link.creo.farm
Last updated: 13 May 2026 · Effective: 13 May 2026
CREO.FARM PTE. LTD. ("Creo", "we", "us", or "our") operates link.creo.farm (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA) and its 2020 amendments.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.
Data Controller: CREO.FARM PTE. LTD., Singapore
Data Protection Officer (DPO): For all privacy enquiries, access or correction requests, and consent withdrawal, contact our DPO at:
Email: contact@creo.farm
We aim to respond within 10 business days.
When you register with email and password, we collect your email address and store a securely hashed version of your password. We never store your password in plain text.
If you sign in with Google, we receive from Google your name, email address, and profile picture. We use this solely to create and authenticate your account. We do not receive your Google password or access your Google Drive, Gmail, or any other Google services.
When you configure an NFC tag, you voluntarily provide profile information such as your display name, job title, organisation, address, profile photo, and links (URLs, phone numbers, email addresses). This data is displayed publicly to anyone who scans or views your tag. Only provide information you are comfortable sharing publicly.
Each time your NFC tag is scanned or your link page is visited, we log the timestamp, action type (redirect or link page view), IP address, and browser/device user agent. This helps you understand tag activity and allows us to detect abuse. Logs are attributed to your tag but are not shared with third parties in identifiable form.
We use session cookies and authentication tokens to keep you logged in. These are stored in your browser and are necessary for the Service to function. We do not use advertising cookies or third-party tracking pixels.
When you enter an address in the tag configuration form, your input is sent to Google Maps Platform to provide autocomplete suggestions. This is subject to Google's own privacy policy. We do not store your search queries, only the final address you select and save.
| Purpose | Data Used | Legal Basis (PDPA) |
|---|---|---|
| Create and authenticate your account | Email, name, Google profile data | Consent; Contractual necessity |
| Display your NFC link page to visitors | Profile data, links, avatar | Consent (you choose to publish this) |
| Provide tag activity analytics to you | Scan logs, IP, user agent | Contractual necessity; Legitimate interests |
| Security — detect abuse and replay attacks | IP, user agent, NFC counters | Legitimate interests |
| Send password reset and account emails | Email address | Contractual necessity |
| Improve the Service | Aggregated, anonymised usage data | Business Improvement Exception (PDPA s.17) |
We do not sell your personal data. We do not use your data for advertising profiling or share it with marketing third parties.
We engage the following sub-processors, each under a data processing agreement that requires them to protect your data to a standard comparable to the PDPA:
Cloud Infrastructure & Authentication Provider (United States)
Provides authentication, database storage, and file storage for the Service. Data is stored in a Singapore-region database where available. This provider maintains industry-standard security certifications.
Google LLC (United States) — Google Sign-In
Provides identity verification when you choose "Sign in with Google." Your use of Google Sign-In is also governed by Google's Privacy Policy.
Google LLC — Google Maps Platform
Powers address autocomplete in the tag configuration form.
Web Hosting & Delivery Provider (United States)
Hosts and serves the Service globally. Network-level logs (including IP addresses) may be processed by this provider for security and performance purposes.
Transfer of personal data to these overseas processors is covered by appropriate contractual safeguards in accordance with PDPA Part IX (Transfer Limitation Obligation).
The profile information you add to your NFC tag (name, title, organisation, address, links, photo) is displayed publicly to anyone who scans your tag or visits your tag's URL. This is the core function of the Service. Please only include information you are comfortable making publicly available. You can update or delete this information at any time from your dashboard.
For our secure NFC tags, each tap generates a unique, one-time URL. This means your link page URL cannot be meaningfully shared or replayed — only a physical tap of your tag opens the page.
| Data Category | Retention Period |
|---|---|
| Account data (email, auth credentials) | Until account deletion, then purged within 30 days |
| NFC tag profile data | Until you delete the tag or your account |
| Tag scan logs (IP, user agent) | 90 days, then anonymised or deleted |
| Uploaded avatar images | Until replaced or account deleted |
| Session tokens / cookies | Until sign-out or 7-day expiry |
We retain data only as long as necessary for the purposes described in this policy or as required by applicable law. In accordance with PDPA s.25 (Retention Limitation Obligation), data is securely deleted or anonymised when no longer needed.
Under Singapore's PDPA, you have the following rights:
Request a copy of the personal data we hold about you and information on how it has been used or disclosed in the past 12 months.
Request correction of inaccurate or incomplete personal data. You can update most profile data directly via your dashboard.
Withdraw consent for data processing at any time. Note that withdrawing consent for essential processing (e.g., account authentication) may mean we can no longer provide the Service to you.
Request transmission of your data to another service in a commonly used machine-readable format (where technically feasible, per PDPA s.26H).
To exercise any of these rights, email our DPO at contact@creo.farm. We will respond within 30 days. We may need to verify your identity before processing your request.
We take reasonable security measures to protect your personal data, including:
No system is completely secure. In the event of a data breach that is notifiable under PDPA s.26C, we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessment and notify affected individuals as soon as practicable.
The Service is not directed at children under 14. We do not knowingly collect personal data from children under 14 without verifiable parental consent. If you believe we have collected data from a child under 14, please contact us at contact@creo.farm and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be notified via email (if you have an account) or by a prominent notice on the Service before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes are published constitutes your acceptance of the updated policy.
If you have a concern about how we handle your personal data that we have not resolved to your satisfaction, you may lodge a complaint with the Personal Data Protection Commission (PDPC):
Personal Data Protection Commission (PDPC)
10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
Website: www.pdpc.gov.sg
For any questions about this Privacy Policy or your personal data:
© 2026 CREO.FARM PTE. LTD. · Singapore · PDPA Compliant