Internal Data Protection Policy
Purpose
OMNI GAME LABS PTE. LTD.("we", "us", "our") is committed to protecting personal data in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore. This internal policy outlines how we collect, use, disclose, store, retain, delete, and protect personal data to ensure confidentiality, integrity, and security. It applies to all employees, contractors, and third parties handling data on our behalf.Personal data means any data about an individual who can be identified from that data (e.g., name, NRIC/FIN, contact details, email, address, employment info, IP address if linked to identity).
Scope
This policy covers all personal data we handle, including:
Employee and contractor data
Customer/client data (if applicable)
Vendor/supplier data
Any other personal data collected in business operations
It aligns with PDPA obligations: Consent, Notification, Purpose Limitation, Accuracy, Protection, Retention Limitation, Transfer Limitation, Access & Correction, and Accountability.
Data Protection Officer (DPO)
We have appointed:
Name: [zack.hammer]
Email: [admin@igrush.com]
inquiries/access requests, and is the contact for PDPC. All staff report concerns to the DPO.
Providing services/products
HR/employment management
Compliance with laws
Security and operations
Collection methods: Direct (forms, emails, contracts), indirect (public sources, referrals), or automatically (logs, cookies — with notice where applicable).
We practice data minimization — collect only what's needed.
Service delivery and support
Internal administration/HR
Marketing (with consent)
Legal/compliance requirements
Sharing with authorized service providers (e.g., cloud hosts in Singapore or with PDPA-equivalent protection)
Overseas transfers (if any) are limited and protected (e.g., contracts requiring equivalent safeguards). No selling of data.
Employee records: Duration of employment + 2–7 years post-termination (for tax/claims)
Customer data: Duration of relationship + 1–3 years
Logs/technical data: 90–365 days
Other: As required by law
After retention period:
Securely delete (e.g., permanent erase, shred paper)
Anonymize where possible
Automatic tools (e.g., Google Workspace/AWS lifecycle policies) used where feasible
Deletion logs maintained for audits.
Access controls (passwords, role-based, MFA where possible)
Encryption (in transit/at rest for sensitive data)
Antivirus, firewalls, secure servers/cloud (Singapore or PDPA-compliant regions)
Employee training (annual basics)
Incident response plan (detect, contain, notify PDPC/individuals if significant harm)
No liability for third-party breaches beyond our control.
Access to their data
Correction of inaccuracies
Information on use/disclosure (past year)
Withdrawal of consent (may affect services)
Requests to DPO; respond within 30 days (or reasonable time). Verify identity first. Fees may apply for access. Refusals only if permitted by PDPA.
Assess impact immediately
Contain and mitigate
Notify PDPC within 72 hours if significant harm or >500 affected
Notify individuals if high risk
Document and review
Training and AccountabilityAll staff receive basic PDPA training on onboarding and annually. Violations may lead to disciplinary action.
Review and UpdatesThis policy is reviewed annually or upon PDPA changes. Updates communicated internally.
Governing Law: This policy is governed by the laws of Singapore.By working with us, employees/contractors agree to follow this policy.