GDPR Compliance

Bio-Tech Wellness Lab - Your Data Rights and Our Obligations

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that regulates how personal data is collected, processed, and stored for individuals in the European Union and the European Economic Area (EEA).

Bio-Tech Wellness Lab is committed to full GDPR compliance. We respect your privacy rights and have implemented safeguards to protect your personal information in accordance with GDPR requirements.

GDPR Applicability: If you are located in the EU/EEA, GDPR applies to the personal data we process about you, regardless of where that processing takes place. This is in addition to Singapore's PDPA and other applicable local laws.

2. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You can request confirmation of whether we process personal data about you, a copy of that data, and information about the purposes of processing, the recipients, the retention period, and the source of the data (GDPR Article 15).

Right to Rectification

You can request correction of inaccurate or incomplete personal data held about you.

Right to Erasure

You can request deletion of your personal data (the "Right to be Forgotten") under certain circumstances.

Right to Restrict Processing

You can request to limit how we process your personal data in specific situations.

Right to Data Portability

You can receive the personal data you provided to us in a structured, commonly used, and machine-readable format and transmit it to another controller without hindrance (GDPR Article 20). This right applies where processing is based on your consent or on a contract and is carried out by automated means.

Right to Object

You can object at any time to processing based on our legitimate interests or a public task, including profiling (GDPR Article 21). Where you object to processing for direct marketing purposes, we must stop that processing; in other cases we may continue only if we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent

You can withdraw consent for data processing at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You can lodge a complaint with a supervisory authority, in particular the one in the EU/EEA member state where you live, where you work, or where the alleged infringement took place, if you believe your rights have been violated (GDPR Article 77).

3. Legal Basis for Data Processing

Under GDPR Article 6, we only process personal data when we have a legal basis to do so. Here are the bases we rely on:

3.1 Contractual Necessity (Article 6(1)(b))

Processing is necessary to fulfill a contract with you or to take steps at your request before entering into a contract. Example: Processing payment information to complete your purchase.

3.2 Consent (Article 6(1)(a))

We have obtained your freely given, specific, informed, and unambiguous consent for processing. Example: Marketing emails or optional health questionnaires.

3.3 Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with a legal obligation we are subject to. Example: Tax records retention for 7 years as required by law.

3.4 Vital Interests (Article 6(1)(d))

Processing is necessary to protect the vital interests of you or another natural person. Example: Processing health information in emergency situations.

3.5 Public Task (Article 6(1)(e))

Processing is necessary for the performance of a task carried out in the public interest.

3.6 Legitimate Interests (Article 6(1)(f))

Processing is necessary for legitimate interests pursued by us or by a third party, except where those interests are overridden by your interests or fundamental rights and freedoms. We document this balancing test before relying on it. Example: Website analytics to improve user experience.

4. Exercising Your Rights

To exercise any of your GDPR rights, please submit a written request to our Data Protection Officer:

Data Protection Officer: dpo@bricklayergold.com

Address: Bio-Tech Wellness Lab, Singapore

Email Subject: "GDPR Data Request - [Your Full Name]"

What to Include in Your Request:

  • Your full name and email address
  • Type of request (access, rectification, erasure, etc.)
  • Specific details about the data you're requesting
  • Proof of identity if we cannot verify you from your account details, for example because the request does not come from the email address registered to your account (a copy of your ID or passport; you may redact any fields we do not need to confirm your identity)
  • Your signature (digital or physical)

Response Timeline:

  • We respond to all requests without undue delay and in any event within one month of receipt (GDPR Article 12(3))
  • Where a request is complex or we receive several requests from you, we may extend this period by up to two further months; we will tell you within the first month if an extension is needed and why
  • We may request clarification if your request is unclear
  • Responses are free of charge unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on it

5. Data Protection Impact Assessment (DPIA)

We conduct Data Protection Impact Assessments for high-risk processing activities, including:

  • Health and wellness questionnaire processing
  • Automated decision-making or profiling that produces legal or similarly significant effects for you
  • Large-scale processing of personal data
  • Large-scale processing of special category data
  • Systematic, large-scale monitoring of publicly accessible areas

If a processing activity poses high risks to your rights and freedoms, we conduct a DPIA and may engage in prior consultation with relevant supervisory authorities.

6. Data Processing Agreements

We have Data Processing Agreements (DPAs), as required by GDPR Article 28, in place with all third-party processors who handle personal data on our behalf. These agreements:

  • Define the purpose and scope of processing
  • Specify processor obligations and responsibilities
  • Require our prior authorization before any sub-processor is engaged, and require the processor to bind each sub-processor to equivalent obligations
  • Include security and confidentiality obligations
  • Provide for data subject rights assistance
  • Include liability and indemnification clauses

All processors are bound by GDPR compliance requirements and must implement appropriate technical and organizational measures.

7. International Data Transfers

Your personal data may be transferred outside the EU/EEA for processing. For such transfers, we ensure adequate safeguards:

Transfer Mechanisms:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses in contracts with processors and other recipients outside the EU/EEA
  • Binding Corporate Rules (BCRs): Where applicable, we apply binding corporate rules
  • Adequacy Decisions: We transfer to countries with GDPR adequacy decisions where available

Supplementary Measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication protocols
  • Regular security audits and assessments
  • Data Localization Agreement clauses

Note: You have the right to be informed that your data is transferred outside the EU/EEA and to obtain a copy of the safeguards we rely on for a specific transfer (GDPR Articles 13(1)(f) and 15(2)). You may also object to the underlying processing as described in section 2.

8. Data Retention Schedules

We retain personal data only as long as necessary for the purpose it was collected:

  • Account Data: Duration of account plus 3 years after closure
  • Transaction Records: 7 years (tax and legal compliance)
  • Marketing Consent: Until withdrawal or 5 years of inactivity
  • Website Analytics: 26 months from date of collection
  • Support Communications: 2 years after last contact
  • Backup Data: Kept only until the backup copy is overwritten under the backup rotation schedule; expired personal data that still exists in a backup is not restored to live systems except during disaster recovery, and is deleted again once recovery is complete

After a retention period expires, the data is either securely deleted or irreversibly anonymized. Anonymized data can no longer be linked to you and is therefore no longer personal data; where anonymization is not possible, we securely delete the data.

9. Special Category Data

We process special category data (health information) under GDPR Article 9. Article 9(1) prohibits such processing unless one of the conditions in Article 9(2) applies; we rely on:

  • Your explicit consent (Article 9(2)(a)) for wellness questionnaires
  • Necessity for health or social care purposes (Article 9(2)(h)), where the data is handled by or under the responsibility of a professional bound by an obligation of secrecy
  • Protection of your vital interests (Article 9(2)(c)) where you are physically or legally incapable of giving consent

In addition to these conditions, we implement strict access controls and security measures for health data and keep documented records of each of these processing activities.

Data Minimization: We collect only the minimum health information necessary for providing wellness services and do not share this data with unrelated third parties.

10. Privacy by Design and by Default

We implement privacy protective measures at every stage of our operations:

  • Privacy principles embedded in system design
  • Data minimization in all processing activities
  • Privacy impact assessments before new projects
  • Encryption of sensitive personal data
  • Regular security updates and patches
  • Access controls and authentication systems
  • Privacy training for all staff members
  • Incident response and breach notification procedures
  • Privacy policies and notices clearly communicated
  • Regular privacy audits and compliance checks

11. Data Breach Notification

In the event of a personal data breach, we are committed to timely notification:

Notification to Authorities:

  • Without undue delay and, where feasible, no later than 72 hours after we become aware of the breach (GDPR Article 33); if notification is later than 72 hours, it is accompanied by the reasons for the delay
  • To the competent supervisory authority, unless the breach is unlikely to result in a risk to your rights and freedoms
  • Including the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and the contact details of our DPO
  • Every breach, including those assessed as not notifiable, is recorded internally with its facts, effects, and remedial action (Article 33(5))

Notification to Data Subjects:

  • Where a breach is likely to result in a high risk to your rights and freedoms, we notify you without undue delay (GDPR Article 34)
  • The notification describes the nature of the breach in clear and plain language, its likely consequences, and the measures we have taken or recommend you take
  • It includes the contact details of our DPO for further information
  • Notification to you may not be required where the affected data was protected by measures such as encryption that render it unintelligible to unauthorized persons, or where we have since taken measures so that the high risk is no longer likely to materialize

Contact for Security Issues (vulnerability reports and suspected breaches): security@bricklayergold.com

12. Supervisory Authority Contacts

If you believe your GDPR rights have been violated, you have the right to lodge a complaint with your local data protection authority:

European Data Protection Board: https://edpb.europa.eu/

Find your country's data protection authority on the EDPB website.

Filing a complaint does not preclude you from pursuing other legal remedies.

13. Accountability and Governance

Bio-Tech Wellness Lab demonstrates GDPR accountability through:

  • Appointing a Data Protection Officer (DPO)
  • Maintaining detailed records of processing activities (ROPA)
  • Conducting regular privacy impact assessments
  • Implementing staff privacy training programs
  • Regular compliance audits and risk assessments
  • Data Processing Agreements with all processors
  • Clear privacy policies and consent mechanisms
  • Incident response procedures and documentation

14. Contact Our Data Protection Officer

Data Protection Officer (DPO)

Email: dpo@bricklayergold.com

Address: Bio-Tech Wellness Lab, Singapore

Phone: +65 6XXX XXXX

Response Time: 5-10 business days for general inquiries

Our DPO is responsible for monitoring GDPR compliance and can assist with all data protection matters.

Last Updated: January 4, 2026