Personal data protection policy

Introduction

This Personal Data Protection Policy (“Policy”) sets out the basis upon which PunchPoint Singapore Pte. Ltd. (UEN No: 202430277M), whose registered address is Blk 213 Henderson Road #02-04 Singapore 159553 (“PunchPoint”, “we”, “us”, or “our”) may collect, use, disclose, and/or otherwise process personal data in accordance with the Personal Data Protection Act 2012 (2020 Rev. Ed.) of Singapore (“PDPA”) and all the associated regulations and guidelines as may from time to time be issued under it. Please read the following carefully to understand our policies and practices regarding the handling of your personal data. This Policy, together with our: (i) end-user licence agreement as set out at: Terms of Use (“EULA”); (ii) Client Merchant Agreement (as applicable); and (iii) any additional terms of use incorporated by reference into the EULA andClient Merchant Agreement (as applicable), together “Our Terms of Use”, applies to your use of and access to

• PunchPoint web portal (“YQueue Website”) and other sites of ours including YQueue (“Services Sites”) (collectively, “Our Sites”);and
• Any of the services, features, tools, data, software and content accessible through PunchPoint site, including as may be updated, upgraded or supplemented by YQueue from time to time

unless the EULA states that a separate data protection or privacy policy applies to a particular Service, in which case only that data protection or privacy policy applies.

By continuing your interactions with us, such as by submitting personal data to us, or using our PunchPoint Services, you confirm that you understand and consent to the collection, use, disclosure, and processing of your personal data (or the personal data of any individual you provide) in the manner as set forth in this Policy.

If you do not agree to any portion of this Policy or any of Our Terms of Use, please stop using the YQueue Services. If you have already provided any personal data to us, please contact us about how you would like us to handle such data.

Questions, comments and requests regarding this Policy are welcomed and should be addressed to:

Data Protection Officer, PunchPoint Singapore Pte Ltd, Blk 213 Henderson Road #02-04 Singapore 159553

Phone: +65 88037562 during business hours (Singapore time)
Email: [email protected]
Scope of the policy

As used in this Policy, “personal data” means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we (and all our affiliated entities and relevant unaffiliated third parties) have or are likely to have access. Personal data may include (depending on the nature of your interaction with us), without limitation, your (or such person’s): name; address; telephone number(s); email addresses; date of birth; gender; nationality; marital status; passport number, date and place of issue; NRIC number; driver’s licence number and expiration; photographs and other audio-visual material; employment information; marketing preferences; and preferred communication methods.

However, “business contact information” (which means your or such person’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and other similar information about you or such person, not provided by you or such person solely for your or his/her personal purposes, as the case may be) is not regarded as personal data for the purposes of this Policy.

Data we collect from you

We may collect and process the following data about you:

• Data you give us (“Submitted information”): This is data you give us about you by filling in forms on the PunchPoint Services or by corresponding with us (for example, by e-mail). It includes data you provide when you subscribe to any of our PunchPoint Services, or when you otherwise provide data to us through the PunchPoint Services. If you contact us, we will keep a record of that correspondence. The information you give us may include (but are not limited to) your name, address, e-mail address and phone number, gender and date of birth, username, password and other registration information.

• Data we automatically collect about you and your Device. Each time you use PunchPoint Services, we may automatically collect, process and store the following data (as applicable:

  • technical data, including the type of Device you use, a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network or other computer or connection information, your mobile operating system, the type of mobile browser you use and time zone setting, IP address and standard web log information (“Device Information”);
  • details of your use of the PunchPoint Services including, but not limited to traffic data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise (“Log Information”); and
  • data relating to the ordering system function found in the applicable PunchPoint Service, including but not limited to data on your orders made at stores such as your frequent purchases, your decisions to dine in/out, and the size of the group that you booked a table for (“Ordering System Information”).

• Data about your location (“Location Information”). When you use any of our location-enabled services in connection with the applicable PunchPoint Services, we may collect and process data about your current actual location, which we use GPS technology to determine, as well as the locations of Merchants which you have previously visited and utilised our PunchPoint Services. Some of our location-enabled service require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You may withdraw this consent at any time by turning off the location services on the Device settings.

• Data we receive from other sources (“Third Party Information”). We are working closely with third parties (including, for example, Facebook Inc., Google Inc., merchants such as restaurants and cafes (“Merchants”) and other business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers and credit reference agencies), and may receive data about you from such third parties. Further, if you interact with us through any other third-party social media sites and applications, we may have access to certain information from your social media account such as user name, profile picture, information about friends and followers, and content posted or viewed through the social media sites and applications. We will take reasonable steps to check that you have provided consent to such third parties or that no consent is required. We will only use such information for the purposes as set out in clause 5 of this Policy.

Cookies

We may use cookies to track your usage of the PunchPoint Services, remember your preferences and distinguish you from other users of the PunchPoint Services. This helps us to provide you with a good experience when you use the PunchPoint Services and also allows us to improve the PunchPoint Services.

Cookies are small text files stored in your computing or other electronic devices which allow us to remember you or other data about you. The cookies placed by our server are readable only by us, and cookies cannot access, read or modify any other data on an electronic device. For the avoidance of doubt, our cookies do not collect personal data and we do not combine the general information collected through our cookies with other personal data such as to render you identifiable.

Your web-browser may offer the option to refuse cookies, and if you refuse our cookie then we do not gather any information on you through our cookies. Should you wish to disable the cookies, you may do so by changing the setting on your browser. However, you may not be able to access some of the service(s) on the PunchPoint Services. Your user experience may also be affected.

Use of the data

We use the following types of data held about you in the following ways:

• Submitted Information, Location Information and Ordering System Information:

  • to deliver the PunchPoint Services to you and to allow Merchants to deliver the Services to you;
  • to carry out our obligations arising from any agreements entered into between you and us and to provide you with such information or PunchPoint Services as you may request from us;
  • to allow you to participate in interactive features of Our Sites or any of our PunchPoint Services (when you choose to do so);
  • for our business improvement purposes or for legitimate interests, which are: to help improve the design, functionality, performance, and content of Our Sites and our PunchPoint Services; and for the internal operational and administrative purposes of Our Sites and our Services;
  • to contact you to send you information about our PunchPoint Services, and to notify you about changes or updates to the PunchPoint Services; and
  • in respect of Location Information and Ordering System Information only: to facilitate Merchants in carrying out the following purposes: targeted marketing through trend analysis; determining staffing needs based on demand and peak times; and reconnecting with customers who have not visited within a predetermined period. Any Location Information and Ordering System Information provided to Merchants will be aggregated and anonymised

• Device Information, Content Information and Log Information: to administer the PunchPoint Services, and for our internal operations, including to keep the PunchPoint Services safe and secure, to understand how well our PunchPoint Services are working as well as for troubleshooting, data analysis, testing, research, statistical and survey purposes. This allows us to help improve the design, functionality, performance, and content of our PunchPoint Services to you, personalise your user experience and measure overall effectiveness.

• Third Party Information: In addition to the purposes set out above, we may use this information to confirm your identity, deliver personalised content or as part of the operation of the PunchPoint Services in accordance with this Policy.

Disclosure of the information

We may disclose your personal data to third parties:

• to our employees and associated entities;
• to Merchants, for the purpose of order fulfilment and as otherwise required to provide you with the PunchPoint Services;
• to our business partners;
• to our suppliers and subcontractors who assist us in providing the PunchPoint Services (including the improvement and optimisation of the PunchPoint Services) or in our business operations, including payment processing, professional advisors, website services and analytics providers, and as otherwise required for the performance of any contract we enter into with them or you (such as Facebook Inc and Google Inc)
• subject to clause 12, advertisers and advertising networks solely to select and serve relevant advertisements to you and others; in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
• if we are under a duty to disclose or share your personal data (or disclosure or sharing of your personal data is reasonably required) in order to comply with any legal obligation and applicable laws and regulations (including but not limited to in response to a subpoena, warrant, court order, order or notice of any government authority, public agency or law enforcement agency);
• to assist us in conducting or co-operating in investigations or proceedings relating to fraud or other illegal activity where we believe it is reasonable and appropriate to do so;
• for our business improvement purposes or for legitimate interests, which are: the prevention and/or detection of fraud or crime; to assess financial and insurance risks; to develop customer relationships, services and systems; to enforce or apply our EULA and other applicable agreements; and to protect the rights, property, or safety of PunchPoint, our customers, Merchants or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection, insurance and credit risk reduction (including conducting or cooperating in investigations or proceedings relating to fraud or other illegal activity where we believe it is reasonable and appropriate to do so);
• to recover debt or in relation to your insolvency;
• for or in connection with the purposes set out in Clause 5 of this Policy; or
• with your consent.

Where we store your personal data

The data that we collect from you may be transferred to, and stored at, a destination outside Singapore. It may also be processed by staff operating outside Singapore, who work for us or for one of our suppliers. These staff may be engaged in the fulfilment of your request, order or reservation, the processing of your payment details and the provision of support services. By submitting your personal data to us, you agree to such transfer, storage and processing of your personal data. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy and the applicable laws and regulations. When personal data is transferred to outside Singapore, we will ensure that the overseas recipients are bound by legally enforceable obligations to provide the transferred data a standard of protection that is at least comparable to the protection under the PDPA, unless the overseas transfer is otherwise permitted on other grounds under the PDPA.

All data you provide to us, except your credit card information, will be stored via cloud computing with a third party provider. We do not store your credit card information, or carry out any payment transactions. For the purposes of any such payment transactions, you will be directed to the payment webpage(s) of the relevant third-party provider of payment processing services. You may choose to save your credit card information on your Device for use in conjunction with the PunchPoint Services (where applicable). Our third-party providers of payment processing services are PCI DSS compliant and certified. Any payment transactions carried out by our chosen third-party provider of payment processing services will be encrypted using the following: Advance Encryption Standard (AES), RSA Algorithm, and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). Further information on such encryption methods may be available on the payment webpage(s) and/or website(s) of the relevant third-party provider of payment processing services. Where we have given you (or where you have chosen) a password that enables you to access certain parts of the PunchPoint Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

As you will know, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, as we cannot guarantee the security of your data transmitted to the PunchPoint Services; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. We continuously educate and train our employees about the importance of confidentiality and protection of customer information. We maintain physical, electronic and procedural safeguards that comply with applicable laws and regulations (including, without limitation, the PDPA to protect your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

Third Party Sites

The PunchPoint Services may, from time to time, contain links to and from the websites of third parties, including but not limited to our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these have their own data protection or privacy policies and that we do not accept any responsibility or liability for them. Please check these respective policies before you submit any personal data to these websites.

Data activity relating to minors

We do not knowingly collect or retain personal data about persons under the age of 18 years. Any person who provides their personal data to us via the PunchPoint Services represents that they are 18 years of age and above. We encourage parents and legal guardians to monitor the activity of those under 18 years of age.

Parents or legal guardians of minors can contact us to review any personal data collected about their child or ward, have this information deleted, and/or request that there be no further collection or use of their child or ward’s personal data. We will take steps to verify the identity of anyone requesting personal data about a minor and to ensure that the person is in fact the minor’s parent or legal guardian.

Your rights, including access to and correction of information

You have certain rights in relation to the personal data we hold about you under the PDPA.

On giving reasonable notice to us, you have the right to ask to stop collecting, using, disclosing, and/or otherwise processing your personal data for any or all purposes, by contacting us at [email protected] and indicating the specific purposes for which you would like us to cease collecting, using, disclosing and/or otherwise processing your personal data.

Within 5 Business Days from our receipt of your request, we will notify you of the consequences of our acceding to the same. Please note that, depending on the nature and scope of your request, we may not be in a position to continue providing our products or services to you. If you do not respond to our notice within 5 Business Days of such notice (e.g., by confirming or retracting your request), we will proceed to process your request.

Notwithstanding any such request, we may be entitled to continue retaining your personal data in accordance with applicable laws and regulations.

You also have the right to request access to your personal data that is in our possession or under our control, as well as information about the ways in which such personal data has been or may have been used or disclosed by us. To meet our costs in providing you with details of the information we hold about you, we may charge a reasonable fee. This fee will vary on a case by case basis, depending on the scope of the access request. Should a fee apply, we will inform you of the fee in writing for your agreement, prior to providing access to the personal data requested. We reserve the discretion to waive such fees and to refuse access to personal data where applicable laws and regulation allow us to do so. Within a reasonable period after receiving a request (not to exceed 30 days), we will take reasonable steps to respond to your request.

Subject to applicable laws and regulations, you may also have the right to request for us to correct your personal data that is in our possession or under our control.

If the correction request is made by a person other than the individual who is the subject of the personal data, the request will be refused unless the consent of the individual is obtained.

All access and correction requests must be made in writing and delivered either by post or electronic mail to the DPO whose contact details are listed out in Clause 1 of this Policy.

When contacting us, please provide as much as detail as possible in relation to the request, query, or complaint. All requests, queries and complaints will be taken seriously and will be assessed by an appropriate person. We will consider and respond in a timely and efficient manner. We request that you cooperate with us during this process and provide any relevant information that may be required.

Marketing

You consent to us collecting, using and disclosing your personal data for marketing purposes. However,in the event that we will be conducting direct marketing to your email and/or your telephone number, we will send you such marketing messages only if you have clearly opted into these modes of communication where required by applicable law. If you wish to stop receiving marketing communications, you can click unsubscribe in any marketing e-mail or SMS from us, change your preferences in your account settings or contact us by e-mail at [email protected].

Changes to data protection policy

The date of this Policy is set out below. We may change this Policy at any time in our discretion by posting a revised version on this page. The revised version will be effective once it is posted. Where we consider appropriate (for example, where we make significant changes to this Policy), we may notify you of those changes to this Policy by email. Please check back frequently to see if there are any updates or changes to our Policy. By continuing to use our PunchPoint Services or otherwise continuing to deal with us, you accept this Policy as it applies from time to time.