FitCode Pte. Ltd. (trading as “empathAIse”)

Last Updated: 12 December 2025

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service or any other written or electronic contract between FitCode Pte. Ltd. (trading as “empathAIse”) (“Processor”, “Data Intermediary”, “we”, “us”, “our”) and the Customer (“Controller”, “you”, “your”).

This DPA governs the processing of Personal Data by empathAIse on behalf of the Customer in connection with the Customer’s use of the empathAIse platform (“Platform”).

1. Definitions

For purposes of this DPA:

“PDPA”

Refers to the Singapore Personal Data Protection Act 2012, as amended.

“Personal Data”

Data about an individual who can be identified from that data or from that data and other accessible information.

“Customer Data”

Personal Data submitted, uploaded, imported, or collected by the Customer or its users via the Platform.

“Data Controller” / “Controller”

The Customer who determines the purposes and means of processing Customer Data.

“Data Intermediary” / “Processor”

FitCode Pte. Ltd., when processing Customer Data on behalf of the Controller.

“Processing”

Any operation performed on Personal Data, including storage, transmission, retrieval, organisation, or deletion.

“Subprocessor”

A third party engaged by empathAIse to assist with processing Customer Data.

2. Roles of the Parties

2.1 The Customer as Data Controller

You determine:

What Customer Data is collected

Why it is collected

How it is used

You remain fully responsible for:

Obtaining all required consents

Providing privacy notices

Ensuring accuracy and lawfulness of Customer Data

Responding to data subject requests

2.2 empathAIse as Data Intermediary (Processor)

We process Customer Data solely on your documented instructions, except where required by law.

We do not:

Sell Customer Data

Share Customer Data for advertising

Control or determine the purposes of processing

3. Scope and Purpose of Processing

empathAIse processes Customer Data strictly for:

Operating and delivering the Platform

Providing customer support

Maintaining platform security and availability

Improving features and system performance

Complying with legal obligations

Processing communications (email, SMS, WhatsApp, voice, AI tools)

Storing Customer Data and backups

Processing of Customer Data will not occur for any other purpose unless instructed by the Customer.

4. Customer Obligations

The Customer agrees to:

4.1 Obtain All Necessary Consent

You confirm that:

You have collected valid PDPA-compliant consent

You have issued required notices to individuals

You maintain proof of consent for messages, marketing, and communications

4.2 Ensure Lawful Collection

You confirm that Customer Data was collected lawfully and can be processed by empathAIse.

4.3 Retention & Deletion

You are responsible for configuring:

Data retention rules

Deletion policies

Export and backup procedures

4.4 Data Accuracy

You must ensure that Customer Data is accurate and up to date.

4.5 Respond to Data Subject Requests

You remain responsible for:

Access requests

Correction requests

Withdrawal of consent

Objections

If empathAIse receives such a request directly, we will redirect the individual to you.

5. Processor Obligations (empathAIse Responsibilities)

empathAIse agrees to:

5.1 Process Data Only on Documented Instructions

Unless required by law, in which case we will notify you unless prohibited.

5.2 Confidentiality

We ensure staff and contractors with access to Customer Data are bound by confidentiality obligations.

5.3 Security Measures

We implement reasonable administrative, technical, and organisational safeguards including:

Encryption in transit and at rest

Access controls and authentication

Network and infrastructure monitoring

Secure development lifecycle

Data loss prevention

Regular security reviews

5.4 Assistance with Compliance

Where reasonable, we will support the Customer in:

Security considerations

Breach reporting information

Data subject requests (redirecting only)

Data protection assessments

5.5 Deletion After Termination

Upon account closure:

Customer Data will be retained for 30 days

Deleted thereafter

Backups may persist for up to 90 days

6. Subprocessors

6.1 Authorised Subprocessors

The Customer provides general authorisation for empathAIse to engage Subprocessors necessary for operations such as:

Cloud hosting & storage

Email/SMS/WhatsApp/voice delivery

AI providers

Support platforms

Payment gateways

Analytics and monitoring systems

A list of subprocessors is available upon request.

6.2 Subprocessor Contracts

Each Subprocessor is bound by:

Confidentiality obligations

Security requirements

PDPA-aligned data protection terms

6.3 Customer Objection

If you object to a new Subprocessor for reasonable grounds, we will work with you to find a compliant solution. If none is possible, termination of the affected service may be required.

7. International Data Transfers

Customer Data may be transferred or stored in data centres outside Singapore.

empathAIse will ensure:

Comparable PDPA protection through contractual clauses

Appropriate transfer mechanisms

Encryption and secure transport

By using the Platform, you consent to international data transfers.

8. Data Breach Management

8.1 empathAIse Responsibilities

If empathAIse becomes aware of a data breach affecting Customer Data, we will:

Promptly assess the incident

Take steps to contain and remediate

Notify the Customer without undue delay

Provide necessary breach details for PDPA reporting

Assist with technical recovery where appropriate

8.2 Customer Responsibilities

You must:

Notify empathAIse immediately if you suspect a breach originating from your use

Comply with PDPA reporting obligations for affected individuals

Provide breach notifications to your customers where required

9. Audits & Compliance

9.1 Customer Audit Rights (Enterprise-Friendly)

Upon reasonable written notice, you may request:

A summary of our security measures

Documentation demonstrating PDPA compliance

Responses to security questionnaires

Full on-site audits are not permitted unless required by law or contractually negotiated with enterprise customers.

9.2 Confidentiality

All audit information must remain confidential.

10. Data Retention, Return, and Deletion

Upon termination or expiration:

10.1 Retention

Customer Data remains accessible for 30 days.

10.2 Deletion

After 30 days, Customer Data is permanently deleted, except:

Backups that remain for up to 90 days

Data retained where required by law

10.3 Return of Data

You may export Customer Data at any time before termination using built-in tools.

11. Limitation of Liability

Liability under this DPA is subject to the limitation of liability provisions in the governing agreement (typically the Terms of Service or Master Service Agreement).

empathAIse shall not be liable for:

Improper configuration by the Customer

Unlawful or incorrect data submitted by the Customer

Customer misuse of messaging or AI functions

Issues caused by third-party providers or carriers

12. Governing Law & Dispute Resolution

This DPA is governed by Singapore law.

Disputes will be resolved through:

Negotiation for 30 days, then

Binding arbitration under SIAC, before a single arbitrator, in English.

13. Term & Termination

This DPA remains in effect:

For the duration of the Customer’s subscription, and

Until all Customer Data has been deleted in accordance with this Agreement

14. Contact Details

For all data protection-related matters:

FitCode Pte. Ltd. (trading as empathAIse)

8 Chang Charn Rd, #02-13 Link (THM) Building

Singapore 159637

Email: [email protected]