Privacy Policy

 

Version: 1.0
Effective date: 15 July 2026

1. Organisation responsible for your information

1.1 This Privacy Policy explains how Maison Serein collects, uses, discloses, protects and retains personal data.

1.2 Maison Serein is operated by:

Legal entity: 5CP PTE LTD
UEN: 201730993C
Registered address: 9 Temasek Boulevard, #29-01 Suntec Tower 2 Singapore 038989

1.3 Maison Serein’s Data Protection Officer may be contacted at:

DPO designation or name: DPO Officer
Email: dpo@maisonserein.com.sg

2. Scope

2.1 This Policy applies to personal data relating to:

a. Clients;
b. prospective Clients;
c. persons making bookings for another Client;
d. website visitors;
e. persons communicating with Maison Serein; and
f. other individuals whose information is provided in connection with a Service.

2.2 Where a person provides another individual’s personal data, that person must have authority to provide it and must inform the individual of this Policy where reasonably practicable.

3. Personal data collected

3.1 Depending on the interaction, Maison Serein may collect:

Identity and contact data

a. name;
b. telephone number;
c. email address;
d. preferred contact method;
e. age confirmation; and
f. emergency contact details where reasonably necessary.

Booking data

a. requested Service;
b. appointment date and time;
c. selected Therapist preferences;
d. booking history;
e. special requests;
f. cancellation and rescheduling records; and
g. booking acceptance records.

Location and access data

a. service address;
b. unit number;
c. hotel or condominium details;
d. parking information;
e. security or access instructions; and
f. relevant premises-safety information.

Health and safety data

a. health declarations;
b. pregnancy status where relevant;
c. disclosed injuries, allergies, medical conditions or medication;
d. areas to avoid;
e. adverse symptoms; and
f. treatment-related incident information.

Payment and transaction data

a. amount paid;
b. payment status;
c. transaction reference;
d. partial payment-card information supplied by the payment provider;
e. refund details; and
f. billing records.

Maison Serein should not ordinarily collect or store complete payment-card numbers or security codes.

Communication data

a. emails;
b. messages;
c. call records or notes;
d. complaint correspondence;
e. feedback; and
f. consent records.

Technical and website data

a. IP address;
b. browser type;
c. device information;
d. pages visited;
e. referral source;
f. form-submission logs;
g. cookie identifiers; and
h. website security logs.

Incident and safeguarding data

a. allegations or reports of misconduct;
b. property-loss reports;
c. safety observations;
d. witness details;
e. photographs voluntarily supplied as evidence; and
f. investigation records.

Marketing data

a. marketing preferences;
b. campaign engagement;
c. unsubscribe records; and
d. consent to receive offers or updates.

4. How personal data is collected

4.1 Maison Serein may collect personal data:

a. through its website and booking forms;
b. by telephone, email, WhatsApp or other communication channel;
c. through payment providers;
d. from the Client at the appointment;
e. from a person booking on behalf of the Client;
f. from the assigned Therapist;
g. from hotels, building personnel or access providers where authorised;
h. through cookies and website technology; and
i. during complaints, investigations or emergency responses.

5. Purposes of collection, use and disclosure

5.1 Maison Serein may process personal data for purposes including:

a. receiving and evaluating booking requests;
b. confirming, providing and administering Services;
c. processing payments and refunds;
d. assigning and briefing Therapists;
e. assessing service suitability and safety;
f. adapting or refusing a Service where appropriate;
g. communicating appointment information;
h. gaining access to the Premises;
i. handling cancellations and rescheduling;
j. responding to enquiries and complaints;
k. investigating incidents and misconduct;
l. protecting Clients, Therapists and Maison Serein;
m. preventing fraud and unauthorised transactions;
n. administering insurance claims;
o. maintaining accounting, tax and legal records;
p. improving Services and website performance;
q. securing Maison Serein’s systems;
r. complying with legal obligations; and
s. sending marketing where permitted.

5.2 Maison Serein will not collect, use or disclose personal data for an unrelated purpose without notifying the individual and obtaining consent where required.

6. Required and optional information

6.1 Information necessary to administer and safely provide a Service is mandatory.

6.2 A Client who does not provide required information may be unable to complete a booking or receive the requested Service.

6.3 Marketing consent is optional and is not a condition of receiving a Service.

6.4 Maison Serein should not require consent to excessive data collection as a condition of providing a Service.

7. Consent and withdrawal

7.1 Maison Serein may rely on:

a. express consent;
b. consent reasonably inferred from information voluntarily provided for an apparent purpose;
c. deemed consent permitted by law; or
d. another legal basis permitted under the PDPA.

7.2 An individual may withdraw consent by contacting the DPO.

7.3 Maison Serein will explain the likely consequences of withdrawal.

7.4 Withdrawal will not affect processing already lawfully carried out.

7.5 Maison Serein may continue to retain or use information where required or permitted for legal, safety, insurance, dispute or legitimate business purposes.

8. Health information

8.1 Health information will be collected only to the extent reasonably necessary to evaluate and safely provide a Service.

8.2 Access should be limited to personnel who reasonably require it, including:

a. the assigned Therapist;
b. authorised operations personnel;
c. the DPO;
d. senior personnel managing an incident;
e. insurers or professional advisers where required; and
f. authorities where legally required or reasonably necessary.

8.3 Routine booking-notification emails should not contain unnecessary medical details.

8.4 Therapists must not store Client health information on personal devices except through an approved secure system.

8.5 Health information must not be used for marketing profiling.

9. Disclosure to service providers and other recipients

9.1 Maison Serein may disclose relevant personal data to:

a. assigned Therapists;
b. website and booking-system providers;
c. hosting and cloud-service providers;
d. payment processors and financial institutions;
e. email and communications providers;
f. analytics and cybersecurity providers;
g. professional advisers;
h. auditors and accountants;
i. insurers and claims handlers;
j. law-enforcement, emergency or regulatory authorities; and
k. a purchaser or successor in a genuine business restructuring, subject to appropriate safeguards.

9.2 Service providers should receive only the data reasonably required for their functions.

9.3 Maison Serein should enter into appropriate contractual data-protection arrangements with material service providers.

9.4 Maison Serein does not sell Client health or booking data.

10. Overseas transfers

10.1 Some service providers may store or process personal data outside Singapore.

10.2 Maison Serein will take reasonable steps to ensure that transferred personal data receives a standard of protection comparable to that required under the PDPA.

10.3 Measures may include:

a. contractual data-protection clauses;
b. due diligence;
c. access restrictions;
d. encryption;
e. recognised certification; and
f. transfer-risk assessment.

11. Payments

11.1 Payments may be processed by an independent payment provider.

11.2 The payment provider’s own privacy terms may apply to information collected directly by that provider.

11.3 Maison Serein should use tokenised or hosted payment processing where reasonably practicable.

11.4 Maison Serein personnel must not request complete card numbers, passwords or one-time passwords through WhatsApp, email or telephone.

12. Website cookies and analytics

12.1 Maison Serein’s website may use:

a. essential cookies;
b. security cookies;
c. preference cookies;
d. performance analytics; and
e. advertising cookies where implemented.

12.2 Non-essential cookies should be identified in a separate cookie notice or consent interface where appropriate.

12.3 Users may control cookies through their browser, although disabling essential cookies may affect website operation.

12.4 Maison Serein must update this clause to name the actual analytics, advertising and embedded-content providers used by the website.

13. Marketing communications

13.1 Maison Serein may send marketing communications only where legally permitted.

13.2 Marketing consent should be:

a. separate from booking acceptance;
b. clearly described;
c. optional; and
d. recorded.

13.3 Maison Serein will comply with applicable Do Not Call requirements for marketing sent to Singapore telephone numbers.

13.4 Marketing emails and applicable electronic messages should:

a. identify Maison Serein;
b. contain accurate sender information;
c. provide a functional unsubscribe method; and
d. avoid misleading subject lines.

13.5 An unsubscribe request should be implemented promptly and recorded on a suppression list.

13.6 Service communications, including booking confirmations, appointment reminders and safety messages, are not treated as optional marketing merely because they are sent electronically.

14. Photography, recordings and testimonials

14.1 Maison Serein will not use a Client’s image, voice, testimonial or service footage for marketing without separate express consent.

14.2 Consent for publicity is optional.

14.3 Refusal will not affect the Client’s booking.

14.4 A Client may withdraw consent for future use, subject to reasonable limitations where material has already been lawfully published or distributed.

15. Accuracy

15.1 Maison Serein will take reasonable steps to ensure personal data used for material decisions is accurate and complete.

15.2 Clients should promptly update:

a. contact details;
b. service address;
c. access instructions; and
d. relevant health information.

16. Security

16.1 Maison Serein will use reasonable security arrangements appropriate to the nature of the information.

16.2 Measures should include, where appropriate:

a. role-based access;
b. strong passwords and multi-factor authentication;
c. encryption in transit and at rest;
d. secure backups;
e. system updates;
f. access logging;
g. staff confidentiality obligations;
h. secure disposal;
i. device controls; and
j. incident-response procedures.

16.3 No transmission or storage method is completely risk-free. This does not reduce Maison Serein’s duty to implement reasonable protection.

17. Retention

17.1 Maison Serein will retain personal data only while:

a. the purpose for which it was collected remains active;
b. retention is reasonably necessary for legal or business purposes; or
c. retention is required by applicable law, insurance arrangements or a pending dispute.

17.2 Maison Serein should maintain an internal retention schedule covering:

a. booking and payment records;
b. health declarations;
c. complaint and incident records;
d. marketing consent;
e. website logs; and
f. employment or contractor records.

17.3 When retention is no longer justified, Maison Serein will securely delete, destroy or anonymise the data.

18. Access and correction

18.1 An individual may contact the DPO to request:

a. access to personal data held by Maison Serein;
b. information about how it was used or disclosed; or
c. correction of an error or omission.

18.2 Maison Serein may require reasonable information to verify identity.

18.3 A reasonable fee may be charged where permitted, provided the applicant is informed in advance.

18.4 Access may be restricted where an exception under the PDPA applies, including where disclosure would reveal another person’s data or confidential commercial information.

18.5 Maison Serein will respond within the timeframe required by applicable law or will inform the applicant if additional time is reasonably required.

19. Data breaches

19.1 Maison Serein will maintain procedures to:

a. contain a suspected breach;
b. preserve evidence;
c. assess affected data and individuals;
d. evaluate likely harm and scale;
e. notify the PDPC and affected individuals where required;
f. remediate the cause; and
g. document the assessment and response.

19.2 All staff and Therapists must report suspected loss, unauthorised disclosure or compromise immediately.

19.3 No staff member should attempt to conceal, privately resolve or delete evidence of a suspected breach.

20. Children

20.1 Maison Serein does not knowingly collect a minor’s information for a Service without appropriate parent or guardian involvement.

20.2 Where a Service for a minor has been expressly approved, Maison Serein may collect information reasonably required to verify consent and provide the Service safely.

20.3 Maison Serein should avoid routine collection of NRIC numbers or copies unless legally required or reasonably necessary.

21. Complaints

21.1 Privacy questions or complaints should be sent to the DPO.

21.2 The complaint should include:

a. the individual’s name and contact details;
b. the nature of the concern;
c. relevant dates; and
d. supporting information.

21.3 Maison Serein will investigate and respond reasonably.

21.4 An individual may also raise an unresolved data-protection concern with the Personal Data Protection Commission.

22. Changes to this Policy

22.1 Maison Serein may amend this Policy to reflect legal, operational or technological changes.

22.2 The current version and effective date will be published on the website.

22.3 Material changes affecting an existing consent or purpose will be notified where required.