VOTE-TECH PRIVACY POLICY
1. Introduction
Vote Tech Pte. Ltd. (UEN: 202607078C) ("Vote-Tech", "we", "us" or "our") operates vote-tech.com, a technology platform providing electronic voting, shareholder registration, and related services for Annual General Meetings (AGMs), Extraordinary General Meetings (EGMs) and other corporate meetings ("Services").
This Privacy Policy sets out how Vote-Tech collects, uses, discloses, stores, and protects your personal data in Singapore. It has been prepared in compliance with:
- The Personal Data Protection Act 2012 (Cap. 26F) ("PDPA") and its subsidiary legislation, as amended from time to time;
- The PDPA (Amendment) Act 2020, including the Data Breach Notification Obligation;
- Guidelines and advisory guidelines issued by the Personal Data Protection Commission ("PDPC");
- Singapore Exchange Regulation ("SGX RegCo") Practice Note 7.5 on General Meetings;
- The SGX-ST Listing Manual requirements applicable to listed issuers; and
- Standards for Virtual and Hybrid General Meetings issued by SGX RegCo, the Singapore Institute of Directors (SID), and the Chartered Secretaries Institute of Singapore (CSIS).
The provision of your personal data is voluntary. However, certain personal data is necessary for us to provide our Services, verify your identity as a shareholder or authorised representative, and comply with applicable legal and regulatory requirements. If you choose not to provide such data, we may be unable to provide the Services to you.
2. Scope and Application
This Privacy Policy applies to all personal data we collect or process in connection with our Services in Singapore, including data relating to:
- Shareholders and registered holders of securities attending AGMs or EGMs via the Vote-Tech platform;
- Corporate representatives, attorneys, and duly appointed proxies of shareholders;
- Directors, company secretaries, and officers of issuer companies using our platform;
- Visitors to our website at vote-tech.com; and
- Business partners, vendors, and other persons whose personal data we process in the course of our operations.
Where Vote-Tech acts as a data processor on behalf of an issuer company (the data controller), the issuer's own privacy policy and data governance arrangements will also apply. In such circumstances, Vote-Tech processes personal data strictly in accordance with the issuer's instructions and the terms of our data processing agreement.
3. Personal Data We Collect
3.1 Shareholder and Proxy Registration
To verify identity and facilitate voting rights in compliance with SGX RegCo Practice Note 7.5, we collect:
- Full legal name and NRIC / FIN / passport number (for identity verification);
- Number of shares held and class of shares;
- Address and contact information;
- Proxy appointment details, including the identity of the appointor and appointee; and
- CPF Investment Scheme (CPFIS) or Supplementary Retirement Scheme (SRS) account details where applicable.
3.2 Meeting Participation Data
During the conduct of an AGM or EGM, we collect:
- Votes cast on each resolution, including split votes and amendments to votes prior to close of poll;
- Login timestamps, IP addresses, and device identifiers for audit trail purposes; and
- Technical support interaction records.
3.3 Website Visitors
When you visit vote-tech.com, we may automatically collect browser type, operating system, referring URLs, and pages visited through cookies and similar technologies.
3.4 Business Contacts
For employees, representatives, and officers of our corporate clients, we collect business contact information such as name, job title, business email address, and telephone number as permitted under the PDPA.
4. Purposes of Collection, Use and Disclosure
We collect, use, and disclose your personal data only for the purposes notified to you at or before the point of collection, or for purposes that are reasonably related to those purposes. The primary purposes are:
| Purpose | Details |
|---|---|
| Identity Verification & Registration | To authenticate shareholders, proxies, and corporate representatives in accordance with SGX RegCo Practice Note 7.5 and the Companies Act (Cap. 50). |
| Conduct of General Meetings | To facilitate attendance, live voting, and other meeting functions required by SGX RegCo guidelines effective 1 October 2022. |
| Voting Administration | To accurately record, verify, count, and report votes on resolutions; to generate audit trails required by SGX RegCo; and to enable the scrutineer to validate results. |
| Regulatory Compliance | To comply with the Companies Act, SGX Listing Rules, ACRA filing requirements, and any other applicable Singapore legislation. |
| Security & Audit | To maintain records for audit and scrutineering purposes; to detect and prevent fraud, unauthorised access, and double-counting of votes. |
| Technical Support | To provide support before, during, and after general meetings, and to resolve technical issues. |
| Service Improvement | To improve the functionality, security, and user experience of our platform, on an aggregated and anonymised basis where possible. |
| Legal Proceedings | To enforce our rights, defend legal claims, and comply with court orders or regulatory directives. |
Where we intend to use your personal data for a new purpose that was not disclosed at the point of collection, we will notify you and, where required under the PDPA, seek your consent before doing so.
5. Consent and Legal Basis for Processing
Under the PDPA, we rely on the following bases for processing your personal data:
- Consent: Where you have given express or deemed consent for us to collect, use, or disclose your personal data for a specified purpose. You may provide consent through registration on the Vote-Tech platform, through your engagement with the issuer company, or through the proxy appointment form.
- Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
- Legal Obligation: Where processing is required to comply with the PDPA, Companies Act, SGX Listing Rules, or any other applicable Singapore law or regulatory requirement.
- Legitimate Interests (Residual Purpose Exception): Where permitted under Schedule 2, Part 3 of the PDPA, for purposes such as fraud prevention, security, or business operations, to the extent such interests are not overridden by your interests or rights.
You have the right to withdraw your consent at any time by notifying us at privacy@vote-tech.com. Please note that withdrawal of consent may affect our ability to provide certain Services to you, and may prevent participation in a general meeting where verification of identity is a regulatory requirement.
6. Disclosure of Personal Data to Third Parties
We do not sell your personal data. We may disclose your personal data to the following categories of recipients, strictly for the purposes set out in Section 4:
- Issuer Companies: The company whose AGM or EGM you are attending, as the data controller, for the purposes of identity verification, shareholder register reconciliation, and meeting administration.
- CDP and Securities Registrars: The Central Depository Pte Ltd and appointed share registrars to verify shareholding records.
- Scrutineers and Poll Administrators: Independent scrutineers appointed in accordance with SGX RegCo requirements to verify and certify voting results.
- Regulatory Authorities: SGX RegCo, ACRA, PDPC, MAS, the Attorney-General's Chambers, courts, or other public authorities where we are required or permitted to do so by law.
- Service Providers & Processors: Approved sub-processors providing IT infrastructure, cloud hosting, cybersecurity, and technical support services, subject to binding data processing agreements.
- Professional Advisers: Lawyers, auditors, and accountants engaged in connection with our business operations, subject to confidentiality obligations.
All third parties to whom we disclose personal data are required to comply with the PDPA and our data protection requirements.
7. Cross-Border Data Transfers
Vote-Tech's primary processing and storage infrastructure for Singapore-related Services is located in Singapore. Where personal data is transferred to or stored in a jurisdiction outside Singapore, we comply with Section 26 of the PDPA and the Personal Data Protection (Transfer of Personal Data) Regulations 2021 by:
- Transferring personal data only to countries or organisations that provide a standard of protection that is at least comparable to the PDPA;
- Entering into binding contractual obligations with the recipient to protect your personal data; or
- Obtaining your consent for the transfer where required.
Shareholders and participants whose personal data originates in Singapore can be assured that data relating to Singapore general meetings is processed in Singapore or in jurisdictions meeting the applicable transfer requirements. For enquiries regarding cross-border transfers, please contact dpo@vote-tech.com.
8. Data Protection and Security
Vote-Tech implements technical and organisational measures to protect your personal data in accordance with our Protection Obligation under the PDPA and in line with industry best practices for electronic voting platforms. These measures include:
- End-to-end encryption of data in transit and at rest;
- Role-based access controls limiting data access to authorised personnel only;
- Regular penetration testing and vulnerability assessments;
- Audit trails recording all system access and voting activities, as required by SGX RegCo Practice Note 7.5;
- Incident response and business continuity procedures; and
- Contractual security obligations imposed on all sub-processors.
While we take reasonable measures to protect your personal data, no security system is infallible. You are responsible for keeping your login credentials confidential and should notify us immediately at security@vote-tech.com if you suspect any unauthorised access to your account.
9. Retention of Personal Data
We retain your personal data for no longer than is necessary to fulfil the purposes for which it was collected, or as required by applicable Singapore law and regulations, including:
- Meeting records (voting results, audit trails): Retained for up to 5 years in accordance with corporate governance best practices and the Companies Act;
- Shareholder identity verification records: Retained for up to 5 years following the relevant general meeting, or for such longer period as required by the issuer company;
- Website visitor logs and technical data: Retained for up to 12 months; and
- Business contact information: Retained for the duration of the business relationship, and for up to 3 years thereafter.
Upon expiry of the applicable retention period, or where the personal data is no longer necessary for any legal or business purpose, we will securely delete or anonymise the data in a manner that prevents re-identification.
10. Your Rights Under the PDPA
As an individual whose personal data is processed by Vote-Tech, you have the following rights under the PDPA:
10.1 Right of Access
You may request access to the personal data we hold about you, as well as information about the purposes for which it was used or disclosed in the 12 months preceding your request (Section 21, PDPA). We will respond within 30 calendar days, or such extended period as permitted under the PDPA.
10.2 Right of Correction
You may request that we correct any inaccuracy or error in your personal data (Section 22, PDPA). Where the corrected data has been disclosed to third parties within the preceding 12 months, we will notify those parties of the correction.
10.3 Right to Withdraw Consent
You may withdraw consent for us to collect, use, or disclose your personal data at any time by providing reasonable notice. Please note that withdrawal of consent to processing required for regulatory compliance may limit your ability to participate in general meetings.
10.4 Right to Data Portability (Forthcoming)
Once the PDPA data portability obligation takes effect, you will have the right to request that your personal data be transmitted to another organisation in a commonly used machine-readable format, subject to applicable exceptions.
10.5 How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to:
Email: privacy@vote-tech.com
We may require you to provide proof of identity before processing your request. We will not charge a fee for access requests except in circumstances permitted by the PDPA.
11. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to individuals or is of a significant scale, we will comply with our Data Breach Notification Obligation under Part VIA of the PDPA, which requires us to:
- Notify the PDPC no later than 3 calendar days after we assess that a notifiable breach has occurred; and
- Notify affected individuals as soon as practicable, where the breach is likely to result in significant harm to those individuals.
We maintain an internal data breach response plan and a dedicated incident response team. If you become aware of or suspect a data security incident involving Vote-Tech's Services, please notify us immediately at security@vote-tech.com.
12. SGX RegCo Compliance and Audit Trail
In compliance with SGX RegCo Practice Note 7.5 and the Standards for Virtual and Hybrid General Meetings, Vote-Tech's platform is designed to:
- Accurately count and record all votes cast at general meetings;
- Provide a comprehensive and tamper-evident audit trail of all voting operations, including the accuracy of recording and counting of votes;
- Verify that each vote is cast by a shareholder or proxy entitled to vote, including the disregarding of ineligible votes with communication of the reason to affected participants;
- Maintain transparency of votes and voter identities in real time for validation by the appointed scrutineer; and
- Support the declaration of voting results by the Chairman of the Meeting during the meeting.
Audit trail records maintained by Vote-Tech form part of the meeting records of the issuer company and may be disclosed to SGX RegCo, ACRA, or other regulatory authorities upon lawful request. Such records are retained in accordance with the retention schedule in Section 9 above.
13. Data Protection Officer
Vote-Tech has appointed a Data Protection Officer (DPO) in accordance with Section 11 of the PDPA. The DPO's business contact information is registered with the PDPC via ACRA BizFile+ and is publicly available as follows:
Name / Title: Data Protection Officer, Vote Tech Pte. Ltd.
Email: dpo@vote-tech.com
You may contact our DPO for any data protection queries, access or correction requests, or to report a concern about our data protection practices.
14. Cookies and Tracking Technologies
Vote-Tech uses essential cookies and similar technologies on vote-tech.com to enable core platform functionality (including authentication, session management, and fraud prevention). We do not use non-essential cookies, advertising cookies, or third-party tracking cookies without your consent.
You may manage cookie preferences through your browser settings or our cookie preference centre. Disabling essential cookies may impair the functionality of the platform and your ability to participate in general meetings.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, applicable law, or regulatory requirements. When material changes are made, we will revise the "Last Updated" date above and notify you by email or by prominent notice on our website at least 14 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Continued use of our Services after the effective date of any changes constitutes your acknowledgment of the revised Privacy Policy.
16. Complaints and Regulatory Authority
If you have a complaint about how we have handled your personal data, please contact us at privacy@vote-tech.com. We will investigate your complaint and respond within 30 calendar days.
17. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of Singapore. Any disputes arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Singapore.
This Privacy Policy is issued by Vote Tech Pte. Ltd. and constitutes the data protection notice required under Section 20 of the PDPA.