VIVA-SG-EDU
Legal / Compliance · PDPA

PDPA Notice.

Personal Data Protection Notice·Navigate Your Degree

This notice is issued by VIVA EDUCATION PTE. LTD. (UEN 202448391R, "VIVA", "we") to all students, parents, prospective clients and website visitors, satisfying the disclosure obligations of sections 13 and 14 of Singapore's Personal Data Protection Act 2012 (PDPA). Read together with the Privacy Policy, this notice forms VIVA's PDPA-compliance framework.

Effective date2026-05-24
Last updated2026-05-24
Statutory basisPDPA 2012 ss13–14

Section 1Identity of data controller (PDPA s13(a))

In satisfaction of section 13's disclosure obligations, VIVA confirms the following identifiers:

  • Legal name: VIVA EDUCATION PTE. LTD.
  • Singapore UEN: 202448391R
  • Primary business: private-university tutoring for Singapore PEI-delivered programmes; pre-submission review; viva practice;
  • Registered address: 3 Little Road · #04-02 · Singapore
  • Primary email: [email protected]
  • Primary telephone: +65 8686 3695 (also WhatsApp)
  • Website: viveedu.com

Section 2Reasonable contact channel / DPO (PDPA s11 + s13(b))

VIVA has appointed a Data Protection Officer (DPO) as required by PDPA s11(3). The DPO handles all personal-data requests, queries and complaints.

DPO contact

All PDPA-related requests should be addressed to:

Email: [email protected]

Telephone: +65 8686 3695

Post: VIVA EDUCATION PTE. LTD. · DPO · 3 Little Road · #04-02 · Singapore

The DPO contact details are reproduced in the footer of every page across viveedu.com so that data subjects can find them at any time.

Section 3Purposes of collection (PDPA s13(b))

VIVA collects personal data only for the following declared purposes:

Service delivery
Identify the student, match a suitable tutor, schedule sessions, prepare materials specific to your programme, log tutoring progress and track learning outcomes.
Contract and accounts
Execute the Tutoring Service Agreement, issue GST-compliant invoices, process payments, refunds and bad-debt recovery, reconcile ledgers.
Communication
Reply to enquiries, confirm meetings, send subscribed notifications.
Safeguarding minors
Verify the parent or guardian's identity, retain signed consent forms, log meeting circumstances to keep students safe.
Service-quality improvement
Anonymised analysis of internal tutoring records to refine pedagogy and curriculum design.
Legal and regulatory compliance
Respond to lawful enquiries from regulators (PDPC, IRAS, CPE), cooperate with court process, satisfy record-keeping duties under Singapore law.
Marketing (opt-in only)
After you expressly opt in, we may send programme announcements and event invitations; you may opt out at any time.

VIVA will not use your personal data for purposes beyond the above unless we obtain further consent in advance or are required by law.

Section 4Consent mechanism (PDPA s14)

VIVA processes your personal data only on the following bases:

  1. Express written consent: signing the consent clause of the Tutoring Service Agreement;
  2. Express electronic consent: ticking a consent box on the website enquiry form, confirming by email, or by an explicitly affirmative WhatsApp reply (e.g. "I agree that VIVA may process my data to respond to this enquiry");
  3. Deemed consent (PDPA s15): where the processing is reasonably necessary to deliver the service you have asked for (e.g. a tutor reading a draft to give feedback);
  4. Deemed consent — necessity for a contract (PDPA s15(2)): disclosure to a third-party data intermediary (such as Stripe for payment or Google Workspace for email) where reasonably necessary to perform your contract with VIVA;
  5. Authority of law: the exceptions listed in the First Schedule to the PDPA, such as cooperation with law-enforcement or protecting life and property.

Parental / guardian consent. For minors under 13, consent must be given by a parent or legal guardian. For minors aged 13 to 17, the student gives consent and the parent or guardian ratifies it afterwards. See Privacy Policy Section 10.

Section 5Specific third-party data intermediaries

Within the meaning of "data intermediary" in PDPA s4(2), VIVA has written agreements in place authorising the following providers to process specific personal data on VIVA's behalf:

Stripe Payments Singapore Pte. Ltd.
Payment processing. Data processed: billing name, billing address, card identifier (not the full card number), transaction reference. Legal basis: PCI-DSS Level 1 compliance + Data Processing Agreement with VIVA.
WhatsApp Business / Meta Platforms Ireland Ltd.
Messaging with you. Data processed: phone number, message content, attachments, read receipts. Legal basis: Meta WhatsApp Business terms of service.
Cloudflare, Inc.
Website hosting, CDN, DNS, Email Routing, DDoS protection. Data processed: IP address, access logs, email-delivery metadata. Legal basis: Cloudflare Data Processing Addendum.
Google LLC (Workspace)
Email (@viveedu.com), document collaboration, calendar. Data processed: email content, attachments, calendar events, document content. Legal basis: Google Workspace Data Processing Amendment.
OpenAI, L.L.C.
Only used to support tutors in idea structuring, language checking and lesson-material drafting; opted out of training at the API level so the data is not used to train OpenAI models. Data processed: transient text input (no student-identifiable fields retained). Legal basis: OpenAI Enterprise Data Processing Addendum.
Anthropic, PBC
Only used to support tutors in idea structuring and document review; opted out of training at the API level so the data is not used to train Anthropic models. Data processed: transient text input (no student-identifiable fields retained). Legal basis: Anthropic Commercial Terms of Service + DPA.
Accountant / tax agent [TBC]
Specific firm to be confirmed by user. Data processed: transaction vouchers, payment records. Legal basis: planned Engagement Letter + DPA.
Other tools [TBC]
e.g. Calendly / Zoom / Notion / Microsoft 365 — please confirm with user.
[TBC] Items marked TBC need confirmation by the user before formal publication. The full list (with DPA references) is maintained in VIVA's internal Vendor Register; a summary is available to data subjects from the DPO on request.

VIVA remains the data controller under the PDPA. Third-party data intermediaries are contractually bound and must not process or disclose data outside the scope VIVA has authorised.

Section 6Cross-border transfer (PDPR 2021 regs 10/11/12)

Several of the providers in Section 5 (Stripe, Cloudflare, Google, OpenAI, Anthropic, Meta) host their servers outside Singapore (United States, European Union, Ireland etc.). VIVA relies on PDPR 2021 regs 10, 11 and 12 to ensure the cross-border standard of protection is at least as high as the PDPA:

Reg 10 — Recipient's obligations
Each overseas recipient must be bound by an enforceable contract (such as standard contractual clauses) to protect the data at PDPA-equivalent standards.
Reg 11 — Form and content of contract
The contract specifies: (a) data categories and volume; (b) processing purpose; (c) retention period; (d) security controls; (e) rules on sub-processors; (f) breach-notification duties; (g) the obligation to delete or return data on VIVA's instruction.
Reg 12 — Exceptions
The transfer is also lawful where (a) the data subject expressly consents, (b) it is necessary to perform a contract with the data subject, (c) it is in the data subject's interest (e.g. medical emergency), or (d) the data is publicly available.

VIVA signs a Data Processing Agreement (DPA) with each intermediary covering the above. Summary terms for any specific intermediary are available from the DPO.

Section 7Access and correction rights (PDPA ss21–22)

You have the following rights under PDPA ss21 and 22:

  1. Access request: ask VIVA for (a) the personal data we hold about you; and (b) how it has been used and disclosed in the past 12 months.
  2. Correction request: ask VIVA to correct inaccurate or incomplete data.

How to submit.

  • Send a written request to the DPO inbox: [email protected];
  • Use the subject line "PDPA Access Request" or "PDPA Correction Request";
  • Include your name, contract number or registered email, and the specific data scope you want.

Identity verification. To prevent improper disclosure, VIVA may ask you for an ID document (e.g. scanned Singapore NRIC / passport / student card with non-essential fields redacted).

Fees. For access requests requiring significant manpower, VIVA may charge a reasonable fee under PDPA s28(3), and will notify you in writing in advance. Routine access requests are free.

Section 8Withdrawal of consent (PDPA s16)

You may withdraw any previously given consent as follows:

  • Send a written request to [email protected];
  • Use the subject line "PDPA Withdrawal of Consent";
  • Specify the processing purpose you are withdrawing (e.g. "marketing emails", "sharing with Stripe"), or withdraw all consents.

Effect. Within 10 business days of a valid request, VIVA will stop the affected processing and reply in writing confirming the scope, the service impact and what data remains subject to legal-retention obligations.

Consequences. Withdrawing some key consents (e.g. "do not share with Stripe") may make it impossible for VIVA to continue providing the tutoring service. VIVA will warn you in writing of any such impact, but this warning does not limit your right to withdraw.

Section 9Service-level commitments

VIVA commits to the following processing timelines:

Access / correction requests
Replied within 30 calendar days of a valid written request (the reasonable period contemplated in PDPA s21(2)). For wide-scope requests beyond 30 days, VIVA will give written notice of the reason and the expected completion date.
Withdrawal of consent
Stop the affected processing and reply in writing within 10 business days of a valid request.
Complaint handling
Acknowledge receipt within 14 calendar days; report the outcome within 30 calendar days.
Data breach notification
If the incident crosses the Part VIA (s26A–26E) notification threshold, notify the PDPC within 3 calendar days of becoming aware, and notify affected individuals at the same time.

Section 10Complaints mechanism

If you believe VIVA's processing breaches the PDPA or this notice, please address a written complaint to the DPO first: [email protected]. The process is:

  1. Stage 1 (VIVA internal): the DPO acknowledges within 14 days and reports within 30 days;
  2. Stage 2 (PDPC): if you are not satisfied, file a complaint with the Personal Data Protection Commission: https://www.pdpc.gov.sg;
  3. Stage 3 (alternative dispute resolution): the PDPC may channel the dispute to IMDA-supervised mediation.

This notice, together with the Privacy Policy, Terms of Service, Cookie Policy and Disclaimer, constitutes VIVA's compliance framework.