Privacy Policy
Your privacy is important to us. The purpose of this core privacy policy (“Privacy Policy”) is to make you aware of what personal data Cialfo (“Cialfo”, “we”, “us” or “our”) collects from the students and school personnel through your use of our platform dedicated to early career exploration, college search and selection process (“Platform”).
This Privacy Policy describes how Cialfo collects, uses, discloses and otherwise processes personal data regarding (i) the personnel, account holders, teachers or counsellors from schools (“School Personnel”) and (ii) the students and/or their legal guardians (“Students”). This Privacy Policy applies to personal data that we collect through the Platform as a controller (such as when we are in direct contact with Students).
IMPORTANT NOTE FOR STUDENTS: This Privacy Policy does not apply to the processing of personal data that we handle on behalf of our customers (i.e., when we use or store your personal data in accordance with your school’s instructions). In this case, our use of your personal data is governed by our agreements with your school and you should refer to your school’s privacy policy to obtain more information about the processing of your personal data.
If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), please also consult the EEA/UK GDPR Annex below. For residents in the People’s Republic of China (“PRC”), please also consult the PRC Annex below.
1. Who We Are and Our Data Processing Roles
Cialfo has two roles with respect to its processing of personal data through the Platform:
AS A PROCESSOR – To provide our Platform, Cialfo processes personal data on behalf of the schools and at their direction. In those cases, Cialfo acts as a processor and your school acts as a data controller. As explained above, our activities as a processor are not governed by this Privacy Policy.
AS A CONTROLLER - In addition, Cialfo also processes Students’ personal data either (i) on its own initiative and separately from the schools, or (ii) by taking joint decisions with the schools on how to process your personal data and for which purposes, as explained in this Privacy Policy. In such cases, we invite Students to read both this Privacy Policy and the privacy policy from their schools. Cialfo also acts as a controller when processing personal data of School Personnel holding accounts on the Platform.
2. Contact Us
If you have any questions about this Privacy Policy or want to exercise any rights you may have with respect to your personal data, as set out in this Privacy Policy, please contact us at: legal@cialfo.com.sg. Our mailing address is 52 Joo Chiat Rd, #02-01, Singapore 427374. Please mark all correspondence to us for the attention of the Data Protection Officer.
3. Information We Collect
Information that you provide or information about you provided to us by the schools may include:
FROM SCHOOL PERSONNEL:
- Content you upload on the Platform. We may collect information such as academic transcripts, letters of recommendations and test scores, along with the metadata associated with the files you upload on the Platform.
FROM STUDENTS:
- Content uploaded about you on the Platform. We may collect information such as text, images, resumes, profiles’ information and universities preferences, along with the metadata associated with the files you upload on the Platform. Note that this information can be uploaded directly by the School Personnel.
FROM ALL (STUDENTS AND SCHOOL PERSONNEL):
- Contact details: We collect the following information about you, including when we meet you at events or workshop or when you otherwise seek information from us: your first and last name, your work email, your phone number.
- Sign-up information. We collect the following information when you sign-up on our Platform: your first and last name, your work email, your title (counselor, school leader, teacher, student/parent), the name of your school, your phone number, your location.
- Feedback or Correspondence. We may collect information such as when you contact us with questions, feedback, or otherwise correspond with us online.
- Usage information. We may collect information about how you use the Platform and interact with us, including information you submit to us and information you provide when you use any interactive features of the Platform.
4. How We Use Your Personal Data
FROM SCHOOL PERSONNEL:
- To provide access to the Platform: We process School Personnel’s personal data to create and maintain any account they may have through the Platform, provide our Platform’s services, answer requests and queries.
FROM STUDENTS:
- To provide direct services to Students: We process Students’ personal data to provide them with direct services, which means services subscribed by the Students directly as opposed to services subscribed by the schools (e.g. where Students use the “Connection” functionality of our Platform). We also process Students’ personal data to create and maintain any account they may have through the Platform, and to respond to inquiries, complaints or requests (e.g. where Students seek help via the Help Center on our website).
- For profiling purposes: We may use profiling in regard to Students’ personal data for some direct services, for example, we may provide tailored recommendations to Students regarding universities’ choices. Students can object to profiling by contacting us using the details at Section 2 of this Privacy Policy.
FROM ALL (STUDENTS AND SCHOOL PERSONNEL):
- For marketing purposes: We and/or our third-party marketing partners may use personal data from School Personnel and Students for our marketing purposes. We organize events and workshops in which your contact details may be collected for this purpose. You can opt-out of our marketing emails at any time by clicking on the unsubscribe button at the bottom of our email communications.
- For security and maintenance of our Platform: We process your personal data for security and maintenance purposes, including to measure the performance of our Platform; to enforce applicable terms and conditions; to protect our rights, privacy, safety or property and/or that of you or others; and to protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
- To analyze and improve our Platform and develop new products and services: We may use personal data, including through the use of analytics, to improve our Platform and to assist us with the development of other products and services, to better understand how our Platform are used, to understand what products and services may be of interest to you and to deliver relevant web content to you and to measure or understand the effectiveness of the content we serve to you. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal data we collect. We may make personal data into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the service and promote our business. For this purpose, we may also ask for your feedback and send you satisfaction surveys.
- To comply with any legal or regulatory requirements: We may use personal data to comply with legal or regulatory requirements, lawful requests and legal process (such as to respond to subpoenas or requests from government authorities) and to audit our internal processes for compliance with such requirements or with our internal policies.
- To establish, exercise and defend ourselves in the context of legal claims: We may process personal data as we in good faith believe is necessary or appropriate to defend our legal interests.
- To disclose your personal data to a prospective or actual purchaser or seller: We may disclose your personal data if Cialfo is involved in, or is contemplating, a business transaction, including in the context of a merger, acquisition, sale of all or a portion of our business or assets, bankruptcy, reorganization or similar event.
5. Who We Share Your Personal Data With
We may share your personal data with the following categories of third parties for purposes described in this Privacy Policy:
- Affiliates: We may share your personal data with our subsidiaries and affiliates.
- Business Customers: We may share your personal data with the relevant business customer.
- Service providers / Sub-processors: We may share your personal data with, or transfer your personal data to, our service providers / sub-processors to help us operate the Platform (e.g. payment processors, customer support, hosting, information technology, marketing and analytics).
- Authorities and others: We may share your personal data with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce applicable terms and conditions; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
- Organizations Involved in Business Transfers or Potential Business Transfers: We may disclose or transfer your personal data in connection with an actual or potential business transaction, including in the context of a merger, acquisition, sale of all or a portion of our business or assets, bankruptcy, reorganization or similar event.
6. International Data Transfer
We are headquartered in Singapore and may use service providers / sub-processors that operate in other countries. We may also transfer your personal data to our affiliates or business customers that are located outside of Singapore for purposes described in this Privacy Policy. Your personal data may be transferred to locations where privacy laws may be different from those in your state, province, or country.
If you are located in the EEA or the UK or China, we will transfer your personal data outside the EEA/UK or China in accordance with the provisions on data transfers in the EEA/UK GDPR Annex and China Annex below.
7. Your Privacy Rights
Under certain circumstances, if and to the extent provided by any law applicable to your personal data, you may have certain rights with respect to your personal data. Such rights may include the right to access, update, rectify, or erase certain personal data that we have about you or restrict or object to certain activities with respect to your personal data. To the extent you have such rights, you may exercise them as described herein.
Where we process your personal data as a controller, you may exercise any rights you may have under applicable privacy laws by contacting us using the details in Section 2 of this Privacy Policy. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
8. Data Retention
We may retain your personal data as long as necessary for the purpose for which it was collected, including to comply with and enforce the terms of our agreements with our business customers, and beyond such time to the extent legally permitted and based on our legal obligations or legitimate interests (e.g. in retaining data for the purposes of responding to possible disputes or complaints).
9. Information Security
Cialfo uses technical, organizational and physical safeguards designed to protect information from loss, theft, misuse, and unauthorized access, disclosure, alteration and destruction. We cannot, however, guarantee that any safeguards or security measures will be sufficient to prevent a security issue.
10. Age Limitations
The Platform is not intended for children under the age of thirteen (13) and we do not knowingly collect data relating to such children. If we learn that we have collected personal data through our Platform from a child under thirteen (13) without the consent of the child’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information. We encourage parents or guardians with concerns to contact us using the details at Section 2 of this Privacy Policy.
11. Third-Party Platform
Our Platform may integrate with or enable access to third party tools. If you register, install or access any third-party tools, you may be required to accept privacy notices provided by those third parties. Please review any applicable third-party notices carefully. Cialfo does not control and is not responsible for these third parties’ privacy or information security practices
12. Other Privacy Policies
In addition to this Privacy Policy, please note that depending on your role, you may also be subject to:
- Explore Platform Privacy Policy, which applies to the processing activities arising out of or in connection with the “Explore by CIALFO” platform.
For the avoidance of doubt, this Privacy Policy:
(a) does not override the requirements in the Explore Platform Privacy Policy to the extent those requirements are additional to the requirements of this Privacy Policy;
(b) overrides the requirements in the Explore Platform Privacy Policy to the extent this Privacy Policy requires a higher data protection standards; and
- Cookie Policy, which applies to the processing of personal data in connection with our use of cookies and other tracking technologies on our website / Platform.
13. Changes to this Privacy Policy
Cialfo reserves the right to modify this Privacy Policy at any time. We thus advise you to check this Privacy Policy regularly for the latest information on our privacy practices. Any material changes to this Privacy Policy will be announced via our website or other appropriate means.
Any modifications to this Privacy Policy will be effective upon our posting of the new terms and/or upon implementation of the new changes on the services (or as otherwise indicated at the time of posting).
In all cases, the continued use of the Platform by you after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.
EEA/UK GDPR Annex
If you are located in the EEA or the UK, this EEA/UK GDPR Annex also applies to you.
1. The controller of your personal data
Cialfo (“Cialfo”), established at the address stated at Section 2 of this Privacy Policy, is the controller of your personal data for the purposes referred to in Section 4 of this Privacy Policy.
2. Legal basis
We use your personal data only as permitted by law. Our legal bases for processing the personal data described in this Privacy Policy are described in the table below.
To provide access to the Platform
We process your personal based on contractual necessity.
To provide direct services to Students
We process your personal based on contractual necessity.
For profiling purposes
We process your personal data based on our legitimate interests to create a Platform that matches Students’ needs by providing them with tailored recommendations.
For marketing purposes
Your consent to receive marketing communications.
By exception, we will rely on our legitimate interest in promoting our Platform, if your contact details were collected in the context of a sale and that the products and services we advertise are similar to those we already provided you
In both cases, we will offer you a chance to opt-out from each subsequent marketing communication.
For security and maintenance of our Platform
We process your personal based on our legitimate interests to protect and maintain the security of our day-to-day business activities.
To analyze and improve our Platform and develop new products and services
We process your personal data based on our legitimate interest in getting to know Students and School Personnel’s preferences so as to enable us to better personalise our offers, and ultimately, offer a Platform that better meet their needs and desires.
To comply with any legal or regulatory requirements
We process your personal data based on compliance with our legal obligations.
To establish, exercise and defend ourselves in the context of legal claims
We rely on our legitimate interests to defend our legal rights or interests in courts.
To disclose your personal data to a prospective or actual purchaser or seller
We rely on our legitimate interests to ensure the sustainability of our business.
When we disclose your personal data to third party business partners / services providers, the lawful bases listed above apply to any disclosure necessary to achieve the corresponding purpose.
3. How to access your personal data and your other rights
You have the following rights in relation to the personal data we hold about you:
- Your right of access: If you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Your right to erasure: You can ask us to delete or remove your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we've shared your personal data with so that you can contact them directly.
- Your right to restrict processing: You can ask us to “block” or suppress the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Your right to data portability: You have the right, in certain circumstances, to obtain personal data you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Your right to object: You can ask us to stop processing your personal data, and we will do so, if we are:
- relying on our own or someone else's legitimate interests to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal data for direct marketing purposes.
- Your right to withdraw consent: If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
- Your right to lodge a complaint with the supervisory authority: If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, you can report it to the relevant supervisory authority.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
4. International data transfers
We may transfer your personal data outside of the EEA and/or UK. Some of these recipients are located in countries in respect of which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under Article 45 of the GDPR.
Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, Singapore and the United States are Restricted Countries. Where we transfer your personal data to a recipient in a Restricted Country, we will either:
- enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
- rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
You may ask for a copy of such appropriate data transfer agreements by contacting us using the contact details in Section 2 of this Privacy Policy.
Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before disclosing any personal data.
PRC Annex
This PRC Annex supplements the other sections of this Privacy Policy and applies to individuals located in PRC. In case of any consistencies between this PRC Annex and other sections with respect to how we collect, process, share, transfer and protect personal data of individuals located in PRC, this PRC Annex prevails.
1. Collection and use of your personal data
We collect and use your personal data to provide you with services on our Platform in accordance with what is described under Section 3 “Information We Collect” and Section 4 “How We Use Your Personal Data” of this Privacy Policy.
You need to provide us with your personal data that is necessary for us to provide the basic functions of our services to you on our Platform. For the categories of personal data that are not necessarily needed for the basic functions of our services, if you choose not to provide them to us, you may still use the basic functions of our services but may not be able to use the specific functions that rely on such personal data. We will ask for your consent if we process your personal data for new purposes that are not described in this Privacy Policy.
To the extent that we display online advertisements or other marketing messages to you on our Platform, you may choose to opt out of receiving such online advertisements or marketing messages by contacting us using Section 2 of this Privacy Policy. Please note that if you choose to opt out, we may not be able to continue providing you with access to our Platform.
We may also collect and use your personal data without obtaining your consent under the following circumstances:
- it is necessary for the conclusion or performance of a contract to which you are a party;
- it is necessary for the fulfillment of our statutory obligations;
- it is necessary for coping with public health emergencies or for the protection of an individual’s life, health or property; and
- your personal data is processed within a reasonable scope in accordance with applicable Chinese laws if such personal data has already been publicly disclosed by yourselves or by other legal sources.
2. Sharing and disclosure of personal data
We share your personal data with entities and for purposes as described under Section 5 “Who We Share Your Personal Data With”.
In the event of a merger, reorganization, dissolution, or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the surviving entity in a merger or the acquiring entity. We will notify you of the name and contact information of the recipient of your personal data. The recipient shall comply with this Privacy Policy when processing your personal data. If the processing methods and purposes of the recipient fall beyond the scope of this Privacy Policy, the recipient shall obtain your new consent.
We will not publicly disclose your personal data unless we have obtained your explicit prior consent or the public disclosure is required by applicable laws, regulations or legally binding enforcement actions or court orders.
3. International transfer of personal data
For the purposes described under Section 4 “How We Use Your Personal Data” of this Privacy Policy, we may transfer your personal data described under Section 3 “Information We Collect” to Cialfo affiliates, business customers and service providers located outside of China.
We will rely on a lawful international data transfer mechanism available under applicable Chinese laws to transfer your personal data overseas and adopt necessary measures to ensure that the overseas recipients of your personal data can provide the same level of protection as required under applicable Chinese laws.
4. Security
In case a security incident occurs, we will take remediation actions immediately and notify relevant government authorities and affected users, when required by applicable Chinese law.
5. Your privacy rights
You have the following rights in relation to the personal data we hold about you:
- Right of access
- Right to obtain a copy of your personal data
- Right to rectification
- Right to erasure where:
- the purposes of processing have been achieved or cannot be achieved, or such personal data is no longer necessary for achieving the purposes of processing;
- we cease to provide our services, or the retention period has expired;
- you have withdrawn your consent;
- our processing is in violation of applicable Chinese laws or the agreements with you; or
- other circumstances as provided by applicable Chinese laws.
- Right to object to or restrict the processing of your personal data.
- Right to data portability if your request complies with the requirement issued by competent Chinese authorities.
- Right to withdraw your consent.
We will respond to your request for exercising your right within 30 days after your identity is verified.
We are headquartered in Singapore and may use service providers / sub-processors that operate in other countries. We may also transfer your personal data to our affiliates or business customers that are located outside of Singapore for purposes described in this Privacy Policy. Your personal data may be transferred to locations where privacy laws may be different from those in your state, province, or country.
If you are located in the EEA or the UK or China, we will transfer your personal data outside the EEA/UK or China in accordance with the provisions on data transfers in the EEA/UK GDPR Annex and China Annex below.
6. Changes to this Privacy Policy
This Privacy Policy may be amended from time to time. If we make changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Platform. If we make any material changes to this Privacy Policy, where required by applicable Chinese laws, we will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via email or another manner through the Platform.