Privacy policy

Last updated: April 13, 2026

1. Introduction

NAO Health operates this store and website, including all related information, content, features, tools, products and services (the "Services"). NAO Health is powered by Shopify, which enables us to provide the Services to you.

This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you visit, use, or make a purchase using the Services, or otherwise communicate with us. It complies with the Singapore Personal Data Protection Act 2012 ("PDPA") and its accompanying regulations.

If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal data.

By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein.

2. Personal Data We Collect

"Personal data" refers to data about an individual who can be identified from that data, or from that data and other information to which we have access. We may collect the following categories of personal data:

2.1 Data You Provide Directly

- Contact details: name, billing and shipping address, phone number, and email address.
- Financial information: payment card details, financial account numbers, transaction details, and payment confirmation. Note: full payment card data is processed securely by Shopify and our payment processors, not stored by us.
- Account information: username, password, security questions, and account preferences.
- Communications: information included in your messages to us, such as customer support enquiries.

2.2 Data Collected Automatically

- Device and technical data: device type, browser type, operating system, IP address, and unique device identifiers.
- Usage data: how you interact with the Services, pages visited, time spent, links clicked, and navigation patterns.
- Cookies and similar technologies: see Section 6 (Cookies) for full details.

2.3 Data From Third Parties

- From our service providers (e.g., Shopify, payment processors, analytics providers) in connection with the Services.
- From marketing and advertising partners, subject to their own privacy policies.

3. Purposes for Collection, Use, and Disclosure

Under the PDPA, we collect, use, and disclose your personal data only for purposes that a reasonable person would consider appropriate. These purposes include:

3.1 Providing and Improving the Services

We process your personal data to: process orders, payments, returns, and exchanges; manage your account; arrange shipping and fulfilment; send order and account notifications; personalise your shopping experience; and improve our products and services.

3.2 Marketing and Advertising

With your consent where required, we use your personal data to send promotional communications by email, SMS, or post, and to show you relevant online advertisements. You may opt out at any time (see Section 9).

3.3 Security and Fraud Prevention

We use your personal data to authenticate your account, detect and investigate fraudulent or unlawful activity, and secure our Services and systems.

3.4 Customer Support and Communications

We use your personal data to respond to your enquiries, resolve disputes, and maintain our business relationship with you.

3.5 Legal and Regulatory Compliance

We use your personal data to comply with applicable laws (including the PDPA), respond to lawful requests from government or regulatory authorities, and enforce our terms and policies.

4. Disclosure of Personal Data

We may disclose your personal data to the following categories of recipients, for the purposes described in Section 3:

- Shopify and its sub-processors, as our primary platform provider (see Section 7).
- Service providers who perform functions on our behalf, such as payment processing, IT management, data analytics, cloud storage, fulfilment, and shipping. These parties are contractually required to protect your personal data and use it only for the purposes we specify.
- Business and marketing partners for advertising and personalisation, subject to your rights under Section 9.
- Our affiliates and entities within our corporate group.
- Prospective buyers or acquirers in the event of a merger, acquisition, restructuring, or sale of assets, subject to appropriate confidentiality obligations.
- Government, regulatory, or law enforcement authorities where required or permitted by law, including under the PDPA.

We do not sell your personal data to third parties for their own independent use.

5. International Transfers of Personal Data

As we use Shopify (headquartered in Canada) and other international service providers, your personal data may be transferred to, stored, and processed outside Singapore. Under the PDPA, we are required to ensure that overseas recipients provide a standard of protection comparable to the PDPA.

We take the following steps to protect your data in cross-border transfers:

- Contractual arrangements: we impose data protection obligations on overseas recipients through written contracts, consistent with PDPA requirements.
- Adequacy assessments: we assess whether recipient countries provide an adequate level of data protection before transferring personal data.
- For transfers to the European Economic Area or United Kingdom, we rely on the European Commission's Standard Contractual Clauses or equivalent UK mechanisms where applicable.

By using the Services, you consent to your personal data being transferred internationally in the manner described above.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (e.g., pixel tags, web beacons) to operate and improve the Services. These technologies help us:

- Keep you logged in and remember your preferences and cart contents (strictly necessary cookies).
- Analyse how visitors use our website to improve functionality and user experience (analytics cookies).
- Show you relevant advertisements on our site and third-party sites (advertising/targeting cookies).

You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling certain cookies may affect the functionality of the Services (e.g., you may not be able to complete a purchase).

For more information about how Shopify uses cookies, please visit the Shopify Cookie Policy.

7. Our Relationship with Shopify

The Services are hosted on Shopify's platform. Shopify collects and processes personal data about your access to and use of the Services in order to provide and improve its services. Information you submit will be transmitted to and shared with Shopify, as well as third parties that may be located in countries other than Singapore.

Shopify may also use personal data collected about your interactions with our store, with other Shopify merchants, and with Shopify itself, in order to provide enhanced platform features. In these circumstances, Shopify acts as an independent data controller and is responsible for responding to requests to exercise your rights in relation to such processing.

To learn more about how Shopify handles personal data and your rights, please visit: Shopify Consumer Privacy Policy and the Shopify Privacy Portal.

8. Retention of Personal Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:

- Account and transaction data: retained for the duration of your account, and for 5 years after account closure or the last transaction, to comply with legal and tax obligations.
- Customer communications and support records: retained for 3 years from the date of the communication.
- Marketing preferences and consent records: retained for 3 years from the date of your last interaction, or until you withdraw consent.
- Device and usage data (e.g., logs): retained for up to 12 months.
- Financial and payment records: retained for 7 years in accordance with applicable accounting and tax laws.

When personal data is no longer required, we will securely delete or anonymise it in accordance with the PDPA.

9. Your Rights and Choices

Under the PDPA and other applicable laws, you have the following rights in relation to your personal data:

9.1 Right of Access

You may request access to the personal data we hold about you and information about how it has been used or disclosed in the past year.

9.2 Right of Correction

You may request that we correct any personal data we hold about you that is inaccurate, incomplete, or misleading.

9.3 Right to Withdraw Consent

Where we process your personal data based on your consent, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. Please note that withdrawal may affect our ability to continue providing certain Services to you.

9.4 Right to Opt Out of Direct Marketing

You may opt out of receiving promotional communications from us at any time by:

- Clicking the "unsubscribe" link in any marketing email we send you.
- Contacting us directly using the contact details in Section 12.

If you opt out, we may still send you non-promotional communications, such as order confirmations and account notices.

9.5 Right to Data Portability

Where technically feasible, you may request a copy of the personal data you provided to us, in a commonly used machine-readable format.

9.6 Right to Deletion

You may request deletion of your personal data in certain circumstances, subject to our legal and regulatory obligations that require us to retain certain data.

To exercise any of these rights, please contact us using the details in Section 12. We may need to verify your identity before processing your request. We will respond within 30 days or such other period as required by applicable law. We will not charge a fee for reasonable access or correction requests.

We will not discriminate against you for exercising your rights under this Privacy Policy.

10. Security of Personal Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, disclosure, alteration, or destruction. These measures include:

- Encryption of data in transit using TLS (Transport Layer Security).
- Access controls limiting personal data access to authorised personnel only.
- Regular security assessments of our systems and service providers.
- Payment card data is handled by Shopify and our payment processors, who are PCI-DSS compliant. We do not store full payment card numbers on our systems.

However, no method of transmission over the internet or electronic storage is completely secure. While we take commercially reasonable steps to protect your personal data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential. We strongly recommend that you do not share your username, password, or other access details with anyone.

In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by the PDPA and applicable law.

11. Children's Data

The Services are not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us using the details in Section 12 and we will take steps to delete such data promptly.

As of the effective date of this Privacy Policy, we do not knowingly sell or share personal data of individuals under 18 years of age.

12. Third-Party Websites and Links

The Services may contain links to third-party websites or platforms. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit. Information you share on public or semi-public third-party platforms (including social media) may be visible to other users without limitation as to its use.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this Policy and, where required by law, provide you with notice (e.g., by email or a prominent notice on our website). We encourage you to review this Policy periodically.

Continued use of the Services after any changes take effect constitutes your acceptance of the updated Privacy Policy.

14. Complaints

If you have a complaint about how we handle your personal data, please contact our Data Protection Officer (see Section 15). We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore:

Personal Data Protection Commission: www.pdpc.gov.sg

15. Contact Us / Data Protection Officer

NAO Health has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this Privacy Policy and the PDPA. If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact our DPO:

NAO Health
Email: hello@naohealth.co
Address: 701 Geylang Road, #04-04 TeamBuild Centre, Singapore 389687

We aim to respond to all requests and enquiries within 30 days of receipt.

© 2026 NAO Health. All rights reserved.