Privacy Policy

1. Who We Are

Velarys is a board and executive-level advisory firm headquartered in Singapore. We provide strategic, governance, financial, and risk advisory services to institutional clients across Asia, the Middle East, and Africa. We act as data controller in respect of personal data processed in connection with our website and client engagements.

2. Personal Data We Collect

We may collect the following categories of personal data:

• Identity data: name, professional title, designation, and credentials
• Contact data: business email address, telephone number, and mailing address
• Enquiry data: content submitted through the website contact form or direct correspondence
• Usage and technical data: IP address, browser type, device type, pages visited, and session duration, collected through cookies and analytics tools
• Engagement data: corporate records, financial information, ownership details, and personal data of officers or counterparties provided in the course of an advisory engagement
• Communications data: records of correspondence, meeting notes, and preferences maintained in the course of a client relationship

We do not intentionally collect sensitive personal data (including health data, government identification numbers, or biometric data) through our website. Any such data arising within a client engagement is governed by the relevant engagement letter and a separate data processing agreement where required.

3. How We Collect Personal Data

We collect personal data through the following channels:

• Direct submission via the website contact form, email, or telephone
• Business introductions, referrals, or correspondence received at meetings or events
• Client-provided documentation and third-party disclosures in the course of an engagement
• Publicly available sources including corporate registries, regulatory filings, and professional directories
• Cookies and analytics tools embedded in our website (see Section 9)

4. Purposes of Collection and Use

We collect and process personal data for the following purposes:

• Responding to website enquiries and assessing suitability for an advisory engagement
• Performing advisory, strategic, financial, and governance services pursuant to a client engagement
• Conducting due diligence, conflict-of-interest checks, and know-your-client assessments as required by professional standards
• Complying with legal, regulatory, and professional obligations in applicable jurisdictions
• Managing client relationships and maintaining internal records
• Sending relevant publications, insights, or event invitations where consent has been given or a legitimate interest applies
• Improving the content and functionality of our website through aggregated analytics

We will not use personal data for purposes materially different from those stated above without your prior consent, except as required by law.

5. Legal Bases for Processing

Under the PDPA, we rely on the following bases for processing personal data:

• Consent: where you have voluntarily provided personal data through the website contact form, subscribed to our communications, or expressly agreed to processing
• Contractual necessity: where processing is required to perform or prepare for an advisory engagement
• Legitimate interests: where we have a bona fide business interest not overridden by your data protection rights, such as maintaining client records, conducting conflict checks, and improving our services
• Legal obligation: where processing is required to comply with applicable law, regulatory requirements, or court orders

Where consent is the applicable basis, you may withdraw it at any time without affecting the lawfulness of prior processing. Withdrawal should be communicated to [email protected].

6. Disclosure of Personal Data

We may disclose personal data to the following parties:

• Members of our advisory network or associated firms engaged to assist on a specific mandate, under confidentiality obligations
• Third-party service providers including cloud platforms, CRM systems, document management tools, and email infrastructure, contracted to process data on our behalf
• Regulatory, judicial, or governmental authorities where disclosure is required by applicable law or legal process
• Counterparties in a transaction or restructuring where disclosure is necessary to complete the engagement and the data subject has been informed

We do not sell, rent, or commercially exploit personal data. All third-party service providers are bound by contractual data protection obligations consistent with the PDPA.

7. Cross-Border Data Transfers

Our operations span multiple jurisdictions including Singapore, India, Indonesia, the United Arab Emirates, and Sri Lanka. Personal data may be transferred to and processed in these jurisdictions in the ordinary course of our advisory work.

Where personal data is transferred outside Singapore, we take reasonable steps to ensure that the recipient provides a standard of protection comparable to that required under the PDPA, whether through contractual safeguards, binding professional obligations, or equivalent measures.

8. Retention of Personal Data

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law, professional obligations, or regulatory requirements. The following schedule applies:

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Anonymised or aggregated data from which individuals cannot reasonably be identified is not subject to these retention limits.

9. Cookies and Website Analytics

Our website uses cookies and analytics tools to understand visitor behaviour and improve user experience. Three categories of cookies are used:

A cookie notice is displayed on your first visit to the Site. You may configure or disable non-essential cookies at any time through your browser settings or through the cookie preference controls on the Site. Disabling non-essential cookies will not impair access to the substantive content of our website. We do not use cookies for behavioural advertising or cross-site tracking.

10. Your Rights

Under the PDPA, you have the following rights in respect of your personal data:

• Access: to request confirmation of what personal data we hold about you and to obtain a copy
• Correction: to request correction of inaccurate or incomplete personal data
• Withdrawal of consent: to withdraw consent previously given, subject to reasonable notice and any overriding legal or contractual constraints
• Do-Not-Call: to register your Singapore telephone number against marketing communications, in accordance with the PDPA Do-Not-Call provisions

To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will acknowledge your request within 5 business days and respond in full within 30 calendar days. Where a request is complex or voluminous, we may extend this period by a further 30 days and will notify you accordingly. We do not charge a fee for routine requests.

11. Security

We implement administrative, technical, and physical safeguards commensurate with the nature and volume of personal data we handle. Measures include role-based access controls, encryption of data in transit, secure cloud infrastructure with access logging, and contractual data protection obligations imposed on third-party service providers.

In the event of a personal data breach likely to result in significant harm to affected individuals, we will notify the Personal Data Protection Commission and those individuals in accordance with the mandatory breach notification obligations under the PDPA within 3 business days of completing our assessment.

12. Do-Not-Call Registry

Velarys complies with the Do-Not-Call provisions of the PDPA. Before sending any marketing message to a Singapore telephone number, we screen against the DNC Registry. You may register your number at www.dnc.gov.sg. If you have received an unsolicited marketing message from us in error, please notify us at [email protected] and we will investigate and remediate promptly.

13. Contact and Data Protection Officer

For questions, complaints, or requests relating to this Privacy Policy or our data handling practices, please contact:

If you are dissatisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore at www.pdpc.gov.sg.

14. Other Jurisdictions

Velarys currently operates exclusively with clients in Asia, the Middle East, and Africa and does not direct its services at individuals in the EU or EEA. Accordingly, the EU General Data Protection Regulation does not apply to our current operations.

Should Velarys expand to serve clients or individuals in jurisdictions with distinct data protection regimes, including the EU/EEA (GDPR), India (Digital Personal Data Protection Act 2023), or Indonesia (PDP Law No. 27/2022), this policy will be reviewed and updated before any such processing commences. Affected individuals will be notified of material changes prior to processing.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory guidance. Material changes will be announced on our website with a revised effective date. Continued use of our website following notification constitutes acceptance of the updated policy.