tools-processes | 7 min read | 1 July 2026

Privacy Notice Template for Singapore Websites

Free privacy notice template for Singapore websites. Learn PDPA compliance requirements, what clauses to include, and how to publish a compliant notice in 2026.

ComplyHQ Team

If your business collects any personal data through its website — a contact form, a newsletter sign-up, an online order, or even basic analytics — you are legally required to tell visitors how that data is handled. A clear, accurate privacy notice template for Singapore websites is the most practical way to meet your obligations under the Personal Data Protection Act 2012 (PDPA) and stay on the right side of the Personal Data Protection Commission (PDPC). This guide gives you a ready-to-adapt template, explains every clause, and shows you how to publish a notice that genuinely protects both your visitors and your organisation.

TL;DR — Key Takeaways

  • A privacy notice is legally required under Section 20 (Notification Obligation) of the PDPA for any Singapore website collecting personal data.
  • At minimum, your notice must state what data you collect, why you collect it, how it's used and disclosed, and how individuals can withdraw consent or contact your Data Protection Officer (DPO).
  • Penalties for non-compliance reach up to S$1 million or 10% of annual turnover (whichever is higher) since October 2022.
  • Use the copy-and-adapt template below — but tailor it to your actual data practices. A generic notice that doesn't match reality is worse than none.

Why your Singapore website needs a privacy notice

Every Singapore website that collects personal data must publish a privacy notice to satisfy the PDPA's Notification and Consent Obligations. Personal data means any data that can identify an individual — a name, email, phone number, NRIC, or even an IP address combined with other information. The moment your website captures any of this, the PDPA applies to your organisation.

The legal foundation sits in Section 20 of the PDPA (the Notification Obligation), which requires organisations to inform individuals of the purposes for collecting, using, or disclosing their personal data on or before collection. This works hand-in-hand with Section 13 (the Consent Obligation) — you cannot lawfully obtain valid consent unless the individual has been properly notified of the purpose first. A published privacy notice is how websites discharge both obligations at once.

Definitive statement: Without a privacy notice, your website cannot demonstrate that consent was validly obtained, which means every piece of personal data you hold may have been collected unlawfully. The PDPC has repeatedly cited notification and consent failures in its enforcement decisions, and these are among the most common grounds for financial penalties against Singapore SMEs.

This isn't just a large-enterprise concern. Singapore has more than 300,000 SMEs, and they make up roughly 99% of all businesses in the country. The PDPA applies equally to a sole proprietor running a Shopify store and to a multinational — the law makes no exemption based on company size.


What a PDPA-compliant privacy notice template must include

A compliant privacy notice for a Singapore website must clearly cover seven core elements: the data you collect, your purposes, your legal basis, disclosure to third parties, data retention, individual rights, and DPO contact details. Missing any of these creates a gap the PDPC can flag during an investigation.

Here is the mandatory checklist, mapped to the relevant PDPA obligations:

| Clause | What it covers | PDPA reference |
| --- | --- | --- |
| Data collected | Categories of personal data (name, email, payment info, etc.) | Notification — s.20 |
| Purposes | Why each category is collected and used | Purpose Limitation — s.18 |
| Consent | How consent is obtained and withdrawn | Consent — s.13–16 |
| Disclosure | Third parties data is shared with (payment gateways, couriers) | Notification — s.20 |
| Retention | How long data is kept and when it's deleted | Retention Limitation — s.25 |
| Protection | Reasonable security measures in place | Protection — s.24 |
| DPO contact | Name/role and contact channel for queries and complaints | Accountability — s.11–12 |

Appointing a Data Protection Officer is itself a legal requirement under Section 11(3) of the PDPA — every organisation must designate at least one, and the DPO's business contact information must be made available to the public. Your privacy notice is the natural place to publish it.


Privacy notice template for Singapore websites (copy and adapt)

Below is a practical, plain-English privacy notice template you can adapt for your Singapore website. Replace the bracketed placeholders with your organisation's actual details, and — critically — make sure every statement reflects what your business genuinely does with personal data.

# Privacy Policy

Last updated: [Date]

[Your Company Pte Ltd] ("we", "us", "our") is committed to protecting your
personal data in accordance with the Personal Data Protection Act 2012 (PDPA)
of Singapore. This Privacy Policy explains how we collect, use, disclose, and
protect your personal data when you visit [yourwebsite.com] or engage our
services.

## 1. Personal Data We Collect
We may collect the following categories of personal data:
- Identity data: name, NRIC/FIN (where required), date of birth
- Contact data: email address, telephone number, mailing address
- Transaction data: billing details, purchase history, payment information
- Technical data: IP address, browser type, cookies, and usage data

## 2. How We Use Your Personal Data
We collect and use your personal data for the following purposes:
- To process and fulfil your orders or service requests
- To respond to your enquiries and provide customer support
- To send you marketing communications, where you have consented
- To comply with legal and regulatory obligations
- To improve our website and services

## 3. Consent and Withdrawal
By submitting your personal data to us, you consent to the collection, use,
and disclosure of your data for the purposes set out above. You may withdraw
your consent at any time by contacting our Data Protection Officer. Please note
that withdrawing consent may affect our ability to provide certain services.

## 4. Disclosure of Personal Data
We may disclose your personal data to third-party service providers who assist
us in operating our business, including payment processors, delivery partners,
and IT service providers. We require these parties to protect your data in
accordance with the PDPA. We do not sell your personal data.

## 5. Data Retention
We retain your personal data only for as long as necessary to fulfil the
purposes stated in this Privacy Policy. When data is no longer needed, we
will securely dispose of or anonymise it.

## 6. Protection of Personal Data
We implement reasonable administrative, technical, and physical security
measures to protect your personal data against unauthorised access,
collection, use, disclosure, copying, modification, or disposal.

## 7. Your Rights
Under the PDPA, you have the right to request access to and correction of the
personal data we hold about you. To make such a request, please contact our
Data Protection Officer.

## 8. Transfers Outside Singapore
Where we transfer your personal data outside Singapore, we ensure a comparable
standard of protection through contractual or other lawful means, in line with
the Transfer Limitation Obligation under the PDPA.

## 9. Cookies
Our website uses cookies to improve your browsing experience and analyse site
traffic. You can control cookies through your browser settings.

## 10. Contact Us / Data Protection Officer
If you have any questions about this Privacy Policy or wish to exercise your
rights, please contact our Data Protection Officer:
- Name/Role: [DPO Name or "Data Protection Officer"]
- Email: [dpo@yourcompany.com]
- Address: [Your registered business address]

We will respond to your request within 30 days where reasonably possible.

A word of caution: copying a template verbatim without tailoring it is a common and costly mistake. If your notice says you don't share data with third parties but you actually use a payment gateway and an email marketing tool, the notice is inaccurate — and an inaccurate notice can be treated as a failure to properly notify under Section 20. Your privacy notice must describe your real data flows.


How to publish and maintain your privacy notice correctly

Publishing a privacy notice is not a one-time task — it must be easy to find, presented before consent is given, and kept up to date as your data practices change. The PDPC's Advisory Guidelines on the PDPA for Selected Topics emphasise that notification must be clear and accessible, not buried in fine print.

Follow these steps to publish your notice properly:

  1. Link it in your website footer. Standard practice in Singapore is a "Privacy Policy" link visible on every page. The PDPC expects notices to be readily accessible.
  2. Reference it at every collection point. Beside each form (contact, sign-up, checkout), add a short line such as: "By submitting, you agree to our [Privacy Policy]." This ties consent directly to notification.
  3. Make consent active, not assumed. For marketing communications, use an unchecked opt-in checkbox. Pre-ticked boxes do not constitute valid consent under the PDPA.
  4. Review it at least annually — and immediately whenever you add a new tool, vendor, or data purpose. An outdated notice that no longer matches your practices offers no protection.
  5. Date it. Always show a "Last updated" date so visitors (and the PDPC) can see the notice is maintained.

Definitive statement: A privacy notice that is hard to find, pre-consented by default, or out of sync with your actual data handling will not protect your organisation in a PDPC investigation — accessibility and accuracy are as important as the wording itself.

For businesses in specific sectors, the details matter even more. If you run an online store, our PDPA compliance guide for e-commerce covers checkout consent and order data in depth, while food businesses should review our guidance on customer data compliance for F&B and restaurants.


What happens if you get it wrong: enforcement and penalties

Since 1 October 2022, the PDPC can impose financial penalties of up to S$1 million, or up to 10% of an organisation's annual turnover in Singapore (whichever is higher) for organisations with turnover above S$10 million. Notification and consent breaches are not theoretical — they appear regularly in published enforcement decisions.

The PDPC takes a graduated approach, considering factors such as the number of individuals affected, whether the breach was deliberate, and the remedial steps taken. While the headline figure is S$1 million, many SME penalties land in the range of a few thousand to tens of thousands of dollars — still a meaningful hit for a small business, on top of mandatory remediation and reputational damage.

To understand how the PDPC actually applies these powers, our breakdown of real PDPA penalties and enforcement cases walks through decisions Singapore businesses can learn from. And if you want a single document that pulls every obligation together, the PDPA compliance checklist for Singapore SMEs is the fastest way to audit where you stand today.

A strong privacy notice is also only one part of a wider compliance posture that includes staff awareness — see our guide to PDPA staff training requirements — and a tested plan for when things go wrong, covered in what to do if your business has a data breach.


Compliance doesn't have to take weeks

Drafting, tailoring, and maintaining a privacy notice — alongside DPO appointment, consent flows, retention schedules, and breach procedures — can feel overwhelming for a lean SME team. This is exactly the gap ComplyHQ was built to close: AI-powered compliance that handles your PDPA obligations in minutes, not weeks. Instead of stitching together generic templates and hoping they fit, you answer a few questions about your business and generate a privacy notice that reflects your actual data practices, mapped to the correct PDPA sections.

For organisations that need more than documentation — custom integrations, internal tools, or a compliant data architecture from the ground up — Adaptels builds tailored digital solutions for Singapore SMEs that bake privacy in by design.

Whether you adapt the template above by hand or automate the whole process, the goal is the same: a clear, accurate, and accessible privacy notice that earns your customers' trust and keeps your organisation compliant with Singapore's data protection law.



Frequently Asked Questions

Is a privacy notice legally required for Singapore websites?
Yes. Under the Personal Data Protection Act 2012, your organisation must notify individuals of the purposes for which their personal data is collected, used, and disclosed (Section 20, the Notification Obligation). For any website that collects personal data — through contact forms, newsletter sign-ups, e-commerce checkout, or analytics cookies — a published privacy notice is the standard way to meet this obligation. Failing to provide one is a breach that the PDPC can investigate and penalise.
What is the difference between a privacy notice and a privacy policy?
In practice, the two terms are used interchangeably in Singapore. A privacy notice is the public-facing document on your website that tells individuals how you handle their personal data, while a privacy policy sometimes refers to internal data-handling procedures. For PDPA compliance, what matters is that your website clearly publishes the purposes of collection, use, and disclosure — most Singapore SMEs combine both into a single 'Privacy Policy' page linked in the website footer.
How much can a business be fined for not having a PDPA-compliant privacy notice?
Since 1 October 2022, the PDPC can impose financial penalties of up to S$1 million, or up to 10% of an organisation's annual turnover in Singapore (whichever is higher) for organisations with local turnover exceeding S$10 million. Notification and consent failures are among the most commonly cited breaches in enforcement decisions. Beyond fines, the bigger cost is often reputational damage and loss of customer trust.