Privacy Policy
This policy explains how SG² ("we") collects, uses, discloses and protects your personal data in line with Singapore's Personal Data Protection Act (PDPA). It applies to our website, member portal, front-desk kiosk and gym operations.
Our Data Protection Officer
Our DPO is David Ooi. For any privacy question, request or complaint, contact:
- Email: info@sg2.sg (mark it "Attn: DPO")
- Phone: +65 8675 4269
- Address: 1 Fusionopolis Way, #02-09, Singapore 138632
What we collect
- Contact & identity: name, email, mobile number, date of birth.
- Profile: belt rank, an optional profile photo, liability-waiver records.
- Family profiles: if you add your child or spouse, their name, date of birth and relationship. A parent or guardian provides this data and consents on a child's behalf.
- Health & safety: optional medical flags, injury notes and coach training notes, used only so coaches can keep you training safely.
- Payments & attendance: purchase and invoice records, class bookings and check-ins. We never see or store your full card or bank details — payments are processed by HitPay.
We do not collect NRIC/FIN numbers.
What we use it for
- Running your membership: bookings, waitlists, check-ins, class and course administration.
- Processing payments and sending receipts, payment reminders and account notices.
- Service messages about your classes (e.g. cancellations, schedule changes) and occasional personal check-ins from our team.
- Safety: making coaches aware of medical flags you have shared.
- Marketing (only with your consent): promotions and gym news. You can tick or untick this at any time — just tell the front desk or email the DPO. Saying no never affects your membership.
Who we share it with
We never sell personal data. We disclose it only to providers who help us run the gym, under their data-protection terms:
- HitPay (Singapore) — payment processing.
- Railway (hosting, USA) — our systems and database run here, so your data is stored outside Singapore with contractual safeguards comparable to the PDPA.
- Resend (USA) — delivers our emails to you.
- GoHighLevel (USA) — marketing platform, used only for people who have opted in to marketing.
How we protect it
Access to member data is restricted by staff role, all traffic is encrypted in transit, sessions are secured, and privileged actions are audit-logged. Front-desk screens show at most the last four digits of a phone number.
How long we keep it
We apply the retention schedule below through periodic reviews of our records. It is our working policy rather than an automated deletion process, so data may persist until the next review is carried out.
- Active member data: for as long as you train with us.
- After you leave: profile data is deleted or anonymised within 3 years of your last activity.
- Payment records: kept 5 years to meet Singapore tax and accounting law, then deleted.
- Enquiries/trials that never join: deleted within 1 year.
You can ask us to delete or anonymise your data sooner — see "Your rights" below — and we will action it rather than waiting for a scheduled review.
Your rights
You may ask us to: access the personal data we hold about you, correct it, withdraw any consent (including marketing), or explain how your data has been used or disclosed. Most of your data is visible and editable directly in the Member Portal. For anything else, contact the DPO — we respond within 30 days.
Updates to this policy
If we change this policy materially, we'll post the new version here with a new version number and effective date, and ask for fresh consent where the law requires it.