Elyx
Legal

Data Privacy & Security Policy

Elyx Life Pte. Ltd. is committed to safeguarding the privacy and security of our Clients’ personal and health-related information, in compliance with the Personal Data Protection Act (PDPA) and other relevant healthcare regulations.

1Purposes for Data Collection

We collect, use, and store Client data for the following purposes:

1.1. Provision of the Services. To provide our health concierge services, as described in our Services Agreement. The Services are not medical or healthcare services, and Elyx communications do not constitute medical advice, diagnosis, or treatment. Details regarding how your data may be used and disclosed are set out in the Services Agreement and in Section 4 below.
1.2. Appointments and Communication. To include the scheduling of appointments, sending reminders, and other communications between you and Elyx Life.
1.3. Billing and Payment. To include facilitating billing, processing payments, and handling insurance claims.
1.4. Regulatory Compliance. To include complying with legal and regulatory requirements, and associated reporting obligations.
1.5. Quality Improvement. To include conducting internal audits, training, and quality assurance initiatives.
1.6. Analysis. De-identified and aggregated data may also be used to perform analyses and create reports regarding over-arching health trends and diagnostics.

2Types of Data Collected

We may collect and process the following categories of personal data, including but not limited to the following:

2.1. Personal Identification Information: full name; NRIC/FIN/Passport number; date of birth; contact information (e.g., phone number, email address, residential address).
2.2. Health Information: medical history, medical notes, summaries, and reports; laboratory test results and screening results; medications, treatments, and treatment plans; allergies and chronic conditions; lifestyle habits, and health and fitness data; real-time biometric data (e.g., temperature, weight, heart rate); data from wearable devices, telehealth devices, and other wellness products and devices (“Wearables”); and any related data, including data and insights derived from analysis or computations carried out on the above.
2.3. Financial Information: payment details; insurance information.
2.4. Other Data: emergency contact information; feedback and inquiries that you may submit; scheduling and logistics information; contact details of support persons; any other information required to facilitate lifestyle changes and drive outcomes.

3How We Protect Your Data

We implement robust technical, administrative, and physical safeguards to ensure the confidentiality, integrity, and availability of Client data. These measures include:

3.1. Technical Safeguards: encryption of data in transit and at rest; use of secure servers and firewalls; access controls, including multi-factor authentication.
3.2. Administrative Safeguards: annual staff training on data privacy and security; designation of a Data Protection Officer (DPO); regular internal audits and reviews of data protection policies.
3.3. Physical Safeguards: restricted access to areas where sensitive data is stored; secure disposal of physical documents containing Client information.

4Data Sharing and Disclosure

We do not sell or share Client data with third parties for marketing purposes. However, we may share data under the following circumstances:

4.1. With Your Consent. Sharing information at your request, including with specifically identified individuals (e.g., spouse, emergency contacts).
4.2. Affiliates. Disclosure to Elyx’s affiliates for (a) analysis and computation of Health Data on Elyx’s behalf, (b) hosting and storage of Personal Data and Health Data, and (c) otherwise providing the Services.
4.3. Clinics and Doctors. Disclosure to clinics and doctors for the purpose of providing the Services, including arranging consultations and other purposes you request.
4.4. Elective Screening, Tests, and Referrals. Disclosure to third parties providing elective health screening or laboratory tests, for referrals, or otherwise for purposes related to the Services.
4.5. Non-Healthcare Service Components. Disclosure to third parties providing non-healthcare components of the Services (e.g., creating customized reports, analyzing data to identify correlations).
4.6. AI Model Training. Disclosure to third parties for training artificial intelligence models to assist in providing the Services, including supporting clinical decisions of clinics and doctors, logistics, Client responses, and data analyses.
4.7. Service Delivery. Disclosure to third parties engaged to track and improve the delivery of the Services.
4.8. Product Strategy. Disclosure to third parties to improve product strategies and offerings.
4.9. Overseas Recipients. Some affiliates and third parties above are located outside Singapore. By consenting, you permit the disclosure of your Personal Data and Health Data to them and their collection and use of it for the relevant purposes. Elyx takes reasonable steps consistent with the PDPA’s Transfer Limitation Obligation.
4.10. Regulatory Compliance. Reporting to government authorities as required by law.
4.11. Insurance Claims. Sharing relevant data with insurance providers for claims processing.
4.12. Other Service Providers. Engaging vetted service providers (e.g., IT, hosting, billing, and other operational vendors) under confidentiality and data-protection obligations. Please refer to the Health Data and Personal Data section of the Terms of Service Agreement for further details.

5Clients’ Rights

Under the PDPA, Clients have the following rights regarding their personal data:

5.1. Access and Correction. Clients can request access to or correction of their personal data.
5.2. Withdrawal of Consent. Clients can withdraw their consent for data collection, subject to legal or contractual restrictions.
5.3. Data Portability. Where required by law, or where Elyx elects to support such requests, you may request that your personal data be transmitted to another organization in a commonly used machine-readable format. The Data Portability Obligation under the PDPA will take effect only once the relevant regulations are issued by the PDPC; until then, Elyx handles portability requests on a discretionary basis.
5.4. Complaints. Clients can file complaints regarding data privacy or security breaches with our Data Protection Officer (DPO).

To exercise any of these rights, or to convey any questions or concerns you may have, please contact our DPO at the contact below.

6Retention and Disposal of Data

6.1. Retention Period. We retain Client data for as long as necessary to fulfill the purposes outlined in this policy or as required by law.
6.2. Secure Disposal. Upon reaching the retention period, data will be securely deleted or destroyed to prevent unauthorized access.

7Breach Notification

In the event of a material data breach, Elyx will:

7.1. Notify affected individuals and relevant authorities in compliance with PDPA requirements.
7.2. Take immediate steps to mitigate risks and prevent further breaches.
7.3. Conduct a root cause analysis and update our data protection measures as necessary.

8Updates to This Policy

We may update this policy from time to time to reflect changes in legal, regulatory, or operational requirements. The latest version will always be available on our website.

9Contact Information

If you have any questions or concerns about this policy, please contact our Data Protection Officer:

Legal Entity
Elyx Life Pte. Ltd.
Data Protection Officer
Nishanth Sudharsanam
Address
80 Raffles Place, #47-01, UOB Plaza, Singapore 048624