1. Who We Are and Our Data Protection Officer
FlexiWork Pte. Ltd. (UEN: 202550322H) is a company incorporated in Singapore with its registered office at 60 Paya Lebar Road, #06-28, Paya Lebar Square, Singapore 409051. We operate the FlexiWork platform at joinflexi.work, providing roster scheduling and pay calculation software (the SaaS Service) and a gig marketplace (the Gig Platform) for Singapore's service economy.
For the purposes of the Personal Data Protection Act 2012 (PDPA), FlexiWork Pte. Ltd. is the organisation responsible for personal data in our possession or under our control.
Data Protection Officer (DPO)
We have appointed a DPO as required under the PDPA. Our DPO is responsible for ensuring that FlexiWork handles personal data in accordance with this policy and the PDPA.
| DPO Name | Csenge Csoka |
| DPO Contact | privacy@joinflexi.work |
| Postal Address | 60 Paya Lebar Road, #06-28, Paya Lebar Square, Singapore 409051 |
2. What This Policy Covers
This policy covers personal data we collect and use in our capacity as the responsible organisation under the PDPA. That includes data about:
- business customers and their authorised users ("Employers") who use our SaaS Service or Gig Platform;
- individuals who register with FlexiWork as gig workers available for shifts via the Gig Platform ("Gig Workers"); and
- visitors to our website at joinflexi.work.
This policy does not cover personal data that Employers upload to the SaaS Service about their own staff. When Employers use our platform to manage their workforce data, FlexiWork processes that data as a data intermediary acting on Employer instructions. That arrangement is governed by the Data Protection Agreement (Schedule 1 to our Terms of Service).
This policy covers our Singapore operations only.
In plain terms: if you are an Employer using FlexiWork to manage your team's rosters and pay, this policy covers your own Account and contact data. The data about your own staff members that you enter into the platform is covered separately by the Data Protection Agreement in our Terms.
3. The Personal Data We Collect
3.1 Business Customers (Employers)
When you register as a business customer or use the SaaS Service or Gig Platform, we collect:
Account and contact information
- Your name, job title, and business email address.
- Your business name, UEN, and registered address.
- Your phone number (if provided).
Billing and payment information
- Payment card details are collected and stored by Stripe. We receive only a tokenised reference and the last four digits of your card; we do not store full card numbers.
- Billing address and invoice history.
Gig Platform activity
- Shift postings, Bookings made, Escrow funding history, Timesheet approvals, and ratings given to Gig Workers.
Platform usage and support data
- Log-in timestamps, features accessed, and support requests submitted.
- Records of emails or messages exchanged with FlexiWork.
3.2 Gig Workers
When you register as a Gig Worker on the Gig Platform, we collect:
Identity and contact information
- Full legal name, date of birth, and residential address.
- NRIC number or FIN (for identity verification and right-to-work purposes).
- Email address and mobile phone number.
- A selfie or photograph for identity verification purposes, retained only for the duration of the verification process and deleted upon completion.
Work profile information
- Work experience, skills, and any relevant certifications or licences.
- Preferred work locations and availability.
- Profile photograph (optional).
Financial information
- Bank account details (bank name, account number) for pay disbursement via Stripe.
- Records of pay received for each Shift.
Shift and attendance data
- Shift Bookings, clock-in and clock-out records, and Timesheets.
- GPS-verified location data at the point of clock-in and clock-out, to confirm attendance at the correct outlet location.
- Ratings and reviews left by Employers following completed Shifts.
Work Injury Compensation (WIC) data
- Where a work injury claim arises, we may collect medical certificates, incident details, and related documentation to administer WIC insurance as required under the Platform Workers Act 2024. This data is used solely for WIC administration and insurance purposes.
Communications
- Records of messages, support enquiries, and dispute correspondence.
3.3 Website Visitors
When you visit joinflexi.work, we may collect:
- Technical data: IP address, browser type and version, device type, operating system, and referring URL.
- Usage data: pages visited, time spent, and interactions with page elements.
- Form submissions: name, business name, email, phone number, industry, and staff count submitted via our sign-up or contact forms.
This data is collected using cookies and similar technologies. See Section 6.
4. How and Why We Use Personal Data
4.1 Business Customers
| Purpose | Description |
|---|---|
| Account management | Creating and maintaining your Account, verifying your business details, and managing your subscription. |
| Service delivery | Providing access to Rosta, PayOut, and the Gig Platform, and processing your configurations and Bookings. |
| Escrow and payment | Processing Escrow funding and releases via Stripe, generating invoices, and managing payment failures. |
| Customer support | Responding to queries, resolving disputes, and handling complaints. |
| Service improvements | Analysing aggregated or anonymised usage data to improve the platform. |
| Legal compliance | Meeting obligations under Singapore law, including IRAS, MOM, and PDPA requirements. |
| Security | Detecting and preventing fraud, abuse, and unauthorised access. |
| Communications | Sending service notifications, billing communications, and (where you have opted in) product updates. |
4.2 Gig Workers
| Purpose | Description |
|---|---|
| Registration and vetting | Verifying your identity, right to work in Singapore, and relevant qualifications before you are approved to take Shifts. |
| Shift matching and Bookings | Displaying your profile to Employers for relevant Shifts and processing Booking confirmations. |
| Attendance tracking | Recording clock-in/clock-out data (including GPS verification) to generate accurate Timesheets. |
| Pay disbursement | Calculating pay and processing payments to your bank account via Stripe following Timesheet approval. |
| WIC administration | Administering Work Injury Compensation insurance as required under the Platform Workers Act 2024. |
| Ratings and feedback | Displaying Employer ratings on your profile to build your shift history on the platform. |
| Communications | Sending Shift confirmations, payment notifications, and platform updates. |
| Legal compliance | Complying with Singapore law, including MOM regulations and the Platform Workers Act 2024. |
| Security and fraud prevention | Detecting false Timesheets, identity fraud, or other abusive activity. |
| Dispute resolution | Retaining records necessary to investigate and resolve disputes about Shifts, Timesheets, or pay. |
4.3 Website Visitors
We use website visitor data to: maintain and improve the performance and security of our website; understand how visitors interact with our pages; and respond to enquiries submitted through our sign-up and contact forms.
5. Our Legal Bases Under the PDPA
The PDPA requires us to have a valid purpose and basis for collecting, using, and disclosing personal data. The primary bases we rely on are:
| Basis | When We Rely on It |
|---|---|
| Consent (s13 PDPA) | Where we request and obtain your consent before collecting or using personal data — for example, for optional marketing communications, or for the collection of identity verification photographs. |
| Contractual necessity | Processing necessary to perform our contract with you — providing the SaaS Service, processing Bookings, and disbursing pay to Gig Workers. |
| Legal obligation | Processing required to comply with Singapore law — including right-to-work verification, MOM reporting, WIC administration, and IRAS obligations. |
| Legitimate interests | Processing for our legitimate business interests where these do not override your rights — including fraud prevention, platform security, and service improvements using anonymised data. |
| Business improvement (s17 PDPA) | Use of personal data to improve or develop our services, where the data is used in a way that does not adversely affect any individual. |
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and may affect our ability to provide certain services.
6. Cookies and Similar Technologies
Cookies are small text files placed on your device when you visit a website. We use cookies in accordance with the PDPA and our obligations to provide you with clear notice of our data collection practices.
| Category | Details |
|---|---|
| Strictly necessary | Cookies essential to platform operation, including session cookies and security tokens. These cannot be disabled without affecting core functionality. |
| Functional | Cookies that remember your preferences and settings. We will request your consent before placing these. |
| Analytics | Google Analytics 4 with Consent Mode v2 is used, subject to your cookie consent via our CookieYes banner. |
| Marketing | We do not currently use marketing or advertising cookies. If we do so in future, we will update this policy and obtain your consent. |
You can manage cookies through your browser settings or via the cookie preferences panel on our website. Disabling essential cookies may affect your ability to use the platform.
7. Who We Share Personal Data With
We do not sell personal data. We may share it with:
| Recipient | Purpose and Basis |
|---|---|
| Stripe (payment processor) | To process Escrow payments, subscription billing, and Gig Worker pay disbursements. Stripe receives only the data necessary to process each transaction. |
| Email delivery service | To send transactional emails. Only the recipient's email address and message content are shared. |
| IRAS and Singapore tax authorities | For any applicable tax reporting obligations. |
| Ministry of Manpower (MOM) | Where required by law, including Platform Workers Act reporting obligations. |
| WIC insurer | To administer Work Injury Compensation insurance for Gig Workers under the Platform Workers Act 2024. Relevant Gig Worker data is shared only where a WIC claim is made. |
| Employers (for Gig Workers) | Your name, profile, skills, and ratings are visible to Employers for Shift matching. Employers may not use this data for any other purpose. |
| Gig Workers (for Employers) | Upon Booking confirmation, relevant Gig Worker details are shared with the Employer for the purpose of the Shift. |
| Professional advisers | Our legal, accounting, and insurance advisers, subject to confidentiality obligations. |
| Law enforcement and regulators | Where required by law, court order, or the request of a Singapore competent authority. We will notify you unless prohibited from doing so. |
| Prospective buyers of our business | In the event of a merger or acquisition, subject to confidentiality obligations. You will be notified before data transfers to a new responsible organisation under different terms. |
8. Transfers Outside Singapore
We store and process personal data on servers located in Singapore. Where any sub-processor or service provider processes data outside Singapore, we ensure that the recipient provides a standard of protection comparable to the PDPA, in accordance with section 26 of the PDPA and any regulations made thereunder.
If you would like more information about the safeguards in place for any specific transfer, contact our DPO at privacy@joinflexi.work.
9. How Long We Keep Personal Data
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by Singapore law.
| Category | Retention Period |
|---|---|
| Account data (Employers) | For the duration of your subscription, plus 5 years after termination (consistent with Singapore's Limitation Act 1959). |
| Billing and payment records | 5 years from the date of the transaction, as required by IRAS. |
| Gig Worker identity and NRIC data | 2 years after the end of the last Shift worked, or longer if required by applicable law. |
| Gig Worker pay records | 5 years from the date of payment, for IRAS compliance. |
| Shift records and Timesheets | 5 years from the date of the Shift. |
| GPS clock-in/clock-out data | 12 months from the date of the Shift, unless retained longer in connection with an active dispute. |
| WIC claims data | As required by the Work Injury Compensation Act 2019 and applicable insurer requirements. |
| Identity verification photographs (selfies) | Deleted within 30 days of successful verification. |
| Dispute records | 3 years from the date of resolution. |
| Website enquiry data | 12 months from submission, unless you become a customer. |
| SaaS platform content (Employer staff data) | 30 days after Account termination, then deleted. See Schedule 1 to the Terms of Service. |
10. Your Rights Under the PDPA
Under the PDPA, you have the following rights. To exercise any of them, contact our DPO at privacy@joinflexi.work. We will respond within 30 days of receiving your request.
| Right | What It Means |
|---|---|
| Right of access (s21 PDPA) | You may request confirmation of whether we hold personal data about you, and to be provided with a copy of that data and information about how it has been used or disclosed within the past 12 months. |
| Right of correction (s22 PDPA) | You may request that we correct personal data about you that is inaccurate or incomplete. We will correct it as soon as practicable. |
| Right to withdraw consent | Where we rely on consent, you may withdraw it at any time by contacting our DPO. Withdrawal does not affect prior processing. |
| Right to data portability (s26H PDPA) | Where applicable under the PDPA's data portability provisions, you may request that we transmit your personal data to another organisation in a machine-readable format. |
Gig Workers: Some of your data (such as WIC records and pay history) must be retained by law regardless of a deletion or access request. We will tell you clearly which data we are legally required to retain, and why, if this is relevant to your request.
We may charge a reasonable fee for access requests that are excessive or repetitive. We will notify you of any fee before processing your request.
11. Children's Data
The FlexiWork platform and services are intended solely for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a person under 18, contact our DPO immediately at privacy@joinflexi.work and we will delete it promptly.
12. Changes to This Privacy Policy
We may update this policy from time to time to reflect changes in our practices, services, or applicable law. Where we make material changes, we will notify you by email to your registered address at least 14 days before the changes take effect. The most current version will always be available at joinflexi.work/policies/privacy-policy.
13. How to Contact Us and Make a Complaint
13.1 Contact Our DPO
For any questions, concerns, or requests relating to this policy or your personal data:
| DPO | Csenge Csoka |
| privacy@joinflexi.work | |
| Post | FlexiWork Pte. Ltd., 60 Paya Lebar Road, #06-28, Paya Lebar Square, Singapore 409051 |
We aim to acknowledge all privacy enquiries within 5 business days and to complete any formal request within 30 days.
13.2 Right to Complain to the PDPC
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC), the Singapore supervisory authority for data protection:
| Website | pdpc.gov.sg |
| info@pdpc.gov.sg | |
| Phone | +65 6377 3131 |
We would ask that you contact us first to give us the opportunity to address your concern before approaching the PDPC.
— End of Privacy Policy —