Privacy Policy

1. Who We Are

Stonefall is a procurement consulting practice registered and operating in Singapore. Our registered address is 15 Beach Road, #06-12, Beach Centre, Singapore 189677. We are the data controller for personal data collected through this website and through our consulting services. We operate in compliance with Singapore's Personal Data Protection Act 2012 (PDPA).

2. Data We Collect

We collect the following categories of personal data:

Data you provide directly

• Name and job title, when submitted via our contact form or in the course of an engagement
• Organisation name and size
• Email address and phone number
• The content of messages or enquiries you send us
• Documents or materials you share with us as part of a service engagement

Data collected automatically

• IP address and approximate geographic region
• Browser type and device information
• Pages visited, time on page, and referral source — collected via analytics tools
• Cookie identifiers (see Section 8 for detail)

We do not collect sensitive personal data (such as NRIC numbers, financial account details, or health information) through this website.

3. How We Use Your Data

• To respond to enquiries submitted through the contact form
• To deliver and administer the services you engage us for
• To communicate about your engagement — including scheduling, written notes, and follow-up
• To send relevant updates about our services, where you have consented to receive them
• To improve this website based on aggregated usage data
• To comply with applicable legal obligations

We do not use personal data for automated decision-making or profiling.

4. Legal Basis for Processing

Under Singapore's PDPA, we rely on the following grounds for collecting and using your personal data:

• Consent — for contact form submissions and any optional marketing communications
• Contractual necessity — where data is required to deliver services you have engaged us for
• Legitimate interest — for website analytics, where it does not override your fundamental interests
• Legal obligation — where we are required to retain or process data by applicable law

5. Sharing and Disclosure

We do not sell personal data. We share data only in the following limited circumstances:

• Service providers: Third-party tools used in operating our website (analytics, email infrastructure) may process data on our behalf under appropriate data processing terms
• Analytics: We use Google Analytics to understand website usage. This service processes anonymised data including IP addresses. Google's privacy practices are described at policies.google.com
• Legal requirements: We may disclose data where required by law, court order, or a request from a regulatory body with jurisdiction over our activities

Client materials and engagement notes are kept strictly confidential and are not shared with any third party without express consent.

6. Retention Periods

• Contact enquiries: Retained for up to 24 months from receipt, or until the matter is resolved, whichever is earlier
• Client engagement records: Retained for 7 years from the close of the engagement, in line with Singapore business record-keeping requirements
• Analytics data: Retained for up to 26 months in aggregated form
• Cookie consent records: Retained for 12 months

When data is no longer needed, it is deleted securely or anonymised.

7. Security Measures

We take reasonable and appropriate steps to protect personal data against unauthorised access, disclosure, alteration, or destruction:

• All website traffic is served over HTTPS with TLS encryption
• Access to client data is restricted to personnel directly involved in the relevant engagement
• Client documents shared with us are stored in access-controlled environments
• We review our data handling practices periodically

In the event of a data breach that is likely to result in significant harm, we will notify affected individuals and the Personal Data Protection Commission (PDPC) in accordance with PDPA mandatory breach notification requirements.

8. Cookies

This website uses cookies to function and to understand how it is used. We use the following categories:

• Essential cookies: Required for the website to operate. Cannot be disabled.
• Analytics cookies: Used to understand page traffic and usage patterns in aggregate.
• Marketing cookies: Used to support advertising measurement.

For full detail on the cookies we use and how to manage your preferences, see our Cookie Policy. You can update your preferences at any time from that page.

9. Your Rights

Under Singapore's PDPA, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Ask us to correct inaccurate or incomplete personal data
• Withdrawal of consent: Withdraw consent at any time, where processing is based on consent. This does not affect the lawfulness of processing prior to withdrawal.
• Data portability: Receive personal data in a commonly used format, where technically feasible
• Objection to processing: Object to processing based on legitimate interest
• Erasure: Request deletion of personal data in certain circumstances

To exercise any of these rights, contact us using the details in Section 13. We will respond within 30 days. You may also lodge a complaint with the Personal Data Protection Commission at pdpc.gov.sg.

10. Third-Party Links

This website may contain links to external sites that are not operated by us. Once you leave our site, we have no control over the content or privacy practices of those sites and are not responsible for them. We encourage you to review the privacy policy of any external site you visit.

11. Children

Our services are directed at organisations and business professionals. This website is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected such data, we will delete it promptly.

12. Policy Updates

We may update this policy from time to time to reflect changes in our practices, services, or applicable law. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be noted clearly. Continued use of this website after changes are posted constitutes acceptance of the revised policy.

13. Contact

For any questions, requests, or complaints relating to this privacy policy or our handling of personal data, please contact us: