Privacy Policy
Last updated: 22 October 2025
Gray & Gray, comprising Gray & Gray APAC LLP, Gray & Gray Pte. Ltd., Grays LLC, and each of their respective affiliates and subsidiary undertakings (collectively, "Gray & Gray," the "Company," "we," "us," or "our"), is committed to safeguarding the privacy of visitors to our website, users of our login platform, contacts for our clients and prospective clients, contacts for suppliers of goods and services to the Company, candidates for employment or engagement, and any other individuals about whom the Company obtains personal data (each, "you"). Please read the following policy, which sets out the principles governing the Company's use of personal data that we may obtain about you, to understand how the Company collects, uses, and otherwise processes your personal data as well as the rights that you have in relation to our processing of that data (the "Privacy Policy"). In this Privacy Policy, "personal data" means information that (either in isolation or in combination with other information held by the Company) enables you to be identified or recognized as an individual, or as otherwise defined under applicable laws such as the Singapore Personal Data Protection Act 2012 (the "PDPA"), the Australian Privacy Act 1988 (including the Australian Privacy Principles, or "APPs"), and the UK General Data Protection Regulation (the "UK GDPR") and Data Protection Act 2018.
Gray & Gray is the data controller in relation to any personal data that the Company processes about you and is responsible for ensuring that such processing complies with applicable data protection laws, including the PDPA, APPs, and UK GDPR. Your privacy is important to us. Please be aware that Company personnel are required to comply with the Company’s data privacy practices as set out in this Privacy Policy and other data privacy-related Company policies. This Privacy Policy, together with our website terms of use and any other documents referred to in it, sets out the types of personal data we collect, how we collect and process that data, who we share it with in relation to the services we provide, and certain rights and options that you have in this respect.
Please click on the link below for the contact details of Gray & Gray’s offices and affiliated entities in your jurisdiction: [Insert link to locations page, e.g., https://www.twograys.com/locations].
If you have any comments or questions in connection with this Privacy Policy, or for further information on our processing activities and your rights in relation to your personal data, please contact us via email at DataProtection@twograys.com or by post to Data Protection, Gray & Gray Pte. Ltd., [Singapore Headquarters Address]. Questions, comments, and requests regarding this Privacy Policy are welcomed and should be addressed to our Privacy Team at the above contact details.
Personal Data We Collect
We collect and process the following categories of personal data from you:
- Identity and Contact Data, including your name, address, telephone number, date of birth, marital status, passport number, employment history, educational or professional background, tax status, employee number, job title and function, and other personal data concerning your preferences relevant to our services;
- Financial and Payment Data, including your bank account and other data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers, and other related billing information;
- Business Information, including information provided in the course of the contractual or client relationship between you or your organisation and Gray & Gray, or otherwise voluntarily provided by you or your organisation;
- Information relevant to our services, including personal data relevant to any dispute, grievance, investigation, arbitration, or other advice or services we have been asked to provide to our client;
- Profile and Usage Data, including passwords to Gray & Gray’s websites, login platform, or password-protected platforms or services, your preferences in receiving marketing information from us, your communication preferences, and information about how you use our website(s) or login platform, including the services you viewed or searched for, page response times, download errors, length of visits, and page interaction information (such as scrolling, clicks, and mouse-overs). To learn more about our use of cookies or similar technology, please check our Cookie Policy [Insert link];
- Technical Data, including information collected during your visits to our website(s) or login platform, the Internet Protocol (IP) address, login data, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system, and platform. To learn more about our use of cookies or similar technology, please check our Cookie Policy [Insert link];
- When we use analytic cookies, Profile and Usage Data and Technical Data (as defined above) are collected and used;
- Physical Access Data, relating to details of your visits to our premises;
- Sensitive personal data: In the course of our services, we may collect and use sensitive personal information relating to you (that is, information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life and sexual orientation, genetic or biometric data, or details of criminal offences). For example, in employment-related services, information about medical conditions, race, religion, and/or sexual orientation may be relevant. In tax or regulatory matters, we may collect sensitive personal data if advising on disabilities or other protected characteristics. Where we process sensitive personal data, we do so only with your explicit consent (where required), to establish, exercise, or defend legal claims, or to fulfill rights and obligations under applicable employment, social security, or other laws. In Australia, sensitive personal data also includes membership of a political association or a professional or trade association.
Although you are not required to provide any personal data on the public areas of our website, you may choose to do so by completing forms such as job application forms, newsletter sign-up forms, or through our login platform. Should you do so, we may, for example, keep a record of your name, email address, and any other information you voluntarily provide to us.
We may supplement the information that you provide to us with information that we receive or obtain from other sources, such as from our staff or personnel, clients, professional advisers, partners, and agents of Gray & Gray, third parties with whom we interact, and publicly available sources.
Sources of Personal Data Collected. We obtain categories of personal data listed above from the following categories of sources:
- Directly from you, such as when you complete forms, register or use our login platform, or interact with our services.
- Indirectly from you, such as observing your actions on our website or login platform, and from publicly available sources.
- Third parties, including third-party vendors that support our login platform and store personal information on our behalf under our instructions.
Our website includes a login platform supported by third-party vendors who may store and process personal data on our behalf. These vendors are contractually obligated to handle your personal data only in accordance with our instructions and applicable laws, and we implement measures to ensure the security and confidentiality of such data. We are not responsible for the data policies or procedures of these third-party vendors beyond our contractual arrangements, and we recommend reviewing their privacy policies where applicable.
Information about Other People
If you provide information to us about any person other than yourself, such as your employees, counterparties, advisers, or suppliers, you must ensure that they understand how their information will be used, that they have given their permission for you to disclose it to us, and that you allow us and our service providers to use it in accordance with this Privacy Policy.
How We Collect Your Personal Data
The circumstances in which we may collect personal data about you include:
- When you or your organisation seek services from us or use our login platform or other online services;
- When you or your organisation offer to provide, or provide, services to us;
- When it is provided to us by a third party because you are the subject of, or your data is otherwise included in, services we are asked to provide to that third party (e.g., in an employment dispute or investigation);
- When you correspond with us by phone, email, or other electronic means, or in writing, or when you provide other information directly to us, including in conversation with our staff;
- When you or your organisation browse, complete a form, make an enquiry, or otherwise interact on our website, login platform, or other online platforms;
- When you attend our seminars or other events or sign up to receive information from us, including training;
- By making enquiries from your organisation, other organisations with whom you have dealings such as former employers and educational institutions, or from third-party sources such as government agencies, credit reporting agencies, information service providers, or publicly available records.
In addition to standard security measures, we may use CCTV or other monitoring for health, safety, and security purposes at our premises.
If You Fail to Provide Personal Data
Where we need to collect personal data by law, or in order to process your instructions, perform a contract we have with you, or provide access to our login platform or services, and you fail to provide that data when requested, we may not be able to carry out your instructions, perform the contract, or provide the services. In such cases, we may have to cancel our engagement or contract with you, but we will notify you if this is the case at the time.
Information Usage
We may use your personal data for the following purposes and, for each purpose, based on the following legal grounds:
- To fulfil a contract, or take steps linked to a contract, with you or your organisation. This includes:
  - To register you as a client or user of our login platform;
  - To provide and administer services, as instructed by you or your organisation;
  - To process payments, billing, and collection; and
  - To process applications for employment.
- As required by Gray & Gray to conduct our business and pursue our legitimate interests, in particular:
  - To administer and manage our relationship with you, including accounting, auditing, and taking other steps linked to the performance of our business relationship, including identifying persons authorised to represent our clients, suppliers, or service providers;
  - To carry out background checks, where permitted;
  - To analyse and improve our services, login platform, and communications, and to monitor compliance with our policies and standards;
  - To manage access to our premises and for security purposes;
  - To protect the security of our communications, login platform, and other systems, and to prevent and detect security threats, frauds, or other criminal or malicious activities;
  - For insurance purposes;
  - To exercise or defend our legal rights or to comply with court orders;
  - To provide services to our clients;
  - To communicate with you to keep you up-to-date on the latest developments, announcements, and other information about our services (including briefings, newsletters, and other information), events, and initiatives; to send you details of client surveys, marketing campaigns, market analysis, or other promotional activities; and
  - To collect information about your preferences to personalise and improve the quality of our communications with you.
- For purposes required by law, including maintaining records, compliance checks or screening and recording (e.g., anti-money laundering, financial and credit checks, fraud and crime prevention and detection, trade sanctions, and embargo laws). This can include automated checks of personal data you provide about your identity against relevant databases and contacting you to confirm your identity, or making records of our communications with you for compliance purposes.
Save as otherwise set out in this Privacy Policy, where personal data is collected as part of our due diligence processes, such personal data will only be used for the purposes of preventing money laundering, terrorist financing, or other illicit activities. It will not be used for any other purpose without your consent. We will not use your personal data for making any automated decisions affecting you or for creating profiles other than as described above, to the maximum extent permitted by applicable laws.
Under the PDPA, we ensure that any collection, use, or disclosure of personal data is for purposes that a reasonable person would consider appropriate in the circumstances. Under the APPs, we adhere to principles such as collecting only necessary data, using it for notified purposes, and ensuring accuracy. Under the UK GDPR, processing is based on lawful bases such as contract, legitimate interests, consent, or legal obligation, with special category data (e.g., health or religious data) processed only with explicit consent or as otherwise permitted.
Information Sharing
We may share your personal data with the following categories of recipients:
- Other entities within Gray & Gray (including Gray & Gray APAC LLP, Gray & Gray Pte. Ltd., Grays LLC, and their respective affiliates and subsidiary undertakings) to provide services to you and to administer any service provided to you that the Company agrees to undertake;
- Professional advisers, partners, and agents of Gray & Gray to provide you with local services, as required, and to administer our relationship with you;
- Vendors that will process your personal data on our behalf and under our written instructions to carry out their services during the course of our business, such as IT service providers (including those supporting our login platform), financial institutions, customer relationship management databases and other platforms, software, tools and solutions that are hosted in the cloud, third-party companies providing us with business analytics and statistics to assist with our marketing campaigns, and third-party venues in which we may host events and seminars. We contract with such vendors to ensure that they only process your personal data under our instructions and ensure the security and confidentiality of your personal data by implementing the appropriate technical and organizational measures for such processing. Third-party vendors supporting our login platform may store personal information, but only as necessary to provide the platform services and in compliance with applicable laws;
- Any law enforcement, regulatory, or government agency requesting personal data in connection with any inquiry, subpoena, court order, or other legal or regulatory procedures, with which we would need to comply. We may also share personal data to establish or protect the Company’s legal rights, property, or safety, or the rights, property, or safety of others, or to defend against legal claims; and
- Any third party connected with business transfers; we may transfer your personal data to third parties in connection with a reorganization, restructuring, merger, acquisition, or transfer of assets of the Company, provided that the receiving party agrees to treat your personal data in a manner consistent with this Privacy Policy.
On a confidential basis, we may share personal data with third parties for the purposes of collecting your feedback on the Company’s service provision, to help us measure our performance and improve our services.
We are not responsible for the data policies or procedures or content of any linked websites or third-party platforms beyond our control. We recommend that you check the privacy and security policies of each website or platform you visit. To the maximum extent permitted by applicable laws, we disclaim any liability for losses arising from your interactions with such third parties.
Marketing Choices
We may send you direct marketing messages, including by way of email alerts and post, provided that we have a lawful ground to do so, such as your consent where required under the PDPA, APPs, or UK GDPR. If you no longer wish to receive our email alerts, to be part of a mailing list, or to receive any marketing communications, you can opt out of such communications at any time by clicking on the unsubscribe link in the relevant communication or contacting us at Info@twograys.com. Opting out of receiving marketing communications will not affect the processing of personal data for the provision of our services.
Your Rights
Your rights may vary depending on the applicable jurisdiction and the context of our processing. We outline key rights below. Please note that some rights may be limited where we have an overriding interest, legal obligation, or exemption under applicable laws (e.g., legal professional privilege, professional secrecy, or where disclosure would reveal personal data about another individual). To the maximum extent permitted by applicable laws, we reserve the right to deny requests that are manifestly unfounded, excessive, or otherwise not required.
If you are in Singapore (under the PDPA), you have the following rights:
- Access. You have the right to request access to your personal data and information about how it has been used or disclosed in the past year, subject to certain exemptions.
- Correction. You have the right to request correction of inaccurate or incomplete personal data.
- Withdrawal of Consent. You may withdraw consent for the collection, use, or disclosure of your personal data at any time, though this may affect our ability to provide services to you.
If you are in Australia (under the APPs), you have the following rights:
- Access. You have the right to request access to your personal information, subject to certain exceptions (e.g., where access would pose a serious threat to life or health).
- Correction. You have the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information.
- Complaint. You may lodge a complaint with us or the Office of the Australian Information Commissioner if you believe we have breached the APPs.
- Anonymity and Pseudonymity. Where practicable, you have the right to remain anonymous or use a pseudonym when dealing with us.
- Additional: If you choose not to provide personal information, or withdraw consent, we may not be able to provide some services.
If you are in the UK (under the UK GDPR), you have the following rights:
- Access. You have the right to request a copy of the personal data that we are processing about you.
- Rectification. You have the right to require the correction of any mistake in the personal data, whether incomplete or inaccurate, that we hold about you.
- Erasure. You have the right to require the erasure of personal data concerning you in certain situations, such as where we no longer need it or if you withdraw your consent (where applicable).
- Portability. You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit that data to a third party in certain situations.
- Objection. You have the right to (i) object at any time to the processing of your personal data for direct marketing purposes and (ii) object to our processing of your personal data where the legal ground of such processing is necessary for legitimate interests pursued by us or by a third party.
- Restriction. You have the right to request that we restrict our processing of your personal data in certain circumstances, such as when you contest the accuracy of that personal data.
- Withdrawal of Consent. If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
If you are in the UK, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that we have not complied with applicable data protection laws. The ICO can be contacted at https://ico.org.uk/make-a-complaint/.
To exercise any of these rights, please:
- Email us at DataProtection@twograys.com;
- Provide enough information to identify yourself (e.g., name, email address, etc.);
- Provide proof of your identity and address (a copy of your driver’s license or passport and a recent utility or credit card bill); and
- Provide the information to which your request relates.
We will respond to your request within the timeframes required by applicable laws (e.g., 30 days under UK GDPR, or as soon as practicable under PDPA and APPs). We aim to keep your personal data accurate, current, and complete. We encourage you to contact us to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up-to-date. To the maximum extent permitted by applicable laws, we will not be responsible for any losses arising from any inaccurate, inauthentic, deficient, or incomplete personal data that you provide to us.
Security
We have implemented technical and organizational security measures in an effort to safeguard the personal data in our custody and control. Such measures include, for example, limiting access to personal data only to staff and authorized service providers on a need-to-know basis for the purposes described in this Privacy Policy, as well as other administrative, technical, and physical safeguards. These measures are designed to meet the requirements of the PDPA, APPs, and UK GDPR, including conducting privacy impact assessments where appropriate.
We endeavor to take all reasonable steps to protect your personal data, but cannot guarantee the security of any data you disclose online, including through our login platform. Please note that email is not a secure medium and should not be used to send confidential or sensitive information. By providing information online, you accept the inherent security risks of providing information over the Internet and will not hold us responsible for any breach of security, unless it is due to our negligence or willful default. To the maximum extent permitted by applicable laws, we disclaim liability for any unauthorized access, loss, or breach of personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Transfer
Gray & Gray is an international company with offices in Singapore, Australia, and the UK. Details regarding our offices and affiliated entities (including Gray & Gray APAC LLP, Gray & Gray Pte. Ltd., Grays LLC, and their respective affiliates and subsidiary undertakings) can be found at [Insert link to locations page]. Your personal data may be transferred to or shared across our integrated computer networks with one or more of Gray & Gray’s offices in these jurisdictions and potentially other countries that may not be subject to data protection laws similar to those prevailing in the jurisdiction in which such information is provided to or received by us. However, all of our offices adhere to the same procedures with respect to your personal data, including this Privacy Policy.
It may be necessary to transfer personal data across borders to provide our services, enable access for our personnel (including via the login platform), and for related purposes as set out in this Privacy Policy, including updates and enhancements to our records, analysis to help us manage our practice, statutory returns, legal and regulatory compliance, the administration and management of the Company’s global IT systems, and our other legitimate business interests.
Under the PDPA, we ensure that overseas recipients provide a standard of protection comparable to the PDPA. Under the APPs, we take reasonable steps to ensure that overseas recipients do not breach the APPs (unless an exception applies). Under the UK GDPR, when we transfer personal data from the UK to countries that are not recognized as offering an adequate level of protection by the ICO, we implement adequate safeguards, such as UK International Data Transfer Agreements or Addendums incorporating standard contractual clauses. These safeguards are designed to protect your privacy rights and provide you with remedies in the unlikely event that your personal data is misused. You may ask for further information on the safeguards that we have put in place by contacting us at DataProtection@twograys.com.
Cookies
Our website and login platform use certain tags, log files, web beacons, and similar tracking technologies from third parties (collectively, “cookies”), of which you should be aware. Please see our Cookie Policy [Insert link] to find out more about the cookies we use and how to manage and delete cookies.
Do Not Track
Please note that we do not support “Do Not Track” browser settings at this time.
Information Retention
Your personal data is only stored and retained for as long as necessary for the purposes set out in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required, to assert or defend against legal claims until the end of the relevant retention period or until the claims in question have been settled. In determining the appropriate retention period, we consider the nature and duration of our relationship with you, the type of services provided (including access to the login platform), and the impact on our services if certain information is deleted. In all cases, the Company may retain personal data for additional time as required by applicable law; to establish, exercise or defend our legal rights; or, for other legitimate business purposes, including archiving and historical purposes. We will maintain such data in an anonymized form where practical. Retention periods comply with requirements under the PDPA (e.g., as long as necessary for the purpose), APPs (e.g., not longer than necessary), and UK GDPR (e.g., no longer than necessary for the purposes). If you want to learn more about our specific retention periods, you may contact us at DataProtection@twograys.com. Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations.
Notification of Changes
We may occasionally update this Privacy Policy as our services and privacy practices change, or as required by applicable legal or regulatory requirements. Where it is practicable, we will notify you by email of any significant changes. However, the last update date is posted below, and we encourage you to review this Privacy Policy periodically to be informed of how we use your personal data. We reserve the right to update and change this Privacy Policy from time to time to reflect any changes to the way in which we process your personal data or changing legal requirements.
Last Updated: October 13, 2025