Our Privacy Statement
Personal Data Protection Policy
Lillipods Preschool (“Lillipods”, “we”, “our”, “us”) respects your privacy and protects personal data in our care in line with Singapore’s Personal Data Protection Act 2012 (“PDPA”) and related guidelines.
This Policy explains how we collect, use, disclose, process, protect, and retain personal data in accordance with the PDPA of students, parents/guardians, job applicants, vendors, and visitors of our centres and website (“you or “your”) which are in our possession or under our control.
This Policy supplements but does not supersede nor replace any other consents you may have provided or terms you may have agreed to with us, nor does it affect any rights we may have at law in connection with the collection, use or disclosure of your personal data.
1) What “Personal Data” means
Personal data is any data (alone or with other data) that can identify an individual. Examples include name, contact details, addresses, photographs and video, dates of birth, medical or dietary information, emergency contacts, payment details, device identifiers and CCTV footage.
NRIC/FIN/Passport numbers. We generally do not collect full NRIC/FIN or copies of these identifiers unless required by law or necessary to verify identity to a high degree (e.g., insurance or regulated disclosures). We do not retain physical NRICs.
Children’s data. Because we are a preschool, we obtain consent from the parent/guardian.
2) How we collect data
We will collect your personal data in accordance with the PDPA. We will notify you of the purposes for which your personal data may be collected, used, disclosed and/or processed, as well as obtain your consent for the same, unless an exception under the law permits us to collect and process or disclose your personal data without your consent.
We may collect your personal data through one or more of the following ways (whether electronically or otherwise):
when you submit our admission and consent forms or any other school forms;
when you communicate with us (e.g., via email, WhatsApp, telephone calls, face-to-face meetings (virtual or otherwise), social media platforms, surveys, mobile applications and/or official school website);
when you complete event registrations for participation;
when your images are captured by us via closed-circuit television (CCTV) or security cameras while you are within our premises or via photographs or videos taken by us when you attend our school events;
when you subscribe to or unsubscribe from our official school newsletter, or use any of our school related services (e.g. school transport arrangements);
when we receive references from third parties (e.g. parents/guardians of children already enrolled with us);
when you enrol into, participate in, and/or attend field trips, learning portfolios, payments, and interactions with our service providers (e.g., student care, insurance, IT hosting);
when you request us to contact you (whether pursuant to a request for more information, complaints, or any other purposes).
3) Purposes — how we use and disclose data
We use and/or disclose personal data for purposes a reasonable person would consider appropriate in the circumstances, including to:
enrol and administer students; deliver our curriculum and student care; manage attendance, safety, and incident response;
communicate with parents/guardians on school matters, schedules, fees, events, and learning updates;
manage billing, subsidies, financial assistance, audits and reporting;
meet regulatory, licensing, and reporting requirements; respond to lawful requests by authorities or non-government entities authorised to perform Government services or duties;
plan activities, excursions, and transport; arrange insurance;
operate and secure our premises (including access-control systems and CCTV); conduct investigations into possible fraud, misconduct, unlawful acts or omissions;
manage teacher-child ratios, school manpower, training and compliance;
maintain IT systems, cloud services and data backups;
use photos/videos for learning documentation and internal communications;
creating and publishing school related social media content, brochures, and yearbooks;
creating and performing school related marketing/advertising campaigns (you may opt out at any time);
carry out market-related, evaluative or similar research and analysis for Lillipods’ operational strategy and policy planning, including providing data to external parties for programme evaluation, and to partner/affiliated institutions/centres for jointly administered programmes and events;
facilitate business asset transactions, including mergers, acquisitions or asset sales;
respond to handling, and processing queries, requests, applications, complaints, and feedback from you in connection with the school and our staff;
archive, back-up or destroy personal data;
comply with any applicable laws, regulations, codes of practice, guidelines, directions or rules imposed by any statutory body, governmental and/or regulatory authority, law enforcement agency or dispute resolution body;
comply with and assist with law enforcement and investigations conducted by any statutory body, governmental and/or regulatory authority; and or law enforcement agency.
We may share personal data with service providers (IT/cloud, payment, transport, photographers, insurers), professional advisors, external evaluators (as above), partners, and regulators strictly for the purposes above and subject to appropriate safeguards. Where data is transferred overseas (e.g., to cloud providers), we ensure comparable protection in accordance with the PDPA.
Please note that the purposes listed above may continue to apply even where your relationship and/or school account with us is no longer in force, terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to comply with applicable laws and/or enforce our rights under any contract with you).
4) Giving / Withdrawing Consent
We obtain consent before collecting, using, processing and/or disclosing personal data, unless an exception under the PDPA applies (e.g., emergencies, investigations, or where required by law). Consent may be express (written/electronic) or deemed (including by notification after clear notice and a reasonable opt-out period).
By submitting your personal data to us or by engaging us to provide the service(s) we offer, you signify that you have read and understood this Policy, and that you consent to us collecting, using, processing and/or disclosing your personal data for the purpose(s) as described in this Policy.
Please note that if you provide us with any personal data relating to any other person or a third party, you represent and warrant to us that you have obtained the consent of such person or third party to provide us with their personal data for the relevant purpose(s).
You may withdraw consent and request us to stop collecting, using processing and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our DPO at the contact details provided below.
Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same. In general, we shall seek to process your request within thirty (30) days of receiving it.
Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing the services we offer to you. We shall, in such circumstances, notify you before completing the processing of your request. However, should you decide to cancel your withdrawal of consent, please inform our DPO in writing in the manner described in this Policy.
5) Disclosure
We may disclose your personal data (a) if where such disclosure is required for performing our obligations and services as a school; or (b) to comply with applicable laws; or (c) to third party service providers, agents, and/or other organisations we have engaged to perform any of the purposes (in whole or in part) listed in this Policy for us.
We may disclose your personal data to third parties without first obtaining your consent in certain situations, such as cases in which the disclosure:
is required or authorised based on applicable laws and/or regulations;
is clearly in your interests, and if consent cannot be obtained in a timely way;
is necessary to respond to an emergency that threatens the life, health or safety of a natural person;
is necessary for any investigation or legal proceedings;
is to a public agency and such disclosure is necessary in the public interest; and/or;
without your consent is permitted by the PDPA or by law
Neither we nor any of our staff shall be liable for any loss or damage suffered by you as a result of any disclosure of any personal data which you have consented to us and/or any of our staff disclosing.
6) Do Not Call (DNC) provisions
We do not send marketing messages to Singapore telephone numbers listed on the DNC Registry unless permitted by law (e.g., with clear consent or where the message is not a “specified message”) or you are already an existing staff or parent of a currently enrolled child, and have not opted out of receiving such messages.
Service-related messages about your child’s enrolment and our ongoing services are not marketing. You can opt out of marketing at any time.
7) Access and correction
You may request access to or correction of your personal data in our possession or control by submitting your request in writing or via email to our DPO at the contact details provided below. We will respond within a reasonable time and may charge a reasonable fee for access.
We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).
For corrections, where appropriate we will send corrected data to organisations we disclosed it to within the past year unless doing so is not necessary for legal or business purposes.
8) Accuracy
We rely on you to provide accurate and complete data and to update us when details change (e.g., contact numbers, medical or allergy information). We will make reasonable efforts to ensure data we use is accurate and up-to-date.
9) Protection
We implement reasonable administrative, physical and technical safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. We require comparable safeguards from our data intermediaries (processors).
You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your personal data and are constantly reviewing and enhancing our personal data security measures.
Please note that we do not sell or rent your personal data to third parties.
10) Retention
We retain personal data only for as long as necessary to fulfil the purposes above and to meet legal, regulatory or operational needs, then securely delete or anonymise it.
11) Data breaches
We assess all suspected data incidents promptly. If a breach is notifiable (likely to result in significant harm to affected individuals, or of significant scale affecting 500 or more individuals), we will notify the Personal Data Protection Commission Singapore (PDPC) as soon as practicable and in any case no later than 72 hours after determining it is notifiable, and we notify affected individuals where required. We document our assessment and remediation steps.
12) Photography, videography and CCTV
We use CCTV for safety and security. We may take photos/videos during school activities for internal purposes (e.g., portfolios, updates) and external publicity. We will respect reasonable opt-out requests and take practical steps to avoid featuring your child.
13) Third-party sites and services
Our website or communications may contain links or integrations with third-party sites/services with their own privacy practices. Such other websites are not operated or maintained by us. Please exercise caution and review their data protection policies and/or privacy practices; we are not responsible for their practices. Therefore, we cannot be accountable for the protection and privacy of any information which you provide whilst visiting such other websites. (This does not limit our PDPA obligations where we remain the organisation in control of the data.)
14) Policy changes / Governing Law
We may update this Policy to reflect legal or operational changes. Material changes will be notified through appropriate channels (e.g., email/website). Nevertheless, we are committed to ensuring that your privacy rights are maintained at all times.
The latest version will be published on our official website. You are encouraged to visit our official website from time to time to ensure that you are well informed of our latest Policy and changes (if any) in relation to personal data protection.
Your continued engagement of our school and the use of our services we offer, constitutes your acknowledgement and acceptance of such changes.
This Policy shall be governed in all respects by the laws of Singapore
15) How to contact our Data Protection Officer (DPO)
For questions, access/correction requests, or to withdraw consent, please contact our DPO:
Data Protection Officer, Lillipods Preschool
Email: dpo@lillipods.sg
Please include your name, relationship to the student (if applicable), contact details, and a description of your request.
Last updated: 1 October 2025