wGrow
menu
Agent Teams
BD CrewArticle CrewWaterDoctor CrewSelection CrewImage CrewFinance Crew
Services
Private LLMBuild & shipConsulting & trainingInfra & security
Case StudiesClientsField NotesAbout Brief us →
Privacy notice / wGrow

Your data, written plainly. PDPA-grade.

This notice explains what personal data wGrow Technologies Pte Ltd (UEN 200816810M, "wGrow", "we", "us") collects when you visit wgrow.com, why we collect it, who we share it with, how long we keep it, and the rights you have under Singapore's Personal Data Protection Act 2012 (the "PDPA"). Engagements we run for clients are governed by separate signed agreements; this notice covers the website only.

Last updated · 7 May 2026

Contents
  1. 1. Who we are
  2. 2. What this notice covers
  3. 3. Personal data we collect
  4. 4. How and why we use it
  5. 5. Legal bases under PDPA
  6. 6. Marketing and the Do Not Call Registry
  7. 7. Who we share it with
  8. 8. International transfers
  9. 9. How long we keep it
  10. 10. Your rights
  11. 11. Children's data
  12. 12. Cookies and similar technologies
  13. 13. Security
  14. 14. Data breach notification
  15. 15. Visitors from the EU, UK and elsewhere
  16. 16. Changes to this notice
  17. 17. Contact and complaints

1. Who we are

wGrow Technologies Pte Ltd is a Singapore-incorporated software studio (UEN 200816810M), founded in 2008. Our registered office is at 114 Lavender Street, #07-51, CT Hub 2, Singapore 338729. We operate offices in Singapore, Johor Bahru and Jakarta.

For all questions about this notice, the personal data we hold, or to exercise any of the rights set out below, write to our Data Protection Officer at [email protected]. The DPO is the business contact we have designated under section 11 of the PDPA.

2. What this notice covers

This notice applies to personal data you provide to us, or that we collect about you, in connection with your use of wgrow.com and any sub-domain we operate (collectively, the "Site"), and to any business correspondence you send us by email, phone or post in response to the Site.

It does not cover personal data that we process on behalf of a client under a signed engagement agreement (a master services agreement, statement of work, or data-processing addendum). For that, the client is the data controller, we are the data intermediary as defined in section 4(2) of the PDPA, and the relevant client's privacy notice and our DPA govern the processing.

3. Personal data we collect

We collect only what we need. In practice, that is one of three categories:

3.1 Information you submit to us

When you fill in the brief form at /contact/, you provide: your name, your work email address, optionally your company, the "door" you came through (e.g. existing client, government / regulated, deep-tech, undecided), and the free-text message describing your problem. When you contact us by email or telephone you give us whatever is in that message or call.

3.2 Information collected automatically

Like every web server, ours records technical information necessary to deliver the Site and to detect abuse: your IP address, the URL requested, the timestamp of the request, the HTTP referer (if any), and the user-agent string your browser reports. This is held in standard server logs.

3.3 Information from anti-abuse providers

The brief form is protected by Cloudflare Turnstile, a privacy-preserving anti-bot challenge that does not use third-party tracking cookies. To do its work, Turnstile examines signals about your browser and network connection. We see the pass/fail result; Cloudflare's own privacy notice covers what they collect.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural-analytics tracker on the Site. We do not buy or enrich personal data from third-party data brokers.

4. How and why we use it

We use the personal data described above for the following limited purposes:

  • To answer your brief. Our BD Crew reads every brief; a partner replies. The data goes to the colleagues necessary to scope and reply to your enquiry, and into our internal CRM and email systems.
  • To maintain a record of business correspondence. So that the next person you speak to at wGrow does not have to make you repeat yourself.
  • To run the Site reliably and securely. Server logs let us detect and respond to faults, scraping, denial-of-service patterns, and intrusion attempts.
  • To detect and prevent abuse and fraud. Including by operating the Turnstile anti-bot challenge, applying rate limits, and reviewing suspicious submissions.
  • To comply with legal obligations. Including under the PDPA, the Income Tax Act, the Companies Act, and any lawful regulator or court order.

We do not use your personal data to train, fine-tune or evaluate any large language model or other machine learning system. We do not sell personal data. Period.

Under the PDPA we collect, use or disclose personal data only with consent (express or deemed) or where another lawful basis applies. In practice we rely on:

  • Consent — when you submit the brief form or contact us directly, you are consenting to our processing the information you provide for the purposes set out at section 4 above.
  • Deemed consent by notification (PDPA s.15A, as amended in 2020) — for processing that is reasonably necessary for the purposes you'd expect, e.g. forwarding your brief to the colleague who can answer it.
  • Legitimate interests (PDPA s.17 read with the First Schedule) — for site security, fraud prevention, and the operation of basic server logs and anti-bot tools, where our interest in protecting the Site is not outweighed by any adverse effect on you.
  • Legal obligation — where we must process or disclose data to comply with Singapore law, court orders, or lawful regulatory requests.
  • Performance of a contract — once an engagement begins, processing under that contract.

You can withdraw consent for any future processing at any time by writing to [email protected]. We will tell you the likely consequences before acting on the withdrawal (PDPA s.16(2)). Withdrawal does not affect processing that has already happened on your earlier consent.

6. Marketing and the Do Not Call Registry

We do not run outbound marketing by SMS, voice call or fax. The Singapore Do Not Call (DNC) Registry provisions of the PDPA therefore do not engage in practice. If we ever begin to send specified messages, we will check the DNC Registry and obtain clear consent first.

We may send transactional and engagement-related emails — replies to your brief, follow-ups on a conversation in progress, contracts and invoices for an active engagement, and security or service notices. These are necessary to do business with you, not marketing.

If we ever add an email newsletter or similar marketing channel we will introduce a separate, explicit opt-in for it; subscribing to one channel will not enrol you in any other.

7. Who we share it with

Within wGrow, your personal data is accessed only by colleagues who need it to do their job — typically our BD Crew, the partner who signs replies, the engagement lead if a brief converts, and our finance and legal functions where relevant. Access is logged.

Outside wGrow, we share personal data with:

  • Service providers we have engaged under contract — namely our hosting / cloud infrastructure providers, our email-delivery provider, our customer-relationship management system, and Cloudflare (for Turnstile and edge protection). Each is contractually required to handle personal data only on our instructions and to a standard at least equivalent to the PDPA.
  • Professional advisers — our auditors, lawyers, insurers and bankers, on a confidential basis, as needed.
  • Authorities, regulators or courts — when we are required to disclose by Singapore law, by an order of the Singapore courts, or by a lawful request from a regulator.
  • An acquirer or successor — if wGrow undergoes a merger, acquisition, reorganisation or sale of all or part of its business, in which case personal data may be transferred subject to equivalent protections, and you will be notified at the relevant time.

We do not sell, rent or trade personal data, and we do not share it with advertising networks.

8. International transfers

Some of the service providers above may store or process personal data outside Singapore — for example, on cloud regions in other parts of Asia-Pacific, the European Union or the United States. Section 26 of the PDPA requires us to ensure that any such transfer is made to a recipient that affords a standard of protection comparable to the PDPA.

We meet this by selecting providers with mature security and privacy programmes, by binding them under contracts that incorporate PDPA-equivalent obligations (and, where relevant, Standard Contractual Clauses for transfers from the EU/UK), and by reviewing them periodically. Where a transfer would not meet that standard, we do not make it.

9. How long we keep it

We keep personal data only as long as we need it for the purpose we collected it for, plus any retention period required by law:

  • Brief submissions and direct correspondence — kept while the conversation is active and for up to 24 months after the last contact, then archived or deleted unless an engagement has begun.
  • Active engagements — retained for the life of the engagement and for the period required by Singapore tax, accounting and contractual record-keeping obligations (typically up to 7 years after engagement end, under section 67 of the Income Tax Act 1947 and similar).
  • Server logs — retained for up to 90 days, except where a specific log entry is implicated in a security or fraud investigation, in which case it may be held until the investigation closes.
  • Anti-abuse data — retained for as long as necessary to detect repeated abuse, typically not more than 12 months.
  • Records we are required to keep — held for the period the relevant law specifies.

When the retention period ends, we delete the data, anonymise it irreversibly, or move it to secure, access-controlled archival storage.

10. Your rights

The PDPA gives you the following rights in respect of personal data we hold about you. Most are exercised by writing to [email protected].

  • Access (PDPA s.21) — you may ask us to confirm whether we hold personal data about you, what it is, and how it has been used or disclosed in the past 12 months. We will respond as soon as reasonably possible and in any case within the statutory window. We may charge a small fee where the law permits, and will tell you in advance.
  • Correction (PDPA s.22) — you may ask us to correct an error or omission in your personal data. We will correct the data and notify any organisation that we disclosed the data to in the past year, unless they no longer need the corrected data.
  • Withdrawal of consent (PDPA s.16) — you may withdraw consent for any future processing. We will explain the likely consequences (e.g. we may no longer be able to reply to your brief).
  • Data portability — where and when the data portability provisions of the PDPA (sections 26F–26J, as amended) are operative for the relevant data and recipient, we will provide your data in a commonly used machine-readable format and, where requested, transmit it to a designated organisation.
  • Erasure — where retention is no longer necessary for the purpose collected and no legal obligation requires us to keep the data, we will delete on request.

We will need to verify your identity before acting on a request. If we decline, we will tell you why and how to escalate to the Personal Data Protection Commission (see section 17).

11. Children's data

The Site is directed at organisations and the people who buy software at them. It is not intended for children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child has submitted personal data to us, please write to [email protected] and we will delete it.

12. Cookies and similar technologies

Cookies are small files a website can place on your device. We use the minimum we need:

  • Strictly necessary cookies — for example, session and security cookies set by Cloudflare Turnstile when the brief form is loaded, to verify you are a human submitter. These cannot be switched off in our system without breaking the form.
  • No analytics, advertising or social-media cookies. We do not run them on the Site.

You can configure your browser to refuse all cookies or to alert you when cookies are being sent. If you refuse cookies, the brief form may not work, but the rest of the Site will load normally.

13. Security

We apply reasonable and appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration and destruction. These include encryption in transit (TLS), access controls and least-privilege provisioning on our systems, audit logging, hardened server baselines, regular patching, and periodic review of our security posture.

No system is invulnerable. If we become aware of a security incident affecting your personal data, we will respond in line with the next section.

14. Data breach notification

We comply with the data breach notification obligations under Part VIA of the PDPA and the Personal Data Protection (Notification of Data Breaches) Regulations 2021. Where a notifiable data breach occurs — broadly, one that results in or is likely to result in significant harm to affected individuals, or that affects 500 or more individuals — we will:

  • notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case within 3 calendar days from the time we assess the breach as notifiable; and
  • notify affected individuals, in clear language and on a no-undue-delay basis, with the information the regulations require, unless an exception in the PDPA applies.

15. Visitors from the EU, UK and elsewhere

The Site is operated from Singapore. If you are accessing it from the European Economic Area, the United Kingdom or another jurisdiction with its own data-protection regime, the data protection regime of your jurisdiction may also apply. We will, in good faith, treat you as having the equivalent rights and remedies described in section 10 above, and will work with you to find an appropriate route to resolve a request or complaint.

For UK / EU data subjects: where we rely on your consent, you can withdraw it at any time. Where we rely on legitimate interests, you can object on grounds relating to your particular situation. You also have the right to lodge a complaint with your local supervisory authority.

16. Changes to this notice

We may update this notice from time to time — for example, when our practices or the law change. The effective date at the top of this page tells you when the current version took effect. If the change is material we will take reasonable steps to bring it to your attention before it applies, for example by posting a notice on the Site or, where you are in active correspondence with us, by email.

17. Contact and complaints

For any privacy question or to exercise any right above, write to:

Data Protection Officer · wGrow Technologies Pte Ltd
114 Lavender Street, #07-51, CT Hub 2, Singapore 338729
Email: [email protected]
General: [email protected] · +65 8942 6252

We aim to acknowledge privacy enquiries within 7 business days and to substantively respond within 30 calendar days. If we cannot meet that window we will tell you why and when we will reply.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore, the supervisory authority for the PDPA. Their contact details, and an online complaint form, are at www.pdpc.gov.sg.