposal

We retain matching/operations data through the event and incident resolution. Default retention: 12 months post-event for debrief/audit, then secure deletion/anonymisation unless a legal hold applies.

Sharing & cross-border transfers

We share personal data only with: (i) the assigned Host/Guest; (ii) SG500 operations on a need-to-know basis; (iii) church verifiers (limited fields); (iv) processors/vendors (e.g., email/CRM) under binding terms. If systems are hosted overseas, we will take reasonable steps to ensure comparable protection when transferring data.

Data incident / breach response

We treat any loss, unauthorised access/disclosure, or ransomware affecting personal data as a data incident. We will assess and respond promptly, including any required notifications under the PDPA, and keep records of incidents and actions taken.

Privacy Contact (DPO) & contact details

Email/Phone: sg500dpo@gmail.com

Training & Acceptance

All staff and volunteers who handle personal data will receive role-appropriate PDPA briefing/training and be subject to confidentiality obligations proportionate to their access.

Hosts and Guests confirm acceptance of this Policy Pack when they sign up / accept a placement.