Privacy policy
What data we collect, why we collect it, who we share it with, and your rights under Singapore's PDPA and GDPR.
Last updated: 2026-04-26
This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. We try to keep it plain. If anything is unclear, email inq@sgaconline.com.
Who we are
SGAC Online is a Singapore-based commercial service that submits Singapore Arrival Cards (SGAC) to Singapore's Immigration & Checkpoints Authority (ICA) on behalf of travellers. We are not part of the Singapore government and are not affiliated with ICA. See our disclaimer.
What data we collect
Data you give us through the application form
To file your SGAC with ICA, we collect:
- Full name (as it appears on your passport)
- Passport details (number, country of issue, expiry)
- Nationality
- Date of birth
- Email address
- Phone number
- Residential address (in your home country)
- Travel details (arrival date, departure date, mode of travel, flight or vehicle details)
- Where you're staying in Singapore (hotel name or private address)
- Last country of departure and next country of travel
For group applications, we collect the same data for each traveller.
Data we receive automatically
- Your IP address and rough location (used for fraud prevention and rate limiting)
- Your browser type, operating system, and screen size
- Cookies (see our cookie policy for details)
- Pages you visit on our site, if you've consented to analytics
Data from our payment processor
Stripe handles your payment. We never see your full card details. We do receive:
- A payment intent ID (so we can match your payment to your application)
- The amount you paid, the currency, and whether the payment succeeded
- The last four digits of your card, the card brand, and the country of issue (for fraud detection)
Why we collect this data
| Purpose | Lawful basis |
|---|---|
| Filing your SGAC with ICA | Performance of contract |
| Sending you your approval email | Performance of contract |
| Sending operational updates about your application | Performance of contract |
| Processing your payment | Performance of contract |
| Tax records and accounting | Legal obligation under Singapore law |
| Audit trail of admin actions on your application | Legitimate interest (fraud prevention, dispute resolution) |
| Analytics (Google Analytics, Microsoft Clarity) | Your consent |
| Marketing tracking (Meta Pixel) | Your consent |
Who we share your data with
- ICA (Immigration & Checkpoints Authority of Singapore). This is the entire point of our service. We submit your SGAC application to ICA. Their privacy policy applies to what they do with it.
- Stripe. Our payment processor. They have their own privacy policy and are PCI-DSS Level 1 certified.
- SendGrid. Our email service provider. They process the emails we send to you and store them briefly to deliver them.
- Google Analytics, Microsoft Clarity, Meta Pixel. Only if you've granted consent. These services analyse how visitors use our site. Microsoft Clarity may record your mouse movements and clicks (but not what you type into form fields).
- Our hosting provider (DigitalOcean). They host the servers our site runs on and necessarily have access to data flowing through.
- Government and law enforcement. If we are legally required to share data (court order, valid subpoena, regulatory request), we will, and we will tell you unless legally prohibited.
We do not sell your personal data to anyone, ever.
Where your data is stored
Our servers are in Singapore. Some of our processors store data in other countries:
- Stripe: USA, EU
- SendGrid: USA
- Google Analytics: globally
- Microsoft Clarity: USA
- Meta Pixel: USA
- DigitalOcean: Singapore (primary), USA (backups)
When personal data leaves Singapore, we rely on the legal mechanisms each processor provides (Standard Contractual Clauses, adequacy decisions, etc.) to protect it.
How long we keep your data
| Data | Retention period |
|---|---|
| SGAC application data | 12 months from your arrival date |
| Payment records | 7 years (Singapore tax law requirement) |
| Email logs | 12 months |
| Admin audit logs | 24 months |
| Analytics data | Per the third-party tool's defaults (typically 14 to 26 months) |
After the retention period, we delete or anonymise the data.
Your rights at a glance
Under Singapore's PDPA, you have the right to:
- Access the personal data we hold about you
- Correct any inaccurate data
- Withdraw your consent at any time (though this may affect our ability to provide the service)
- Ask us to delete your data, subject to our legal retention obligations
If you're in the EU or UK, you also have GDPR rights including data portability and the right to object to certain processing.
To exercise any of these rights, email inq@sgaconline.com with the subject line "Privacy request" and your reference code if you have one. We respond within 30 days.
Cookie consent
You control which cookies we set on your device. Manage your preferences via the cookie banner on your first visit, or by clicking the link in our footer. See the cookie policy for the full list.
Children's data
Our service is for travellers of all ages, including children. For travellers under 18, a parent or guardian fills in the application on their behalf. We don't knowingly collect data directly from children under 13.
Security
We protect your data with:
- HTTPS encryption for all data in transit
- Encrypted database storage at rest
- Strict access controls (only authorised staff can view your data)
- Regular security audits
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant authorities within 72 hours, as required by PDPA and GDPR.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via email to active customers and via a notice on this page.
Other policies
For the full picture of how we work with you, see also our disclaimer, terms of service, refund policy, and cookie policy.
Privacy questions or data requests
Email us through the contact page with the subject line "Privacy request". We respond to data requests within 30 days, usually faster.