Terms of Service — Clinics

PLEASE READ THESE TERMS CAREFULLY. BY REGISTERING FOR A CLINIC ACCOUNT OR USING THE PLATFORM AS A CLINIC-USER, YOU AGREE TO BE BOUND BY:

  • THESE CLINIC TERMS OF USE ("Terms");
  • THE SERVICE LEVEL COMMITMENTS IN PART B BELOW ("SLA");
  • THE PRIVACY AND DATA PROTECTION POLICY ("Privacy Policy"); AND
  • THE DATA RETENTION AND DELETION POLICY ("Data Retention Policy").

These documents together form part of the contractual framework governing the use of the Platform and apply together with any Clinic Agreement, order form, or subscription terms entered into between Refora and the Clinic:

Refora Pte. Ltd. (UEN: 202555125N) of 103 Hillview Rise, Singapore 667982 ("Refora", "we", "us", or "our"), and

the subscribing clinic or authorised healthcare entity that accesses or uses the Platform (as defined below) ("Clinic", "you", or "your").

This Agreement applies only to Clinic-Users. Separate patient terms will govern Patient-Users.

PART A – CLINIC TERMS OF USE

1. Definitions

1.1 Platform means the online referral and coordination system operated by Refora, including any websites, portals, dashboards, APIs and related services.

1.2 Clinic-Users means clinics, dentists, medical or dental specialists, and their authorised staff who access or use the Platform for referral activity or related operational purposes.

1.3 Patient-Users means individual patients who access or view referral information relating to them on the Platform under separate patient-facing terms.

1.4 Health Information means medical or health-related data, including clinical notes, diagnostic images, documents and attachments.

1.5 Authorised Users means the Clinic's doctors, clinicians and staff whom the Clinic permits to use the Platform under its account.

1.6 Authorised Representative means a person validly authorised to act for a Clinic-User (for example, a practice manager, lead doctor or other administrative personnel).

1.7 Clinic Agreement means any separate written agreement between Refora and the Clinic setting out the commercial terms of Refora's subscription offering for the Platform, including the scope of any onboarding or implementation support included in that offering (where Refora offers such support, it is provided as part of the same subscription package unless the parties agree otherwise in writing).

1.8 SLA means the service-level commitments in Part B of this document, as updated from time to time.

1.9 PDPA refers to the Personal Data Protection Act 2012.

1.10 PDPC refers to the Data Protection Commission Singapore.

Where capitalised terms are not defined here, they take the meaning given in the Privacy Policy or the Data Retention Policy.

2. Nature of Services (No Medical Practice)

2.1 The Platform facilitates referrals, secure exchange of referral materials, and related coordination between Clinic-Users. In addition to direct platform entry, the Platform supports the following intake channels:

(a) Inbound email intake: Clinic-Users may configure a Refora-issued forwarding address so that referral emails sent by third-party practitioners are automatically routed into the Platform, parsed, and imported as referral records.

(b) Embeddable website widget: Clinic-Users may embed a Refora referral submission form on their own website. Patients or referring practitioners who complete and submit that form transmit data to Refora on behalf of the embedding Clinic.

2.2 Refora does not provide medical or dental advice, diagnosis or treatment, and does not practise medicine or dentistry. All clinical decisions remain solely with the relevant Clinic-Users.

2.3 The Platform must not be used for emergencies. Patients must be directed to appropriate emergency services or clinical channels.

3. Account Creation, Eligibility, and Responsibility

3.1 The Clinic must create an account to use the Platform. The Clinic must ensure that all information provided to Refora is accurate, current and complete, and is kept updated.

3.2 Authorised User accounts will be created by Refora on the instructions of the Clinic or its Authorised Representative. The Clinic is responsible for ensuring that all information provided for account creation is accurate and up to date. Credentials issued by Refora are intended for use only by the specific Authorised User for whom the account is created and must not be shared. Refora is not responsible for verifying professional credentials or employment status of Authorised Users.

3.3 The Clinic is responsible for safeguarding all login credentials and for all activities undertaken on the Platform under its account, including those performed by Authorised Users.

3.4 The Clinic must promptly notify Refora of any suspected compromise, unauthorised access, or misuse of its account.

4. Roles and Data Responsibilities

4.1 For patient data uploaded or generated via the Platform, the Clinic acts as data controller under the PDPA and any applicable healthcare regulations.

4.2 Refora acts as a data intermediary / processor in respect of Health Information processed on the Platform on the Clinic's instructions.

4.3 Patient-Users acknowledge that their clinic controls clinical and referral content. Requests relating to clinical content (including corrections to medical records) must be directed to the relevant clinic.

4.4 Refora will implement safeguards appropriate to the risks, including unique-user authentication, access controls, audit logging, session timeouts, and encryption of Health Information and key identifiers, as further described in the Privacy and Data Protection Policy.

4.5 AI-Assisted Processing. Where the Clinic uses the inbound email intake feature, email content (including subject, body, and extracted attachment text) may be submitted to a third-party AI inference service for automated extraction of structured referral data. Refora uses this solely to populate referral records and does not use Health Information to train or improve AI models. The AI service provider is contractually bound to equivalent confidentiality and data-protection obligations. Further detail is set out in the Privacy and Data Protection Policy (Section 6.IX).

5. Consent and Uploads

5.1 The Clinic represents and warrants that it has obtained, and will maintain, all necessary consents or other lawful bases required under applicable law to collect, use, disclose and upload personal data and Health Information to the Platform for the purposes of referrals and related care coordination. This obligation extends to:

(a) Inbound email intake: The Clinic confirms that it has a sufficient lawful basis to route through the Platform any emails (and personal data contained therein) received from third-party practitioners. Where the original sender or the patient has not directly consented to processing by Refora, the Clinic is responsible for ensuring that its own authority or a statutory exception is in place before configuring the intake forwarding address.

(b) Embeddable website widget: The Clinic is responsible for obtaining the informed consent of individuals who submit data through any widget embedded on its website before their data is transmitted to the Platform. The Clinic must ensure its website displays adequate privacy notices that disclose Refora's role as a data intermediary and link to this Policy and the Privacy and Data Protection Policy.

5.2 Refora is entitled to rely on the Clinic's representations under this clause and has no obligation to independently verify the existence or validity of such consents. Where Refora reasonably believes that required consents or lawful bases are absent or defective, Refora may suspend processing or restrict access pending clarification.

5.3 Refora may suspend processing, remove content, or restrict access where it reasonably believes that valid consent was not obtained, or that the upload breaches these Terms, applicable law, or Refora's acceptable-use standards.

5.4 By continuing to use the Platform, the Clinic confirms that all uploads and instructions given to Refora in relation to Health Information are lawful and compliant with applicable retention, consent and confidentiality obligations.

6. Acceptable Use

6.1 The Clinic and its Authorised Users must not:

(a) upload unlawful, defamatory, or non-essential personal data;

(b) attempt to bypass security controls, probe or test the Platform, or introduce malware;

(c) use content obtained from the Platform for any purpose unrelated to referrals or permitted clinical/operational use;

(d) reverse engineer, decompile or create derivative works from the Platform;

(e) share logins between different individuals;

(f) use the Platform in any way that breaches applicable law or professional standards;

(g) configure the inbound email intake feature to route emails containing personal data for which the Clinic does not hold a sufficient lawful basis to process; or

(h) embed the website widget in a manner that collects personal data without adequate privacy notice and consent mechanisms visible to the person submitting data.

6.2 Refora may suspend or restrict access where it reasonably believes there has been a breach of this clause or a security risk.

7. Integrations, Third-Party Systems, and Data Intake Channels

7.1 Where the Platform enables export of data or interoperability with third-party systems, the Clinic is solely responsible for:

  • the third-party environment,
  • access controls within that environment, and
  • any data exposure or incident arising after data leaves the Platform.

7.2 Refora is not responsible for data once exported or processed outside the Platform. Any integration disclaimers in the Privacy and Data Protection Policy apply.

7.3 Inbound email intake. Where the Clinic configures the inbound email intake feature:

(a) Refora will process received emails as a data intermediary acting solely on the Clinic's instructions.

(b) The Clinic is solely responsible for ensuring that routing third-party emails through the Platform complies with applicable law, including any obligations owed to the original sender.

(c) Refora does not verify the identity or authority of the original email sender. Any liability arising from processing emails that were forwarded without proper authority rests with the Clinic.

7.4 Embeddable website widget. Where the Clinic embeds the Refora website widget:

(a) Data submitted through the widget is received by Refora as a data intermediary on the Clinic's behalf from the time of submission.

(b) The Clinic is responsible for the privacy notices and consent mechanisms displayed on its website prior to widget submission.

(c) Refora applies rate-limiting and token-based authentication to the widget but is not responsible for misuse of the widget arising from inadequate controls on the Clinic's website.

8. Free Trial, Fees, Plans and Payment (Clinics)

8.1 Refora may offer a 30-day free trial of the Platform to new clinics. During the free-trial period:

(a) subscription fees are not charged;

(b) Refora will provide access to the Platform and core features;

(c) Refora's obligations are limited to those in this Agreement and the SLA, and do not extend to any minimum usage, outcomes, or specific business results.

8.2 Refora may, at its discretion, enable certain higher-tier features during the free trial. This does not create a right for the Clinic to continue receiving such features after the trial unless the Clinic selects and pays for the relevant subscription tier under a Clinic Agreement.

8.3 The billing start date for any paid subscription will typically be set to commence after the free trial ends, and may be stated in the Clinic Agreement or order confirmation. The Clinic acknowledges that:

  • the initial subscription tier, billing interval (monthly/annual), and billing cycle start date will be documented in the Clinic Agreement or equivalent order form; and
  • changes to subscription tier or user counts may be made via the Platform, in accordance with the Clinic Agreement.

8.4 Unless otherwise agreed in writing, subscription fees and any other platform-based fees are due in advance and are non-refundable once the relevant billing period has commenced, except where expressly stated in a Clinic Agreement.

8.5 Late payments may result in suspension of access. All taxes are additional to stated fees.

Note: Detailed commercial terms (including the subscription package, pricing, discounts, referral rebates, and the scope of any support or services included in that package) will be set out in the Clinic Agreement and/or order form, not in this document.

9. Service Levels and Support (High-Level)

9.1 Refora aims to provide uptime, support and response targets as set out in Part B (SLA).

9.2 Support channels and response times are as described in the SLA. Scheduled maintenance and emergency maintenance may occur as described in the SLA.

10. Intellectual Property

10.1 Refora and its licensors own all rights, title and interest in and to the Platform, its software, documentation, and related materials. No rights are granted to the Clinic except as expressly set out in this Agreement.

10.2 The Clinic retains ownership of its own content, Health Information, and referral materials. The Clinic grants Refora a limited, non-exclusive licence to host, process, transmit and display such content for the purposes of operating the Platform and providing the services, and for security, backup, and quality-improvement purposes as described in the Privacy and Data Protection Policy.

11. Confidentiality

11.1 Each party must protect the other party's confidential information using safeguards no less stringent than those it uses for its own confidential information.

11.2 This clause does not restrict disclosures required by law, court order, or a regulator, provided reasonable notice is given to the other party where lawful and practicable.

12. Privacy; Data Transfers; Retention

12.1 Refora's Privacy and Data Protection Policy forms part of this Agreement. It explains data categories, purposes, safeguards, cross-border transfers and breach notification under the PDPA.

12.2 Data may be hosted with reputable cloud providers in Singapore or in other jurisdictions with comparable data protection. Refora will implement legally enforceable transfer mechanisms where required.

12.3 Retention, archival and deletion are governed by the Data Retention and Deletion Policy. Clinics remain responsible for meeting healthcare record-retention obligations as data controllers.

13. Warranties

13.1 Refora warrants that it will provide the services with reasonable care and skill in accordance with industry standards for similar SaaS healthcare platforms.

13.2 Except as expressly stated, Refora disclaims all other warranties, including implied warranties of merchantability, fitness for a particular purpose, and any warranty that the Platform will be uninterrupted or error-free.

14. Indemnities

14.1 The Clinic shall indemnify and hold harmless Refora and its affiliates from direct losses, damages, costs and reasonable legal fees arising directly from:

(a) the Clinic's negligence or wilful misconduct in using the Platform;

(b) material breach of this Agreement by the Clinic;

(c) infringement of third-party intellectual property rights caused by Clinic-provided materials or use contrary to Refora's documentation;

(d) non-compliance with applicable law by the Clinic; or

(e) any data exposure or incident occurring in, or caused by, the Clinic's third-party systems or integrations outside the Platform.

14.2 Refora will notify the Clinic promptly of any claim and give reasonable cooperation at the Clinic's expense. The Clinic will have control of the defence, subject to Refora's right to participate.

15. Limitation of Liability

15.1 Subject to clause 15.2, the total aggregate liability of Refora and its affiliates arising out of or in connection with this Agreement, whether in contract, tort or otherwise, shall be limited to two times (2x) the total fees paid by the relevant Clinic to Refora in the twelve (12) months immediately preceding the event giving rise to liability.

15.2 The caps above do not apply to liability that cannot be excluded or limited under law, or to liability arising from a party's gross negligence, fraud or wilful misconduct.

15.3 Neither party is liable for indirect, incidental, consequential, special, exemplary or punitive damages, loss of profits, loss of business, loss of goodwill, or loss of data, even if advised of the possibility.

16. Suspension and Termination

16.1 Refora may suspend or terminate access where:

(a) the Clinic materially breaches this Agreement;

(b) fees remain unpaid in accordance with the applicable billing terms, as set out in the Clinic Agreement and as specified in the relevant invoice issued by Refora; or

(c) Refora reasonably believes there is unauthorised access, security risk, or unlawful activity.

16.2 The Clinic may terminate its account through any account-deletion flow on the Platform or by written notice to Refora.

16.3 Upon termination, service obligations cease. Data handling after termination is governed by the Privacy and Data Protection Policy and the Data Retention and Deletion Policy.

17. Audit and Compliance (Clinic Side)

17.1 Clinics must maintain appropriate internal policies, access controls and audit trails for their Authorised Users.

17.2 Where reasonably required to verify compliance with security or data-protection obligations relating to Platform use, Refora may request attestations or documentary evidence of controls from the Clinic. Any on-site audit at the Clinic must be mutually agreed and shall not unreasonably disrupt operations.

18. Changes to the Platform and to this Agreement

18.1 Refora may update features or issue patches and improvements.

18.2 Refora may amend this Agreement (including the SLA) by posting an updated version on the Platform and, where changes are material, notifying Clinics by email or in-app notice. Continued use after the effective date constitutes acceptance.

19. Force Majeure

Neither party is liable for failure or delay due to events beyond reasonable control, including outages of the public Internet, third-party hosting environments, or regulatory actions.

20. Notices, Assignment, Entire Agreement, Third-Party Rights

20.1 Refora may notify the Clinic via the Platform, email, or other contact details provided. The Clinic may notify Refora at the address or email specified on the Platform.

20.2 The Clinic may not assign this Agreement without Refora's prior written consent. Refora may assign or subcontract performance to affiliates or qualified providers.

20.3 This Agreement, together with the Privacy and Data Protection Policy, the Data Retention and Deletion Policy, any Clinic Agreement, and the SLA, forms the entire agreement between the parties and supersedes all prior discussions.

20.4 If any provision is held invalid, the remainder remains in effect. No failure to enforce is a waiver.

20.5 Except as expressly stated, no person who is not a party has rights under the Contracts (Rights of Third Parties) Act 2001 to enforce any term.

21. Governing Law and Jurisdiction

This Agreement is governed by the laws of Singapore. The courts of Singapore have exclusive jurisdiction. Parties will first attempt good-faith discussions for thirty (30) days before commencing proceedings.

PART B – SERVICE LEVEL AGREEMENT (SLA) – CLINIC USERS

This Part B forms the SLA between Refora and the Clinic and sets out operational performance metrics and support commitments. In case of inconsistency, Part A governs legal interpretation.

1. Purpose and Scope

1.1 This SLA defines measurable performance targets and operational responsibilities for the Platform.

1.2 It governs:

  • system availability and reliability;
  • data integrity, security and backup measures;
  • user-support response and resolution timelines; and
  • quality-improvement obligations.

2. Service Description

2.1 The Platform is a secure, cloud-hosted SaaS system enabling clinics to:

  • create, send, and manage patient referrals;
  • exchange Health Information securely;
  • maintain searchable referral records and audit logs;
  • receive and import referral emails via the inbound email intake feature; and
  • embed a referral submission widget on their website.

2.2 Unregistered recipients may receive referral details by secure email for continuity of care.

2.3 Core features include encrypted data transmission, unique-user authentication, session time-outs, audit trails, and controlled data export.

3. Service Availability

3.1 Refora shall target at least 99.0% uptime per calendar month, excluding:

(a) scheduled maintenance with at least 24 hours' notice;

(b) emergency maintenance required for security or stability; and

(c) force majeure events or failures of external networks, Internet providers, or clinic-side systems.

3.2 Uptime is measured via internal and/or independent monitoring and may be reported on request.

3.3 If monthly uptime falls below 99.0%, the Clinic is entitled to a service credit equal to 10% of that month's subscription fee, capped at one month of fees per calendar year. Service credits are the Clinic's sole and exclusive remedy for failure to meet uptime targets.

4. Maintenance Windows

4.1 Routine maintenance will typically occur outside business hours (10 p.m.–6 a.m. SGT), where required and practicable.

4.2 Scheduled downtime should not, on average, exceed four (4) hours per month.

4.3 Emergency maintenance may be performed without notice where delay would risk data integrity or security.

5. Data Integrity and Backups

5.1 Backups are performed on a regular schedule (for example, daily incremental and weekly full backups).

5.2 Backup data are encrypted in transit and at rest.

5.3 Upon termination or written request, Refora will assist the Clinic in exporting data in a reasonable format (such as CSV, JSON, or PDF). Data will be retained and/or deleted in line with the Data Retention and Deletion Policy.

6. Security and Compliance

6.1 Refora maintains administrative, physical and technical controls consistent with PDPA obligations and applicable MOH cybersecurity guidance to a scale appropriate to its operations.

6.2 All clinical and patient identifiers are encrypted at rest and in transit. Access within Refora is restricted to authorised personnel on a need-to-know basis.

6.3 Confirmed data breaches will be notified in accordance with the Privacy and Data Protection Policy and PDPC requirements.

6.4 Clinics remain responsible for obtaining valid patient consent before uploading data. Refora acts as a data intermediary.

7. Support and Incident Response

7.1 Standard Support Hours: 9 a.m.–6 p.m. (SGT), Monday–Friday, excluding Singapore public holidays.

7.2 Channels: Email (support@refora.app) and any in-app support tools that may be made available.

7.3 Response and Resolution Targets

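| Severity      | Description                     | Initial Response Target | Resolution              |
|---------------|---------------------------------|-------------------------|-------------------------|
| P1 – Critical | Complete outage or data loss    | ≤ 2 hours               | ≤ 8 hours               |
| P2 – Major    | Material functionality impaired | ≤ 4 hours               | ≤ 24 hours              |
| P3 – Minor    | Non-critical issue              | ≤ 1 business day        | Next reasonable release |
| P4 – Inquiry  | Usage question / information    | ≤ 2 business days       | As agreed               |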

7.4 Root-cause analysis for any P1 incident will be completed within a reasonable period (e.g. five (5) business days) and a brief corrective-action summary may be provided to the Clinic.

8. Quality Assurance and Continuous Improvement

8.1 Refora will periodically review:

  • uptime and support metrics;
  • incident trends;
  • security enhancements; and
  • user feedback, where available.

8.2 If material deficiencies are identified, Refora will take reasonable corrective actions within a commercially reasonable timeframe.

9. SLA Reporting and Audit-Related Information

9.1 Refora may, at its sole discretion, provide high-level summaries of service performance and security controls (for example, uptime statistics or descriptions of security practices).

9.2 No right is granted under this SLA for the Clinic or any third party to conduct technical audits of Refora's systems, request SOC reports, or access underlying infrastructure. Any such arrangements, if ever offered, will be agreed separately in writing.

10. Changes to SLA

10.1 Refora may amend this SLA from time to time to reflect operational changes or improvements. Material changes will be communicated via the Platform or email. Continued use of the Platform constitutes acceptance of the updated SLA.


Last updated: 7 April 2026

Effective date: 7 April 2026