GigHub
Apply
Policies

Privacy Policy.

How we collect, use, and protect personal data — written for Singapore's Personal Data Protection Act and the operators, clients, and visitors who rely on this network.

Effective: 24 September 2021

This Privacy Policy describes how GigHub Pte Ltd. (UEN: 202133363H) (“GigHub”, “we”, “us”, or “our”) collects, uses, discloses, and otherwise processes personal data in connection with the GigHub platform, services, and communications (collectively, the “Services”). It is written to comply with the Personal Data Protection Act 2012 of Singapore(the “PDPA”) and the advisory guidelines issued by the Personal Data Protection Commission (“PDPC”).

We are committed to protecting the personal data of our applicants, operators, client representatives, candidates, and website visitors. By accessing the Services or providing personal data to us, you acknowledge this Policy and consent to the practices described below to the extent required by law.

Scope and definitions

“Personal data” means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access. “Processing” covers any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, disclosure, and erasure.

This Policy applies to personal data we process when you:

  • apply to join the GigHub operator network;
  • engage GigHub as a client to source operators or run engagements;
  • correspond with us in any capacity, including press or media enquiries;
  • browse our website, sign in to the platform, or use any related service.

This Policy does not cover the practices of third parties to whom we link or whose services are embedded in our Services. Those third parties operate under their own privacy policies.

Personal data we collect

We collect only the personal data necessary for the purposes set out in this Policy. The categories of personal data we may collect include:

Identity and contact data

  • full name, preferred name, and pronouns;
  • email address, phone number, postal address;
  • professional links (e.g. LinkedIn, GitHub, portfolio URLs);
  • nationality, country of residence, time zone.

Professional and engagement data (operators)

  • résumé, work history, references, professional credentials;
  • practice areas, capabilities, prior engagements, availability, rate structure;
  • tax residency, business registration where the operator works through a personal entity (e.g. Pte. Ltd., LLC), and bank or payout details required to settle engagement fees;
  • vetting notes, interview transcripts or recordings (with notice), evaluation scores, and outcome assessments.

Client and engagement data

  • business contact details of representatives of client companies (name, title, email, phone);
  • engagement briefs, scopes of work, deliverables, evaluation feedback;
  • billing entity, billing address, and tax identifiers.

Account, authentication, and device data

  • account credentials (we store passwords only as salted, irreversible hashes);
  • IP address, browser type, device type, operating system, referring URL, language preferences;
  • authentication session tokens, theme preference, and other strictly necessary cookies (see Cookies and similar technologies below).

Communications

  • messages you send via email, in-platform messaging, or other channels, including any attachments;
  • records of customer support interactions and any feedback you provide.

We do not deliberately collect special categories of personal data (such as race, religious or political beliefs, biometric data, or health information). If such data is necessary in unusual circumstances, we will obtain your express consent first and apply additional safeguards.

Purposes for which we use personal data

Under the PDPA, we collect, use, and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and only where you have consented (expressly, or by deemed consent under the PDPA) or where an exception under the PDPA applies. Specifically, we process personal data for the following purposes:

  • Operator vetting and matching — evaluating applications, conducting reference and background checks (with consent where required), curating the network, and matching operators with client engagements.
  • Engagement delivery — facilitating contract formation, scoping, kick-off, delivery coordination, and outcome evaluation between clients and operators.
  • Payments and accounting — invoicing clients, settling fees to operators, withholding and remitting taxes where applicable, and maintaining the financial records required under Singapore law (including the Companies Act 1967 and Income Tax Act 1947).
  • Platform operation and security — providing, maintaining, and improving the Services; investigating security incidents; preventing fraud; enforcing our Terms of Use.
  • Communications — responding to enquiries; sending operational notices about your account, engagements, or material changes to this Policy.
  • Marketing — sending you marketing or promotional messages only where you have specifically consented or where deemed consent by notification under section 15A of the PDPA applies. You may withdraw consent at any time (see Your rights below).
  • Legitimate interests permitted under the PDPA — including network analytics, business research, internal record keeping, and protecting our rights, where the benefits outweigh any adverse effect on you and where required, an appropriate assessment has been documented.
  • Legal and regulatory compliance — complying with applicable laws, court orders, lawful requests from regulators including the PDPC, the Inland Revenue Authority of Singapore, and the Accounting and Corporate Regulatory Authority.

Legal basis and consent

Under the PDPA, our processing is supported by one or more of:

  • Your consent, which may be expressly given (for example, when you submit an application) or deemed (where you voluntarily provide personal data and it is reasonable for you to do so).
  • Contractual necessity, where processing is required to enter into or perform a contract with you or your organisation.
  • The legitimate interests exception under the First Schedule of the PDPA, where the legitimate interests of GigHub or another person outweigh the adverse effect on the individual.
  • Other PDPA exceptions, such as business asset transactions, business improvement, research, or where required by law.

Where we rely on your consent, you may withdraw that consent at any time by writing to legal@gighub.com. We will process the withdrawal within a reasonable time and inform you of the likely consequences, which may include our inability to continue providing the Services to you.

Disclosure of personal data

We disclose personal data only as necessary to fulfil the purposes set out in this Policy, and only to:

  • Operators and clients within the network, where disclosure is required for an engagement (for example, sharing an operator’s profile with a prospective client, or sharing a client brief with shortlisted operators);
  • Service providers and data intermediaries who process personal data on our behalf under contractual confidentiality and security obligations (for example, cloud hosting, identity and authentication, payment processing, email delivery, analytics, customer support, and background-check providers);
  • Professional advisers, including legal counsel, auditors, accountants, and tax advisers, under duties of confidentiality;
  • Acquirers and successors in connection with a merger, acquisition, financing, restructuring, or sale of all or part of our business, subject to confidentiality and the business asset transaction provisions of the PDPA;
  • Authorities and courts, where required to comply with applicable law, lawful requests, court orders, or to protect our rights and the safety of others.

We do not sell personal data.

Overseas transfers

Our infrastructure, service providers, and parts of our team may be located outside Singapore. Where we transfer personal data overseas, we comply with section 26 of the PDPA and the PDPC’s Transfer Limitation Obligation by taking appropriate steps to ensure the recipient is bound by legally enforceable obligations to provide protection comparable to the PDPA. Those steps include, where applicable:

  • entering into contractual data protection clauses (including the ASEAN Model Contractual Clauses or equivalent);
  • relying on binding corporate rules within a group of companies;
  • relying on specified certifications (e.g. APEC Cross-Border Privacy Rules);
  • obtaining your consent to the transfer after informing you of the risks, where appropriate.

Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. When personal data is no longer required for any legal or business purpose, we anonymise it or securely destroy it in accordance with our internal retention schedule. Examples of typical retention periods:

  • Applicant records (unsuccessful applications): retained for up to 24 months from the close of the application, after which we may invite you to re-apply or delete the record.
  • Operator and client account records: retained for the duration of the relationship and for up to seven (7) years after the last engagement, to satisfy tax, accounting, and statutory record-keeping obligations under the Companies Act, the Income Tax Act, and the Goods and Services Tax Act.
  • Engagement records and deliverables metadata: retained for at least the limitation period applicable to claims arising from the engagement (typically six (6) years under the Limitation Act 1959).
  • Marketing consents and preferences: retained until you withdraw consent and for a short follow-on period to demonstrate compliance with that withdrawal.
  • Server logs and security telemetry: retained for up to 12 months for security and operational purposes.

Your rights under the PDPA

Subject to the conditions and exceptions under the PDPA, you have the following rights:

  • Access — you may request access to the personal data we hold about you, and information about how we have used or disclosed it in the year preceding your request.
  • Correction — you may request the correction of personal data we hold about you that is inaccurate, incomplete, misleading, or out of date.
  • Withdrawal of consent — you may withdraw any consent you previously gave us, on reasonable notice. We will inform you of the likely consequences before giving effect to the withdrawal.
  • Data portability — where the data portability provisions are in force and apply to your data, you may request that we transmit a copy of specified data in a commonly used electronic format to another organisation.
  • Complaint — you may lodge a complaint with us first; if you remain dissatisfied, you may approach the PDPC at pdpc.gov.sg.

To exercise these rights, please contact our Data Protection Officer at legal@gighub.com. We will respond within thirty (30) days or otherwise inform you of when we will respond. We may charge a reasonable fee for access requests, which we will inform you of in advance. We may also be required to refuse a request where an exception under the PDPA applies (for example, where granting access could threaten the safety or health of another individual, or reveal confidential commercial information that could harm our competitive position).

Cookies and similar technologies

We use a small number of cookies and similar technologies, classified as follows:

  • Strictly necessary — sign-in session tokens, cross-site request forgery protection, and load-balancing cookies. These cannot be disabled and do not require consent under PDPC guidelines because they are essential to deliver the Services.
  • Preferences — theme (light/dark), language, accessibility preferences.
  • Analytics — privacy-preserving aggregate analytics that help us understand how the Services are used. We do not deploy advertising or cross-site tracking cookies.

You can control or delete cookies through your browser settings. Blocking strictly necessary cookies may prevent you from signing in or using parts of the Services.

Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These include encryption in transit (TLS) and at rest where applicable, role-based access controls, least-privilege engineering practices, secure software development, regular reviews, and personnel training. No system is perfectly secure; we maintain an incident response plan and will notify affected individuals and the PDPC of any notifiable data breach in accordance with sections 26A to 26E of the PDPA.

Children

The Services are intended for adults aged 18 and above. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact legal@gighub.com and we will take steps to delete it.

Third-party links and integrations

The Services may link to or integrate with third-party services (for example, identity providers, calendaring tools, payment processors, or document signing). When you interact with those services, your personal data is also processed under their respective privacy notices. We encourage you to read them.

Updates to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will update the effective date above and, where the changes are material, take reasonable steps to bring them to your attention (for example, by notice on the Services or by email). Your continued use of the Services after an update means you accept the revised Policy.

Contact us

If you have questions, requests, or complaints about this Policy or our handling of your personal data, please contact our Data Protection Officer:

  • Data Protection Officer, GigHub Pte Ltd.
  • Email: legal@gighub.com
  • Registered office: 68 Circular Road #02-01, Singapore 049422

If you are not satisfied with our response, you may contact the Personal Data Protection Commission of Singapore at pdpc.gov.sg.