PRIVACY POLICY (PERSONAL DATA PROTECTION) 

Controller: ITALENT PTE. LTD. (UEN: 202345163W) 
Registered Address: High Street Centre, #B1-35, 1 North Bridge Road, Singapore 179094 
General Contact: office@italent-sg.com | +65 315 923 77 
Data Protection Officer (DPO): Data Protection Officer — office@italent-sg.com

Effective: 31 October 2025 

Last Updated: 31 October 2025

1. Scope and Governing Law

This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal data in the course of delivering our recruitment, talent sourcing, advisory, and related services (collectively, the “Services”). This Privacy Policy applies to candidates (including potential candidates, referrals and contractors), client and prospective client contacts, visitors to our website or other channels we operate, and any other person who communicates with us in relation to our Services. This Privacy Policy is governed by the laws of Singapore, including the Personal Data Protection Act 2012 (“PDPA”). If you are located in the EU or UK, please also see Section 17 (EU/UK Add-On). We may provide different or additional privacy terms for specific engagements, proposals, or contracts. Those terms will prevail if there is a conflict with this Privacy Policy. Business contact information (for example, your name, job title, company name, business email address, and business phone number when provided for business purposes) is generally not subject to certain data protection provisions under the PDPA.

2. Definitions

For clarity in this Privacy Policy: 

“Personal Data” means data, whether true or not, about an individual who can be identified (a) from that data alone, or (b) from that data and other information to which we have access.

“Business Contact Information” means an individual’s name, position name or title, business telephone number, business address, business email address or business fax number, and any other similar information about the individual, not provided solely for personal purposes.

“Data Intermediary” means an organisation that processes Personal Data on our behalf and for our purposes only (for example, certain software vendors or cloud hosting providers).

“Services” means our recruitment, talent sourcing, market intelligence, and related advisory and support services.

“Client” means an organisation that engages us to identify, assess, introduce, or onboard talent, or to advise on hiring needs.

3. Our Data Protection Officer (DPO)

We have appointed a Data Protection Officer. You may contact our Data Protection Officer at office@italent-sg.com with any questions about how we handle Personal Data, to exercise your rights under the PDPA (see Section 15), to raise a complaint about our handling of Personal Data, or to report any suspected unauthorised use or disclosure of your Personal Data.

4. How We Collect Personal Data

We collect Personal Data directly from you (for example when you send us your CV, fill out a form, email or message us, schedule a call, or otherwise communicate with us); from publicly available or professional sources (for example LinkedIn or other platforms where you have made your profile, work history, or contact information available); from referrals (for example, when a former manager, colleague, investor, or client refers you to us as a potential candidate or contact); from our clients (for example, role requirements, interview feedback, onboarding requirements, or information about work eligibility and notice periods); automatically when you interact with our website, emails, or systems (for example, security logs such as IP address, timestamp, browser/user agent, anti-abuse data, and system analytics that help protect the integrity of our Services); and from service providers and tools we use to support our Services (for example, scheduling tools, applicant tracking systems, background screening vendors where specifically instructed by a client, and infrastructure hosting providers).

5. Personal Data We Collect

Depending on your relationship with us, we may collect and process the following categories of Personal Data. We collect only what we reasonably need for the relevant purpose. 

Website & Security Data. We may collect IP address, timestamps, URLs visited, referrer information, browser / user-agent details, server error or access logs, security and fraud detection data from hosting / DNS / email infrastructure providers, and cookie or session IDs used for functionality, performance, and security. 

Enquiries. When you contact us, we collect your name and contact details, the content of your enquiry, and any information you choose to provide to us, such as CVs, portfolios, commercial proposals, or statements of requirements. 

Candidate / Talent Data. For candidate sourcing and assessment, we may collect CVs and professional histories (including qualifications, certifications, seniority, compensation expectations, notice period, and work eligibility or visa status), interview and reference notes, feedback from clients and interviewers, communications with you about roles, interviews and onboarding, and information we generate for suitability assessment where lawful. 

Client / Contact Data. For client relationship management, we may collect name, job title, department or team structure, business contact details, hiring needs and feedback, and operational or invoicing information. 

NRIC / Passport / Other National ID Numbers. We avoid collecting or retaining full NRIC, FIN, or passport numbers unless (i) it is required by law; or (ii) it is strictly necessary to verify identity to a high degree of fidelity (for example, pre-employment background screening expressly requested in writing by a client or required for compliance). Where such identifiers must be collected, we do not use them as usernames, public identifiers, or routine reference IDs. Access is limited to personnel with a strict business need to know, and the data is stored with additional access controls. We delete or mask these identifiers once verification is complete unless we are legally required to retain them. Wherever possible, we collect only partial or masked identifiers, and we do not request images of NRICs, passports, or other national IDs “for our records” unless we have explained why it is legally required or strictly necessary and you have agreed to provide it for that purpose.

6. Purposes

We collect, use, and disclose Personal Data in order to provide and improve our Services (for example, sourcing and matching candidates to current or future roles, advising clients on talent availability, and supporting interviews and onboarding); manage relationships with candidates and clients (including responding to enquiries, maintaining contact, arranging interviews, and sharing role briefs or profiles); evaluate suitability for roles (including assessing experience against requirements, obtaining or providing references where lawful, facilitating screening or background checks when instructed, and presenting candidate summaries to clients); support internal operations and quality control (including coaching, training, service quality review, audit, and process improvement); meet contracting and compliance needs (such as issuing engagement paperwork, invoicing, managing accounts and receivables, maintaining tax and audit records, and complying with applicable law); and maintain IT and security (for example, protecting our systems, preventing fraud or abuse, troubleshooting issues, and ensuring network reliability).

7. Legal Bases Under Singapore Law

Consent and Deemed Consent. Where required under the PDPA, we obtain consent before collecting, using, or disclosing Personal Data. In some cases, consent may be deemed — for example, where you voluntarily provide Personal Data for a particular purpose in circumstances where it is reasonable to do so, or where you have been notified of a new purpose and given a reasonable opportunity to opt out but do not opt out (“deemed consent by notification”). You may withdraw consent at any time (see Section 15.3). If you withdraw consent, we will stop processing your Personal Data for the affected purpose unless an exception under the PDPA applies. Withdrawal of consent may limit our ability to continue working with you (for example, if we cannot share your profile with a client). 

Other Legal Bases (Legitimate Interests, Evaluative Purposes, etc.). In addition to consent (including deemed consent), we may collect, use, and disclose Personal Data without consent where permitted or required by the PDPA. Examples include: (i) legitimate interests, where the collection, use, or disclosure is necessary for our legitimate interests or those of another person and we have assessed that the benefit to such interests outweighs any likely adverse effect on you (typical examples include IT and network security, fraud or misconduct detection, service quality review, internal training, service analytics, or safeguarding our rights); (ii) evaluative purposes, where we handle Personal Data such as references, interview notes, and suitability assessments for the purpose of determining suitability, eligibility, qualifications, or performance in relation to employment or engagement opportunities; (iii) business asset transactions, where Personal Data may be disclosed (subject to confidentiality safeguards) in connection with a potential or actual merger, acquisition, investment, or sale of business assets; and (iv) legal or regulatory purposes, where we handle Personal Data as required by law, regulation, or court order, or to establish, exercise, or defend legal claims.

8. Candidate CV Submission to Clients

When you express interest in a role, or when a role is clearly aligned with what you have told us you are looking for (for example, seniority, function, compensation range, or geography), we may share relevant parts of your profile with that client so they can assess suitability. This may include your CV or professional summary, summaries of experience and skills, current or expected compensation range, work eligibility or visa status where relevant, and notice period or availability. We do not send your full CV to unrelated clients “just in case” without an appropriate PDPA basis (for example, your consent, deemed consent for that opportunity, or an applicable PDPA exception such as evaluative purposes).

9. Direct Marketing, DNC & Spam Control

For direct marketing and outreach, we comply with the Singapore Do-Not-Call (DNC) provisions (for specified messages to Singapore telephone numbers) and the Singapore Spam Control Act. We may contact you about relevant roles, market insights, or services that we believe may interest you. You may opt out of such messages at any time by using any provided unsubscribe mechanism or by contacting us at office@italent-sg.com.

10. Disclosures to Third Parties

Service providers (acting as Data Intermediaries). We may share Personal Data with hosting, infrastructure and email providers, applicant tracking / recruitment platforms, scheduling and communications tools, security and analytics providers, and other operational vendors. These providers act on our instructions, are subject to confidentiality and security obligations, and must notify us promptly if they believe a data breach has occurred. 

Clients. We may share Personal Data where you are being put forward or considered for a specific role, or in connection with onboarding into a client’s organisation. 

Professional advisers. We may share Personal Data with accountants, auditors, or legal counsel where reasonably necessary for us to operate our business or comply with law. 

Public authorities or courts. We may disclose Personal Data where required by applicable law, regulation, legal process, or government request. 

Potential acquirers or investors. We may disclose Personal Data (subject to confidentiality safeguards) in connection with a merger, acquisition, investment, or sale of business assets. 

We do not sell Personal Data.

11. Cross-Border Transfers

Some of our systems and service providers may be located outside Singapore, or may store or process data in other jurisdictions (for example, cloud infrastructure or client offices in another country). Where Personal Data is transferred out of Singapore, we will take steps to ensure that the receiving organisation is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the protection under the PDPA. This may include contractual clauses, intra-group data transfer agreements, or other legally enforceable protections. Where feasible, highly sensitive data (for example, national ID numbers) may be redacted or provided in masked form.

12. Accuracy

We rely on accurate and up-to-date information to provide our Services. Candidates should provide updated CVs, corrected information, or revised expectations to office@italent-sg.com so that we present them accurately to clients. Clients should inform us if hiring needs, contact details, or requirements change.

13. Security and Governance

We implement administrative, technical, and physical safeguards that are appropriate to the nature and sensitivity of the Personal Data and the risks involved. These measures include encrypted transmission (for example TLS/SSL with HSTS); secure configuration and patch management; role-based access controls and multi-factor authentication for systems containing Personal Data; limiting access to personnel and service providers with a strict business need to know; vendor due diligence and contractual safeguards for Data Intermediaries; internal policies, training, and periodic reviews of our security measures; and incident response procedures designed to detect, assess, contain, and report suspected data breaches in a timely manner. No method of transmission or storage is perfectly secure; however, we aim to maintain safeguards that are commercially reasonable in light of the sensitivity of the data.

14. Retention

We retain Personal Data only for so long as there is a reasonable business or legal need to do so. Examples: 

  • Server / security logs: typically 30–180 days, or longer if required to investigate or address security incidents. 
  • Enquiries (e.g. general conversations, inbound interest): up to 24 months after our last meaningful interaction with you. 
  • Candidate files: for the duration of the recruitment / placement lifecycle, including reasonable future opportunities where permitted by the PDPA (for example, your consent, deemed consent, or evaluative purposes). You may withdraw consent to future opportunities at any time (see Section 15.3). 
  • Client / contract / billing data: for as long as required under applicable law (typically 5–7 years for tax, audit, and accounting records). 

Where Personal Data is no longer required for any legal or business purpose, we will cease to retain it, or will anonymise it so that it no longer identifies you.

15. Your Rights

Access. You may request information about how we have used or disclosed your Personal Data in the past 12 months, and a copy of the Personal Data we hold about you. We may need to verify your identity and may charge a reasonable fee as permitted by law. Certain data may be withheld where an exception under the PDPA applies (for example, evaluative data or confidential references obtained from other organisations). 

Correction. You may ask us to correct or update Personal Data that you believe is inaccurate or incomplete. 

Withdrawal of Consent / Opt-Out of Talent Pool. You may withdraw consent to our continued use or disclosure of your Personal Data for some or all purposes by contacting office@italent-sg.com, and you may ask us not to keep your profile for future opportunities. If you withdraw consent for purposes that are necessary for us to continue working with you (for example, sharing your CV with a client you want to interview with), we will let you know if that limits what we can do next.

16. Data Breach Notification

We maintain incident response and breach management procedures. If we assess that a data breach has occurred and that it is notifiable under the PDPA (for example, it is likely to result in significant harm or involves significant volumes of Personal Data), we will notify the Personal Data Protection Commission of Singapore (PDPC) and affected individuals as soon as practicable, in line with applicable law. We also require our Data Intermediaries (service providers processing Personal Data on our behalf) to notify us without undue delay if they have reason to believe a data breach has occurred.

17. EU/UK Add-On (If You Are in the EU/UK)

We are based in Singapore and do not specifically market or offer services to individuals in the EU or UK. We do not target EU/UK residents for the purpose of hiring into our own organisation. If you contact us from the EU or UK (for example, about an opportunity in Singapore or APAC) and applicable law requires it, you may have additional rights such as the right to object to certain types of processing (including certain forms of direct marketing), the right to restrict processing, the right to data portability, and the right to lodge a complaint with a supervisory authority. Where we process your data to match talent to client roles, we generally rely on our legitimate interests as the lawful basis (for example, sourcing and evaluating candidates). Where we rely on consent (for example, to introduce you to a specific client), you may withdraw that consent at any time. If you are in the EU or UK and wish to exercise rights under EU/UK data protection law, please contact office@italent-sg.com.

18. Cookies and Third-Party Sites

We use cookies and similar technologies that are necessary for security, functionality, authentication, spam and abuse prevention, performance analytics, and loading site assets (for example, fonts, UI libraries, or frontend frameworks). Where feasible, we self-host essential assets rather than loading them from third-party CDNs. You may adjust your browser settings to block or delete cookies, but core functionality may be affected. Our website, emails, or messages may link to third-party systems (for example, an applicant tracking system, background check portal, video interview platform, scheduling tool, or file-sharing service). We are not responsible for how those third parties handle Personal Data, and you should review their privacy notices before providing Personal Data to them.

19. Children

Our Services are not directed to children under the age of 18, and we do not knowingly collect Personal Data from individuals under 18 for recruitment or placement purposes. If you are a parent or guardian and believe that a minor has provided us with Personal Data without proper consent, please contact our Data Protection Officer at office@italent-sg.com and we will delete such data where required by law.

20. Automated Decision-Making and Profiling Tools

We may use software tools (for example, keyword / relevance matching, skills extraction, summarisation, or search / ranking algorithms) to help review CVs and match candidates to potential roles more efficiently. These tools support our team but do not make final hiring or rejection decisions on their own, and we do not make decisions that produce legal or similarly significant effects for you solely by automated processing without human involvement.

21. Complaints

If you have concerns about how we handle your Personal Data, please first contact our Data Protection Officer at office@italent-sg.com. We will investigate and aim to resolve the matter. If you are not satisfied with our response, you may file a complaint with the Personal Data Protection Commission of Singapore.

22. Updates

We may update this Privacy Policy from time to time. The “Last Updated” date at the top shows when this version took effect. When we make material changes, we will highlight them on this page or otherwise make them reasonably apparent. Your continued interaction with us after any update to this Privacy Policy constitutes your acknowledgment of the updated terms, to the extent permitted by applicable law.