PDPA Compliance | 9 min read | 12 April 2026

Free Privacy Policy Template for Singapore Websites (PDPA Compliant)

Free PDPA-compliant privacy policy template for Singapore websites. Section-by-section guide with explanations and a ready-to-use template for your business.

ComplyHQ Team

Every Singapore website that collects personal data needs a privacy policy. This is a legal requirement under the PDPA's Notification Obligation (Sections 20-21), not a nice-to-have.

This guide provides a section-by-section template with explanations for each section. Customise it to match your business's actual data practices, and you will have a compliant privacy policy.

Before You Start

A privacy policy must accurately describe your data practices. Before filling in the template, you need to know:

  1. What personal data you collect (names, emails, phone numbers, payment info, analytics data, etc.)
  2. Why you collect it (provide services, marketing, analytics, legal compliance, etc.)
  3. Where it is stored (local servers, cloud services, third-party tools)
  4. Who you share it with (payment processors, analytics providers, email tools, etc.)
  5. How long you keep it (retention periods for each data type)
  6. Who your DPO is and their contact details

If you do not know the answers, start with a data inventory before writing your privacy policy.

Privacy Policy Template

Below is a complete template. Text in [BRACKETS] needs to be customised with your business information.


Section 1: Introduction

[COMPANY NAME] ("we", "us", or "our") is committed to protecting the personal data of our users, customers, and website visitors in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and how we protect it. It also explains your rights regarding your personal data and how to contact us with questions or concerns.

This policy applies to personal data collected through our website at [WEBSITE URL], our mobile applications, and our offline interactions with you.

Effective date: [DATE]
Last updated: [DATE]

Why this matters: The introduction establishes the scope of the policy and identifies your organisation. The PDPA requires you to be transparent about who is collecting the data and for what purposes.


Section 2: Personal Data We Collect

We may collect the following types of personal data:

Data you provide directly:

  • Name
  • Email address
  • Phone number
  • Mailing address
  • [ADD OTHER DATA TYPES: company name, job title, payment information, etc.]

Data collected automatically:

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and time spent on our website
  • Referring website or source
  • [ADD OTHER: cookies, location data, etc.]

Data from third parties:

  • [IF APPLICABLE: data from social media platforms, business partners, public databases, etc.]

Why this matters: The PDPA requires you to notify individuals of the types of data you collect. Be comprehensive — if you collect it but do not disclose it, you are in breach of the Notification Obligation.


Section 3: Purposes of Data Collection

We collect and use your personal data for the following purposes:

  • Providing our services: To process your orders, manage your account, and deliver the products or services you request
  • Communication: To respond to your enquiries, send order confirmations, and provide customer support
  • Marketing: To send you promotional materials, newsletters, and updates about our products and services (with your consent)
  • Website improvement: To analyse website usage patterns and improve our website's functionality and user experience
  • Legal compliance: To comply with applicable laws, regulations, and legal obligations
  • Security: To detect, prevent, and address fraud, security issues, and technical problems
  • [ADD OTHER PURPOSES SPECIFIC TO YOUR BUSINESS]

Why this matters: Under the Purpose Limitation Obligation, you may only use personal data for the purposes you have disclosed. If a purpose is not listed in your privacy policy, using data for that purpose may be a breach.


We process your personal data based on the following legal bases under the PDPA:

  • Consent: Where you have given express consent (e.g., subscribing to our newsletter)
  • Deemed consent: Where you have voluntarily provided personal data for a purpose that is reasonable and apparent (e.g., submitting a contact form)
  • Deemed consent by notification: Where we have notified you of the intended use and you have not opted out within a reasonable period
  • Legal requirement: Where processing is required by Singapore law
  • Contractual necessity: Where processing is necessary to perform a contract with you

Section 5: Disclosure to Third Parties

We may share your personal data with the following types of third parties:

  • Service providers: Companies that provide services on our behalf, such as payment processing, email delivery, website hosting, and analytics [NAME SPECIFIC PROVIDERS: e.g., Stripe, Mailchimp, Google Analytics, AWS]
  • Professional advisers: Lawyers, accountants, and auditors as necessary
  • Government authorities: Where required by law or in response to valid legal requests
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
  • [ADD OTHER THIRD PARTIES SPECIFIC TO YOUR BUSINESS]

We require all third-party service providers to process your personal data in accordance with the PDPA and to implement appropriate security measures.


Section 6: Cross-Border Data Transfers

[IF APPLICABLE] Some of the third-party services we use may store or process your data outside Singapore. These include:

  • [SERVICE NAME] — data stored in [COUNTRY]
  • [SERVICE NAME] — data stored in [COUNTRY]

Where we transfer personal data outside Singapore, we ensure that the recipient provides a standard of protection comparable to the PDPA through contractual arrangements or other appropriate safeguards, in compliance with Section 26 of the PDPA.


Section 7: Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

  • Customer records: [X years] after the end of the customer relationship
  • Financial records: [5-7 years] as required by IRAS
  • Marketing data: Until you withdraw consent or unsubscribe
  • Website analytics data: [X months/years]
  • [ADD OTHER DATA TYPES AND RETENTION PERIODS]

When personal data is no longer needed, we will securely destroy or anonymise it.


Section 8: Data Security

We implement reasonable security measures to protect your personal data from unauthorised access, disclosure, alteration, and destruction. These measures include:

  • Encryption of sensitive data in transit and at rest
  • Access controls limiting data access to authorised personnel only
  • Regular security assessments and software updates
  • Staff training on data protection practices
  • Secure disposal of physical and digital records

While we take reasonable precautions, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.


Section 9: Your Rights

Under the PDPA, you have the following rights:

Right to access: You may request access to the personal data we hold about you. We will respond within 30 days of receiving your request. A reasonable fee may apply.

Right to correction: You may request that we correct any inaccurate or incomplete personal data. We will make corrections as soon as practicable.

Right to withdraw consent: You may withdraw your consent for any specific purpose at any time by contacting our DPO. We will process your withdrawal within [X business days]. Please note that withdrawal of consent may affect our ability to provide certain services to you, and we will inform you of the likely consequences.

To exercise any of these rights, please contact our Data Protection Officer using the details below.


Section 10: Cookies

[IF YOUR WEBSITE USES COOKIES] Our website uses cookies and similar technologies to enhance your browsing experience and collect analytics data.

  • Essential cookies: Required for the website to function properly
  • Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics)
  • Marketing cookies: Used to deliver relevant advertisements [IF APPLICABLE]

You can manage your cookie preferences through your browser settings. Disabling cookies may affect the functionality of our website.


Section 11: Data Protection Officer

Our Data Protection Officer (DPO) is responsible for overseeing our compliance with the PDPA.

DPO Contact:

  • Name/Title: [DPO NAME or "Data Protection Officer"]
  • Email: [dpo@yourcompany.com]
  • Phone: [PHONE NUMBER, if applicable]
  • Address: [BUSINESS ADDRESS]

If you have any questions about this privacy policy, wish to exercise your rights, or have concerns about how we handle your personal data, please contact our DPO.


Section 12: Complaints

If you are not satisfied with our response to your data protection concern, you may file a complaint with the Personal Data Protection Commission (PDPC):


Section 13: Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by [posting a notice on our website / sending an email notification / other method].

We encourage you to review this policy periodically.


How to Use This Template

  1. Copy the template sections above
  2. Customise every bracketed field with your specific business information
  3. Remove sections that do not apply (e.g., cross-border transfers if all data stays in Singapore)
  4. Add sections for any unique data practices your business has
  5. Publish on your website with a link accessible from every page (footer is standard)
  6. Set a review date to update the policy at least annually

Important: What This Template Does Not Cover

  • GDPR compliance: If you serve EU customers, you need additional disclosures. See PDPA vs GDPR.
  • Industry-specific requirements: Healthcare, financial services, and telecommunications have additional data protection regulations beyond the PDPA.
  • Complex data processing: If you engage in automated decision-making, profiling, or process large volumes of sensitive data, a more detailed policy is advisable.

Generate a tailored privacy policy in minutes. Instead of manually customising a template, ComplyHQ's AI privacy policy generator asks you targeted questions about your business and produces a professionally written, PDPA-compliant privacy policy. It covers all the sections above and adds industry-specific language based on your answers.

Frequently Asked Questions

Is this template legally sufficient for PDPA compliance?

This template covers all the elements required under the PDPA's Notification Obligation. However, you must customise it to accurately reflect your specific data practices. A generic template that does not match your actual practices is not compliant. For complex businesses or those handling sensitive data, consider having a legal professional review your customised policy.

Do I need a separate privacy policy for my mobile app?

If your mobile app collects personal data, it needs its own privacy policy or a combined policy that covers both your website and app. App stores (Apple App Store, Google Play) also require a privacy policy link before they will approve your app for listing. The core PDPA requirements are the same, but app-specific data collection (location, device identifiers, push notification tokens) should be addressed.

Should my privacy policy be in English only?

There is no language requirement under the PDPA, but the Notification Obligation requires that individuals can easily understand the notification. If a significant portion of your users communicate in a language other than English, consider providing the policy in their language as well. For most Singapore businesses, English is sufficient.

How do I make my privacy policy effective from a legal standpoint?

Publish it on your website in an easily accessible location (footer link on every page is standard). Include the effective date and a revision history. Notify existing users when you make material changes. Ensure the policy accurately reflects your current data practices. The policy becomes effective when published — no user signature is required.
