Privacy and Data Protection Policy

This Privacy Policy sets out the basis on which Refora Pte. Ltd. (UEN: 202555125N) ("Refora", "we", "us", or "our") may collect, use, disclose or otherwise process your personal data when you access or use our online referral platform at refora.app (the "Platform").

This Policy explains how we handle personal data in compliance with the Personal Data Protection Act 2012 ("PDPA") of Singapore, and, where applicable, in alignment with standards under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Refora is not a U.S. HIPAA covered entity. Where applicable, we adopt selected HIPAA-aligned safeguards as best practice for protecting health information.

It applies to personal data in our possession or under our control, including personal data in the possession of third-party organisations engaged by us to collect, use, disclose, or process such data on our behalf.

By using the Platform, you acknowledge and agree that you have read and understood this Privacy Policy, and consent to the collection, use, and disclosure of your personal data as described herein.

If you do not agree with this Privacy Policy or the accompanying Terms and Conditions, please do not use the Platform. Your continued access and use of the Platform constitutes your acknowledgement and acceptance of this Privacy Policy.

1. Scope

This Policy applies to all users of the Platform, including clinics and patients. Sections will indicate where provisions apply to either category specifically.

Refora acts as a data intermediary under the PDPA when processing patient data on behalf of clinic-users. Clinic-users are responsible for determining the purposes and means of processing patient data and for obtaining all required consents and notices. Refora processes such data strictly on instructions from the clinic-users.

2. Definitions

As used in this Privacy Policy:

"Customer" means an individual who (a) has contacted Refora Pte. Ltd. through any means (including the Platform) in relation to the services available on the Platform, or (b) may, or has, entered into a contract with Refora Pte. Ltd. for the supply of any services.

"Personal Data" means data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which Refora Pte. Ltd. has or is likely to have access.

3. Data Collection

Refora collects only the data necessary to provide the referral services. This may include patient identifiers, clinical notes, and diagnostic attachments (x-rays, images, etc.).

Data may be submitted to the Platform through any of the following channels:

  • Direct platform entry: Clinic-users manually create referrals or upload records via the Platform dashboard.
  • Inbound email intake: Clinic-users may configure a forwarding address so that referral emails sent by third-party practitioners are automatically routed into the Platform. Refora receives and processes the full email content, including any attachments, on the receiving clinic's instructions.
  • Embeddable website widget: Clinic-users may embed a Refora referral submission form on their own website. Patients or referring practitioners who complete and submit that form transmit data directly to Refora on behalf of the embedding clinic.

4. Types of Personal Data Collected

Depending on the nature of your interaction with us, the personal data we may collect includes, but is not limited to, the following:

(a) Personally identifiable information such as your name, identification numbers (NRIC, Passport No., FIN), residential address, email address, contact number, nationality, gender, and date of birth.

(b) Pre-existing clinical information: Medical and health-related information about you that is provided to us by your healthcare providers, including medical or referral notes, health history, claims or referral information, laboratory results, diagnostic images, and other clinical records. This includes information contained in emails forwarded to the Platform by clinic-users through the inbound email intake feature.

(c) Platform-generated clinical information: Medical or health information about you that is prepared by healthcare professionals, treatment providers, diagnostic laboratories, or other third parties providing services via the Platform, including medical records, treatment and examination notes, laboratory testing results, diagnostic images, treatment plans, and clinical procedures. This list is illustrative and not exhaustive.

(d) Referral request information submitted voluntarily through an embeddable referral form hosted on a clinic's website, including contact details and any clinical or administrative information entered by the submitting individual.

(e) Billing and payment information (for example, credit-card or online-payment details).

(f) Information about the computer or mobile device you use to access the Platform.

(g) Geographical location or address information derived from your device or your clinic's records.

(h) Any other information you may provide or input into the Platform or related services.

5. Interpretation

Unless otherwise defined in this Privacy Policy, terms used shall have the meanings given to them in the Personal Data Protection Act 2012 (PDPA) of Singapore (where the context so permits).

6. Collection, Use and Disclosure of Personal Data

By registering on the Platform, users consent to the collection, use, and disclosure of their data as outlined herein. Clinics are responsible for obtaining consent from their patients before uploading any data to the Platform.

I. General Collection

Refora generally does not collect your personal data unless

(a) it is provided to us voluntarily by you directly, or via a third party duly authorised by you (an "Authorised Representative"), such as your clinic, healthcare provider, or insurer, for the purposes set out in this Privacy Policy; or

(b) collection, use, or disclosure without consent is permitted or required under the PDPA or other applicable laws.

We shall seek your consent before collecting any additional personal data or before using your personal data for any purpose not previously notified (except where otherwise permitted or required by law).

II. Consent and Authorisation

By registering an account or otherwise using the Platform, you consent to our collection, use, and disclosure of your personal data as described in this Privacy Policy.

Clinics and healthcare providers are solely responsible for obtaining valid consent from their patients before uploading, disclosing, or transmitting any patient data to the Platform. Refora reserves the right to suspend processing of any data if there are reasonable grounds to believe that such data was provided without proper consent or authorisation. Any liability for breach arising from unauthorised uploads shall rest solely with the uploading clinic or provider.

Where a patient is a minor or otherwise lacks legal capacity, the clinic-user confirms that valid consent has been obtained from a parent, legal guardian, or authorised representative before any personal data is uploaded to the Platform.

III. Purposes of Collection and Use

Clinic-users should only upload data that is reasonably necessary for referral and continuity of care. We are not responsible for excessive or inappropriate uploads that are outside the stated purposes.

We may collect and use personal data for any or all of the following purposes:

(a) Performing obligations in connection with the provision of services via the Platform, including facilitating referrals, maintaining referral records, and enabling communication between clinics and patients.

(b) Verifying identities of users and ensuring account integrity.

(c) Responding to and processing queries, requests, and feedback.

(d) Administering, operating, and improving the Platform.

(e) Processing billing and subscription payments, and issuing invoices or receipts.

(f) Facilitating claims or payment settlements through authorised third parties.

(g) Enhancing service quality through audits, testing, analytics, and de-identified reporting.

(h) Creating anonymised or de-identified datasets for research, analytics, or quality-improvement purposes.

(i) Automated extraction and structuring of referral data from unstructured sources (such as inbound emails) using AI-assisted processing, as further described in Section 6.IX below.

(j) Complying with applicable laws, regulations, and codes of practice, or assisting law-enforcement or regulatory investigations.

(k) Transmitting personal data to third-party service providers (including cloud hosts, data processors, or consultants) for the above purposes under strict confidentiality obligations.

(l) Any other incidental business purposes reasonably related to or in connection with the above.

IV. Inbound Email Intake and Third-Party Email-Origin Data

Where a clinic-user configures the inbound email intake feature, Refora will receive, read, and process emails forwarded to its intake address on that clinic's behalf. Such emails may originate from practitioners who are not registered on the Platform and may contain personal data and health information relating to patients who have not directly interacted with the Platform.

Clinic-users are solely responsible for ensuring they hold a sufficient lawful basis to route such emails (and any personal data contained therein) through the Platform. Refora processes this data strictly as a data intermediary acting on the clinic-user's instructions. Refora will apply the same security, encryption, and access controls to email-origin data as to data entered directly through the Platform.

Data extracted from inbound emails will be used only for the purposes of creating and managing the relevant referral record. Raw inbound email content is retained as part of the referral record and is subject to the same retention rules as other referral data under the Data Retention and Deletion Policy.

V. Passive Collection

As you use the Platform, certain information may be collected automatically, including:

  • Site-usage data such as search queries and referral activity;
  • Device and browser information (IP address, device ID, connection speed, access times);
  • Cookies and similar technologies used to maintain session security and improve functionality;
  • Real-time location data (where you have enabled GPS functions); and
  • Crash logs or performance metrics collected to enhance system stability.

You may manage cookies through your browser settings. Certain strictly necessary cookies are required for security and session management. Disabling non-essential cookies may impact performance but will not affect your legal rights.

VI. Storage and Processing

Personal and health data may be stored on secure servers operated by third-party providers engaged by Refora. These providers may be located in Singapore or other jurisdictions with comparable data-protection standards. Where data is transferred outside Singapore, cross-border transfers are subject to legally enforceable obligations ensuring a standard of protection comparable to that under the PDPA. In particular, health information processed by Amazon Web Services Bedrock is governed by a signed AWS Business Associate Agreement (BAA), which constitutes the legally enforceable transfer mechanism for that processing activity.

All clinical records (including notes, images, and x-rays) and identifiers (patient names, emails, dates of birth) will be encrypted at rest and in transit. Clinic and doctor names or public business details need not be encrypted but remain subject to access controls.

Where clinic-users export or integrate data from the Platform into third-party systems, the clinic-user remains responsible for the security and lawful processing of the data within those external environments.

Where personal data is transferred or made available outside Singapore, we will ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the protection under the PDPA.

VII. Disclosure

We may disclose personal data where such disclosure is necessary for the purposes described above, including to:

(a) Our subsidiaries, affiliates, or partners supporting Platform operations;

(b) Third-party contractors and service providers engaged to provide data-hosting, analytics, or customer-support services, subject to written confidentiality obligations;

(c) Regulators, law-enforcement agencies, or other competent authorities as required by law;

(d) Successor entities in the event of a merger, sale, or corporate reorganisation; or

(e) Any other party you have authorised or been notified of at the time of collection.

Refora will ensure that all external recipients of sensitive health information are contractually bound to meet data-protection and breach-notification standards comparable to those required under the PDPA.

Refora requires third-party service providers that process personal data on its behalf to enter into written data protection agreements that include confidentiality, security, breach notification and deletion-on-termination obligations. Refora may obtain attestations or audit summaries from such providers to verify compliance.

Key sub-processors currently engaged by Refora that handle personal data or health information include:

  • Amazon Web Services (S3). Role: Secure file storage. Data processed: Attachments, diagnostic images, documents. Agreement: AWS BAA + Data Processing Addendum.
  • Amazon Web Services (Bedrock). Role: AI inference for data extraction. Data processed: Inbound email content and attachments (where intake feature is used). Agreement: AWS BAA + Data Processing Addendum.
  • Resend. Role: Transactional email delivery and inbound email relay. Data processed: Referral notification emails (including patient name, clinical notes, and referral details); forwarded referral emails. Agreement: Data Processing Agreement (DPA).
  • Stripe. Role: Payment processing. Data processed: Billing and subscription data only — no health or clinical data. Agreement: Stripe Data Processing Agreement.

Refora retains copies of all sub-processor agreements and may make them available to the Data Protection Officer upon request. This list may be updated from time to time. The current version will always be reflected in this Policy.

VIII. Withdrawal of Consent

Your consent remains valid until withdrawn in writing. You may withdraw consent by contacting our Data Protection Officer ("DPO") at dpo@refora.app. Upon receiving your request, we will process it within ten (10) business days and notify you of any legal or service consequences. Withdrawal of consent does not affect our right to retain data where required by law or for legitimate business or regulatory purposes.

IX. AI-Assisted Processing

Where clinic-users make use of the inbound email intake feature, the content of received emails (including subject lines, body text, and any extracted text from attachments) may be submitted to a third-party AI inference service (currently Amazon Web Services Bedrock, using a large language model) for the purpose of automatically extracting structured referral information such as patient name, contact details, referral reason, and referring practitioner details.

The following safeguards apply to this processing:

  • Data submitted to the AI inference service is used solely to generate the extracted referral record and is not used to train, fine-tune, or improve the underlying AI model.
  • Refora has executed an AWS Business Associate Agreement (BAA) with Amazon Web Services, which governs the processing of health information through the Bedrock service and includes confidentiality, security, and breach-notification obligations consistent with Refora's obligations under the PDPA.
  • The AI inference endpoint is operated within a jurisdiction that provides a comparable standard of data protection to Singapore.
  • Extracted data is stored on the Platform under the same encryption, access control, and retention rules as other referral data.
  • AI extraction is an automated process. Refora does not make any legally or clinically significant decision solely on the basis of AI-extracted information. Clinical accuracy remains the responsibility of the relevant clinic-user.
  • The confidence level of the extraction and the model version used are logged alongside the referral record for audit purposes.

Clinic-users who wish to use the inbound email intake feature should ensure that their consent notifications and privacy practices adequately disclose the use of AI-assisted processing to their patients.

X. Retention and Export

Personal data will be retained for as long as necessary to fulfil the purpose for which it was collected, or for a minimum of fifteen (15) years for healthcare records, whichever is longer, unless otherwise required by law.

Clinics may export their own referral data from the Platform for integration with their internal management systems, provided that such export complies with all applicable data-protection and confidentiality requirements.

Backups containing personal data are subject to the same retention controls and are purged on a defined cycle as set out in the Data Retention and Deletion Policy.

For more information on how data is stored, archived, and permanently deleted, please refer to our Data Retention and Deletion Policy, which sets out detailed timelines, procedures, and safeguards governing the retention and disposal of personal and health information.

7. Protection of Personal Data

Refora implements encryption, user authentication, and automatic session timeouts to safeguard personal data. Each clinic user has a unique login credential. Account sharing is prohibited. Clinic-users must ensure each user has a unique credential. Any loss, alteration or disclosure of personal data arising from shared or compromised credentials will be the responsibility of the clinic-user.

To safeguard your personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, Refora has implemented appropriate administrative, physical, and technical measures, including but not limited to:

  • Use of up-to-date antivirus and security protection;
  • Sensitive identifiers such as patient names, email addresses, and dates of birth are encrypted at rest and in transit, while publicly available information such as clinic names or doctor details is protected through access controls rather than encryption;
  • Access controls and unique user authentication for each clinic account;
  • Automatic session time-outs and audit logs for system activities; and
  • Disclosure of personal data internally and to authorised third-party service providers strictly on a need-to-know basis.

You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, Refora strives to protect the confidentiality and integrity of your personal data and continuously reviews and enhances its information-security measures in accordance with recognised industry standards.

In the event of a data-breach incident (as defined under the Personal Data Protection Act 2012 (PDPA)), Refora shall comply with all applicable breach-notification obligations, including the duty to detect, assess, and report any qualifying data breach to the relevant authorities and, where applicable, to affected individuals without undue delay. Refora will assess suspected incidents promptly and will notify the Personal Data Protection Commission (PDPC) and affected individuals of any notifiable data breach without undue delay and in accordance with statutory timelines.

8. Accuracy of Personal Data

Refora generally relies on the accuracy and completeness of personal data provided by you or your authorised representatives. You may update or correct your own account information (such as your contact details or profile information) directly through the Platform. For any clinical or medical information, updates and corrections must be made by your healthcare provider. If you believe any clinical data is inaccurate, please inform your clinic directly. We will provide reasonable assistance to facilitate the clinic's response, where required.

9. Access and Correction Requests

You may access and update certain personal account information (such as your contact details or profile information) directly through the Platform. Requests to access or correct clinical or medical information (including referral notes, diagnostic reports, or any data uploaded by your healthcare provider) must be directed to the clinic-user that originally uploaded the data. Clinics act as the data controller for such medical records and are responsible for ensuring their accuracy. If we receive a request relating to clinical data, we will notify the relevant clinic-user and provide reasonable assistance to facilitate their response, where appropriate. We do not amend or alter medical records on our own.

10. Effect of Privacy Policy and Changes to Privacy Policy

This Privacy Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

We may revise this Privacy Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Privacy Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes and you agree to be bound by the prevailing terms of this Privacy Policy as may be updated from time to time.

11. Contact

You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

Email Address: dpo@refora.app

Last updated: 7 April 2026

Effective date: 7 April 2026