Effective Date:3 January 2026

Healthcare GRC Pte. Ltd. dba QUASR+ (“QUASR+”, “we”, “us”) provides a cloud-based healthcare platform for incident reporting and patient safety. We are headquartered in Singapore and support customers globally. This Privacy Policy explains how we collect, use, and protect personal data when you visit our website or use our services.

1) Who this policy applies to

This policy applies to:

• Visitors to QUASR+ websites
• Users of the QUASR+ platform (such as healthcare staff and administrators)
• Individuals who contact us for enquiries, support, or training

When QUASR+ is used by a healthcare organisation, that organisation controls what data is entered into the platform and how it is used. In those cases, QUASR+ processes data on the organisation’s behalf to provide the service.

2) What personal data we collect

Depending on how you interact with QUASR+, we may collect:

User and account information

• Name, work email, job title, organisation
• Login and authentication details

Incident reporting information

• Incident reports and related content entered by authorised users
• This may include staff and patient-related information, depending on customer configuration and legal requirements

Website and technical information

• IP address, device and browser type
• Usage, log, and security data

Communications

• Enquiries, support requests, and training interactions

3) How we use personal data

We use personal data to:

• Provide, operate, and support the QUASR+ platform
• Enable incident reporting, analysis, and patient safety workflows
• Manage user access, security, and audit trails
• Respond to enquiries and provide customer support
• Improve system performance, reliability, and security
• Meet legal, regulatory, and contractual obligations

We do not sell personal data.

4) Sensitivedata, protected health information

QUASR+ may process sensitive or protected health information (PHI) strictly to deliver services to healthcare customers and based on their instructions.

Where applicable:

• Health information is handled in line with healthcare data protection laws, including HIPAA (United States), where QUASR+ acts as a business associate to covered entities
• Additional safeguards are applied, including access controls, audit logging, and encryption

QUASR+ does not use health data for any other unrelated purposes.

5) How we share personal data

We may share personal data with:

• Authorised users and administrators within your organisation
• Trusted service providers who support our operations (such as cloud hosting and security), under strict confidentiality and data protection obligations
• Regulators or authorities, where required by law

Our service providers are not permitted to use personal data for their own purposes.

6) International data transfers

As a global service, personal data may be processed or stored outside Singapore. When we transfer data internationally, we ensure appropriate safeguards are in place to protect personal data in line with Singapore’s PDPA, GDPR (where applicable), HIPAA safeguards, and equivalent international standards.

7) How we protect personal data

We use reasonable administrative, technical, and organisational measures to protect personal data, including:

• Encryption in transit and at rest (where appropriate)
• Role-based access controls
• System monitoring and audit logs
• Secure development and operational practices

8) Data retention

We retain personal data only for as long as necessary to provide our services and meet legal or contractual requirements. Data retention and deletion are governed by customer agreements and applicable laws.

9) Your rights

Singapore (PDPA)

If you are in Singapore, you may request access to or correction of your personal data held by QUASR+, in accordance with the Personal Data Protection Act (PDPA).

European Union / United Kingdom (GDPR)

If you are located in the EU or UK, you may have additional rights under the GDPR, including the right to:

• Access your personal data
• Request correction or deletion
• Request a copy of your data in a portable format
• Object to or restrict certain processing

United States (HIPAA)

If QUASR+ processes protected health information on behalf of a U.S. healthcare organisation, individual rights under HIPAA are handled by the healthcare organisation (as the covered entity). QUASR+ supports those obligations as a service provider.

10) Cookies

Our websites use cookies and similar technologies. Please see our Cookie Policy for details.

11) Contact us

For privacy questions or requests, please contact:

Privacy Contact / Data Protection Officer
QUASR+
Email: vinoth.j@healthgrc.com
Address: Singapore