“My GLP+” Privacy Statement

This privacy statement is effective as of June 17, 2022. Please note that this privacy statement will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.

This page and its sub-pages tell you everything you need to know about how GLP Pte Ltd and/or its affiliates, subsidiaries and newly acquired companies ("GLP"; "we") protect the personal data we process and control relating to you (“your personal data”; "your data") in “My GLP+” mobile application (“My GLP+”; “APP”) and which rights you have in relation to the processing of your personal data.

We attach great importance to your rights to privacy and the protection of your personal data. We want you to feel secure that when you use the APP, your personal data are in good hands. We protect your personal data in accordance with all local applicable laws and local data privacy policies. In addition, we maintain the appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage thereto.

The following sections provide further details as to how the APP processes your personal data:

• Which types of personal data do we collect and how do we process such personal data?

• For which purposes and on which legal basis do we use your personal data?

• What about data security?

• Where will your personal data be processed?

• How long will your personal data be retained by us?

• Which rights do you have with respect to the processing of your personal data?

1. Which types of personal data do we collect and how do we process such personal data?

Fundamentally, “My GLP+” is an GLP internal application and do NOT collect any personal data from the APP directly, except for “Instance IDs” in order to determine which devices to deliver in-app messages to. Below is also a chart describing the categories of personal data we collect:

* “Firebase Cloud Messaging” is used to transmit push messages or so-called in-app messages (messages that are only displayed within the respective app). A pseudonymized push reference is assigned to the mobile device, which serves as a target for the push messages or in-app messages. The push messages can be deactivated and reactivated at any time in the settings of the mobile device. Firebase Cloud Messaging uses “Instance IDs” to determine which devices to deliver messages to. The push messages can be deactivated and reactivated at any time in the settings of the mobile device.

** “Instance IDs” identify individual installations of your app. Since each Instance ID is unique to a particular app and device, they give Firebase services a way to refer to specific app instances. For example, Cloud Messaging uses Instance IDs to determine which devices to send messages to. This data does not represent personally identifiable information for Firebase, nor do Firebase make any efforts to personalize it subsequently.

The above-mentioned types of personal data have been obtained either directly from you offline with your consent (e-business card) or indirectly from certain GLP internal systems (for example, through OA, JDE, G-people and AD). Except where certain information is required by law or by GLP policies (including management of an employment relationship with GLP), your decision to provide any personal data to us is voluntary. Please note that if you do not provide certain information, we may not be able to accomplish some or all of the purposes outlined in this privacy statement, and you may not be able to use certain functions in APP which require the use of such personal data.

2. For which purposes and on which legal basis do we use your personal data?

GLP uses your personal data only where required for specific purposes in the APP. Please view the table below for (i) a list of the purposes for which GLP uses your personal data and (ii) an overview of the legal basis for each such purpose based on APP functions and types of personal information captured in above section:

As a mobile platform to integrate data of selected GLP internal systems only. We will process your personal information for the purposes mentioned above based on your prior consent either offline or inherit from the consents you provided to certain GLP internal systems. If the data we collect are not listed in this privacy statement, we will give individuals (when required by law) appropriate notice of which other data will be collected and how they will be used.

We will process your personal information for the purposes mentioned above based on your prior consent, to the extent such consent is mandatory under applicable laws.

To the extent you are asked to click on/check “I accept”, “I agree” or similar buttons/checkboxes/functionalities in relation to a privacy statement, doing so will be considered as providing your consents to process your personal information, only where such consent is required by mandatory law.

We will not use your personal information for purposes that are incompatible with the purposes of which you have been informed unless it is required or authorized by law. We will not share your personal data with any third parties, except for “Instance IDs” shared with the Firebase service from Google LLC in order to determine which devices to deliver in-app messages to. You may refer to Firebase's key security and privacy information @ Privacy and Security in Firebase (google.com)

3. What about data security?

We maintain organizational and technical security arrangements for all the personal data we hold in the APP. We follow overall GLP enterprise Cybersecurity protocols, controls and relevant policies, procedures, and guidance to maintain these arrangements taking into account the risks associated with the categories of personal data and the processing we undertake.

4. Where will your personal data be processed?

In general, the APP is hosted on AWS cloud for GLP in Singapore and its data is hosted in GLP global data center in China. As a global organization with offices and operations throughout the world, personal data we collect may be transferred or be accessible internationally between Singapore, China and other APP in-scope countries listed in section 1.

Any such transfers throughout GLP’s global business take place are considered as GLP internal communication only and in accordance with the applicable data privacy laws.

5. How long will your personal data be retained by us?

We will retain your personal data only for as long as is necessary. We maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:

• We retain your data as long as we have an ongoing relationship with you.

• We will only keep the data while your account is active or for as long as needed to provide services to you.

• We retain your data for as long as needed in order to comply with our global legal and contractual obligations.

• Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

6. Which rights do you have with respects to the processing of your personal data?

You are entitled (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:

• Request access to the personal data we process about you: this right entitles you to know whether we hold personal data about you and, if we do, to obtain information on and a copy of that personal data.

• Request a rectification of your personal data: this right entitles you to have your personal data be corrected if it is inaccurate or incomplete.

• Object to the processing of your personal data: this right entitles you to request that GLP no longer processes your personal data.

• Request the erasure of your personal data: this right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.

• Request the restriction of the processing of your personal data: this right entitles you to request that the APP only processes your personal data in limited circumstances, including with your consent.

• Request portability of your personal data: this right entitles you to receive a copy (in a structured, commonly used and machine-readable format) of personal data that you have provided to the APP.

If, despite our commitment and efforts to protect your personal data, you believe that your data privacy rights have been violated, we encourage and welcome individuals to come to GLP first to seek resolution of any complaint. You have the right at all times to register a complaint directly with the relevant supervisory authority or to make a claim against GLP with a competent court.

You may exercise would like to exercise your rights by contacting us via itgov@glp.com.