GDPR Compliance
Last updated: May 26, 2026
Our Commitment to GDPR
While Affort Racu operates primarily in Singapore, we recognize that some of our students and website visitors may be located in the European Union. We are committed to complying with the General Data Protection Regulation (GDPR) for all individuals whose personal data we process.
Data Controller
For the purposes of GDPR, Affort Racu acts as the data controller for personal information collected through our website and course enrollment processes.
Contact details:
Affort Racu
152 Beach Road, Gateway East Building
Singapore 189721
Email: [email protected]
Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR:
- Article 6(1)(b) - Contract: Processing necessary for the performance of a contract (course enrollment and delivery)
- Article 6(1)(a) - Consent: You have given explicit consent for specific processing activities (e.g., marketing communications)
- Article 6(1)(f) - Legitimate interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, service improvement)
- Article 6(1)(c) - Legal obligation: Processing necessary to comply with legal requirements
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to access that data along with specific information about the processing.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data and completion of incomplete data.
Right to Erasure (Article 17)
Under certain circumstances, you can request deletion of your personal data, including when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Right to Restriction of Processing (Article 18)
You can request restriction of processing when:
- You contest the accuracy of the data
- Processing is unlawful but you oppose erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification of legitimate grounds
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected] with:
- Your full name and contact information
- Specific details of your request
- Proof of identity (to prevent unauthorized disclosure)
We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of any extension.
Data Protection Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymization and encryption of personal data
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- Regular testing and evaluation of security effectiveness
- Ability to restore availability and access to data in a timely manner after incidents
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Provide information about the nature of the breach, likely consequences, and measures taken or proposed
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions recognizing equivalent data protection standards
- Binding Corporate Rules for intra-organizational transfers
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Retention periods vary depending on:
- The nature of the data and processing purpose
- Legal or regulatory retention requirements
- The need to preserve data for legal claims
After the retention period expires, we securely delete or anonymize the data.
Children's Data
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will delete it promptly.
Updates to This Statement
We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website with an updated "Last updated" date.
Contact Information
For questions about GDPR compliance or to exercise your rights:
Email: [email protected]
Address: 152 Beach Road, Gateway East Building, Singapore 189721