Our Privacy Statement

Personal Data Protection Policy

Lillipods Preschool (“Lillipods”, “we”, “us”) respects your privacy and protects personal data in our care in line with Singapore’s Personal Data Protection Act 2012 (“PDPA”) and related guidelines.

This Policy explains how we collect, use, disclose, protect, and retain personal data of students, parents/guardians, job applicants, employees, vendors, and visitors of our centres and website. It supplements any other terms you have agreed to with us.

1) What “Personal Data” means

Personal data is any data (alone or with other data) that can identify an individual. Examples include name, contact details, addresses, photographs and video, dates of birth, medical or dietary information, emergency contacts, payment details, device identifiers and CCTV footage.

NRIC/FIN/Passport numbers. We generally do not collect full NRIC/FIN or copies of these identifiers unless required by law or necessary to verify identity to a high degree (e.g., insurance or regulated disclosures). We do not retain physical NRICs.

Children’s data. Because we are a preschool, we obtain consent from the parent/guardian.

2) How we collect data

We collect personal data through admission and consent forms, communications with us (e.g., email, WhatsApp, phone), event registrations, our website forms, CCTV at our premises, transport arrangements, field trips, learning portfolios, payments, job applications, and interactions with our service providers (e.g., student care, insurance, IT hosting).

3) Purposes — how we use and disclose data

We use and/or disclose personal data for purposes a reasonable person would consider appropriate in the circumstances, including to:

  • enrol and administer students; deliver our curriculum and student care; manage attendance, safety, and incident response;

  • communicate with parents/guardians on school matters, schedules, fees, events, and learning updates;

  • manage billing, subsidies, financial assistance, audits and reporting;

  • meet regulatory, licensing, and reporting requirements; respond to lawful requests by authorities or non-government entities authorised to perform Government services or duties;

  • plan activities, excursions, and transport; arrange insurance;

  • operate and secure our premises (including access-control systems and CCTV); conduct investigations into possible fraud, misconduct, unlawful acts or omissions;

  • manage teacher and staff recruitment, HR administration, payroll, benefits, training and compliance;

  • maintain IT systems, cloud services and data backups;

  • use photos/videos for learning documentation and internal communications; for external publicity purposes of Lillipods programmes (you may opt out at any time).

  • carry out market-related, evaluative or similar research and analysis for Lillipods’ operational strategy and policy planning, including providing data to external parties for programme evaluation, and to partner/affiliated institutions/centres for jointly administered programmes and events.

  • facilitate business asset transactions, including mergers, acquisitions or asset sales.

We may share personal data with service providers (IT/cloud, payment, transport, photographers, insurers), professional advisors, external evaluators (as above), partners, and regulators strictly for the purposes above and subject to appropriate safeguards. Where data is transferred overseas (e.g., to cloud providers), we ensure comparable protection in accordance with the PDPA.

4) Consent

We obtain consent before collecting, using, or disclosing personal data, unless an exception under the PDPA applies (e.g., emergencies, investigations, or where required by law). Consent may be express (written/electronic) or deemed (including by notification after clear notice and a reasonable opt-out period).

You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below. We will inform you of likely consequences.

5) Do Not Call (DNC) provisions

We do not send marketing messages to Singapore telephone numbers listed on the DNC Registry unless permitted by law (e.g., with clear consent or where the message is not a “specified message”) or you are already an existing staff or parent of a currently enrolled child and have not opted out of receiving such messages.

Service-related messages about your child’s enrolment and our ongoing services are not marketing. You can opt out of marketing at any time.

6) Access and correction

You may request access to or correction of your personal data in our possession or control. We will respond within a reasonable time and may charge a reasonable fee for access. For corrections, where appropriate we will send corrected data to organisations we disclosed it to within the past year unless doing so is not necessary for legal or business purposes.

7) Accuracy

We rely on you to provide accurate and complete data and to update us when details change (e.g., contact numbers, medical or allergy information). We will make reasonable efforts to ensure data we use is accurate and up-to-date.

8) Protection

We implement reasonable administrative, physical and technical safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. We require comparable safeguards from our data intermediaries (processors).

9) Retention

We retain personal data only for as long as necessary to fulfil the purposes above and to meet legal, regulatory or operational needs, then securely delete or anonymise it.

10) Data breaches

We assess all suspected data incidents promptly. If a breach is notifiable (likely to result in significant harm to affected individuals, or of significant scale affecting 500 or more individuals), we notify the PDPC as soon as practicable and in any case no later than 72 hours after determining it is notifiable, and we notify affected individuals where required. We document our assessment and remediation steps.

11) Photography, videography and CCTV

We use CCTV for safety and security. We may take photos/videos during school activities for internal purposes (e.g., portfolios, updates) and external publicity. We will respect reasonable opt-out requests and take practical steps to avoid featuring your child.

12) Third-party sites and services

Our website or communications may contain links or integrations with third-party sites/services with their own privacy practices. Please review their policies; we are not responsible for their practices. (This does not limit our PDPA obligations where we remain the organisation in control of the data.)

13) Policy changes

We may update this Policy to reflect legal or operational changes. Material changes will be notified through appropriate channels (e.g., email/website). The latest version will be published on our website.

14) How to contact our Data Protection Officer (DPO)

For questions, access/correction requests, or to withdraw consent, please contact our DPO:

Data Protection Officer, Lillipods Preschool
 Email: dpo@lillipods.sg

Please include your name, relationship to the student (if applicable), contact details, and a description of your request.

Last updated: 12 September 2025