Privacy and Data Protection Policy
This Privacy Policy sets out the basis on which Refora Pte. Ltd. (UEN: 202555125N) ("Refora", "we", "us", or "our") may collect, use, disclose or otherwise process your personal data when you access or use our online referral platform at refora.app (the "Platform").
This Policy explains how we handle personal data in compliance with the Personal Data Protection Act 2012 ("PDPA") of Singapore, and, where applicable, in alignment with standards under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Refora is not a U.S. HIPAA covered entity. Where applicable, we adopt selected HIPAA-aligned safeguards as best practice for protecting health information.
It applies to personal data in our possession or under our control, including personal data in the possession of third-party organisations engaged by us to collect, use, disclose, or process such data on our behalf.
Refora does not use your personal data or health information to train, fine-tune, or improve any generalised or public AI model. Where AI services are used to process data on the Platform (for example, to extract referral information from emails or to generate conversation replies), data is used solely to produce the specific output for your record and is not retained by the AI service provider for model improvement. Further detail is set out in Sections 6.IX and 6.XI.
By using the Platform, you acknowledge and agree that you have read and understood this Privacy Policy, and consent to the collection, use, and disclosure of your personal data as described herein.
If you do not agree with this Privacy Policy or the accompanying Terms and Conditions, please do not use the Platform. Your continued access and use of the Platform constitutes your acknowledgement and acceptance of this Privacy Policy.
1. Scope
This Policy applies to all users of the Platform, including clinics, patients, and individuals who interact with the Platform via WhatsApp or web forms. Sections will indicate where provisions apply to a specific category.
Refora acts as a data intermediary under the PDPA when processing patient data on behalf of clinic-users within the referral management platform. Clinic-users are responsible for determining the purposes and means of processing patient data and for obtaining all required consents and notices. Refora processes such data strictly on instructions from the clinic-users.
2. Definitions
As used in this Privacy Policy:
"Customer" means an individual who (a) has contacted Refora Pte. Ltd. through any means (including the Platform) in relation to the services available on the Platform, or (b) may, or has, entered into a contract with Refora Pte. Ltd. for the supply of any services.
"Personal Data" means data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which Refora Pte. Ltd. has or is likely to have access.
3. Data Collection
Refora collects only the data necessary to provide its referral management and patient enquiry services. This may include patient identifiers, clinical notes, diagnostic attachments (x-rays, images, etc.), and messaging data.
Data may be submitted to the Platform through any of the following channels:
- Inbound email intake: Clinic-users may configure a forwarding address so that referral emails sent by third-party practitioners are automatically routed into the Platform. Refora receives and processes the full email content, including any attachments, on the receiving clinic's instructions.
- QuickRefer form: Clinic-users may embed a Refora referral submission form on their own website. Patients or referring practitioners who complete and submit that form transmit data directly to Refora on behalf of the embedding clinic.
- Manual import: Clinic-users may manually import referral records that arrived outside the Platform (e.g., by phone or fax) into the Platform dashboard.
- WhatsApp messaging: Where a clinic-user has connected a WhatsApp Business account to the Platform, patients and other individuals who send messages to that WhatsApp number will have their messages received and processed by Refora on the clinic's behalf. Refora may also send messages to such individuals via WhatsApp, including AI-generated replies and pre-approved template messages, as further described in Section 6.XI below.
- Web form enquiries: Patients or prospective patients may submit enquiry forms on a clinic-user's website. Refora receives and processes these submissions on the clinic's behalf and may initiate WhatsApp-based follow-up where the clinic has WhatsApp configured.
4. Types of Personal Data Collected
Depending on the nature of your interaction with us, the personal data we may collect includes, but is not limited to, the following:
(a) Personally identifiable information such as your name, identification numbers (NRIC, Passport No., FIN), residential address, email address, contact number, nationality, gender, and date of birth.
(b) Pre-existing clinical information: Medical and health-related information about you that is provided to us by your healthcare providers, including medical or referral notes, health history, claims or referral information, laboratory results, diagnostic images, and other clinical records. This includes information contained in emails forwarded to the Platform by clinic-users through the inbound email intake feature.
(c) Platform-generated clinical information: Medical or health information about you that is prepared by healthcare professionals, treatment providers, diagnostic laboratories, or other third parties providing services via the Platform, including medical records, treatment and examination notes, laboratory testing results, diagnostic images, and clinical procedures. This list is illustrative and not exhaustive.
(d) Referral request information submitted voluntarily through an embeddable referral form hosted on a clinic's website, including contact details and any clinical or administrative information entered by the submitting individual.
(e) WhatsApp messaging data, including your phone number, message content (text, images, documents, and other media), message timestamps, delivery and read status, and WhatsApp profile information (such as display name and profile photo) provided by the WhatsApp Business API.
(f) AI-generated conversation data, including automated replies sent to you on a clinic's behalf, conversation context summaries, booking intent signals, and escalation records produced by our AI nurture system.
(g) Billing and payment information (for example, credit-card or online-payment details).
(h) Information about the computer or mobile device you use to access the Platform.
(i) Geographical location or address information derived from your device or your clinic's records.
(j) Any other information you may provide or input into the Platform or related services.
5. Interpretation
Unless otherwise defined in this Privacy Policy, terms used shall have the meanings given to them in the Personal Data Protection Act 2012 (PDPA) of Singapore (where the context so permits).
6. Collection, Use and Disclosure of Personal Data
By registering on the Platform, users consent to the collection, use, and disclosure of their data as outlined herein. Clinics are responsible for obtaining consent from their patients before uploading any data to the Platform.
I. General Collection
Refora generally does not collect your personal data unless
(a) it is provided to us voluntarily by you directly, or via a third party duly authorised by you (an "Authorised Representative"), such as your clinic, healthcare provider, or insurer, for the purposes set out in this Privacy Policy; or
(b) collection, use, or disclosure without consent is permitted or required under the PDPA or other applicable laws.
We shall seek your consent before collecting any additional personal data or before using your personal data for any purpose not previously notified (except where otherwise permitted or required by law).
II. Consent and Authorisation
By registering an account or otherwise using the Platform, you consent to our collection, use, and disclosure of your personal data as described in this Privacy Policy.
Clinics and healthcare providers are solely responsible for obtaining valid consent from their patients before uploading, disclosing, or transmitting any patient data to the Platform. Refora reserves the right to suspend processing of any data if there are reasonable grounds to believe that such data was provided without proper consent or authorisation. Any liability for breach arising from unauthorised uploads shall rest solely with the uploading clinic or provider.
Where a patient is a minor or otherwise lacks legal capacity, the clinic-user confirms that valid consent has been obtained from a parent, legal guardian, or authorised representative before any personal data is uploaded to the Platform.
III. Purposes of Collection and Use
Clinic-users should only upload data that is reasonably necessary for referral and continuity of care. We are not responsible for excessive or inappropriate uploads that are outside the stated purposes.
We may collect and use personal data for any or all of the following purposes:
(a) Performing obligations in connection with the provision of services via the Platform, including facilitating referrals, maintaining referral records, and enabling communication between clinics and patients.
(b) Verifying identities of users and ensuring account integrity.
(c) Responding to and processing queries, requests, and feedback.
(d) Administering, operating, and improving the Platform.
(e) Processing billing and subscription payments, and issuing invoices or receipts.
(f) Facilitating claims or payment settlements through authorised third parties.
(g) Enhancing service quality through audits, testing, analytics, and de-identified reporting.
(h) Creating anonymised or de-identified datasets for research, analytics, or quality-improvement purposes.
(i) Automated extraction and structuring of referral data from unstructured sources (such as inbound emails) using AI-assisted processing, as further described in Section 6.IX below.
(j) Conducting AI-powered conversations with patients and prospective patients via WhatsApp on a clinic-user's behalf, including answering enquiries about the clinic's services, encouraging appointment booking, detecting booking intent, escalating to clinic staff when appropriate, and sending re-engagement messages to patients who have not responded, as further described in Section 6.XI below.
(k) Classifying inbound messages to determine whether they originate from patients or non-patients, and routing them accordingly.
(l) Complying with applicable laws, regulations, and codes of practice, or assisting law-enforcement or regulatory investigations.
(m) Transmitting personal data to third-party service providers (including cloud hosts, data processors, or consultants) for the above purposes under strict confidentiality obligations.
(n) Any other incidental business purposes reasonably related to or in connection with the above.
IV. Inbound Email Intake and Third-Party Email-Origin Data
Where a clinic-user configures the inbound email intake feature, Refora will receive, read, and process emails forwarded to its intake address on that clinic's behalf. Such emails may originate from practitioners who are not registered on the Platform and may contain personal data and health information relating to patients who have not directly interacted with the Platform.
Clinic-users are solely responsible for ensuring they hold a sufficient lawful basis to route such emails (and any personal data contained therein) through the Platform. Refora processes this data strictly as a data intermediary acting on the clinic-user's instructions. Refora will apply the same security, encryption, and access controls to email-origin data as to data entered directly through the Platform.
Data extracted from inbound emails will be used only for the purposes of creating and managing the relevant referral record. Raw inbound email content is retained as part of the referral record and is subject to the same retention rules as other referral data under the Data Retention and Deletion Policy.
V. Passive Collection
As you use the Platform, certain information may be collected automatically, including:
- Site-usage data such as search queries and referral activity;
- Device and browser information (IP address, device ID, connection speed, access times);
- Cookies and similar technologies used to maintain session security and improve functionality;
- Real-time location data (where you have enabled GPS functions); and
- Crash logs or performance metrics collected to enhance system stability.
You may manage cookies through your browser settings. Certain strictly necessary cookies are required for security and session management. Disabling non-essential cookies may impact performance but will not affect your legal rights.
VI. Storage and Processing
Personal and health data may be stored on secure servers operated by third-party providers engaged by Refora. These providers may be located in Singapore or other jurisdictions with comparable data-protection standards. Where data is transferred outside Singapore, cross-border transfers are subject to legally enforceable obligations ensuring a standard of protection comparable to that under the PDPA. In particular, health information processed by Amazon Web Services Bedrock is governed by a signed AWS Business Associate Agreement (BAA), which constitutes the legally enforceable transfer mechanism for that processing activity.
All clinical records (including notes, images, and x-rays) and identifiers (patient names, emails, dates of birth) will be encrypted at rest and in transit. Clinic and doctor names or public business details need not be encrypted but remain subject to access controls.
Where clinic-users export or integrate data from the Platform into third-party systems, the clinic-user remains responsible for the security and lawful processing of the data within those external environments.
Where personal data is transferred or made available outside Singapore, we will ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the protection under the PDPA.
VII. Disclosure
We may disclose personal data where such disclosure is necessary for the purposes described above, including to:
(a) Our subsidiaries, affiliates, or partners supporting Platform operations;
(b) Third-party contractors and service providers engaged to provide data-hosting, analytics, or customer-support services, subject to written confidentiality obligations;
(c) Regulators, law-enforcement agencies, or other competent authorities as required by law;
(d) Successor entities in the event of a merger, sale, or corporate reorganisation; or
(e) Any other party you have authorised or been notified of at the time of collection.
Refora will ensure that all external recipients of sensitive health information are contractually bound to meet data-protection and breach-notification standards comparable to those required under the PDPA.
Refora requires third-party service providers that process personal data on its behalf to enter into written data protection agreements that include confidentiality, security, breach notification and deletion-on-termination obligations. Refora may obtain attestations or audit summaries from such providers to verify compliance.
Key sub-processors currently engaged by Refora that handle personal data or health information include:
| Sub-processor | Role | Data Processed | Agreement |
|---|---|---|---|
| Amazon Web Services (S3) | Secure file storage | Attachments, diagnostic images, documents | AWS BAA + Data Processing Addendum |
| Amazon Web Services (Bedrock) | AI inference for data extraction | Inbound email content and attachments (where intake feature is used) | AWS BAA + Data Processing Addendum |
| Resend | Transactional email delivery and inbound email relay | Referral notification emails (including patient name, clinical notes, and referral details); forwarded referral emails | Data Processing Agreement (DPA) |
| Stripe | Payment processing | Billing and subscription data only — no health or clinical data | Stripe Data Processing Agreement |
| Meta Platforms (WhatsApp Business API) | Messaging channel for patient communication | WhatsApp messages (text, media, metadata), phone numbers, profile information, delivery status, message history | Meta Data Processing Terms; WhatsApp Business Terms |
| Inngest | Event-driven background job processing | Enquiry and referral identifiers, message routing metadata, scheduling data for nurture sequences and re-engagement | Data Processing Agreement (DPA) |
Refora retains copies of all sub-processor agreements and may make them available to the Data Protection Officer upon request. This list may be updated from time to time. The current version will always be reflected in this Policy.
VIII. Withdrawal of Consent
Your consent remains valid until withdrawn in writing. You may withdraw consent by contacting our Data Protection Officer ("DPO") at dpo@refora.app. Upon receiving your request, we will process it within ten (10) business days and notify you of any legal or service consequences. Withdrawal of consent does not affect our right to retain data where required by law or for legitimate business or regulatory purposes.
IX. AI-Assisted Processing
Refora uses AI inference services (currently Amazon Web Services Bedrock, using large language models) in two contexts:
A. Referral data extraction. Where clinic-users make use of the inbound email intake feature, the content of received emails (including subject lines, body text, and any extracted text from attachments) may be submitted to the AI inference service for the purpose of automatically extracting structured referral information such as patient name, contact details, referral reason, and referring practitioner details.
B. Inbound message classification. When a message is received via WhatsApp or another inbound channel, the AI inference service may be used to classify the message — for example, to determine whether it originates from a patient or a non-patient (such as a vendor or spam sender) — and to route it accordingly.
The following safeguards apply to the processing described in this Section 6.IX:
- Data submitted to the AI inference service is used solely to generate the extracted referral record or classification result and is not used to train, fine-tune, or improve the underlying AI model.
- Refora has executed an AWS Business Associate Agreement (BAA) with Amazon Web Services, which governs the processing of health information through the Bedrock service and includes confidentiality, security, and breach-notification obligations consistent with Refora's obligations under the PDPA.
- The AI inference endpoint is operated within a jurisdiction that provides a comparable standard of data protection to Singapore.
- Extracted and classified data is stored on the Platform under the same encryption, access control, and retention rules as other referral and enquiry data.
- AI extraction and classification are automated processes. Refora does not make any legally or clinically significant decision solely on the basis of AI-processed information. Clinical accuracy remains the responsibility of the relevant clinic-user.
- The confidence level of extractions and the model version used are logged alongside the relevant record for audit purposes.
Clinic-users who wish to use the inbound email intake feature or WhatsApp integration should ensure that their consent notifications and privacy practices adequately disclose the use of AI-assisted processing to their patients.
For AI-powered patient conversations via WhatsApp (the nurture agent), see Section 6.XI below.
X. WhatsApp Data Collection and Processing
Where a clinic-user connects a WhatsApp Business account to the Platform, the following provisions apply in addition to the rest of this Policy.
Data collected. When an individual sends a message to a clinic-user's connected WhatsApp Business number, Refora receives and processes the following data via the WhatsApp Business API (Meta Cloud API):
- The sender's phone number, WhatsApp profile name, and profile photo (as provided by Meta);
- Message content, including text, images, documents, audio, video, reactions, and other media types supported by the WhatsApp Business API;
- Message metadata, including timestamps, message identifiers, delivery status, and read receipts; and
- Any replies sent by clinic staff via the WhatsApp Business App, which are received by Refora through Meta's business message echo functionality.
Contact deduplication. Refora creates a unified Contact record for each unique phone number per practice. All messages — whether from the patient, the AI nurture system, or clinic staff — are stored in a single conversation thread associated with that Contact. This thread may span multiple enquiries and referrals.
Refora's role. Refora acts as a data intermediary processing WhatsApp message data on the clinic-user's instructions. The clinic-user remains the data controller and is responsible for ensuring that its use of WhatsApp Business in connection with the Platform complies with applicable law, including Meta's WhatsApp Business Terms and any applicable professional standards.
Message history import. When a clinic-user first connects a WhatsApp Business account, Refora may request historical message data from Meta's SMB App Data API for the purpose of importing existing conversation context. Imported messages are stored as Contact Messages and are used for context only — they do not trigger automated replies or create new enquiries. The clinic-user authorises this import by completing the WhatsApp connection flow.
Purpose of processing. WhatsApp message data is processed for the following purposes:
- Creating and managing patient enquiry records;
- Enabling AI-powered nurture conversations (see Section 6.XI below);
- Providing clinic staff with a unified view of patient communications;
- Sending pre-approved WhatsApp template messages for re-engagement and notifications;
- Tracking the Meta 24-hour conversation window to ensure compliance with WhatsApp Business API messaging rules; and
- Generating anonymised analytics about message volumes and response times for clinic-users.
WhatsApp template messages. Refora manages pre-approved WhatsApp message templates on behalf of clinic-users. Template approval status is tracked per practice and is subject to Meta's template review process. Templates are used for outbound messages sent outside the 24-hour conversation window, including re-engagement messages and referral patient notifications.
XI. AI-Powered Patient Conversations (Nurture Agent)
Where a clinic-user has enabled WhatsApp integration, Refora operates an AI-powered nurture agent that conducts conversations with patients and prospective patients via WhatsApp on the clinic-user's behalf. This is distinct from the one-time AI extraction described in Section 6.IX and involves ongoing, interactive messaging.
How the nurture agent works. When a patient sends a WhatsApp message to a clinic-user's connected number:
- The message is classified by AI to determine whether it is from a patient or a non-patient (e.g., vendor, spam).
- If classified as a patient message, an enquiry record is created and the nurture agent begins an automated conversation.
- The AI generates contextual replies using information about the clinic's services, location, and operating hours (as configured by the clinic-user), and sends these replies to the patient via WhatsApp.
- The AI monitors the conversation for booking intent (e.g., the patient asks about availability or requests an appointment) and escalates to clinic staff when detected.
- If the patient requests to speak with a human, the AI hands off the conversation and disables itself for that enquiry.
- If the patient does not reply within 24 hours, the system may send a pre-approved re-engagement template message. After two unsuccessful re-engagement attempts, the enquiry is marked as lost.
Safeguards. The following safeguards apply to AI nurture conversations:
- The AI does not provide medical or dental advice, diagnosis, or treatment recommendations. Its role is limited to answering general enquiries about the clinic's services and facilitating appointment booking.
- Message content submitted to the AI inference service is used solely to generate the conversation reply and is not used to train, fine-tune, or improve the underlying AI model.
- The AI inference service is governed by the same AWS Business Associate Agreement described in Section 6.IX.
- All conversation messages (patient inbound, AI-generated replies, and clinic staff messages) are stored on the Platform under the same encryption, access control, and retention rules as other health information.
- Clinic staff can disable the AI nurture agent for any individual conversation at any time. When clinic staff reply to a patient via the WhatsApp Business App, the AI nurture agent is automatically paused for that conversation.
- Refora does not make any clinically significant decision on the basis of AI nurture conversations. Booking and appointment decisions are made by the clinic-user.
Transparency. Refora does not independently identify AI-generated messages to patients as coming from an AI rather than a human. It is the clinic-user's responsibility to determine whether and how to disclose the use of AI-assisted responses to their patients, in accordance with applicable professional and regulatory standards.
Clinic-user obligations. Clinic-users who enable WhatsApp integration and AI nurture are responsible for:
- Ensuring that their use of automated messaging complies with applicable law and professional standards;
- Reviewing and responding to escalated conversations in a timely manner;
- Configuring accurate clinic information (services, location, hours) for the AI to reference; and
- Determining whether disclosure of AI use to patients is required under applicable professional or regulatory guidelines.
XII. Retention and Export
Personal data will be retained for as long as necessary to fulfil the purpose for which it was collected, or for a minimum of fifteen (15) years for healthcare records, whichever is longer, unless otherwise required by law.
Clinics may export their own referral data from the Platform for integration with their internal management systems, provided that such export complies with all applicable data-protection and confidentiality requirements.
Backups containing personal data are subject to the same retention controls and are purged on a defined cycle as set out in the Data Retention and Deletion Policy.
For more information on how data is stored, archived, and permanently deleted, please refer to our Data Retention and Deletion Policy, which sets out detailed timelines, procedures, and safeguards governing the retention and disposal of personal and health information.
7. Protection of Personal Data
Refora implements encryption, user authentication, and automatic session timeouts to safeguard personal data. Each clinic user has a unique login credential. Account sharing is prohibited. Clinic-users must ensure each user has a unique credential. Any loss, alteration or disclosure of personal data arising from shared or compromised credentials will be the responsibility of the clinic-user.
To safeguard your personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, Refora has implemented appropriate administrative, physical, and technical measures, including but not limited to:
- Use of up-to-date antivirus and security protection;
- Sensitive identifiers such as patient names, email addresses, and dates of birth are encrypted at rest and in transit, while publicly available information such as clinic names or doctor details are protected through access controls rather than encryption;
- Access controls and unique user authentication for each clinic account;
- Automatic session time-outs and audit logs for system activities; and
- Disclosure of personal data internally and to authorised third-party service providers strictly on a need-to-know basis.
You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, Refora strives to protect the confidentiality and integrity of your personal data and continuously reviews and enhances its information-security measures in accordance with recognised industry standards.
In the event of a data-breach incident (as defined under the Personal Data Protection Act 2012 (PDPA)), Refora shall comply with all applicable breach-notification obligations, including the duty to detect, assess, and report any qualifying data breach to the relevant authorities and, where applicable, to affected individuals without undue delay. Refora will assess suspected incidents promptly and will notify the Personal Data Protection Commission (PDPC) and affected individuals of any notifiable data breach without undue delay and in accordance with statutory timelines.
8. Accuracy of Personal Data
Refora generally relies on the accuracy and completeness of personal data provided by you or your authorised representatives. You may update or correct your own account information (such as your contact details or profile information) directly through the Platform. For any clinical or medical information, updates and corrections must be made by your healthcare provider. If you believe any clinical data is inaccurate, please inform your clinic directly. We will provide reasonable assistance to facilitate the clinic's response, where required.
9. Access and Correction Requests
You may access and update certain personal account information (such as your contact details or profile information) directly through the Platform. Requests to access or correct clinical or medical information (including referral notes, diagnostic reports, or any data uploaded by your healthcare provider) must be directed to the clinic-user that originally uploaded the data. Clinics act as the data controller for such medical records and are responsible for ensuring their accuracy. If we receive a request relating to clinical data, we will notify the relevant clinic-user and provide reasonable assistance to facilitate their response, where appropriate. We do not amend or alter medical records on our own.
10. Effect of Privacy Policy and Changes to Privacy Policy
This Privacy Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
We may revise this Privacy Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Privacy Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes and you agree to be bound by the prevailing terms of this Privacy Policy as may be updated from time to time.
11. Contact
You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:
Email Address: dpo@refora.app
Last updated: 20 June 2026
Effective date: 20 June 2026