fShepherdForms
Legal

Privacy Policy

Last updated: 13 May 2026 · PDPA-compliant

1. Who we are

This Privacy Policy describes how NHB Industrial Pte Ltd (UEN 202542682D), the operator of ShepherdForms ("we", "us", "our"), collects, uses, discloses, and protects personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA").

Our registered office is at 5038 Ang Mo Kio Industrial Park 2, #01-409, Singapore 569541.

2. Our role under the PDPA

For the personal data you (a customer organisation) provide to us when signing up for the Service — your name, email, organisation details, billing information — we are the data controller.

For the personal data your registrants provide through forms you build with the Service — registrants' names, contact details, registration responses — you are the data controller and we are your data intermediary. You determine what personal data is collected, the purpose of collection, and how long it is retained.

3. What we collect

From customers:

  • Identification: name, email, organisation name;
  • Account: password (stored hashed), session tokens;
  • Billing: invoice details, payment method records (we do not store full card numbers);
  • Support communications and account history;
  • Technical: IP address, browser type, access timestamps, audit logs.

From registrants (on your forms):

  • Whatever your form collects — typically name, contact details, age, dietary requirements, payment confirmation, etc.;
  • Consent timestamps for PDPA compliance;
  • Technical metadata: IP address at submission, audit logs.

4. How we use it

For customer data, we use it to:

  • Provide and maintain the Service;
  • Process payments and issue invoices;
  • Respond to support requests;
  • Send service-related communications (security notices, billing reminders);
  • Comply with legal obligations.

For registrants' data, we use it strictly to operate the Service on your behalf — storing, retrieving, exporting at your request. We do not use registrants' data for our own marketing or analytics.

5. Legal basis

Under the PDPA, we collect, use, and disclose personal data based on consent (express or deemed), or where permitted by law (e.g., to perform a contract you have with us, or to comply with legal obligations).

6. Sharing and disclosure

We do not sell personal data. We share personal data only:

  • With service providers we use to operate the Service (currently: Render (Singapore region) for hosting; Cloudflare R2 (Asia-Pacific) for image storage). These providers process data only on our instructions;
  • With your nominated payment processor (such as HitPay) if you configure one for collecting registration payments. We pass only the data required to create payment requests and verify webhooks;
  • If required by Singapore law, court order, or regulatory request;
  • To protect the rights, property, or safety of NHB Industrial Pte Ltd, our users, or the public;
  • In connection with a merger, acquisition, or sale of assets, subject to the receiver respecting the terms of this Policy.

We do not transfer personal data outside Singapore beyond what our service providers' data residency policies require. Where data is transferred, we ensure the recipient provides a comparable standard of protection as required by the PDPA.

7. Retention

For customer data, we retain it for as long as your account is active and for a reasonable period after termination (typically 90 days) to handle billing disputes or legal claims. Audit logs may be retained longer for compliance.

For registrants' data, you control retention. The Service includes configurable per-event retention periods and automatic data purging at expiry, implemented as a daily background job. Default retention is 365 days from submission unless you change it.

8. Security

We use reasonable technical and organisational measures to protect personal data, including:

  • HTTPS / TLS encryption for all data in transit;
  • Encryption at rest for sensitive fields (NRIC, passport, payment credentials);
  • Singapore-region hosting and database backups;
  • Per-organisation data isolation in our application logic;
  • Role-based access controls;
  • Audit logging of personal data access and changes.

No method of internet transmission is 100% secure. We strive to use commercially acceptable means to protect personal data but cannot guarantee absolute security.

9. Your rights under the PDPA

You (and your registrants, where applicable) have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Withdraw consent we have relied on for processing;
  • Request deletion of your personal data, subject to legal retention requirements.

For registrants of your forms: a withdrawal link is provided on every form submission. Use it to withdraw consent directly; we will mask the registrant's personal data on the customer's record while preserving payment and booking totals for the customer's bookkeeping integrity.

For customer data and other requests: email us at hello@shepherdforms.com. We respond to PDPA requests within 30 days.

10. Data breach notification

In the event of a personal data breach that is likely to cause significant harm or that affects 500 or more individuals, we will notify the Personal Data Protection Commission of Singapore (PDPC) and affected individuals as required by Section 26D of the PDPA.

11. Cookies and tracking

We use functional cookies necessary for the Service to operate (session tokens, authentication). We do not use third-party advertising trackers or analytics that share data with marketing networks.

12. Children

The Service is not directed at children. Customers using the Service to register children for events are responsible for obtaining parental consent in accordance with the PDPA and the PDPC's Advisory Guidelines on Children's Personal Data in the Digital Environment.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes by email or through the Service. The "Last updated" date at the top of this page reflects the current version.

14. Data Protection Officer

Our Data Protection Officer can be reached at hello@shepherdforms.com.

If you are dissatisfied with our response to a privacy request, you may contact the Personal Data Protection Commission of Singapore (PDPC) at www.pdpc.gov.sg.

Issued by NHB Industrial Pte Ltd (UEN 202542682D) trading as ShepherdForms.