Last Updated: December 1, 2023
The company processes personal information only for the purposes specified at the point of collection, and will not use the personal information for any other purposes beyond those stated, unless separate consent is obtained in accordance with Singapore's Personal Data Protection Act. If the purpose of use is changed, appropriate measures will be taken, such as obtaining separate consent from the individual in question.
① The CT Box's collects and uses personal information as in Article 6 (Creating items of personal information to be processed).The period of retention and use of collected personal information is from the signing of the service use contract (membership registration) to the termination of the service use contract (including application for withdrawal).
② The Ctomorow App processes and retains personal information within the retention of personal information in accordance with laws and regulations.
Each personal information processing and (obligatory) retention period in accordance with laws and regulations is as follows.
| Retention information | Retention Period | Grounds of Law |
|---|---|---|
| Records on payment and supply of goods | 5 years | Section 7(3) of the Sale of Goods Act, and Section 34 of the Limitation Act |
| Records on contract or withdrawal of subscription | 6 years | Limitation Act (Chapter 163) |
| Records on handling consumer complaints or disputes | 3 years | Association of Banks in Singapore (ABS) Code of Consumer Banking Practice, and Financial Industry Dispute Resolution Centre (FIDReC) |
| Records on display and advertisement | 6 months | Singapore Code of Advertising Practice (SCAP) |
| Records of Electronic Financial Transactions | 5 years | Section 24 of the Payment and Settlement Systems Act |
| Website and app visit history | 1 year | Personal Data Protection Commission (PDPC) Advisory Guidelines on the Personal Data Protection Act (PDPA) for NRIC and Other National Identification Numbers |
| Records on the collection, processing and use of credit information | 2 years | Banking Act (Chapter 19), and Guidelines on Fair Dealing by Banks (Monetary Authority of Singapore) |
③ If the use contract is still in effect after the above mandatory retention period, the information is kept until the end of the use contract. If it is necessary to withdraw the information beyond the mandatory retention period, the user can request the withdrawal through Article 12 (Request for Access to Personal Information).
The CT Box App uses your personal information only for the purposes notified to you in accordance with Section 13 of the Personal Data Protection Act (PDPA). We will not use your personal information for purposes beyond what has been disclosed, nor will we disclose it to other companies or organizations without your consent, except when required by law.
① The company processes personal information only within the scope specified in Section 18 (Limitation on purpose) of the PDPA. Personal information may be disclosed to third parties only in accordance with the provisions of the PDPA, such as with your consent or when required by law.
② The company discloses personal information to third parties only in accordance with the provisions of the PDPA, such as with your consent or when required by law.
| Recipient | Offer | Purpose of provision | Retention and period of use |
|---|---|---|---|
| Shipping company | Name/Phone Number/Address | Product delivery | 6 months after delivery |
| Partner Company (Provides cosmetics) | ID, name, phone number, mobile phone number, delivery address, email address (when selected), customs unique code (when selected) | Handling of tasks necessary for the fulfillment of information and communication service provision contracts and e-commerce (mail order sales) contracts, such as product and gift (service) delivery (transmission), product installation, return, refund, customer consultation, etc. | 3 months after the end of the purchase service |
① The company entrusts the following personal information processing tasks for smooth personal information processing.
| consignee | Consignment work | Purpose |
|---|---|---|
| SMS | Twilio | Send SMS for verification |
| Payment | Stripe, Inc. | Domestic payment processing |
| Payment | Stripe, Inc. | Overseas credit card payment processing |
② Pursuant to section 24 of the Personal Data Protection Act (PDPA), the company will require the third-party service providers to implement appropriate measures to protect the personal data that they process, and ensure that they process the personal data only for the purposes for which the personal data was collected or as required by law. The company will also monitor and supervise the third-party service providers to ensure that they process the personal data securely.
③ If there are any changes to the third-party service providers or the purposes for which they process the personal data, the company will update this personal data protection policy as soon as practicable.
① The User may, at any time, exercise the right to access, correct, delete, and restrict the processing of personal data held by the company.
② The exercise of rights under Paragraph 1 may be made in writing, via email, or other means prescribed by the Personal Data Protection Act (PDPA), and the company shall take appropriate measures without undue delay.
③ The User may also exercise the rights under Paragraph 1 through an agent, such as a legal representative or a person authorized by the User. In such cases, the company may require the submission of a power of attorney in a form prescribed by the PDPA.
④ The rights of the User may be restricted in accordance with the exceptions set out in the PDPA.
⑤ Requests for correction and deletion of personal data may be refused if the personal data is required by law or for the performance of a contract.
⑥ The company shall verify the identity of the User or the authorized representative before responding to any request for access, correction, deletion, or restriction of personal data.
① The company is processing the following personal information category.
| purpose | category |
|---|---|
| Customer |
Sign up (Required) Email, name, password, date of birth, gender (optional) Mobile phone number, ID, withdrawal account, Q account password |
| Skin Data | Access to phone camera |
| Order, payment, delivery service | Name, mobile phone number, phone number, address, email, credit card information for card payment, bank account information for bank transfer, simple payment account information for simple payment, personal customs clearance code |
| Email or ID, find a password | Name, gender, date of birth, mobile phone number, email address |
| SNS login | Google, Apple, Facebook, KakaoTalk |
| Non-member order, payment and delivery service | Name, mobile phone number, phone number, address, email, credit card information for card payment, bank account information for bank transfer, simple payment account information for simple payment, personal customs clearance code. |
| Other access information | Service usage history, access logs, cookies, access IP information |
| Seller |
Seller member service provision, etc. Company name, contact person name, ID, email, phone number, mobile phone number, address, URL for reference (optional) |
| Sales payment settlement, etc. | Bank account information, business license number, company name, email, phone number, address. |
At Ctomorrow, we understand the importance of protecting your personal data and privacy. This article provides an overview of the skin scanning data we collect, how we use it.
① The company destroys the personal information without delay when the personal information becomes unnecessary, such as the expiration of the personal information retention period or achievement of the purpose of processing.
② The company notifies the user in advance of the personal information of the user who has not used the company's service for one year, and destroys or separates the personal information and stores and manages it.
③ If personal information must be continuously preserved according to other laws, the personal information is moved to a separate database (DB) or stored in a different storage location.
④ Separately stored personal information is completely destroyed in a safe manner after five years without the requirements of other laws and regulations.
⑤ The procedures and methods for personal information destruction are as follows.
The company is taking the following measures to ensure the safety of personal information.
① The company uses 'cookie' to store and retrieve usage information from time to time to provide individual customized services to users.
② Cookies are small amounts of information that the server (http) used to run the website sends to the user's computer browser, and are sometimes stored on the user's hard disk in the user's PC computer.
Purpose of use of cookies: It is used to provide optimized information to users by identifying the types of visits and usage of each service and website visited by the user, popular search terms, and whether or not secure access is available.
Installing and operating and rejecting cookies: You can refuse to save cookies by going to the bottom right of the website and settings through the app.
If you refuse to store cookies, you may experience difficulties in using customized services.
In accordance with the Personal Data Protection Act (PDPA), the company may use and disclose personal data without the consent of the individual in certain circumstances, as provided under sections 18 and 20 of the PDPA. However, such use and disclosure must be considered in accordance with the following standards:
The criteria for considering additional use and disclosure of personal data are determined and disclosed by the company autonomously.
Users can view their personal information through "My Profile" in the CT Box's site or app. If you are having difficult then please contact Ctomorrow's Customer service center through [email protected]
Users who would like to make a report can do so for dispute resolution or consultation purposes to the Personal Data Protection Commission (PDPC) or seek legal redress through the courts. In addition, for other personal information infringement reports and consultations, the following organizations may be contacted:
This privacy policy is effective from the 1st of December, 2023.