Privacy & Data Notice.

1.1 Introduction

5 Ways to Innovate Pte Ltd ("we", "our", "us") is an innovation consultancy registered in Singapore. We respect your privacy and comply with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR). This notice explains how we collect, use, disclose and protect your personal data.

1.2 Personal Data We Collect

Business contact information (e.g., corporate e‑mail, office phone) is exempt under PDPA s. 4(6) and is not covered by the rights below.

  • Inbound enquiries - Name, company name, message content

  • Project delivery - Client contact details, project-related business information, feedback, meeting notes

  • Billing & accounting - Client company registration number, billing contact name, billing address, bank details

1.3 Purpose of Collection, Use & Disclosure

We collect and use personal data only for legitimate business purposes, including:

  1. Assessing inbound enquiries and responding to your requests.

  2. Delivering consulting projects you engage us to perform.

  3. Managing business relations & billing, including invoicing and payment administration.

  4. Legal & regulatory compliance, including responding to PDPC, IRAS or other lawful requests.

  5. Marketing with consent – sending occasional updates or invitations relevant to innovation consulting.

1.4 Consent

  • We rely on express consent when you submit information via our Squarespace form or sign a Statement of Work.

  • In deemed‑consent situations (e.g. voluntarily handing us a business card), we limit use to the purpose for which it was provided.

  • Marketing unbundling: Consent for marketing communications is optional and not a condition for receiving our core consultancy services, unless the communication is strictly necessary for service delivery (e.g., project status updates).

  • You may withdraw consent at any time by emailing dpo@5waystoinnovate.com. We will process withdrawals as soon as practicable and within the timelines prescribed by PDPA.

1.5 Disclosure to Third Parties

We use reputable third‑party service providers (for example, cloud‑hosting, accounting, contract‑management and marketing platforms) that are bound by comparable data‑protection obligations. A current list is available on request.

We may also disclose personal data to professional advisers (accountants, lawyers) or regulatory bodies where required by law.

1.6 Data Security Measures

  • We implement appropriate security measures, including MFA and encryption where feasible

  • Encryption at rest on laptops and Google Drive storage.

  • Access limited to authorised personnel (our two partners) on a need‑to‑know basis.

1.7 Retention

We retain project files for up to seven (7) years after project completion—or for as long as necessary to satisfy legal and contractual obligations—after which we securely delete or anonymise them. Enquiry emails are kept for up to 12 months from last contact.

1.8 Accuracy & Correction

We make reasonable efforts to ensure that the personal data we hold is accurate and complete, and we also rely on you to provide information that is current and correct. If you believe your data is inaccurate, please contact us for correction.

1.9 Access & Withdrawal of Consent

You may request access to or correction of your personal data, or withdraw consent, by contacting us (see 1.12). We aim to respond within 30 calendar days (PDPA) or one month (GDPR), as permitted by law. We may extend these periods by a further 30 days (PDPA) or two months (GDPR) where requests are complex, and will inform you if we need more time. We may refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, or where an exception under PDPA Schedule 5 or GDPR applies..

1.10 International Transfers

When personal data is transferred outside Singapore or the EU/UK, we ensure the recipient is bound by legally‑enforceable obligations to provide a standard of protection comparable to the PDPA (s. 26) or, for GDPR, appropriate safeguards under Art. 46.

1.11 Breach Notification

If a data breach is likely to result in significant harm to affected individuals or involves 500 or more individuals, we will notify the Personal Data Protection Commission (PDPC) and the affected individuals within the timelines required by PDPA (currently 3 calendar days after determining notifiability). Where GDPR applies, we will notify the competent supervisory authority within 72 hours of becoming aware of a personal‑data breach, if required.

1.12 Contacting Us

Data Protection Officer
Email: dpo@5waystoinnovate.com
Mail: 5 Ways to Innovate Pte Ltd, #14-04, 160 ROBINSON ROAD, 068914, Singapore

1.13 Updates to This Notice

We review this Notice annually. Changes will be posted on our website with the revised effective date.

1.14 Additional Information for EU/UK Individuals (GDPR)

  • Legal bases: We process data on the bases of contract, legitimate interests, consent, and legal obligation (e.g., accounting records) (Art. 6 GDPR).

  • Your rights: Where GDPR applies, you have the right to access, rectification, erasure, restriction, data portability and objection to processing, plus the right to lodge a complaint with your supervisory authority.

Updated: May 2025