Privacy Policy
Effective date: 18 May 2026 Last updated: 18 May 2026
This Privacy Policy explains how SiteFolk, a business registered in Singapore (“SiteFolk”, “we”, “us”, or “our”), collects, uses, discloses, and protects personal data in connection with the website located at wearesitefolk.com (the “Site”) and our design and Webflow development services (the “Services”).
This Policy is issued in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”). Where you access the Site or use the Services from the European Economic Area or the United Kingdom, the additional rights set out in Section 9 apply.
By accessing the Site or engaging us for the Services, you consent to the collection, use, and disclosure of your personal data as described in this Policy.
1. Data Controller
The data controller responsible for your personal data is:
SiteFolk A business registered in Singapore hello@wearesitefolk.com
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Information you provide directly. When you book an intro call, submit an enquiry, or engage us for the Services, you may provide:
(a) identification and contact information (name, email address, company name, role, country);
(b) booking details (preferred meeting times, time zone, agenda notes);
(c) project information (business context, requirements, content, and any other information you choose to share);
(d) billing information (billing address, tax identifiers); payment card details are processed directly by Stripe and are not stored by us.
2.2 Information we collect automatically. When you visit the Site, we and our service providers may collect:
(a) device and connection data (IP address, browser type and version, operating system, device identifiers, referring URL);
(b) usage data (pages viewed, time spent, links clicked, scroll depth, approximate geographic location derived from IP address);
(c) data collected through cookies and similar technologies (see Section 6).
2.3 Information from third parties. We may receive personal data about you from:
(a) publicly available sources (LinkedIn, company websites) used for due diligence and outreach;
(b) referrers who recommend us to you;
(c) our service providers listed in Section 5.
3. Purposes of Processing
We process personal data for the following purposes:
(a) to respond to enquiries, schedule intro calls, and provide quotes;
(b) to deliver the Services, including communicating with you through Slack, Loom, email, and Webflow, and producing Deliverables;
(c) to invoice you and process payments through Stripe;
(d) to operate, secure, and improve the Site;
(e) to send service-related communications (project updates, billing notices, changes to these documents);
(f) to send marketing communications about our Services where permitted by law and where you have not opted out;
(g) to comply with legal, accounting, tax, and regulatory obligations;
(h) to establish, exercise, or defend legal claims;
(i) to detect, investigate, and prevent fraud, abuse, or security incidents.
4. Legal Bases for Processing
Where the PDPA applies, we rely on your consent (express or deemed) and on the exceptions set out in the First and Second Schedules of the PDPA, including the legitimate interests exception, business contact information, and necessity for the performance of a contract.
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
(a) performance of a contract (Article 6(1)(b)) for processing necessary to provide the Services and administer your account;
(b) legitimate interests (Article 6(1)(f)) for operating and securing the Site, marketing to existing clients, business development outreach, and improving our Services. Our legitimate interests are balanced against your rights and freedoms;
(c) consent (Article 6(1)(a)) for non-essential cookies and marketing communications to prospects where consent is required;
(d) legal obligation (Article 6(1)(c)) for tax, accounting, and other statutory record-keeping.
5. Disclosure to Third Parties and Sub-Processors
We do not sell personal data. We disclose personal data only to the categories of recipients listed below and only as necessary to provide the Services or to comply with law.
5.1 Sub-processors and service providers. We use the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Webflow, Inc. | Site hosting and content management | United States |
| Cloudflare, Inc. | Content delivery, DNS, security, bot protection | Global |
| Google LLC (Google Analytics 4) | Website analytics | United States |
| Ahrefs Pte. Ltd. | Search analytics and SEO monitoring | Singapore |
| Cal.com, Inc. | Meeting scheduling and booking | United States |
| Stripe, Inc. | Payment processing | United States |
| Slack Technologies, LLC | Client communications | United States |
| Loom, Inc. | Video walkthroughs and project recaps | United States |
| Google LLC (Google Workspace) | Email and document collaboration | United States |
This list may be updated from time to time. Material changes will be reflected in this Policy.
5.2 Professional advisers. We may disclose personal data to our accountants, lawyers, insurers, and other professional advisers where reasonably necessary.
5.3 Authorities and law enforcement. We may disclose personal data where required by law, court order, or government request, or where necessary to enforce our rights or protect the safety of any person.
5.4 Corporate transactions. In connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, personal data may be transferred to the relevant counterparty, subject to equivalent confidentiality and data protection obligations.
6. Cookies and Similar Technologies
6.1 We use cookies and similar technologies to operate the Site, measure usage, and improve performance.
6.2 The categories of cookies we use are:
(a) Strictly necessary cookies. Required for the Site to function (for example, security, load balancing, and Cloudflare bot protection). These cannot be disabled.
(b) Analytics cookies. Set by Google Analytics 4 to measure usage and improve the Site. IP addresses are truncated or anonymised where supported.
(c) Functional cookies. Set by tools such as Cal.com to remember preferences and support scheduling.
(d) Custom cookies. As the Site develops, we may introduce additional first-party cookies for product features, A/B testing, or personalisation. Material changes will be disclosed in this Policy and, where required, your consent will be sought.
6.3 You may control cookies through your browser settings or, where available, through the cookie consent banner on the Site. Disabling cookies may affect Site functionality.
7. International Transfers
Several of our sub-processors are located outside Singapore, including in the United States. Where we transfer personal data outside Singapore, we comply with the PDPA Transfer Limitation Obligation by ensuring that the recipient is bound by enforceable obligations that provide a standard of protection comparable to the PDPA.
Where the GDPR or UK GDPR applies, transfers outside the European Economic Area or the United Kingdom are made on the basis of: (a) an adequacy decision of the European Commission or the UK Government; (b) Standard Contractual Clauses or the UK International Data Transfer Addendum; or (c) another lawful transfer mechanism.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including any retention required to satisfy legal, accounting, tax, or reporting obligations. Indicative retention periods are:
(a) enquiry data not converted into an engagement: up to 24 months from last contact;
(b) client records and project files: 7 years from the end of the engagement (to satisfy tax and accounting requirements under Singapore law);
(c) invoices and payment records: 7 years;
(d) website analytics data: in accordance with the default retention settings of the relevant provider (currently 14 months for Google Analytics 4);
(e) marketing contacts: until you unsubscribe or request deletion.
After the applicable retention period, personal data is deleted or anonymised.
9. Your Rights
9.1 Rights under the PDPA. You have the right to:
(a) request access to the personal data we hold about you;
(b) request correction of personal data that is inaccurate or incomplete;
(c) withdraw any consent you have given for the collection, use, or disclosure of your personal data, subject to reasonable notice and the consequences described in the PDPA.
9.2 Additional rights under the GDPR or UK GDPR. If you are in the European Economic Area or the United Kingdom, you also have the right to:
(a) request erasure of your personal data (“right to be forgotten”);
(b) request restriction of processing;
(c) object to processing carried out on the basis of legitimate interests, including direct marketing;
(d) request portability of your personal data;
(e) lodge a complaint with a supervisory authority (for the EEA: your local Data Protection Authority; for the UK: the Information Commissioner’s Office at ico.org.uk).
9.3 How to exercise your rights. To exercise any of these rights, contact us at hello@wearesitefolk.com. We will respond within thirty (30) days, or such longer period as may be permitted by law. We may need to verify your identity before responding.
10. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. These include access controls on workspace tools, encryption in transit, and the use of reputable sub-processors with appropriate security certifications. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Children
The Site and the Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from such individuals. If you believe we have inadvertently collected personal data from a minor, please contact us so we can delete it.
12. Third-Party Links
The Site may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices.
13. Changes to This Policy
We may amend this Policy from time to time. Material changes will be notified by updating the “Last updated” date above and, where appropriate, by direct notice. Continued use of the Site or the Services after the effective date constitutes acceptance of the revised Policy.
14. Contact and Data Protection Officer
For any questions, requests, or complaints regarding this Policy or our processing of your personal data, including PDPA access or correction requests, please contact:
SiteFolk Data Protection Officer hello@wearesitefolk.com
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore at pdpc.gov.sg.