Retention and Deletion Policy

This Retention and Deletion Policy ("Policy") governs the retention, archival, and deletion of personal and medical data handled by Refora Pte. Ltd. (UEN: 202555125N) ("Refora", "we", "us", or "our") on our online referral platform at refora.app (the "Platform").

1. Purpose

This Policy establishes the principles and procedures governing the retention and deletion of personal data processed by Refora, ensuring compliance with the Personal Data Protection Act 2012 (PDPA), Ministry of Health (MOH) guidelines, and other applicable regulatory obligations.

It balances Refora's operational requirements for continuity of care with individuals' rights to data protection and privacy.

2. Scope

This Policy applies to all personal data (including health and referral data) collected, stored, processed, or transmitted through the Platform, whether held electronically or in physical form, and covers all user categories (clinics, healthcare providers, patients, and authorised staff).

3. Roles and Responsibilities

Refora acts as a data intermediary for clinic-users when processing patient information via the Platform.

Clinic-users remain the data controllers responsible for determining the purpose and duration of retention of medical data under applicable healthcare regulations.

Refora is responsible for implementing secure storage, retention, and deletion processes consistent with this Policy.

4. Retention Period

Referral and clinical data shall be retained for at least 15 years following the last date of treatment or referral activity, in line with MOH recommendations.

Data Type | Minimum Retention Period | Basis / Justification
Clinical and Referral Records (including diagnostic images, notes, attachments, treatment plans, inbound email content, and directory-submitted referral data) | 15 years from the date of last treatment or referral activity | MOH Guidelines on Retention of Medical Records
Patient Personal Data (e.g. name, email, date of birth) | While the patient's account remains active, and for 2–3 years after last clinical/referral activity or completion of clinical purpose, unless required for audit or legal purposes | PDPA Retention Limitation Principle; Operational and audit requirements
Clinic and Doctor Account Information | While account remains active and up to 5 years thereafter | Contractual and business audit requirements
Billing and Financial Records | 7 years | Statutory accounting and tax retention rules
System Logs and Audit Trails | 2 years from creation | Security and incident tracking
Backups | Rolling retention; older backups purged within 90 days of deletion events | Operational continuity and security
Incomplete Website Widget Upload Sessions (abandoned before referral submission) | 7 days from creation, then permanently deleted | No clinical relationship established; minimal operational need
AI Extraction Metadata (model version, confidence scores, extraction logs) | Same period as the associated referral record | Audit and quality-assurance purposes
Directory Profile Data (headline, biography, photo, publication status, slug) | While the profile remains active; up to 5 years after the associated doctor account is closed or the profile is permanently deleted | Contractual and business audit requirements; mirrors clinic/doctor account retention
Directory Analytics Events (page views, submission events, IP addresses, UTM parameters, user agents) | 2 years from the date of the event | Analytics and security purposes; mirrors system-log retention
Orphaned Directory Upload Files (files uploaded via the directory submission form but never associated with a completed referral record) | 7 days from upload, then permanently deleted | No clinical relationship established; minimal operational need; mirrors widget upload session retention

Note: 15 years under MOH guidance is a minimum period, not a cap. Refora may retain data longer where legally required or where ongoing clinical, legal, or compliance needs justify continued retention.

5. Deletion Procedure

Users may request account deletion by contacting dpo@refora.app. Upon confirmation of deletion:

  • All user access credentials will be revoked;
  • Associated referral and communication data will be flagged for archival according to the applicable retention rules; and
  • Refora will have no further obligation to provide services once the deletion process completes. Refora reserves the right, subject to law, to retain or destroy records in accordance with its internal retention and content-destruction policies.

Upon expiry of the retention period, all identifiable data will be permanently deleted or anonymised. Backups will be purged within 90 days of deletion.

6. Deletion and Anonymisation Procedures

Upon expiry of the applicable retention period, Refora will:

  • Permanently delete electronic records using secure erasure tools that render data irretrievable;
  • Anonymise datasets where continued retention is necessary for statistical or research purposes; and
  • Purge backups containing the same data within 90 days of primary deletion.

Deletion activities are logged and periodically reviewed by Refora's Data Protection Officer.

7. Inbound Email and AI Processing Data

Raw inbound email content (subject, body, and extracted attachment text) received through the email intake feature is treated as part of the referral record to which it relates and is subject to the same 15-year minimum retention period as other clinical and referral records. The email content is encrypted at rest and accessible only to authorised users of the receiving clinic.

AI extraction metadata (including the model identifier, confidence score, and timestamp of extraction) is stored alongside the referral record and retained for the life of that record for audit and quality-assurance purposes.

Incomplete website widget upload sessions that are never converted to a referral record (e.g. because the user abandoned the form) are retained for 7 days and then permanently deleted.

8. Directory Data

Directory Profile data. The headline, biography, photo reference, publication status, and public URL slug associated with a clinic-user's Directory Profile are retained while the profile is active and for up to 5 years after the associated doctor account is closed or the profile is permanently deleted, consistent with the retention period for clinic and doctor account information.

Directory analytics events. Page-view events, submission events, and associated technical metadata (IP addresses, user agents, UTM parameters, referrer URLs) logged in connection with the Directory are retained for 2 years from the date of the event, consistent with the retention period for system logs and audit trails. These analytics records are not linked to named individuals unless a form submission was completed.

Directory-submitted referral and appointment data. Personal data and Health Information submitted by Directory Visitors that results in a referral or appointment record is treated as part of that referral record and is subject to the same 15-year minimum retention period as other clinical and referral records.

Orphaned directory upload files. Files uploaded via the directory submission form (e.g. diagnostic attachments) that are never associated with a completed referral record — for example because the user abandoned the form after uploading — are retained for 7 days from the date of upload and then permanently deleted from storage.

9. Exceptions

Data may be retained longer where required by law, or if subject to ongoing disputes, investigations, or compliance checks.

10. Data Breach Response

In the event of a data breach, Refora Pte. Ltd. will preserve relevant logs and evidence until investigations are concluded. Please refer to our Privacy Policy for more details.

11. Review and Updates

This Policy will be reviewed at least annually or upon significant regulatory or operational changes to ensure continued compliance and adequacy.

12. Contact

For questions regarding this Policy, please contact: dpo@refora.app


Last updated: 20 April 2026

Effective date: 20 April 2026