GDPR Compliance Statement
General Data Protection Regulation
Last updated: May 13, 2026
Our Commitment to GDPR
Settom Goal Setting is committed to complying with the General Data Protection Regulation (GDPR) and protecting the rights of individuals in the European Economic Area (EEA) regarding their personal data.
This page outlines how we fulfill GDPR requirements and respect your data protection rights.
Data Controller Information
Data Controller: Settom Goal Setting
Address: Marina Bay Financial Centre, 8 Marina Boulevard, #12-07, Singapore 018981
Email: [email protected]
Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so under Article 6 of the GDPR:
Consent (Article 6(1)(a))
We obtain your explicit consent for:
- Marketing communications and newsletters
- Non-essential cookies and tracking technologies
- Sharing testimonials or case studies
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Contract Performance (Article 6(1)(b))
Processing is necessary for:
- Delivering coaching and transformation programs you've enrolled in
- Communicating about your program sessions and progress
- Processing payments and maintaining service records
Legal Obligation (Article 6(1)(c))
Processing is required to comply with:
- Tax and accounting regulations
- Financial record-keeping requirements
- Response to lawful requests from authorities
Legitimate Interests (Article 6(1)(f))
We process data based on legitimate interests for:
- Improving our services and website functionality
- Preventing fraud and ensuring security
- Internal analytics and business operations
We conduct balancing tests to ensure our interests do not override your rights and freedoms.
Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your data and request a copy of that data. We will provide the information within one month of your request.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. We will make corrections promptly and notify relevant third parties if necessary.
Right to Erasure / Right to be Forgotten (Article 17)
You can request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate grounds exist
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
This right is not absolute and may be limited by legal obligations to retain certain data.
Right to Restriction of Processing (Article 18)
You can request limitation of processing when:
- You contest the accuracy of the data (for the period while we verify)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You object to processing (pending verification of our legitimate grounds)
Right to Data Portability (Article 20)
You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when:
- Processing is based on consent or contract
- Processing is carried out by automated means
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22)
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. All decisions regarding our services involve human judgment.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us at:
Email: [email protected]
Subject Line: GDPR Rights Request
Please include:
- Your full name and email address
- The specific right you wish to exercise
- Any relevant details about your request
- Proof of identity (if required for verification)
We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of the extension.
Data Protection Measures
We implement appropriate technical and organizational measures to ensure data security:
Technical Measures
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication and access controls
- Regular security audits and vulnerability assessments
- Firewalls and intrusion detection systems
- Secure backup and disaster recovery procedures
Organizational Measures
- Data protection training for all staff
- Strict access policies limiting data access to authorized personnel
- Confidentiality agreements with employees and contractors
- Data protection impact assessments for high-risk processing
- Incident response and data breach notification procedures
International Data Transfers
When we transfer personal data outside the EEA, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions confirming equivalent data protection standards
- Additional supplementary measures where necessary
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware
- We will notify affected individuals without undue delay if the breach poses a high risk
- Notifications will include the nature of the breach, likely consequences, and measures taken or proposed
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected:
- Client program data: Duration of program + 3 years
- Financial records: 7 years (legal requirement)
- Marketing data: Until consent is withdrawn
- Technical logs: 2 years
After retention periods expire, data is securely deleted or anonymized.
Third-Party Processors
We work with third-party service providers who process data on our behalf. All processors:
- Are bound by Data Processing Agreements compliant with Article 28 GDPR
- Process data only on our documented instructions
- Implement appropriate security measures
- Assist with responding to data subject rights requests
- Delete or return data upon termination of services
Children's Data
Our services are not directed at children under 16 years of age. We do not knowingly collect or process data of children without parental consent. If we become aware of such processing, we will delete the data immediately.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.
For Singapore-based operations, the relevant authority is:
Personal Data Protection Commission (PDPC)
Website: www.pdpc.gov.sg
Updates to GDPR Compliance
We regularly review and update our GDPR compliance measures. Material changes will be communicated through our website and, where appropriate, via direct notification.
Contact Information
For questions about our GDPR compliance or to exercise your rights:
Data Protection Officer
Email: [email protected]
Address: Marina Bay Financial Centre, 8 Marina Boulevard, #12-07, Singapore 018981