PDPA 2012 — Singapore

Privacy Policy

Effective date: 1 May 2026 · MyopiaClarity

MyopiaClarity is an educational intelligence platform— not a clinical service. This policy explains how we collect, use, store, and protect your personal data under Singapore's Personal Data Protection Act 2012 (PDPA).

1. Who We Are

MyopiaClarity is operated by Aw Wei Cong, an OOB-registered optometrist (Registration No. OOB-E2200029I), Singapore. We operate the website at myopiaclarity.com. As the organisation that determines the purposes and means of processing your personal data, we are the Data Controller under the PDPA.

MyopiaClarity provides optometric education and personalised myopia intelligence. We do not provide clinical diagnosis, medical advice, or treatment recommendations. Reports are for informational and educational purposes only and do not substitute for professional clinical consultation.

2. Data We Collect

We collect only the data necessary to provide the MyopiaClarity service.

Category	Data points	Purpose
Account data	Full name, email address	Authentication, service communications
Child profile	Child's name, date of birth, school year	Personalise reports to child's age
Prescription data	SPH, CYL, axis, exam date — per eye, per visit	Calculate velocity, generate age-18 projections
Payment data	Transaction ID, plan type, status (via Stripe — not stored by us)	Subscription and billing records
Consent records	PDPA consent timestamp, IP at consent	Legal compliance — evidence of informed consent
Usage data	Pages visited, reports generated (anonymised)	Platform improvement

Sensitive personal data: Prescription data relating to a child is sensitive personal data under the PDPA. Collected only with your explicit, informed consent captured at account creation. You may withdraw consent at any time (see Section 7).

We do not collect: credit card numbers, NRIC/FIN numbers, or government-issued identity documents. Payment card details are processed exclusively by Stripe and never transmitted to or stored on MyopiaClarity servers.

3. How We Use Your Data

Service delivery

Calculate myopia velocity, generate Velocity Reports and age-18 projections, deliver via dashboard and email.

AI report generation

Prescription data is transmitted to the Anthropic API per report request. See Section 4.

Account management

Authenticate your account, manage your plan, and process payments via Stripe.

Transactional email

Account confirmations, report delivery, threshold alerts, and renewal reminders via Resend.

Legal compliance

Maintain PDPA consent records and respond to data access or correction requests.

Platform improvement

Analyse anonymised usage patterns. Prescription data is never used for AI model training.

We do not sell your personal data to advertisers, data brokers, or third parties.

4. Third-Party Processors

We engage the following processors, each bound by contractual obligations to handle your data securely and only for the purposes we specify.

SupabaseDatabase & Authentication📍 Singapore / US

Data shared: Account data, child profiles, prescription data, consent records

Primary data store. Encrypted at rest and in transit.

Anthropic (Claude API)AI Report Generation📍 United States

Data shared: Prescription data (SPH, CYL, axis, dates) transmitted per report request

Transmitted over TLS. Zero data retention — inputs not used to train Anthropic's models.

StripePayment Processing📍 US / Global

Data shared: Email address, payment card (processed directly by Stripe — never stored by us)

PCI-DSS Level 1 compliant. MyopiaClarity never receives or stores card numbers.

ResendTransactional Email📍 United States

Data shared: Email address, name, report notifications

Service-related emails only — not marketing without separate consent.

VercelWeb Hosting & CDN📍 US / Global Edge

Data shared: IP address, standard server request logs

Logs retained 30 days. Analytics are anonymised — no personal identifiers.

5. Children's Data

MyopiaClarity processes personal data relating to minors aged 6–18. This constitutes sensitive personal data under the PDPA and is treated with heightened care.

Consent

All child data is provided by the parent or legal guardian via the PDPA consent modal at account creation.

Purpose limitation

Used exclusively to generate myopia intelligence for that child. Not used for advertising, profiling, or unrelated purposes.

Minimum data

Only prescription information necessary to calculate velocity and generate projections.

Access & deletion

A parent may request access, correction, or deletion of their child's data at any time — see Section 7.

6. Data Retention

Category	Retention period	Reason
Account & child profile	Active account + 1 year after closure	Service continuity; dispute resolution
Prescription & reports	Active subscription + 1 year after cancellation	Longitudinal accuracy; reactivation continuity
Payment records	7 years from transaction date	Singapore tax obligations
PDPA consent records	5 years from consent (or account closure, whichever later)	Legal evidence of consent
Server logs (Vercel)	30 days	Security monitoring

7. Your PDPA Rights

Access

Request a copy of all personal data we hold about you and your child. Responded to within 10 business days.

Correction

Request correction of inaccurate data. Prescription data can be updated directly in your dashboard at any time.

Withdraw consent

Withdraw PDPA consent at any time. Note: withdrawal requires account closure as consent is necessary to provide the service.

Data portability

Request an export of your data in JSON or CSV format.

Erasure

Request deletion of your account and all personal data, subject to retention obligations (e.g. payment records for tax purposes).

To exercise any right, email dpo@myopiaclarity.com with the subject line "PDPA Data Request". We acknowledge within 3 business days and respond fully within 10 business days. If dissatisfied, you may escalate to the Personal Data Protection Commission (pdpc.gov.sg).

8. Data Security

Encryption in transit

TLS 1.2+ between your browser, our servers, and all third-party processors.

Encryption at rest

Supabase database encrypted at rest (AES-256).

Access controls

Database access restricted to authenticated application processes only.

Authentication

Email confirmation and magic-link auth. Passwords are never stored in plaintext.

Payment security

Stripe PCI-DSS Level 1. Card numbers never reach MyopiaClarity servers.

In the event of a data breach likely to cause significant harm, we will notify affected users and the PDPC as required under the mandatory breach notification obligation of the PDPA Amendment Act 2020.

9. Cookies and Tracking

Cookie	Type	Purpose	Retention
Supabase auth session	Essential	Maintains your logged-in session	Session or 7 days
Vercel Analytics	Analytics (anonymised)	Page view counts — no personal identifiers	Aggregated only

No advertising cookies, third-party tracking pixels, or behavioural profiling technologies are used.

10. Changes to This Policy

When we make material changes, we will notify you by email at least 14 days before the effective date and display a notice in your dashboard. Continued use after the effective date constitutes acceptance.

11. Contact & Data Protection Officer

For any questions, concerns, or data requests, contact our Data Protection Officer:

Data Protection Officer — MyopiaClarity

Role: Appointed DPO, MyopiaClarity
OOB Registration: OOB-E2200029I
Email: dpo@myopiaclarity.com
Response: 3 business days (acknowledgement) · 10 business days (full response)
Governing law: Singapore

Formal complaints may also be submitted to the Personal Data Protection Commission at pdpc.gov.sg/complaints.