OTTAI PRIVACY POLICY — SINGAPORE
Effective date: 15-August-2026
Last updated: 10-July-2026
1. Who we are and the scope of this policy
This Privacy Policy explains how Syai Health Technology Pte. Ltd. (UEN 202323053C) and its affiliates (together "Syai Health", "we", "us" or "our") collect, use, disclose, transfer and protect your personal data when you use our continuous glucose monitoring ("CGM") devices, companion mobile application, websites, customer support channels and related services (together, the "Services") in Singapore.
"Ottai" is a brand of Syai Health Technology Pte. Ltd. Syai Health markets and provides its CGM devices, companion application and related Services under the Ottai brand, and holds the applicable medical device registration for the Products in Singapore. References to "Ottai" in this policy, in the Ottai application and on Ottai-branded materials are references to Syai Health in its capacity as the provider of the Services and, for the purposes of the Singapore Personal Data Protection Act 2012 (the “PDPA”), Ottai is the organisation responsible for personal data collected, used or disclosed in connection with the Services , except where another entity is expressly identified as responsible for a specific service.
The Services may include products, portals, dashboards, professional tools or related functions used by hospitals, clinics, healthcare professionals (collectively, "HCPs"), caregivers or other authorised organisations to view, manage, analyse or support patient CGM data, where such functions are made available by Ottai. In this policy, references to "you" include individual users, patients, caregivers, healthcare professionals and other authorised users, as applicable.
This policy applies to users in Singapore and is intended to be read together with the Ottai Global Privacy Policy. If there is any inconsistency between this Singapore Privacy Policy and the Ottai Global Privacy Policy in relation to the Services in Singapore, this Singapore Privacy Policy will apply to the extent of the inconsistency. If we offer products or services in other countries, those users may be subject to separate local privacy notices or addenda.
2. Our Data Protection Officer and how to contact us
We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing our compliance with this policy and with applicable data protection law. You may contact our DPO about anything in this policy or to exercise your rights.
Data Protection Officer — Contact details
- Attention: The Data Protection Officer
- Email: privacy@service.ottai.com
- Post: 1 Fusionopolis Link, #06-06, Nexus @one-north, Singapore (138542)
- Response time: We aim to acknowledge your request within 5 working days and to respond substantively within 30 days. If we need more time, we will tell you why and when you can expect a full response.
3. The personal data we collect
The Services are designed to help you monitor your glucose levels, so some of the data we handle is health-related personal data, which may be sensitive in nature. We collect the categories of personal data set out below. Not every user generates every category — what we hold depends on the features you use. More detailed function-by-function data fields are set out in the Functions and Data List, which describes the current Services and features, the personal data fields and app permissions required for each function, optional integrations, third-party services and SDKs, backend service categories, main technical endpoints where relevant, processing locations, and more detailed retention information.
The Function and Data List forms part of the information we provide to you under this policy. We may update the Function and Data List from time to time to reflect operational or technical changes to the Services. We will not use the Function and Data List to introduce a materially new purpose for collecting, using or disclosing your personal data, or a materially different way of handling your health-related personal data, without providing any notice or obtaining any consent required by applicable law.
Account & identity
Fields: user ID, username/nickname, login account, email address, mobile number, profile photo, country/region, language, glucose unit, login method, authentication tokens and credentials
When/purpose: On registration, login and account setup — to identify you, secure your account, show your profile and apply your region/unit settings
Third-party login
Fields: Google user ID, email, nickname, photo; Apple sub/email; X (Twitter) user ID, email, username
When/purpose: When you choose social login — to authenticate you and link the third-party account
Purchase & order
Fields: product ID, SKU, product name, specification, quantity, price, cart, promo/discount code and amount, order number, order status, order amount, tax, shipping fee, order/payment/cancellation/closure times
When/purpose: When you buy a device or place an order — for the online store, order fulfilment and after-sales
Delivery & logistics
Fields: recipient name, phone, email, country, state/province, city, district, full address, postcode, building, courier, tracking number, dispatch and estimated/actual delivery times
When/purpose: When you order and we ship — for delivery, tracking and after-sales
Payment
Fields: payment channel, transaction number, payment status, receipt email, bank name, card brand, masked card number, cardholder name, expiry month/year, billing address, payment token/result
When/purpose: When you pay. Full card details are handled by the payment processors; we retain only the payment result, transaction reference and masked information
App & device
Fields: App version, OS platform and version, device brand, model and device ID, jailbreak/root status, CPU, board, network status, language, NFC support, FCM/APNs push token
When/purpose: On app start, login and push — for compatibility, diagnostics, push notifications and fraud/abuse prevention
Technical, network & service-operation metadata
Fields: IP address, connection logs, DNS or network request metadata, API request metadata, messaging or push-delivery metadata, service routing information, timestamps, error logs, crash logs, diagnostic events, and backend service interaction records
When/purpose: When you use the Services — to operate backend services, route requests, deliver messages and notifications, maintain service reliability, diagnose faults, prevent abuse, support security monitoring, troubleshoot technical issues and investigate service or device problems. Not every technical connection or service endpoint receives glucose readings or health logs.
CGM device
Fields: CGM MAC address, serial number, deviceId, device type, binding/unbinding records, activation, wear, warm-up, connection, expiry/grace and abnormal-status states
When/purpose: On device binding, activation and wear — to operate the sensor, attribute readings and handle after-sales
Glucose & monitoring (health data)
Fields: real-time glucose values, timestamps, trend, level, sequence number, curve points, max/min/average, time-in-range (TIR), AGP, daily/weekly/monthly and other glucose reports
When/purpose: While you wear a sensor — the core monitoring, statistics, reports and alerts. This is health-related personal data
Glucose thresholds & alerts
Fields: high/low/urgent-low thresholds, fast rise/fall thresholds, reminder switches, sound/vibration settings, alert records and timestamps, notification data
When/purpose: When you set goals and wear a sensor — for abnormal-reading alerts and personalised reminders
Health log & manual records
Fields: meals, fingerstick readings, weight, insulin, medication, exercise check-ins, images, time, notes, pre/post-meal glucose
When/purpose: When you log entries — for your health diary, statistics and AI-assisted recognition or analysis, where you choose to use the relevant feature. This is health-related personal data
Location & region
Fields: GPS latitude/longitude, IP address, reverse-geocoded address, country/region, and registration/login/binding/daily/GPS-type location records
When/purpose: On registration, login, binding, wear and exercise — for region matching, customer-service routing and (where enabled) activity tracking
Exercise & ecosystem
Fields: exercise start/end time, GPS track, distance, steps, calories, exercise records and goals; Apple Watch / Garmin / widget / Nightscout sync data
When/purpose: If you enable activity, a smartwatch or a third-party ecosystem feature
Customer service & AI
Fields: AI questions and answers, customer-service sessions, message history, feedback, images, service group and bot ID; data passed to our customer-service tool (userId, name, phone, email, photo, device MAC)
When/purpose: When you contact support or use the AI assistant — to answer queries and handle after-sales
After-sales & device issues
Fields: device-abnormal events, connection failures, jitter, write failures, unbinding reasons, after-sales request type, device MAC/deviceId, complaint content
When/purpose: When you report a problem — for after-sales, quality analysis and troubleshooting
Health-related personal data.
Glucose readings, manual health logs and related monitoring data reveal information about your health. We collect and use them only to provide the monitoring Services you have asked for, to support product safety and quality matters, or as otherwise permitted or required by applicable law. We generally rely on your consent to collect and use such data. You can withdraw that consent as described in Section 11, although doing so may mean we can no longer provide the monitoring features.
HCPs data
Fields: name, work email address, work phone number, professional title, department, hospital, clinic or organisation name, professional or staff identifier, role, access permissions, login method, account status, audit logs and usage records
When/purpose: When a healthcare professional, hospital, clinic or authorised organisation creates or uses a professional account or portal — to verify and manage authorised access, configure roles and permissions, support clinical or care-team workflows, maintain security, provide auditability and administer professional Services.
Patient-management and professional-service data
Fields: patient identifiers, patient account or device linkage information, CGM readings, reports, alerts, trend information, device status, notes, tags, care-team assignments, report-sharing records, review history, professional comments, uploaded documents, consultation-related information or other information entered, uploaded, viewed or managed by authorised healthcare professionals or institutions through the Services
When/purpose: When a patient is linked to, managed by, reviewed by or supported through a hospital, clinic, healthcare professional, caregiver or other authorised organisation using the Services — to enable patient monitoring, glucose-data review, report generation, care coordination, device support, clinical workflow, patient support, auditability, quality and safety follow-up, and medical device compliance.
Where an HCP uses the Services to manage patient data, that HCP may also collect, use, disclose and retain patient data for its own healthcare, clinical, legal, regulatory, professional or operational purposes. Such HCP is responsible for its own handling of personal data and should provide its own privacy notice where required by applicable law.
4. How and why we use your personal data
We use your personal data for the following purposes:
- Providing the core Services — operating your CGM sensor, displaying real-time and historical glucose data, statistics, reports and abnormal-reading alerts.
- Creating and securing your account and authenticating you (including via third-party login).
- Processing purchases, payments, delivery, returns and other after-sales support.
- Providing customer service and our in-app AI assistant.
- Diagnosing crashes and errors, maintaining compatibility and improving and developing the Services.
- Sending you service messages and, where you have enabled them, push notifications and alerts.
- Safety and quality monitoring, including tracing device or adverse-event issues for our medical-device obligations.
- Detecting and preventing fraud, abuse and security incidents.
- Complying with legal, regulatory, accounting and tax obligations.
- Handling product complaints, adverse events, field safety matters, recalls, vigilance reporting, regulatory submissions, audits and other medical device safety or compliance matters.
- Enabling an HCP, caregiver or care-team use of the Services, where such functions are made available, including patient linkage, professional account management, role-based access, patient monitoring, glucose-data review, report generation, care coordination, device support and clinical workflow support.
- Supporting authorised HCP, caregivers or care-team in providing patient care, reviewing CGM data, managing device-related issues, communicating with patients, maintaining care records and carrying out related healthcare or operational activities.
- Maintaining records of HCP access, activity, report generation, data sharing, patient linkage, account administration and audit logs for security, accountability, clinical workflow, quality, regulatory and compliance purposes.
- Carrying out any other purpose that we notify you of at or before the time of collection, use or disclosure, or for which you have provided consent, or which is permitted or required by applicable law.
Because the Services relate to CGM devices and related medical device services, we may use and disclose personal data, including health-related personal data where necessary, for medical device safety, quality, regulatory and compliance purposes. These purposes may include:
- monitoring, maintaining and improving the quality, safety, usability, reliability, performance and effectiveness of our devices, app and related systems;
- investigating product complaints, device issues, technical failures, suspected adverse events, field safety matters, recalls or corrective actions;
- detecting, analysing and resolving systemic or recurring issues affecting the Services;
- validating upgrades, testing security and functionality, and maintaining safe and reliable operation of the Services; and
- complying with applicable medical device, product safety, regulatory reporting, audit, record-keeping, legal or governmental requirements.
Where practicable, we use anonymised, aggregated or de-identified data for analysis and improvement. We use identifiable health-related personal data only where necessary for the relevant purpose, consistent with this policy and permitted or required by applicable law.
5. Our basis for using your data, and your choices
Under the PDPA, we generally rely on your consent and, where applicable, on exceptions that permit collecting, using and disclosing your personal data (for example, to perform a contract with you, to comply with the law, or to protect your vital interests in a health emergency). This may include, where applicable, situations where the collection, use or disclosure is necessary to provide the Services requested by you, comply with legal or regulatory obligations, respond to emergencies, protect life, health or safety, prevent fraud or security incidents, or carry out permitted business improvement or other legally recognised activities in accordance with applicable law.
Withdrawing consent. You may withdraw your consent at any time by contacting our DPO or using the in-app settings. We will tell you the likely consequences — for some features, withdrawing consent means we can no longer provide them.
Analytics and tracking. Tools that are strictly necessary to run the Services operate by default. Analytics and tracking tools that are not strictly necessary are activated based on your consent where consent is required, and you can adjust your choices in the app's privacy settings.
AI assistant and AI-enabled features. Where you use our AI assistant or AI-enabled features, we may process the questions, prompts, images, voice input, text, health logs or other content that you actively submit for that feature, in order to provide the requested response, recognition, support or analysis. We will not use your identifiable glucose data, health logs, support content, voice input or images to train general-purpose AI models unless we have notified you and obtained any consent required by applicable law.
HCPs, caregivers and authorised care access: Some Services may allow you to share or make available your CGM data, glucose reports, alerts, device information, health logs or other personal data to healthcare professionals, hospitals, clinics, caregivers, family members or other persons involved in your care or support ("Care Team"). We do not automatically share your health-related personal data with your Care Team merely because such function is available. Such sharing or access will occur only where you choose to enable or authorise it, where a person legally authorised to act on your behalf does so, where an HCP or institution confirms that it has obtained the necessary consent or lawful authority, or where disclosure is permitted or required by applicable law. Each HCP, institution, caregiver or other Care Team member is responsible for ensuring that it has the necessary authority and for complying with its own legal, professional, clinical, institutional and confidentiality obligations.
6. Clipboard access and device permissions
Our app accesses your device clipboard only in direct response to your actions — for example, when you copy a message from the in-app AI assistant or customer-service chat, or when you paste content (such as a verification code or device identifier) into a field. We do not read the clipboard in the background or use it to build a profile of you, and any copied content stays on your device unless you choose to send it. You can clear your clipboard at any time.
Our app may also request device permissions such as notifications, Bluetooth, camera/photo access, microphone, location or background activity where required for a feature you use. The current app permissions, the relevant functions and the data involved are listed in the Function and Data List. You may manage device permissions through your device or app settings, although disabling a permission may affect the relevant feature.
7. Third-party services and SDKs we use
We use third-party services and SDKs to provide and support the Services. The current list of third-party services and SDKs, the purposes for which they are used, the data they handle and the relevant processing locations are set out in the Function and Data List. We do not use third-party services or SDKs to build advertising profiles of you. Each provider processes data under its own privacy policy.
8. How we share and disclose your data
We do not sell your personal data.
We may disclose personal data only as described below:
- Service providers (processors) — cloud hosting, customer service, analytics, crash reporting, mapping, payment and logistics providers that process data on our behalf under contract.
- Payment providers — to process your payments, as listed in Function and Data List.
- Other parts of the Ottai group — where necessary to operate the Services, under appropriate safeguards.
- HCPs, caregivers, family members or other persons involved in your care or support, but only where you choose to enable or authorise the relevant sharing or access, where a person legally authorised to act on your behalf does so, where the relevant HCP confirms that it has the necessary consent or lawful authority, or where disclosure is permitted or required by applicable law.
- Legal and regulatory disclosures — where required by law, court order or a competent authority, or to protect our rights, your vital interests or the safety of others.
- Business transfers — in connection with a merger, acquisition or reorganisation, subject to this policy.
8.1 Sharing that you initiate
Some features let you send your own glucose data to third-party platforms, such as xDrip+, AAPS (AndroidAPS), Nightscout or other platforms that we may support from time to time, and with HCPs, caregivers, family members or other persons involved in your care or support. Such sharing or access happens only when you choose to enable or authorise it. The receiving platform, HCP, caregiver or other recipient handles the data under its own terms, privacy policy, professional duties or legal obligations. The currently supported sharing platforms are listed in the Function and Data List. You can stop user-enabled sharing through the relevant app settings or third-party integration settings, where supported. Stopping future sharing may not delete data that has already been received, downloaded, stored or independently processed by the recipient.
9. Where your data is stored and international transfers
Storage location. Your personal data may be stored or processed in Singapore and in other countries or regions where our group entities, service providers or business partners operate. The current primary hosting location, service-provider processing locations and international transfer details are listed in the Function and Data List.
Safeguards. When we transfer personal data outside Singapore, we take appropriate steps required under the PDPA to ensure that the overseas recipient is bound by legally enforceable obligations, binding corporate rules, recognised certifications or other legally recognised safeguards that provide the transferred personal data with a standard of protection comparable to that under the PDPA. These may include data-processing agreements, contractual transfer clauses, EU Standard Contractual Clauses or ASEAN Model Contractual Clauses where relevant, confidentiality obligations, access controls, encryption, vendor due diligence, vendor oversight and restrictions on unauthorised onward transfers. You may contact our DPO for more information about these safeguards.
10. How long we keep your data
We keep personal data only for as long as necessary for the purposes set out in this policy, or for longer where the law requires or permits it. Our main retention periods are:
- Glucose and related health-monitoring data: retained while your account remains active. When you delete your account, this data is deleted from our primary systems and connected services, and database backups are purged within 7 days, unless longer retention is required for safety, adverse-event, regulatory, legal, audit or dispute-resolution purposes.
- Account and profile data: retained while your account remains active. When you delete your account, this data is deleted from our primary systems and connected services, and database backups are purged within 7 days, unless longer retention is required for safety, adverse-event, regulatory, legal, audit or dispute-resolution purposes.
- Order, payment and tax records: For the period required by applicable accounting and tax law, in a form no longer linked to your deleted account.
- Customer-service and after-sales records: For as long as needed to handle your matter and any related quality or safety follow-up
When a retention period ends, we delete or irreversibly anonymise the data, unless otherwise required under applicable law.
11. Your rights
Subject to the limits in applicable law, you have the following rights over your personal data:
- Access — you can ask for a copy of the personal data we hold about you, and for information about the ways in which it has been used or disclosed by us in the year before your request.
- Correction — you can ask us to correct personal data that is inaccurate or incomplete.
- Withdraw consent — you can withdraw consent you have given, on reasonable notice.
- Deletion — you can ask us to delete your personal data where it is no longer needed for the purposes for which it was collected, subject to data we must keep to meet legal, accounting, safety or other legitimate requirements (for example within the retention periods in Section 10).
11.1 How to exercise your rights
Contact our DPO at privacy@service.ottai.com. To protect your account and your health data, we will verify your identity before we act on a request. We will respond within the timeframe in Section 2. We do not charge for most requests, but we may charge a reasonable fee for an access request where permitted, and we will give you an estimate first.
11.2 Accuracy
We will make reasonable efforts to ensure that personal data collected by us or on our behalf is accurate and complete where the data is likely to be used by us to make a decision that affects you, or disclosed by us to another organisation. You should keep your account information accurate and up to date, and you should update your account information or notify us if the information changes.
12. How we protect your data
We use technical and organisational measures to protect personal data against unauthorised access, use, disclosure, copying, modification or loss. These measures include encryption in transit, physical segregation of health data from other data, access controls, authentication, audit logging, segregation of administrative access, data minimisation where practicable, security reviews, incident-response procedures and vendor due diligence. Encryption of stored data is part of our security roadmap. No system is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to respond promptly to any incident.
13. Personal-data breaches.
We maintain procedures to detect, assess, investigate and respond to personal-data breaches. Where a breach is likely to result in significant harm to affected individuals, or affects a significant number of individuals, we will notify the Personal Data Protection Commission of Singapore ("PDPC") as soon as practicable and, in any event, within 3 calendar days of determining that the breach is notifiable, and we will notify affected individuals where the law requires.
14. Children and people under guardianship
The Services may be used to monitor the glucose of a child or a person who lacks capacity. Where a user is a minor or under guardianship, the account should be set up and managed by a parent or legal guardian. If you create, manage or use an account for a child, a person under guardianship, or another person who requires assistance, you represent that you are authorised to do so and to provide consent on that person's behalf. If you believe a child's data has been provided to us without appropriate authority, please contact our DPO.
15. Marketing and communications
We may send you service-related messages, product notices, safety notices, updates and support communications relating to your account, device or use of the Services.
We may send marketing communications only where permitted by applicable law and, where required, with your consent. You may opt out of marketing communications at any time using the unsubscribe or opt-out mechanism provided, or by contacting us. Service, safety, transactional and account-related messages are not marketing messages and may continue where necessary. Where we send specified marketing messages to a Singapore telephone number, we will comply with the PDPA's Do Not Call provisions, including consent, opt-out and DNC Registry requirements.
16. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new "Last updated" date and, where the changes are significant, we will take reasonable steps to notify you. Please review this policy periodically.
17. Language Precedence
Where this Agreement is provided in multiple languages, the English version prevails to the extent permitted by applicable law.
18. Questions and complaints
If you have a question or concern, please contact our DPO first at privacy@service.ottai.com so we can try to resolve it. You also have the right to lodge a complaint with the relevant authority — in Singapore, the PDPC.