Aurion Group Privacy Governance Policy
1. Purpose
This Policy sets out how Aurion Global Pte Ltd (“Aurion Global”), a Singapore-incorporated company, collects, uses, discloses, and protects personal data of customers, platform users, candidates, partners, or any other individuals whose personal data is collected and processed through its platforms, services, and operations. It also sets out the data protection responsibilities of Staff-on-Demand (“Staff”) who are granted access to such data in the course of their engagement.
2. Scope
This Policy applies to:
- Aurion Global and all of its subsidiaries and affiliated entities (collectively, the “Aurion Group”), whether incorporated in Singapore, Malaysia, the United States, Switzerland, or any other jurisdiction in which such entities may be established from time to time; and
- all Staff engaged by any entity within the Aurion Group (“Aurion Co”).
3. Collection and Use of Personal Data
Aurion Group may collect and use personal data for the following purposes, in accordance with applicable data protection laws:
HR and Internal Operations
- Hiring, background checks, and onboarding of candidates;
- Managing performance, engagement terms, and communications with Staff;
- Processing payments, benefits, and reimbursements to Staff;
- Maintaining internal records and complying with employment-related legal obligations; and
- Any other legitimate internal purpose related to workforce and operational management.
Commercial and Platform Operations
- Verifying identity and performing know-your-customer (KYC) checks;
- Managing subscriptions, billing, and payment processing;
- Providing, maintaining, and enhancing services offered on the platform;
- Authenticating users and facilitating communications;
- Ensuring security, fraud prevention, and compliance with legal obligations; and
- Any other legitimate business purpose in line with Aurion Group’s commercial objectives and data protection laws.
4. Legal Basis and Data Retention
Aurion Group processes data in accordance with applicable laws, including:
- Personal Data Protection Act 2012 (Singapore);
- Personal Data Protection Act 2010 (Malaysia);
- Swiss Federal Act on Data Protection (FADP);
- General Data Protection Regulation (GDPR), where applicable; and
- U.S. privacy laws, including the CCPA, where applicable.
Personal data must only be retained for as long as necessary to fulfil the purpose for which it was collected or to meet applicable legal, regulatory, or contractual obligations.
Retention policy for specific types of records
| Data | Retention Policy |
|---|---|
| Resumes/CVs | If no longer in use (e.g., candidate not selected), resumes and CVs will be discarded within 1 month from the date of the decision. |
| Contracts | All executed contracts, including employee, service provider, and vendor agreements, will be retained for a period of 7 years following the termination of the contract or the completion of the services. |
| Transaction Records | Data related to payments, invoicing, and financial transactions will be retained for a period of 7 years from the date of the transaction. |
| User Data | Personal data of users will be retained for the duration of their active use of the Platform or services. Once an account is deactivated or the relationship is terminated, user data will be deleted or anonymized within 6 months, unless a longer retention period is required by law. |
| Communication Records | Email communications and customer support interactions will be retained for 6 months after resolution of the issue, unless longer retention is necessary. |
| Sensitive Data | Any sensitive data (e.g., health information, financial details) will be retained for no longer than necessary for the processing purpose and in compliance with applicable data protection laws. |
Data retention periods may be adjusted as necessary based on changes in regulatory requirements or the nature of the data involved. Upon expiration of the retention period, data will be securely deleted or anonymized.
5. Responsibilities of Staff
All Staff are required to uphold the confidentiality, integrity, and security of personal data in accordance with this Policy. Specific responsibilities based on roles are set out below.
5.1 Confidentiality and Access
- Access personal data strictly on a need-to-know and purpose-specific basis;
- Use only Aurion-authorised tools, systems, networks, and environments;
- Ensure that personal data is only disclosed or shared in accordance with internal authorisation protocols.
5.2 Security Requirements (All Staff)
- Maintain strong, unique passwords and enable multi-factor authentication where applicable;
- Never store personal data on personal devices, unauthorised drives, or unapproved cloud platforms;
- Avoid unauthorised copying, screenshotting, or exporting of personal data;
- Immediately report any actual or suspected data breach, leak, or unauthorised access to: privacy@auriongroup.io.
Role-Specific Responsibilities
Staff handling IT systems or support must:
- Implement, monitor, and regularly update security protocols (e.g. firewalls, access controls, encryption);
- Ensure that system logs, backups, and audit trails are maintained securely;
- Proactively identify and patch vulnerabilities in infrastructure used to store or process personal data;
- Support compliance with secure software development, hosting, and infrastructure handling practices.
HR Staff must:
- Ensure that personal data of candidates and Staff is collected only for legitimate purposes (e.g. hiring, payroll);
- Limit access to employment records, background checks, and salary data to authorised persons only;
- Use secure channels when communicating sensitive HR data;
- Dispose of records securely in accordance with the retention policy set out in Section 4.
Commercial Staff (e.g. platform, subscriptions, user support) must:
- Ensure all customer, subscriber, or user data is processed in accordance with stated privacy terms and consent;
- Avoid extracting or storing user data outside approved systems (e.g. CRM, payment processors);
- Use data only for legitimate business purposes;
- Immediately flag any unusual customer requests involving personal data access or erasure;
- Dispose of records securely in accordance with the retention policy.
6. Prohibited Actions
Staff are strictly prohibited from:
- Using personal data for personal or third-party purposes;
- Storing data on personal devices or unapproved platforms;
- Sharing data without written consent from Aurion Co;
- Transferring data cross-border without authorisation.
7. Cross-Border Transfers and Third Party Processing
- Cross-border transfers of personal data, including EU personal data, must be subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) as per Appendix I or other legally recognised mechanisms.
- Any such transfer requires prior written approval from Aurion Co.
- Any contractor, service provider, or third party who processes personal data on behalf of Aurion Group must sign a Data Processing Agreement (DPA).
- Staff must ensure that the DPA is signed as per Appendix II.
8. Termination and Data Deletion
Upon expiry or termination of engagement:
- All data and credentials must be returned to Aurion Co;
- All data on personal systems must be permanently deleted;
- Staff must confirm no copies, backups, or screenshots are retained; and
- Retention after termination is strictly prohibited unless legally required and expressly approved in writing.
9. Enforcement and Liability
Non-compliance may result in:
- Immediate termination of engagement;
- Reporting to legal authorities;
- Personal liability under applicable data protection laws.
10. Contact
For questions or incident reporting, email: privacy@auriongroup.io
