Privacy Policy

TALK SAYA PTE. LTD.

PRIVACY POLICY

Last Updated: March 31, 2026

1. Introduction

This Privacy Policy sets out how Talk Saya Pte. Ltd. ("Saya," "we," "us," or "our"), a private limited company incorporated under the laws of the Republic of Singapore (UEN: 202438387K), collects, uses, discloses, stores, transfers, and protects your personal data when you access or use the Saya platform, including the website www.talksaya.com, its related mobile applications, and any associated services (collectively, the "Platform").

Saya is a technology platform that facilitates the delivery of mental health services by independent, locally credentialed mental health professionals ("Providers") to clients. Saya is not a healthcare provider and does not practice medicine, psychology, or counseling.

This Privacy Policy should be read together with the Saya Informed Consent for Mental Health Services (including all applicable Country Schedules and addenda) and the Saya Terms of Use, which together form the complete agreement governing your use of the Platform.

2. Applicable Data Privacy Laws

Saya is incorporated in Singapore and serves clients in multiple jurisdictions. Saya processes personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA), as amended, which serves as our baseline data protection standard.

Where additional or different requirements apply under the law of the jurisdiction in which you are located, those requirements are identified in the applicable Country Schedule annexed to the Informed Consent and apply solely to clients in that jurisdiction. Applicable frameworks may include:

• Singapore: Personal Data Protection Act 2012 (PDPA), as amended.
• Philippines: Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and applicable Circulars of the National Privacy Commission (NPC).
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable provincial health information privacy legislation.
• Other jurisdictions: The applicable data privacy or data protection law of the jurisdiction in which you are located, as identified in the applicable Country Schedule.

3. Definitions

"Personal data" means any data, whether true or not, about an individual who can be identified from that data, or from that data combined with other information to which we have or are likely to have access. This includes "personal information" as defined under the Philippine DPA, and equivalent terms under other applicable laws.

"Sensitive personal data" means personal data that is afforded heightened protection under applicable law, including but not limited to health data, mental health records, clinical notes, psychological assessments, and any data relating to your physical or mental health condition. This includes "sensitive personal information" as defined under the Philippine DPA (Section 3(l)), and equivalent classifications under other applicable laws.

"Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, transfer, modification, and deletion.

"Provider" or "Practitioner" means any independent mental health professional who delivers clinical services through the Platform, which may include counselors, psychologists, and psychiatrists.

Other terms used in this Privacy Policy shall have the meanings given to them in the applicable data privacy law and in the Saya Informed Consent and Terms of Use.

4. Data We Collect

4.1 Data You Provide Directly

Account and identity data: Full name, date of birth, sex/gender, email address, phone number, emergency contact name and phone number, and government-issued identification (for identity verification purposes).

Payment data: Payment method details, billing address, and transaction records. Payment card details are processed by our third-party payment processor and are not stored on Saya's servers.

Communications data: Messages exchanged between you and your Provider through the Platform's messaging feature, and any communications you send to Saya's support team.

4.2 Data Generated Through the Services

Clinical notes: Notes prepared by your Provider regarding your sessions, stored on Saya's servers.

Session data: Session scheduling records, attendance records, session duration, and session metadata used for generating automated session summaries (for subscribed users).

Messaging logs: Records of messages exchanged between you and your Provider on the Platform.

4.3 Data Collected Automatically

Technical data: Device type, operating system, browser type and version, IP address, session timestamps, error logs, and Platform usage data.

Cookie data: Data collected through cookies and similar tracking technologies as described in Section 10.

4.4 Data We Do Not Collect

Saya does not record video or audio of your sessions. We do not collect biometric data. We do not collect data from your device beyond what is described in this Section.

5. Purposes of Processing

We process your personal data for the following specific, declared, and legitimate purposes:

• Delivery of Services: Facilitating the connection between you and your Provider; enabling session booking, video sessions, and messaging; and supporting the continuity and coordination of your care (including referral where appropriate).
• Clinical records: Storing clinical notes prepared by your Provider to support the delivery and continuity of care.
• Automated session summaries: Processing session data to generate AI-assisted session summaries for subscribed users, as described in Section 7.
• Payment and billing: Processing payments, managing subscriptions, issuing invoices, and enforcing the cancellation and no-show policy.
• Account management: Creating and maintaining your account, verifying your identity, and communicating with you about your account and the Services.
• Platform administration: Maintaining the security, integrity, and performance of the Platform; detecting and preventing fraud; resolving technical issues; and conducting internal analytics using anonymized and aggregated data.
• Legal and regulatory compliance: Complying with applicable laws, regulations, court orders, and requests from regulatory authorities in any applicable jurisdiction.
• Service communications: Sending you transactional and service-related communications, including booking confirmations, session reminders, policy updates, and responses to your inquiries.
• Marketing (with consent): Sending you marketing communications about Saya's services, promotions, or events, only where you have provided separate, specific consent to receive such communications. You may withdraw your marketing consent at any time as described in Section 8. Marketing consent is not bundled with your consent to receive the Services and is not a condition of using the Platform.

6. Lawful Basis for Processing

We process your personal data on the following legal bases, as applicable under the data privacy law of your jurisdiction:

• Consent: We process your sensitive personal data (health and mental health data) on the basis of your explicit, informed, and freely given consent, as provided through the Informed Consent and this Privacy Policy.
• Contractual necessity: We process personal data where necessary for the performance of our contract with you, including the delivery of Services, payment processing, and account management.
• Legal obligation: We process personal data where necessary to comply with a legal obligation to which we are subject, including mandatory reporting obligations, court orders, and regulatory requirements.
• Legitimate interests: Where permitted by applicable law, we may process personal data where necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include Platform security, fraud prevention, and service improvement using anonymized data.

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

7. Session Data and Automated Processing

7.1 Automated Session Summaries

Subscribed users may receive an automated, AI-generated session summary following each session. Session data used for this purpose is processed as follows:

Processing is performed using Saya's internal systems and, where necessary, third-party processing services. These third-party services are engaged solely as data processors acting on Saya's instructions, and are bound by contractual obligations requiring them to: process data only for the specified purpose of summary generation; maintain confidentiality; implement appropriate security measures; and delete or return data upon completion of the processing task.

Saya does not use identifiable session data to train, fine-tune, or improve machine learning models. Where third-party processing services are used, Saya ensures through contractual safeguards that such services do not retain, use, or train on your session data beyond the scope of the immediate processing task.

7.2 Messaging Data

Messages exchanged between you and your Provider through the Platform are stored on Saya's servers for the purposes of supporting the continuity of care and enabling the messaging feature. Messaging does not constitute therapy and is not a substitute for in-session Services, as set out in the Terms of Use (Section 3.2).

7.3 No Automated Decision-Making

Saya does not use automated processing, including profiling, to make decisions that produce legal effects or similarly significant effects concerning you. Automated session summaries are provided for your personal reference only and do not constitute clinical records, diagnoses, or treatment plans. All clinical decisions are made by your Provider.

8. Disclosure of Personal Data

We may disclose your personal data to the following categories of recipients, for the purposes described in Section 5:

• Your Provider: The Provider assigned to you through the Platform, who is an independent contractor and a separate data controller with respect to clinical notes and clinical decisions.
• Third-party service providers: Companies that provide services to us, including cloud hosting and infrastructure providers, payment processors, customer support tools, and AI processing services for session summary generation. These service providers are engaged under contractual obligations requiring them to process your data only on our instructions and to maintain appropriate security and confidentiality.
• Regulatory and legal authorities: Government agencies, regulatory bodies, courts, and law enforcement where disclosure is required by applicable law, court order, or legal process, or where disclosure is necessary to protect the rights, safety, or property of Saya, its users, or the public.
• Professional advisors: Auditors, legal counsel, and other professional advisors engaged by Saya in connection with its operations, under obligations of confidentiality.
• Corporate transactions: In connection with a merger, acquisition, reorganization, sale of assets, or similar transaction, your personal data may be transferred to the successor entity, subject to the same privacy commitments set out in this Privacy Policy. We will notify you of any such transfer.

Saya does not sell your personal data to third parties. Saya does not disclose your personal data to third parties for their own marketing purposes.

9. Your Rights

9.1 Rights Under Applicable Law

Depending on the data privacy law applicable to you, you may have some or all of the following rights regarding your personal data. The specific rights available to you are determined by the law of your jurisdiction, as identified in the applicable Country Schedule annexed to the Informed Consent.

• Right to be informed: The right to know what personal data we collect, how we use it, and who we share it with.
• Right of access: The right to request a copy of the personal data we hold about you and information about how it has been processed.
• Right to rectification: The right to request correction of inaccurate or incomplete personal data.
• Right to erasure: The right to request deletion of your personal data under certain conditions, subject to legal and professional retention obligations. Availability of this right depends on applicable law.
• Right to data portability: The right to receive your personal data in a structured, commonly used, machine-readable format. Availability of this right depends on applicable law.
• Right to object: The right to object to the processing of your personal data on grounds relating to your particular situation, including objection to processing for direct marketing. Availability of this right depends on applicable law.
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the relevant data privacy authority in your jurisdiction, including the Personal Data Protection Commission (Singapore), the National Privacy Commission (Philippines), the Office of the Privacy Commissioner (Canada), or other applicable authority as identified in your Country Schedule.

9.2 Exercising Your Rights

To exercise any of the above rights, contact Saya's Data Protection Officer at dataprotection@talksaya.com. We will respond to your request within the timeframe required by applicable law. Under the Singapore PDPA, we will endeavor to respond within thirty (30) days. Where permitted by applicable law, a reasonable fee may be charged for access requests that are manifestly unfounded, repetitive, or excessive. We will inform you of any applicable fee before processing your request.

If we are unable to fulfill your request (for example, where a legal or professional obligation requires us to retain data), we will inform you of the reasons.

9.3 Withdrawing Consent

You may withdraw your consent for the collection, use, and disclosure of your personal data at any time by submitting a written request to dataprotection@talksaya.com. Upon receipt of your request, we will process it within a reasonable time and notify you of any consequences, including any impact on our ability to provide the Services.

Withdrawal of consent does not affect: the lawfulness of processing that occurred before the withdrawal; our right to continue processing where another lawful basis applies (such as legal obligation or legitimate interest).

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. They help us provide you with a functional experience, understand how you use the Platform, and improve our services.

10.2 Types of Cookies We Use

• Strictly necessary cookies: Required for the operation of the Platform, including session management and security. These cookies cannot be disabled.
• Analytical/performance cookies: Allow us to measure and analyze how visitors use the Platform, helping us improve functionality and user experience.
• Functionality cookies: Enable the Platform to remember your preferences (such as language or region) and provide enhanced features.
• Targeting cookies: Record your activity on the Platform to deliver content and communications more relevant to your interests. We do not currently serve third-party advertisements on the Platform.

10.3 Managing Cookies

You can modify your browser settings to decline cookies, though this may affect your ability to use certain Platform features. Where applicable law in your jurisdiction requires prior consent for non-essential cookies, we will obtain your consent before placing such cookies on your device.

11. Cross-Border Data Transfers

Saya is incorporated in Singapore and serves clients in multiple jurisdictions. Your personal data, including sensitive personal data (health and mental health records), is processed using infrastructure that may be located in Singapore and/or other jurisdictions where Saya's cloud service providers and sub-processors operate. Your Provider may also be located in a jurisdiction different from your own (for example, if you are an overseas Filipino worker accessing a Philippine-licensed Provider).

Saya ensures that any cross-border transfer of personal data is conducted in compliance with:

• Singapore PDPA: Section 26 (Transfer Limitation Obligation), which requires that overseas recipients be bound by legally enforceable obligations providing protection comparable to the PDPA.
• Philippine DPA: Section 21 of R.A. 10173 and applicable NPC Circulars, which require that data transferred outside the Philippines be afforded a comparable standard of protection.
• Other applicable laws: Equivalent transfer requirements under the data privacy law of your jurisdiction, as identified in the applicable Country Schedule.

Safeguards we implement for cross-border transfers include: data processing agreements with all sub-processors requiring standards at least comparable to the Singapore PDPA; encryption of personal data in transit and at rest; role-based access controls; and regular security assessments and audits.

12. Data Security

We implement appropriate administrative, physical, and technical security measures to protect your personal data from unauthorized access, collection, use, disclosure, modification, or destruction. These measures include:

• Technical measures: Encryption of data in transit (TLS/SSL) and at rest; role-based access controls; multi-factor authentication for administrative access; and regular vulnerability assessments.
• Administrative measures: Staff training on data protection; internal data protection policies and procedures; access limited to personnel with a legitimate need-to-know; and contractual confidentiality obligations for all employees and contractors.
• Physical measures: Secure data center facilities operated by our cloud infrastructure providers, with physical access controls and environmental protections.

While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. We continually review and enhance our security measures in response to evolving threats and industry best practices.

13. Data Breach Notification

In the event of a personal data breach involving your data that is likely to cause harm or significant impact:

• Notification to authorities: We will notify the relevant data privacy authority within the timeframe required by applicable law. Under the Singapore PDPA, notification will be made to the PDPC as required by law. Under the Philippine DPA, notification will be made to the National Privacy Commission (NPC) within seventy-two (72) hours of becoming aware of the breach.
• Notification to you: We will notify affected individuals within a reasonable period, as required by applicable law, providing information about the nature of the breach, the data affected, and the steps we are taking in response.

If you believe your data may have been compromised, please contact us immediately at dataprotection@talksaya.com.

14. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

• Clinical notes and messaging logs: Retained for a minimum of ten (10) years from the date of your last session, or such longer period as may be required by applicable professional regulations or law.
• Account and identity data: Retained for the duration of your account and for a period of two (2) years after account closure, unless a longer period is required by law.
• Payment data: Retained for the period required by applicable tax and financial reporting laws, typically seven (7) years.
• Technical and analytics data: Retained for up to two (2) years, after which it is anonymized or deleted.
• Marketing consent records: Retained for as long as the consent is active, plus two (2) years after withdrawal for audit and compliance purposes.

Upon expiration of the applicable retention period, personal data will be securely destroyed using methods that render it unrecoverable, or irreversibly anonymized.

15. Children and Minors

Saya serves clients who are minors (below the age of majority in their jurisdiction). Where a client is a minor, parental or legal guardian consent is required before we process their personal data, in accordance with the provisions of the Informed Consent (Section XII) and the applicable Country Schedule.

We implement age verification measures as part of our account creation process and collect only the minimum personal data necessary to deliver the Services to minor clients.

16. Third-Party Websites and Services

The Platform may contain links to third-party websites or services that are not operated by Saya. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to read the privacy policies of any third-party site you visit.

17. Data Controllers

For purposes of applicable data privacy law:

Saya acts as a data controller (or Personal Information Controller under the Philippine DPA) with respect to: your account and identity data; payment and billing data; session scheduling and attendance data; messaging logs stored on the Platform; technical and analytics data; and automated session summary generation.

Your Provider acts as an independent data controller (or Personal Information Controller) with respect to: clinical notes and clinical records they create; clinical decisions regarding your care; and any personal data they process in the exercise of their independent professional judgment.

Where Saya and your Provider are independent controllers of the same data, each is independently responsible for their own compliance with applicable data privacy law. Saya's obligations as set out in this Privacy Policy apply to data within Saya's control. Your Provider's obligations are governed by their professional ethical duties and applicable law.

18. Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights as described in Section 9, please contact our Data Protection Officer:

Data Protection Officer
Talk Saya Pte. Ltd.
Email: dataprotection@talksaya.com

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.

For non-material changes, we will post the updated Privacy Policy on the Platform and update the "Last Updated" date. Your continued use of the Platform after the changes become effective constitutes acceptance of the updated Privacy Policy.

For material changes — including changes to the categories of data collected, the purposes of processing, the lawful basis for processing, cross-border transfer practices, or third-party disclosure practices — we will provide at least fourteen (14) days' notice by email or in-app notification, and will request your affirmative acceptance before the changes take effect.

If you do not accept a material change, you may discontinue your use of the Platform. Your most recently accepted version of this Privacy Policy shall govern the processing of data collected prior to the change.