RHUMBL GROUP PTE. LTD.
DATA PROTECTION & PRIVACY POLICY

Version 2.0 | Last Updated: 26/02/2026

1. Introduction

Rhumbl Group Pte. Ltd. ("Rhumbl", "we", "us", or "our") is a professional executive search firm incorporated in Singapore (UEN: 202542983W). We value your trust and are committed to responsibly handling and protecting personal data in accordance with applicable data protection laws, including Singapore's Personal Data Protection Act 2012 ("PDPA") and, where applicable, the EU General Data Protection Regulation (2016/679) ("GDPR") and UK GDPR.

This Policy explains how we collect, use, disclose, transfer, retain, and protect personal data in the course of our executive search and advisory services. It applies to all individuals whose personal data we process, including candidates, potential candidates, clients, client representatives, business partners, suppliers, and visitors to our website or digital platforms.

Candidates and potential candidates should also refer to our separate Candidate Privacy Notice for full details of how we process their personal data in connection with executive search services. Our Candidate Privacy Notice is available at www.rhumblgroup.com/candidateprivacy and forms part of our overall data protection framework alongside this Policy.

Where Rhumbl processes personal data in connection with a client engagement, the terms of the Data Processing Addendum incorporated into the relevant Engagement Letter shall also apply.

2. Scope

This Policy applies globally to all personal data processed by Rhumbl in connection with its executive search and advisory services, business operations, and digital platforms. It covers personal data of candidates, potential candidates, clients and client representatives, business partners, suppliers, employees, contractors, and website visitors.

3. Personal Data We Collect

We may collect and process the following categories of personal data depending on your relationship with us:

Identity and contact information, including name, job title, employer, email address, telephone number, postal address, and professional profile information.

Professional and career information, including employment history, educational background, qualifications, professional achievements, and career aspirations.

Compensation information, including current and expected remuneration and benefits, where provided.

Assessment and reference information, including interview notes, professional assessments, and information provided by nominated referees.

Business and engagement information, including details of client organisations, engagement scope, contractual terms, and billing information.

Technical and usage information, including IP address, browser type, and pages visited when you interact with our website or digital platforms.

Event and image information, including photographs taken at Rhumbl-hosted networking events, roundtables, or other professional gatherings where you have provided consent for such use. Where photographs are taken at events, attendees will be informed in advance and images will only be shared online where appropriate consent has been obtained.

If you provide personal data relating to other individuals, you confirm that you have the authority to do so and to permit us to use that information in accordance with this Policy.

We do not routinely collect sensitive personal data. Where sensitive data is relevant and you choose to provide it, we will obtain your explicit consent and apply appropriate additional safeguards.

4. How We Collect Personal Data

We collect personal data in the following ways:

Directly from you, when you contact us, respond to our outreach, submit your CV or professional profile, attend an interview or assessment, or otherwise engage with us.

From publicly available sources, including professional networking platforms such as LinkedIn, company websites, industry publications, and professional directories.

From third parties, including referees, professional networks, and in some cases clients who refer individuals to us.

Through our research activities, as part of our executive search methodology, where we identify individuals who may be suitable for specific senior assignments based on their publicly available professional profile.

Through our website and digital platforms, as described in the Cookies and Online Tracking section of this Policy.

5. Purposes of Processing

We collect, use, and disclose personal data for the following purposes:

  • Providing executive search and advisory services, including identifying, assessing, and introducing candidates to clients

  • Assessing the suitability of individuals for specific roles and assignments

  • Presenting candidate profiles to clients and supporting the recruitment process

  • Conducting reference checks and professional verification

  • Managing client relationships and fulfilling contractual obligations

  • Billing, invoicing, and financial administration

  • Complying with legal, regulatory, and reporting obligations

  • Business development and maintaining professional relationships

  • Hosting and promoting professional events and networking activities

  • Operating and improving our website and digital platforms

6. Legal Bases for Processing

Singapore PDPA

Under Singapore's PDPA, we process personal data where we have obtained consent or where processing is otherwise permitted under the PDPA, including for purposes that a reasonable person would consider appropriate in the circumstances.

GDPR and UK GDPR

Where GDPR or UK GDPR applies, we process personal data on one or more of the following legal bases:

Legitimate interests — including executive search and candidate identification, client relationship management, business development, and internal administrative purposes. Where we rely on legitimate interests, we have assessed that our interests are proportionate and do not override the rights and freedoms of the individuals concerned. A copy of our Legitimate Interests Assessment is available upon request.

Performance of a contract — including recruitment, placement, and advisory activities carried out at the request of the individual or client.

Compliance with legal obligations — including employment, tax, regulatory, and reporting requirements.

Consent — where the individual has provided clear and informed consent for specific processing activities, including event photography and certain marketing communications.

Where we rely on consent, individuals may withdraw it at any time by contacting our Data Protection Officer. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

7. Disclosure of Personal Data

We may share your personal data with the following categories of recipients:

Our clients and prospective employers, where we consider an individual to be a suitable candidate for a specific assignment. We will not disclose a candidate's identity to a client without first making them aware of the relevant opportunity, except where broader consent has been provided.

Our technology and service providers, including providers of applicant tracking systems, candidate relationship management platforms, video interview tools, cloud storage, and communication platforms. These providers act as processors on our behalf and are subject to written data protection obligations.

Professional referees, where nominated by the candidate and in connection with a specific assignment.

Professional advisers, including lawyers and auditors, where necessary for obtaining professional advice or in connection with legal proceedings.

Regulatory and legal authorities, where required by law, court order, or legitimate regulatory requirement.

We do not sell personal data to any third party under any circumstances.

8. International Transfers

Rhumbl operates from Singapore and personal data is primarily processed and stored there. In the course of our operations, personal data may be transferred to or accessed from other countries, including Australia, China, Hong Kong, Switzerland, the United Kingdom, and the United States of America, among others, where our clients, candidates, or technology providers are based.

Where personal data subject to GDPR is transferred to a country not recognised by the European Commission as providing adequate protection, we will ensure appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses approved by the European Commission

  • The International Data Transfer Agreement approved by the UK Information Commissioner's Office, for transfers subject to UK GDPR

  • Other transfer mechanisms approved under applicable law

Where transfers are subject to Singapore's PDPA, we will ensure that recipients provide a standard of protection comparable to that required under the PDPA.

You may request further information about the specific transfer mechanisms we rely on in relation to your personal data by contacting our Data Protection Officer.

9. Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, to maintain accurate business records, and to comply with our legal, regulatory, and contractual obligations. The appropriate retention period for any given category of personal data is determined by reference to the nature and sensitivity of the data, the purpose for which it was collected, applicable legal minimum or maximum retention periods, and the potential need to establish, exercise, or defend legal claims.

As a general principle:

  • Candidate and professional data is retained for a reasonable period following our last meaningful interaction with the individual, sufficient to support ongoing search activities and potential future opportunities

  • Client and engagement records are retained for a period sufficient to meet our contractual, accounting, tax, and legal obligations

  • Communication records are retained for a reasonable period following the conclusion of our relationship with the individual

  • Event photographs are retained for as long as they remain relevant to our professional communications

In all cases, personal data is securely deleted or anonymised when it is no longer required for any of the above purposes. You may request further information about the retention period applicable to your personal data, or request early deletion of your data, by contacting our Data Protection Officer using the details in Section 14, subject to any legal obligation we may have to retain certain records.

10. Security

Rhumbl implements appropriate technical and organisational security measures to protect personal data against unauthorised access, use, disclosure, alteration, or loss. These measures include access controls and authentication requirements, encryption of personal data in transit and at rest where appropriate, regular review and testing of security measures, and staff training on data protection obligations.

While we take all reasonable steps to protect your personal data, no method of transmission or storage is completely secure. We encourage you to contact us immediately if you have any concerns about the security of your personal data.

11. Data Breach Management

Rhumbl maintains procedures to detect, assess, contain, and respond to personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority and, where required, affected individuals in accordance with applicable law, including PDPA and GDPR notification requirements and timeframes.

12. Automated Decision-Making

Rhumbl does not make decisions about individuals solely by automated means that produce legal or similarly significant effects. All candidate assessments, shortlisting decisions, and placement recommendations involve human review and professional judgement.

13. Your Rights

Depending on your location and the data protection laws applicable to your personal data, you may have some or all of the following rights:

Right of access — to request a copy of the personal data we hold about you and information about how we use it.

Right to rectification — to request correction of inaccurate or incomplete personal data.

Right to erasure — to request deletion of your personal data in certain circumstances.

Right to restriction — to request that we restrict processing of your personal data in certain circumstances.

Right to data portability — to receive your personal data in a structured, commonly used, and machine-readable format where processing is based on consent or contract and carried out by automated means.

Right to object — to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to withdraw consent — to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Right to lodge a complaint — to lodge a complaint with the relevant supervisory authority in your jurisdiction:

  • Singapore: Personal Data Protection Commission (PDPC) — www.pdpc.gov.sg

  • European Union: the data protection authority in your country of residence

  • United Kingdom: the Information Commissioner's Office (ICO) — www.ico.org.uk

We would welcome the opportunity to address any concerns directly before you contact a supervisory authority and encourage you to reach out to us in the first instance.

To exercise any of your rights, please contact our Data Protection Officer using the contact details set out in Section 14 below. We will acknowledge your request promptly and respond in full within thirty (30) days of receipt. We will not charge a fee for handling your request in ordinary circumstances, though we reserve the right to charge a reasonable fee or decline to act where requests are manifestly unfounded or excessive. We may need to verify your identity before processing your request.

14. Data Protection Officer

Rhumbl's Data Protection Officer may be contacted for any data protection matter, including to exercise your rights, raise a concern, or provide feedback:

Email: dpo@rhumblgroup.com

Address: 160 Robinson Road, #14-04 SBF Center, S068914

You may contact the Data Protection Officer to:

  • Request access to personal data we hold about you.

  • Request correction or updates to your personal data.

  • Request deletion of your personal data.

  • Request further information about this Policy or our data protection practices.

  • Withdraw consent to the use or disclosure of your personal data.

  • Lodge a complaint about our handling of personal data or a potential breach of this Policy or applicable data protection laws.

15. Cookies and Online Tracking

Our website uses only strictly necessary cookies that are essential for the website to function correctly and securely. We do not use analytics, marketing, or tracking cookies, and no consent is required for strictly necessary cookies. If you have any questions about our use of cookies, please contact our Data Protection Officer at dpo@rhumblgroup.com. Where our website incorporates third-party integrations or embedded content, those third parties may place their own strictly necessary cookies on your device. We do not control third-party cookies and recommend reviewing the relevant third-party privacy policies for further information.

16. Changes to This Policy

This Policy may be updated from time to time to reflect changes in our data processing practices, legal requirements, or business operations. Where we make material changes, we will publish the updated Policy on our website and, where appropriate, notify affected individuals directly. The version number and date at the top of this Policy indicate when it was last updated. We encourage you to review this Policy periodically.

Continued use of our website or services, or continued provision of personal data to us following an update to this Policy, constitutes acknowledgement of the updated version.