Data Policy
A technical companion to our Privacy Policy. This document describes exactly what data we collect, how it is stored, which third-party processors handle it, how long we keep it, and how to make a data subject request.
01 Overview
This Data Policy is a technical document that describes the specific data handling practices of Wetopia Global Pte. Ltd. in relation to this website (wetopiaglobal.org). It is intended to complement — not replace — our Privacy Policy, which provides the legal framework governing our data practices.
While the Privacy Policy addresses why we collect data, the legal bases for doing so, and your rights under various jurisdictions, this Data Policy focuses on the technical what: which data points are collected, which tools collect them, where data is stored, how long it is retained, and the mechanisms through which you can access or delete it.
Together, these two documents provide full transparency about how personal data flows through our website. If there is any conflict between the two documents, the Privacy Policy shall take precedence for matters of legal rights and obligations.
02 Data We Collect
We collect data through four distinct mechanisms. Each is described below.
(a) Form & Contact Data
When you voluntarily complete a form on the Site, we collect the fields you submit along with a server-side timestamp. The exact fields collected are:
| Form | Fields Collected | Timestamp Recorded |
|---|---|---|
| Join / Interest Form | Full name, email address, role or intention (e.g. consumer, business owner, investor, volunteer) | Yes — date and time of submission (UTC) |
| Contact Form | Full name, email address, message text | Yes — date and time of submission (UTC) |
Form data is not shared with any third-party marketing platform in its raw form. We do not use form submission data to build advertising audiences unless you have explicitly consented to marketing communications.
(b) Analytics Data via Google Analytics 4
Google Analytics 4 (GA4) is loaded on all pages of the Site once analytics cookies are accepted. GA4 collects the following categories of data:
- Page URLs and navigation paths — which pages are visited, in what order, and where users enter and exit the Site.
- Session data — session count, session duration, bounce rate, and engagement rate.
- Device and browser — device category (desktop/tablet/mobile), operating system, browser name and version, and screen resolution.
- Geographic data — country and city, derived from IP address. The full IP address is discarded by Google immediately after geolocation; we have configured GA4 with IP anonymisation enabled.
- Traffic source — referral source (e.g. Google Search, direct, social media), UTM parameters where present.
We do not use GA4 User ID or cross-device linking features. GA4 data is aggregated; individual user profiles are not accessible to us.
(c) Behavioural Data via Microsoft Clarity
Microsoft Clarity is loaded on all pages of the Site once UX/session cookies are accepted. Clarity collects the following behavioural signals:
- Mouse movement coordinates — used to generate heatmaps showing where users hover and move their cursor.
- Click events — clicks on buttons, links, and interactive elements, including "dead clicks" (clicks on non-interactive elements) and "rage clicks" (repeated rapid clicking).
- Scroll depth — how far down a page a user scrolls, expressed as a percentage.
- Session recordings — anonymised video-like replays of a user's session on a single page or across multiple pages.
All form input fields are automatically masked by Clarity. Text typed into any input, textarea, or password field is replaced with asterisks (****) before the data leaves the browser. We do not receive the content of any form field through Clarity. For further details, see Section 7.
(d) Marketing Data via Meta Pixel
The Meta Pixel is loaded on all pages of the Site once marketing cookies are accepted. The Pixel sends the following events to Meta's servers:
- PageView events — fired on every page load, recording that a page was viewed, along with the page URL and browser metadata.
- Custom conversion events — where configured, fired when a user completes a specific action (e.g. form submission).
- Hashed email for audience matching — if a user submits their email via a form on a page where the Pixel is also active, the email address is hashed (SHA-256) by the browser before transmission. The raw email address is never sent to Meta.
Meta uses Pixel data to provide us with aggregated advertising analytics and to enable us to build Custom Audiences for future advertising campaigns. We do not use Meta Pixel for retargeting campaigns without ensuring appropriate consent is in place.
03Data Storage & Security
Form submission data collected directly by Wetopia Global is stored on our servers with the following security controls in place:
- HTTPS / TLS 1.2+: All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all pages and reject non-secure connections.
- Encryption at rest: Personal data stored on our servers is encrypted at rest using industry-standard encryption.
- Role-based access control: Access to stored personal data is restricted to specific authorised personnel with a documented legitimate operational need. Access privileges are reviewed periodically.
- Access logging: Access to personal data stores is logged for audit purposes.
Third-party tools (Google Analytics, Meta Pixel, Microsoft Clarity) store the data they collect on their own infrastructure, under their own security controls and data processing agreements with us. Each processor's security practices are governed by:
- Google: Google Cloud Security Infrastructure — cloud.google.com/security
- Meta: Meta Security Practices — facebook.com/security
- Microsoft: Microsoft Trust Center — microsoft.com/trust-center
04 Retention Schedule
The table below sets out the specific retention period, storage location, and deletion method for each category of data we collect or process:
| Data Type | Retention Period | Storage Location | Deletion Method |
|---|---|---|---|
| Join form submissions | 24 months from date of submission | Wetopia Global servers | Automatic purge at expiry; manual deletion available on request |
| Contact form submissions | 24 months from date of submission | Wetopia Global servers | Automatic purge at expiry; manual deletion available on request |
| GA4 analytics data | 14 months | Google servers (Google Analytics infrastructure) | GA4 data retention settings; automatic deletion on expiry |
| Clarity session recordings | 30 days | Microsoft servers (Clarity infrastructure) | Automatic deletion by Microsoft after 30 days |
| Meta Pixel event data | Per Meta's data retention policy | Meta servers (Meta Business Tools infrastructure) | Governed by Meta's own data retention controls and privacy policy |
You may request early deletion of any personal data we hold directly (form submissions) by contacting us at [email protected] with the subject line "Data Request". For data held by third-party processors, we will assist you in exercising your rights with those processors to the extent we are able under our agreements with them.
05 Third-Party Data Processors
The following third-party organisations process personal data on our behalf as data processors. Each is bound by a data processing agreement (DPA) with Wetopia Global and is prohibited from using personal data for their own independent purposes except as permitted by that agreement and applicable law.
| Processor | Service | Country | DPA / Agreement | Privacy Policy |
|---|---|---|---|---|
| Google LLC | Google Analytics 4 | United States | Google Ads Data Processing Terms (incorporating SCCs) | Google Privacy Policy |
| Meta Platforms, Inc. | Meta Pixel (Facebook Pixel) | United States | Meta Business Tools Terms (incorporating SCCs) | Meta Privacy Policy |
| Microsoft Corporation | Microsoft Clarity | United States | Microsoft Products and Services Data Processing Agreement (incorporating SCCs) | Microsoft Privacy Statement |
We periodically review our processor relationships to ensure continued compliance with applicable data protection law. If we engage a new data processor, we will update this page accordingly.
06Cookies & Tracking Technologies
The following table lists every cookie set or read by the Site or its third-party tools. This list is reviewed and updated whenever we add or remove a service.
| Cookie Name | Category | Purpose | Expiry | Provider |
|---|---|---|---|---|
| (Session cookie) | Strictly Necessary | Core website functionality; maintains your session state while browsing the Site. | Session (deleted on browser close) | Wetopia Global |
| _ga | Analytics | Used by Google Analytics to distinguish individual users by assigning a randomly generated number as a client identifier. | 2 years | |
| _ga_* | Analytics | Used by Google Analytics 4 to maintain session state and store session-level event data. | 2 years | |
| _gid | Analytics | Used by Google Analytics to distinguish users. Stores and updates a unique value for each page visited. | 24 hours | |
| _fbp | Marketing | Used by the Meta Pixel to identify browsers for the purposes of providing advertising services and tracking visitor behaviour across websites that have the Pixel installed. | 90 days | Meta |
| _fbc | Marketing | Stores the Facebook click ID parameter (fbclid) from the landing URL when a user arrives via a Facebook advertisement. | 90 days | Meta |
| _clsk | UX / Session | Used by Microsoft Clarity to link multiple page views by a single user into a single Clarity session recording. | Session (deleted on browser close) | Microsoft |
| _clckv | UX / Session | Used by Microsoft Clarity to persist the Clarity user identifier across sessions, enabling long-term behavioural analysis and heatmap generation. | 1 year | Microsoft |
You can manage cookie preferences via the cookie consent banner displayed on your first visit to the Site. Strictly necessary cookies cannot be disabled as they are required for the Site to function. You may disable analytics, marketing, or UX/session cookies without affecting your ability to access the content of the Site.
07 Session Recording (Microsoft Clarity)
Microsoft Clarity records anonymised session replays of user activity on the Site. This section provides detailed information about what is and is not captured, how data is accessed, and how to opt out.
What Is Recorded
When Clarity is active (i.e. you have accepted UX/session cookies), the following user interactions are captured within your browser session:
- Mouse cursor movement coordinates and paths across the page.
- Click events — including which element was clicked, its position, and whether the click resulted in a page action.
- Scroll position and depth throughout the page.
- Page navigation events — when a user moves from one page to another within the Site.
- Browser window resizes and viewport dimensions.
What Is Masked
Microsoft Clarity applies automatic masking to protect sensitive input data:
- All form input fields (text inputs, email fields, textareas, password fields, and dropdowns) are automatically masked before data leaves the browser. The content of any field you type into is replaced with asterisks (****) in the session recording.
- Clarity does not record keystrokes or the specific text entered into any form field.
- Clarity does not capture payment card numbers, passwords, or other sensitive credentials.
Data Access Controls
Session recordings stored in Microsoft Clarity are accessible only to authorised Wetopia Global team members through the Clarity dashboard. Access is restricted on a role-based basis. Recordings are used exclusively to identify usability issues, broken navigation flows, and areas of friction on the Site — they are not used for surveillance or to profile individual users for marketing purposes.
GDPR Consent Requirement
Under GDPR and the EU ePrivacy Directive, session recording tools require prior consent from users located in the EU/EEA. Clarity is categorised as a UX/session cookie on our consent banner, and is only activated after you accept that cookie category. For users in the UK, the same consent requirement applies under PECR and UK GDPR.
How to Opt Out
You can prevent Microsoft Clarity from recording your sessions in several ways:
- Cookie consent banner: Decline or withdraw consent for the "UX / Session" cookie category. This prevents the Clarity script from loading entirely.
- Microsoft Privacy Dashboard: Manage Microsoft's use of your data at account.microsoft.com/privacy.
- Browser-level opt-out: Use browser privacy settings or an ad/tracker blocking extension to block the Clarity script hosted at
clarity.ms.
08 Data Subject Requests
You have the right to exercise a range of rights over your personal data depending on your jurisdiction. This section explains how to submit a request and what to expect.
How to Submit a Request
Send an email to [email protected] with the subject line "Data Request". Please include the following information in your email:
- Your full name and the email address you used when submitting a form on the Site (so we can locate your records).
- Your jurisdiction or country of residence.
- The specific right or action you are requesting (e.g. access, correction, deletion, export, opt-out).
- Any additional context that will help us locate the relevant data (e.g. approximate date of form submission).
We may ask for additional verification of your identity before processing sensitive requests such as access or deletion, to protect against unauthorised requests.
Response Times
| Jurisdiction / Law | Statutory Response Period |
|---|---|
| GDPR (EU/EEA) | 30 days from receipt of request; extendable by a further 60 days for complex or multiple requests (with notification within the initial 30 days). |
| UK GDPR | 30 days (same as GDPR). |
| CCPA / CPRA (California) | 45 days from receipt of verifiable consumer request; extendable by a further 45 days with notice. |
| PDPA (Singapore) | 30 days. |
| All other jurisdictions | 30 days (our standard commitment). |
What We Can Do
- Access: Provide you with a copy of the personal data we hold about you, including the data fields, timestamps, and any processing we have applied to it.
- Correct: Update inaccurate or incomplete personal data records.
- Delete: Erase your personal data from our records, subject to any legal obligations that require us to retain it (e.g. financial record-keeping requirements).
- Export: Provide your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) for portability purposes.
For data held by third-party processors (Google, Meta, Microsoft), we will notify the relevant processor of your deletion or access request to the extent required by our agreements with them. However, some data held by those processors may be subject to their own privacy policies and may require you to contact them directly.
09 Data Breach Notification
We maintain procedures to detect, investigate, and report personal data breaches in accordance with applicable law. Our key commitments are as follows:
Supervisory Authority Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR (and the equivalent provision of the UK GDPR). The notification will include:
- A description of the nature of the breach, including categories and approximate number of data subjects affected.
- The name and contact details of our data protection point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
User Notification
Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals directly without undue delay. Notifications will be made by email (using the address provided in form submissions) and/or by a prominent notice on the Site, and will include a plain-language description of the breach and the steps individuals should take to protect themselves.
Internal Breach Register
We maintain an internal data breach register documenting all actual or suspected personal data breaches, regardless of whether they meet the threshold for supervisory authority or user notification. The register records the date of discovery, a description of the incident, the data affected, the response taken, and the outcome. This register is reviewed periodically as part of our information security governance process.
10 Contact
For any questions about this Data Policy, to exercise your data rights, or to report a concern about our data practices, please contact us:
- Email: [email protected]
- Phone: +65 3106 4133
- Postal Address: Wetopia Global, 10 Anson Road, Singapore
For data subject requests, use the subject line "Data Request". You may also refer to our Privacy Policy for the legal framework governing your rights, or our Terms of Use for the conditions governing use of the Site.