This Policy is issued by Ever Higher Data Recovery Centre Pte Ltd. The data processing activities of Ever Higher Data Recovery Centre Pte Ltd, the “Controller”, and the collected individually identifiable information, business contact information, video/images/files and device identifiers, the “Personal Data”. The terms "EHDR", "we" and "us" therefore refer to either Ever Higher Data Recovery Centre Pte Ltd or Ever Higher Data Recovery Centre Sdn Bhd, depending on where you live.

This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Policy carefully and to regularly check this page to review any changes we might make in accordance with the terms of this Policy.

This Policy is addressed to individuals inside and outside our organization with whom we hire and interact, including customers, personnel of corporate customers, corporate, and visitors to our websites, partners, suppliers, applicants for employment, and other users of our Services. This policy describes how we collect, use, disclose, transfer, store and otherwise process your personal data when you are using our data recovery services (hereinafter collectively referred to as : “Service” or "Services").

1.1       Direct Collection of Personal Data

• Data collected: When you contact us via email, telephone, or by any other means or when you provide us with your business card, when you interact with our Services, or when you submit a job application.
• Relationship data: Personal Data we obtain for the purpose of:
  • Providing a Service to an individual, corporate, or personnel of corporate, partners, suppliers, visitors, or
  • Internal usage related to employment.
• Website data: Personal Data obtain when you visit any of our websites or social channel, register, or use any features or resources available on or through a website.
• Content and advertising information: If you interact with any third-party content or advertising on a website or third-party plugins and cookies, we receive your Personal Data from the relevant third-party provider of that content or advertising.
• Third-party information: Personal Data collect or obtain from third parties (e.g. credit reference agencies or law enforcement agencies).
• Authentication information: Personal Data collect or obtain from registered individuals or personnel to verify the identity of non-registered individuals or personnel collecting data or devices on behalf of registered individuals or personnel.

1.2       Indirect Collection of Personal Data

• Corporate clients who submit your device or information on behalf of their employees.
• Family members or representatives who bring in storage media or devices for data recovery.
• Insurance companies, law firms, or third-party partners involved in a case.
• Publicly available sources, such as business websites, directories or social media for verification or contact purposes.
• Our service providers who assist in performing diagnostics, logistics, or service fulfilment.

1.3       Categories of Personal Data

• Personal information: Name
• Contact details: correspondence or shipping address, contact number, and email address
• Consent: records of consents that are given by correspondence (if applicable)
• Payment data: purchase information, pricing, invoice records, billing address; bank account number; cardholder or accountholder name; card or account security details.
• Views and feedback: reviews that you choose to send to us, or publicly post on social media platforms related to the Controller or Services
• Employment Application: Document and details summited from job applicants such as Professional experience, Certification, Qualifications, reference number, and other documents which required during application.
• Corporate information: Personnel who interact on behalf of a company; name, email address, contact number, company name.
• Compliance data: Information from fraud-prevention agencies, business directories, individuals we believe you have authorized to provide your personal details on your behalf, and similar data.

• Provisioning Purposes
  • To perform data recovery, diagnostics, imaging, verification, analysis or other technical work on your device or media.
  • To communicate with you on job status, approvals, recovery findings, or completion.
  • To verify identity and confirm device or data ownership before service work is carried out.
  • To prepare and issue quotations, contracts, invoices, receipts, or service records.
  • To securely return recovered data, devices, or media to you.

• Service enhancement purposes
  • Develop new Products and services
  • To personalize the services offer
  • To perform market analysis
  • To respond to enquiries, requests, or complaints.
  • To manage appointments, pick-up/delivery arrangements, or logistics.
  • To maintain service history for troubleshooting, repeat service or follow-up evaluations.

• Benefits purposes
  • Use of marketing and advertising to deliver including through voice, message, email, and digital advertising.
  • To update about recovery advancement, information about products and services that might be interesting for individuals, rewards, promotion, share promotional benefits and loyalty programs which you may qualify for, provide updates, offers, and invitations to events.
  • For internal reporting and administrative functions.
  • Enhancing quality, safety, and reliability of our services.
  • Improving diagnostic methods, workflows, or recovery processes.
  • Conducting internal reviews, audits or staff training.

• Security purposes
  • For authentication
  • To ensure facility and system security, including device monitoring and access logs.
  • To prevent and detect fraud or other crimes, ensure the safety and security of related storage medium.

• Regulation purposes
  • To meet regulatory, legal or law-enforcement requirements including aiding law enforcement, judicial, and other government agencies.

• Financial management purposes
  • For auditing, tax compliance,
  • To manage the financial affairs of our business regards to sales and vendors.

• Defence of legal claim
  • Management of legal claims.
  • Establishment of facts and claims, including collection, review, and production of documents, facts, evidence, and witness statements.
  • Exercise and defence of legal rights and claims, including formal legal proceedings.=

• Additional Purposes
  • If EHDR needs to use your personal data for any new purpose not listed above, we will:
    1. Notify you of the new purpose; and
    2. Obtain your consent, unless a PDPA exception applies.

1.1         Legal Justification

1. Obtaining Consent

EHDR collects, uses and discloses personal data only with your consent, unless an exception under the PDPA applies. Consent may be obtained through:

• Email, messages or written communication
• Verbal confirmation (for in-person or phone enquiries)
• Continued use of our services.

By providing your device or storage media for diagnostics or data recovery, you consent to EHDR handling and processing the information contained within for service-related purposes.

2. Withdrawal of Consent

You may withdraw your consent for the collection, use or disclosure of your personal data at any time by contacting our Data Protection Officer (DPO).

Upon receiving your request:

• We will process it within a reasonable time.
• We will inform you of the likely consequences (such as our inability to continue service).
• Your withdrawal will not affect our right to retain personal data where retention is required or permitted by law.

3. Deemed Consent under the PDPA

EHDR may rely on deemed consent in the following circumstances:

• Deemed Consent by Contractual Necessity
  • Where personal data is reasonably necessary to perform services, you have requested.

• Deemed Consent by Notification
  • Where we notify you of the new purpose and give you a reasonable period to opt out before using your data for that purpose.

• Deemed Consent by Conduct
  • Where you voluntarily provide your personal data for our services.

4. Exceptions to Consent

EHDR may collect, use or disclose your personal data as stated under section “Disclosure Of Personal Data”.

1. Accuracy of Personal Data

EHDR will make reasonable efforts to ensure that personal data we collect, use, or disclose is accurate and complete, especially when the data is likely to be:

• Used to make a decision that affects you; or
• Service-related purposes; or
• Legal obligation.

To help us maintain accuracy, please ensure that any personal data you provide is correct and up to date.

 2. Request to Correct Personal Data

You may submit a request to correct or update your personal data at any time by contacting us.

When we receive a correction request:

• We will respond within 30 days.
• We will correct your personal data in our records once the request is verified.
• Where appropriate, we will send the corrected information to other organisations to which the data was disclosed within the past year, unless those organisations do not require the updated data for legal or operational reasons.

3. Situations Where Correction May Not Be Allowed

EHDR may refuse correction requests in situations allowed under the PDPA, such as:

• When the data relates to opinion data, or
• When the data is part of an ongoing investigation, or
• When the request is frivolous or vexatious.

If we are unable to make the correction, we will inform you of the reason unless prohibited by law.

We disclose your Personal Data to other controllers to fulfil our contractual obligations towards an individual or legitimate business purposes in accordance with consent or applicable law. In addition, we disclose your Personal Data to:

1. Administrative Personal
   • Individual or personnel of corporate, and where appropriate.
   • Accountants, auditors, consultants, lawyers, and other outside professional advisors to the controller, subject to binding contractual obligations of confidentiality.
     
2. Corporate Clients or Authorised Representatives 
   • Your appointed representatives, or if we are providing Services to your employee, your employer.
   • Your employer (when company devices are submitted)
   • Insurance companies or law firms managing your case
   • Family members or authorised persons acting on your behalf
     (Only when permitted under PDPA or when you have provided authority.)
3. Government and Regulatory Bodies
   • Legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation.
   • Government agencies, regulators, or law enforcement as required by law.
   • Courts, tribunals, or authorities during legal processes.
     • To the extent necessary for the establishment, exercise, or defence of legal rights, or any relevant party for the purposes of prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties.
       
4. Professional Third Party Service Providers
   • Such as payment services providers, channel and retail partners, shipping/courier companies
   • Technology suppliers, customer satisfaction survey providers, operators of “live-chat” Professional and Administrative Service Providers
   • Third party acquirer(s) or successors in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation), but only in accordance with the applicable law.

Data may transfer within the controller, and to third parties, as noted in Section "DISCLOSURE OF PERSONAL DATA", including obtaining the individual’s consent under section "CONSENT, WITHDRAWAL OF CONSENT, AND DEEMED CONSENT".

We may transfer personal data to countries outside of Singapore, limited to Malaysia, Cambodia, Brunei, Thailand, Vietnam,  and other countries where the data's owner is located rely on exceptions under section "DISCLOSURE OF PERSONAL DATA", including obtaining the individual’s consent under section "CONSENT, WITHDRAWAL OF CONSENT, AND DEEMED CONSENT", or where the transfer is necessary for the performance of a service, contract, or to respond to an emergency. EHDR will:

• Provide a level of protection to the transferred data that is at least comparable to the protection provided under the PDPA.
• Requiring the controller or recipient to protect the personal data.
• Binding corporate rules.

Your Data processed for the purposes hereunder will be saved only to the extent necessary based on request or legal process requirements.

• Data recovery case files: 7 days after collection
• Billing/financial records: 7 years (IRAS requirement)

If a judicial or disciplinary action is initiated, Your Data may be saved until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law.

In principle, we will retain Your Data if required or permitted by applicable law. It will remove Personal Data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it.

We have implemented appropriate technical and organizational security measures to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or unauthorized Processing, in accordance with applicable law. In particular;

• Regularly review practices regarding personal data collection, storage, and processing to prevent unauthorized access to or tampering with our various systems and your personal data.
• Only EHDR employees and personnel of authorized service companies access such personal data on a need-to-know basis, to process such personal data or provide relevant services. These employees and external personnel are subject to strict contractual confidentiality obligations. If they fail to perform these obligations, they may be held liable, and/or their relationship with EHDR may be terminated.
• Carefully select our business partners and service providers and ensure that they are sufficiently bound to protect personal data and will be subject to privacy audits and assessments.
• Conduct security and privacy protection training, testing, and other activities to enhance employee awareness of and proficiency in personal data protection.
• To not transfer using an online network or the internet. The transmission of information via the internet is not entirely secure, and EHDR cannot guarantee the security of your data transmitted to us or to individuals using the internet – any such transmission is at your own risk.
• Recovered data will be wiped off on the 8th day after collection, except we receive a request to extend further or wipe off on the same day after collection, upon request.

Subject to applicable laws, individuals may have specific rights regarding their own personal data including the following rights below:

• The right to access- You may request access to the personal data we hold about you and information about its processing by contacting us using the "Contact Us" section.
• The right to rectification- If you find that the personal data, we process about you is inaccurate or incomplete, you are entitled to ask us to make rectifications and request the completion of your personal data where appropriate.

• The right of erasure- You have the right to request us to erase your personal data

• The right of processing restriction- You have the right to request the restriction of processing of your Personal Data, the respective data will be marked and may only be processed by us for certain purposes.
• The right to object- You have the right to object, on grounds relating to your situation, at any time to the processing of your Personal Data by us and we can be required to no longer process your Personal Data.
• The right of data portability- You have the right to receive the Personal Data concerning you, which you have provided to us in a structured, commonly used, and machine-readable format and you have the right to transmit that Personal Data to another controller.

If you wish to make a request, you can submit it through “Contact Us”.

In case of complaints, you also have the right to lodge a complaint with the competent supervisory authority, in the member state of your habitual residence or alleged infringement of the PDPC.

EHDR Services may contain links to third-party websites and services. You can choose whether to access websites or accept products and services provided by third parties such as Facebook, Instagram, LinkedIn, TikTok, and others, where you can view marketing or promotional information published by EHDR.

We do not control third-party privacy and data protection policies and do not accept any responsibility or liability for such policies. At the same time, such third parties are not bound by this Privacy Notice. Therefore, before submitting personal data to third parties, we strongly recommend that you refer to the privacy protection practices of such third parties.

The controllers in respect of whom this policy is issued are as follows:

If you have questions or concerns regarding our Privacy Notice or practices, please submit your request at

Email:info@3verhigher.com

Address: 217 Henderson Road, #09-02 Henderson Industrial Park, 159555 Singapore.