Two independent organisations both have the name “Citrin Foundation”: Citrin Foundation (UK), a charitable company registered in England and Wales (Company Number 15940318) and Citrin Foundation (Singapore), a registered charity in Singapore (Company Registration Number: 201635027D). These organisations share a common mission which they each work to achieve (separately and in collaboration with each other). Each organisation is separate, independent and responsible for its own activities.

This page provides access to the Privacy Policies of both Citrin Foundation (Singapore) and Citrin Foundation (UK), reflecting their respective legal frameworks and operational responsibilities.

Your privacy is important to us. We, Citrin Foundation (Singapore), with Company Registration Number 201635027D (the “Foundation”, “we”, “us” or “our”) are committed to protecting the personal data provided by you in accordance with the principles set out in this Personal Data Privacy Policy (“Data Privacy Policy” or “Policy”). As the context may require, “you” or “your” may include you and/or your spouse, children, parents, dependents, patients and/or third parties for and on whose behalf you are duly authorized to provide us with their personal data.

Please take a moment to read this Policy. This Policy sets out how we may collect, use, disclose and manage your personal data.

By accessing our website (https://patient.citrinfoundation.org), interacting with us, submitting information to us, signing up for or using any services (or products) offered by us, you agree and consent to us collecting, using, disclosing and managing your personal data (including disclosing such personal data to our authorized service providers and relevant third parties) in accordance with this Policy.

If you are below the age of 16 years, you represent and warrant that you have secured the consent of your parent/guardian for interacting with us, submitting information to us, signing up for any services (or products) offered by us, and for us to collect, use, disclose and manage your personal data (including disclosing such personal data to our authorized service providers) in accordance with this Policy.

This Policy supplements but does not supersede nor replace any other consents you may have previously provided to us in respect of your personal data, and your consents herein are additional to any rights which we may have at law to collect, use, disclose and manage your personal data.

Unless defined in this Policy, any terms used in this Policy which are also defined in Personal Data Protection Act 2012 of Singapore (“PDPA”) shall have the definition as provided by PDPA or Advisory Guidelines promulgated by Personal Data Protection Commission (“PDPC”). We may update this Policy from time to time to ensure that it remains consistent with applicable laws and guidelines. Subject to your rights at law, you agree to be bound by the prevailing terms of this Policy as updated from time to time on our website. The latest version of this Policy supersedes earlier versions. We encourage you to review this page periodically to keep up to date with any changes to this Policy.

1. PERSONAL DATA

In this Policy, “personal data” refers to any data, whether true or not, about an individual who can be identified (i) from that data or (ii) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time. Examples of such personal data may include your full name, identification number, passport, photograph, video, personal telephone number (including mobile number), personal email address, thumbprint, DNA profile, mailing address, and any of such foregoing information relating to any individuals that you may provide us with in any form.

Personal data does not apply to:

  1. business contact information, such as an individual’s business position or title, business telephone number, business address, business electronic mail address, business fax number and any other similar information not provided solely for the individual’s personal purposes;
  2. personal data that is anonymized, i.e. identifying information is removed such that the remaining data does not identify any particular individual or the possibility of re-identification is trivial;
  3. personal data of a deceased individual who has been dead for more than 10 years; and
  4. personal data that is falsified with the intent to commit fraudulent

2. PURPOSE FOR COLLECTION, USE AND DISCLOSURE OF YOUR PERSONAL DATA

As a non-profit organization that tackles citrin deficiency, we collect, use, disclose and manage personal data you provide us with so that we are able to:

  1. verify your identification;
  2. contact, communicate and interact with you;
  3. introduce you to our organization, work and events;
  4. provide you with such information, updates, resources, support and help as we could in relation to citrin deficiency;
  5. respond to, process and handle your queries, feedback, complaints and requests;
  6. organize events, seminars, meetings, tours, interviews, media campaigns and/or publications;
  7. comply with applicable rules, laws, regulations, codes of practice, guidelines, orders issued by any judicial, governmental, supervisory or regulatory bodies;
  8. respond to regulatory complaints, investigations, audit checks, due diligence and such other orders by any judicial, governmental, supervisory or regulatory bodies;
  9. initiate, respond to and otherwise conduct any legal and regulatory claims, suits, arbitrations, court actions, investigations and/or other proceedings; and
  10. take such actions as are necessary, desirable or relevant to the purposes reasonably related to the aforesaid.

In addition, if you submit a research proposal to us and/or otherwise apply for our funding, we collect, use, disclose and manage personal data you provide us with so that we are able to:

  1. conduct interviews, background screening and due diligence;
  2. process your application;
  3. obtain references;
  4. assess the suitability of your proposal and/or application;
  5. draft, review, negotiate, sign and perform agreements or other legal documents in respect of the proposed research and/or funding;
  6. plan, facilitate, manage, administer, perform and/or close the research and/or funding; and
  7. take such actions as are necessary, desirable or relevant to the purposes reasonably related to the aforementioned.

3. COLLECTION OF PERSONAL DATA

In general, we may collect personal data in the following ways:

  1. when you access our website;
  2. when you communicate and interact with us, including all verbal and written communications like telephone calls, emails, submissions through our website, letters, face-to-face interactions, social media platforms and other forms of communications;
  3. when you submit any form, including but not limited to online surveys and inquiry forms;
  4. when you request that we contact you or that you be included in an invitation, email or other mailing list; and
  5. when you respond to our initiatives or to any request for additional personal data.

If you provide us with personal data relating to a third party (e.g., your spouse, children, parents, dependents, patients and/or other individuals who have duly authorized you), you represent and warrant that the third party has given consent for the collection, use, disclosure and management of his/her personal data for the purposes for which such data is provided.

4. ANONYMITY

To the extent possible and practicable, we may anonymize your personal data in our possession so that we will no longer retain your personal data under PDPA, i.e., when the identifying information is removed such that the remaining data does not identify any particular individual or the possibility of re-identification is trivial.

5. PROTECTION OF PERSONAL DATA

We take reasonable steps (including anonymization so long as it is lawful and practicable, as mentioned above) to ensure the security of personal data in our possession and to protect it against loss, misuse or unauthorized access, destruction, use, modification or disclosure.

Only authorized personnel are permitted to access personal data in our possession.

While we take reasonable efforts to protect personal data in our possession, we cannot be held liable for unauthorized and unintended access beyond our control.

6. DISCLOSURE OF PERSONAL DATA

Subject to compliance with PDPA, we may disclose your personal data strictly for the purposes listed above only (as applicable) to the following entities or parties, whether located in Singapore or overseas:

  1. authorized personnel of our organization;
  2. external vendors, third party service providers, agents and contractors who provide operational services to us, including but not limited to courier services, information technology (including but not limited to hosting, storing and processing of data), event organization;
  3. our professional advisers such as lawyers and auditors in relation to the administration, operation and management of our organization and work;
  4. judicial, governmental, supervisory or regulatory bodies;
  5. our associated entities, Citrin Foundation (UK) with Company Registration Number 15940318 and YH2 International Limited, with Company Registration Number 14398638 (both with their registered offices at Universal Building, Kensington High Street, London, W14 8NS); and
  6. any other party to whom you have authorized us to disclose your personal data to.

We will not disclose or transfer your personal data to an external party in contravention of PDPA.

7. RETENTION OF PERSONAL DATA

We will not retain your personal data longer than necessary for the purposes for which it has been collected, unless there are legitimate reasons for such retention. We will not retain your personal data “just in case” it may be needed for other purposes that you have not consented to.

Subject to the aforementioned, we will securely dispose of or anonymize personal data that we can reasonably determine is no longer needed.

8. TRANSFER OF PERSONAL DATA OUT OF SINGAPORE

If we transfer your personal data to a country outside of Singapore, we will ensure that the receiving organization is legally bound to provide protection comparable to the standard under PDPA.

9. WITHDRAWAL OF CONSENT, ACCESS AND CORRECTION OF PERSONAL DATA

If you (i) have any questions or feedback relating to your personal data or this Policy; (ii) would like to access and/or make corrections to your personal data in our possession or (iii) would like to withdraw your consent from any (or all) of the purposes listed in this Policy, please contact us at:

Data Protection Officer
Citrin Foundation Ltd
6 Temasek Boulevard
#38-05 Suntec Tower Four
Singapore 038986

We will ask you to provide some form of identification to ensure that you are the person to whom the information relates. We may also request further information from you about your request and the reasons behind it.

Occasionally, we may need to refuse your request to access information, if such access (but not restricted to):

  1. threatens or is likely to threaten the safety or physical or mental health of another individual;
  2. causes or is likely to cause immediate or grave harm to the safety or physical or mental health of the individual who has made the request;
  3. reveals or is likely to reveal personal data about another individual, or the identity of an individual who provided personal data about another individual; and
  4. is contrary to public and/or national interest.

In your notice to withdraw your consent, please specify any (or all) of the purposes in this Policy from which you intend to withdraw your consent. Within a reasonable notice period (not less than ten (10) business days) after receipt of your withdrawal notice, we will cease, and will cause our agents and authorized personnel (including data intermediaries and vendors) to cease such collection, use and disclosure of your personal data for the purpose(s) indicated in your notice. Depending on the nature of the withdrawal, we may no longer be in a position to continue to provide our services or products to you, or perform any contractual obligations in place, which in turn may result in the termination of any agreements with us, and your being in breach of your contractual obligations or undertakings. All our rights and remedies in such event are hereby expressly reserved.

10. THIRD PARTY WEBSITES

Our website may contain links to third party websites. This Policy does not apply to such third party websites.

Third party websites may also contain links to our website. This Policy also does not apply to such external links.

The operators of third party websites may collect your personal data. We urge you to read and understand the privacy policies of such third party websites.

11. GOVERNING LAW, JURISDICTION

The laws of Singapore shall govern, construe and enforce all of the rights and duties of the parties arising from or relating in any way to the subject matter of this Policy, without regard to its conflict of laws rules. All parties agree to submit to the exclusive jurisdiction of the courts of Singapore.

Your privacy is important to us. We, Citrin Foundation (UK) with registered office at Universal Building, 364 – 366 Kensington High Street, London W14 8NS (the “Foundation”, “we”, “us” or “our”), are committed to protecting your personal data and to complying with our obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

As the context may require, “you” or “your” may include you and/or your spouse, children, parents, dependants, patients and/or other third parties whose personal data you are duly authorised to provide to us.

Please take a moment to read this Privacy Policy. It explains how we collect, use, share and protect your personal data.

By interacting with us, including by accessing our website (https://www.citrinfoundation.org), submitting information to us, or signing up for or using any of our services, you confirm that you have read and understood this Policy and that we may process your personal data in accordance with it, including by sharing your data with our authorised service providers and relevant third parties.

If you are under the age of 13, you must obtain consent from a parent or guardian before interacting with us, submitting your personal data, or using our services. We do not knowingly collect personal data from children without such consent.

This Policy supplements but does not override any previous consents you have given us, and your consents under this Policy are in addition to our other lawful bases for processing your personal data.

We may update this Policy from time to time to reflect changes in the law or our practices. The latest version of this Policy will always be available on our website. Please check this page periodically for updates.

1. WHAT IS PERSONAL DATA?

Personal data means any information about a living individual from which that person can be identified, directly or indirectly. This includes data such as:

  • Full name, identification numbers, passport number
  • Photographs, video images, audio recordings
  • Telephone number, email address, mailing address
  • Biometric data, e.g., fingerprint or DNA profile
  • Any of the above relating to individuals you are authorised to provide data for

Personal data does not include:

  • Business contact details used in a professional capacity (e.g., work email)
  • Anonymised data (where identifying information has been irreversibly removed)
  • Information about deceased persons (though other laws may still apply)

2. WHY WE COLLECT AND USE PERSONAL DATA

We process personal data in our legitimate interests as a UK-based charitable entity and where necessary to comply with legal obligations, enter into contracts, or with your consent. Specifically, we may process personal data to:

  • Verify your identity and contact details
  • Communicate and interact with you
  • Promote our mission and activities
  • Respond to enquiries, feedback, or complaints
  • Organise events and engagement initiatives
  • Comply with legal or regulatory obligations
  • Carry out safeguarding, due diligence, or legal processes

If you apply for funding or submit a research proposal, we may also process personal data to:

  • Conduct background checks or suitability assessments
  • Manage grant or funding processes
  • Draft and manage contracts and legal documents
  • Administer and evaluate funded research

3. HOW WE COLLECT PERSONAL DATA

We may collect personal data:

  • When you visit our website
  • When you contact us by phone, email, letter, or in person
  • When you complete forms or applications
  • When you participate in surveys, trials, or feedback sessions
  • When you sign up for updates, events, or newsletters
  • From third parties acting on your behalf, where you have authorised this

If you provide us with personal data about another individual, you must ensure that you have their permission to do so.

4. ANONYMITY AND DATA MINIMISATION

Where appropriate, we may anonymise your personal data so that you cannot be identified. Anonymised data is not considered personal data and is therefore not subject to data protection laws. It may be used for research, reporting, or statistical purposes, provided that individuals cannot be re-identified from the data, either directly or indirectly.

5. HOW WE PROTECT YOUR PERSONAL DATA

We implement appropriate technical and organisational measures to protect personal data, including:

  • Role-based access restrictions
  • Encryption and secure storage
  • Staff training and awareness
  • Anonymisation and pseudonymisation, where appropriate

We cannot guarantee the security of data transmitted via the internet, but we take steps to mitigate risks and limit access.

6. WHO WE MAY SHARE YOUR DATA WITH

We may share your personal data, strictly on a need-to-know basis and in accordance with UK GDPR, with:

  • Our staff, volunteers, and trustees
  • Third-party service providers (e.g., IT, email platforms, event organisers)
  • Our professional advisers (e.g., lawyers, accountants, the Scientific Supervisory Board)
  • Government bodies, regulators, and courts (where required by law)
  • Our associated entities, (i) Citrin Foundation with its registered office at 6 Temasek Boulevard Suntec Tower Four, Singapore 038986 (“CF Singapore”) and (ii) YH2 Capital International Limited with its registered office at Universal Building, Kensington High Street, London W14 8NS.
  • Other third parties where you have given explicit consent

We do not sell your personal data.

7. HOW LONG WE KEEP YOUR DATA

We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including any legal, accounting, or reporting requirements. When personal data is no longer needed, we will securely delete or anonymise it.

8. TRANSFERS OF DATA OUTSIDE THE UK

If your personal data is transferred outside the UK (e.g., to our associated Singaporean entity (CF Singapore) or cloud service providers), we will ensure that appropriate safeguards are in place, such as:

  • Adequacy regulations under UK GDPR
  • Standard contractual clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO)
  • Binding corporate rules, or other lawful mechanisms

9. YOUR RIGHTS

Under the UK GDPR, you have the right to:

  • Access your personal data
  • Correct or update inaccurate data
  • Request erasure of your data (in certain circumstances)
  • Object to or restrict certain processing
  • Withdraw your consent at any time (where processing is based on consent)
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO)

To exercise your rights or raise concerns, please contact:

Data Protection Officer
Citrin Foundation Ltd (UK)
Universal Building, Kensington High Street, London W14 8NS

We may require you to verify your identity before fulfilling your request.

10. THIRD PARTY LINKS

Our website may contain links to other websites. This Policy does not cover third-party websites and we are not responsible for their privacy practices. Please review their policies before submitting any data.

11. GOVERNING LAW

This Policy is governed by the laws of England and Wales, and any disputes will be subject to the exclusive jurisdiction of the English courts.