Privacy Policy
Last Updated: [17 November 2025]

The Curious Bonsai (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in compliance with Singapore’s Personal Data Protection Act 2012 (“PDPA”) and other applicable data protection laws.

1. Data Protection Officer (DPO)
For any questions or concerns regarding your personal data or this policy, you can contact our Data Protection Officer at:

Email: [hello@thecuriousbonsai.com]

Address: [12 Purvis Street, 02-01, Suite C, Singapore 188591]

2. Personal Data We Collect
We may collect the following types of personal data:

  • Identity and Contact Data: Name, email address, phone number, date of birth.
  • Client Service Data: Information you provide during intake and sessions, including session notes, background information, and goals. This may include sensitive health information, which we handle with the utmost care.
  • Corporate Client Data: Your name, work email, and job title if you are using our services through your employer.
  • Financial and Transaction Data: Payment card details (processed securely by our third-party payment processor) and billing information.
  • Technical and Usage Data: IP address, browser type, device information, and information about how you use our website, collected via cookies and similar technologies.
  • Sensitive Data: We avoid collecting sensitive clinical details through general website contact forms. Such data is collected only through secure channels during our formal intake process, with your explicit consent.

3. How We Use Your Personal Data
We use your personal data for the following purposes:

  • Providing Services: To schedule appointments, conduct therapy or coaching sessions, and manage your client file.
  • Communication: To respond to your inquiries and send you service-related information (e.g., appointment reminders).
  • Billing and Administration: To process payments and manage our accounts.
  • Improving Our Services: To analyze website usage and improve our offerings.
  • Marketing and Outreach: To send you newsletters or promotional materials, only with your explicit consent.
  • Legal and Safety Obligations: To comply with legal requirements, professional ethical standards, or to protect the safety of you or others in situations of imminent harm.


4. Marketing, DNC, and Spam Control
We distinguish between service-related communications and marketing communications.

We will only send you marketing materials (e.g., newsletters, workshop announcements) via email, SMS, or WhatsApp if you have given us clear, opt-in consent.
For marketing messages sent to Singapore telephone numbers, we will check the Do Not Call (DNC) Registry, unless we have your explicit consent to send you such messages.
You can unsubscribe from marketing communications at any time by clicking the “unsubscribe” link in an email or by replying “STOP” to an SMS/WhatsApp message. We will process your request within 10 business days.
Our commercial electronic messages comply with the Spam Control Act, including providing a clear unsubscribe facility.


5. Cookies and Analytics
Our website uses cookies. A cookie is a small file placed on your device. We use them to operate our site, analyze performance, and, with your consent, for marketing purposes.

Consent: For visitors from jurisdictions requiring prior consent (like the EU/UK), we will not set non-essential (e.g., analytics, marketing) cookies until you have provided consent via our cookie banner. You can manage your cookie preferences at any time.

Cookie | Purpose | Duration | Provider
sessionid | To maintain your session on the site. Essential for site function. | Session | The Curious Bonsai
_ga, _gid | To distinguish users for website analytics. Non-essential. | 2 years | Google Analytics
[Payment_Cookie] | To facilitate secure payments. Essential. | Session | [e.g., Stripe]
You can block cookies by activating the setting on your browser that allows you to refuse all or some cookies.

6. Your Rights Under the PDPA
You have the following rights regarding your personal data:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Correction: You can request to correct any inaccurate or incomplete data.
  • Right to Withdraw Consent: You can withdraw your consent for the collection, use, or disclosure of your personal data at any time (though this may affect our ability to provide Services).

To exercise these rights, please contact our DPO. We will aim to respond to your request within 30 calendar days. If we require more time, we will inform you in writing. A reasonable fee may be charged for access requests to cover our administrative costs.

7. Data Breach Notification
In the event of a data breach, we will take immediate steps to assess the situation. If we determine that the breach is a “notifiable data breach” under the PDPA (i.e., it is likely to result in significant harm to affected individuals, or it affects 500 or more individuals), we will:

  • Notify the Personal Data Protection Commission (PDPC) within 3 calendar days.
  • Notify affected individuals as soon as practicable.


8. Data Security
We have implemented appropriate administrative, physical, and technical security measures to protect your personal data from unauthorized access, use, or disclosure. These include access controls, encryption of data in transit, and regular security reviews of our third-party data processors.

9. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law or professional guidelines.

  • Clinical/Psychotherapy Notes: Retained for 7 years after the last client contact, in line with professional body guidelines.
  • Coaching Notes: Retained for 3 years after the last client contact.
  • Financial Records: Retained for at least 5 years as required by Singapore tax law.
Once the retention period expires, we will securely destroy or anonymize your personal data.

10. Cross-Border Data Transfers
To provide our Services, we may use third-party service providers (e.g., for cloud hosting, scheduling, video conferencing) located outside of Singapore. When we transfer your personal data overseas, we will ensure a standard of protection comparable to that provided under the PDPA. We achieve this through:

  • Legally enforceable obligations, such as the PDPC’s Model Clauses.
  • Binding corporate rules.
For EU/UK Data Subjects: Please note that Singapore does not have an “adequacy decision” from the European Commission. For transfers of personal data from the EU/UK, we rely on Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreement (IDTA) to provide appropriate safeguards.

11. Data of Minors
We are committed to protecting the privacy of children and young persons.

  • For individuals below the age of 13, we require verifiable consent from a parent or legal guardian before collecting personal data.
  • For individuals aged 13 to 17, they may be able to provide consent on their own behalf if they have sufficient understanding of the nature and consequences of giving consent. We will assess this on a case-by-case basis.


12. Data Portability
The PDPA includes a Data Portability Obligation that is not yet in effect. We will update this policy to reflect your rights under this obligation once the relevant regulations commence.

Addendum for Individuals in the European Economic Area (EEA) and United Kingdom (UK)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR. This addendum supplements our main Privacy Policy.

Lawful Basis for Processing: We process your personal data on the following lawful bases:

  • Consent: For marketing communications and the use of non-essential cookies.
  • Contract: To fulfill our contractual obligations to you when providing our Services.
  • Legitimate Interests: For security, website analytics, and administrative purposes, provided your rights do not override these interests.
  • Legal Obligation: To comply with our legal and professional obligations.


Your Additional Rights:

  • Right to Erasure (‘Right to be Forgotten’): You can ask us to delete your personal data in certain circumstances.
  • Right to Restrict Processing: You can ask us to suspend the processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: You can object to our processing of your data where we are relying on a legitimate interest.


To exercise these rights, please contact our DPO. You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK).

13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the “Last Updated” date.