Privacy Policy

Keong Saik Bakery Pte Ltd ("we", "us", or "our") operates keongsaikbakery.com and the Bakery Order System (BOS). We are committed to protecting your personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA).

This policy explains what personal data we collect, why we collect it, how we use it, and your rights as a data subject.

---

1. Who We Are

Keong Saik Bakery Pte Ltd
70 Bendemeer Road, #01-03, Singapore 339940
Email: hello@keongsaikbakery.com
WhatsApp: +65 9021 9626

We are the data controller for personal data collected through our website and order systems.

2. Personal Data We Collect

When you place an order, make an enquiry, or interact with us, we may collect the following:

Category	Examples	How Collected
Identity & Contact	Full name, email address, phone number	Website checkout, contact form, WhatsApp
Delivery Details	Delivery address, delivery date and time preferences	Website checkout, BOS order form
Order Information	Products ordered, quantities, special requests, dietary notes	Website checkout, BOS
Communications	Messages sent to us via WhatsApp, email, or contact form	WhatsApp, email, website contact form
Technical Data	IP address, browser type, pages visited, session duration	Automatically via cookies and analytics tools (see Section 7)

We do not collect sensitive personal data such as NRIC numbers, passport numbers, or health information unless you voluntarily provide dietary requirements for a specific order.

3. How We Use Your Personal Data

We use your personal data only for the purposes for which it was collected:

• Order fulfilment — processing, packing, and delivering your order; confirming order details; sending delivery updates.
• Customer service — responding to enquiries, resolving issues, and managing order changes or refunds.
• Invoicing and accounting — issuing tax invoices for corporate orders where required.
• Legal compliance — meeting obligations under applicable Singapore laws.
• Website analytics — understanding how visitors use our website so we can improve it (see Section 7).
• Marketing communications — only if you have expressly opted in. You may withdraw consent at any time (see Section 8).

We will not use your personal data for any purpose incompatible with the above without first notifying you and, where required, obtaining your consent.

4. Payment Data

All payment transactions on our website are processed by HitPay, a licensed payment service provider. We do not store, handle, or have access to your full card number, CVV, or other payment credentials. HitPay's own privacy policy governs the handling of your payment data. We receive only a payment confirmation status and a transaction reference number.

5. Who We Share Your Data With

We share personal data only where necessary and never sell it to third parties.

Recipient	Purpose	Basis
HitPay	Payment processing	Contractual necessity
Delivery partners	Delivery of your order (name, address, phone for the driver)	Contractual necessity
Cloud hosting provider	Secure hosting of our website and order systems	Legitimate interests
Google Analytics / Microsoft Clarity	Website usage analytics (anonymised/aggregated)	Legitimate interests
Government or regulatory authorities	If required by law or a valid court order	Legal obligation

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes set out in this policy, and in accordance with our legal and business obligations:

• Order records — retained for 5 years from the date of the order, in accordance with Singapore accounting and tax requirements.
• Customer communications — retained for up to 2 years from the date of last contact.
• Marketing opt-in records — retained until you withdraw consent, plus 1 year thereafter as a compliance record.
• Website analytics data — retained in accordance with the third-party provider's retention settings (typically 14–26 months).

When personal data is no longer required, we securely delete or anonymise it.

7. Cookies and Analytics

Our website uses the following types of cookies and tracking technologies:

• Essential cookies — required for the website and cart to function. These cannot be disabled.
• Analytics cookies — Google Analytics (GA4) and Microsoft Clarity collect anonymised data on how visitors use our site (pages visited, session duration, device type). This helps us improve the site experience. No personally identifiable information is sent to these services.
• Marketing pixels — Meta (Facebook) Pixel tracks website events (page views, add-to-cart actions) for advertising measurement. This is subject to Meta's data policy. You may opt out via Facebook Ad Preferences.

You can control cookies via your browser settings. Disabling analytics or marketing cookies will not affect your ability to place orders.

8. Your Rights Under the PDPA

As a data subject in Singapore, you have the following rights:

• Right of access — you may request a copy of the personal data we hold about you.
• Right of correction — you may request that we correct any inaccurate or incomplete personal data.
• Right to withdraw consent — where we rely on your consent to process your data (e.g. marketing emails), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to be informed of use — you have the right to know how your data is being used.

To exercise any of these rights, please contact our Data Protection Officer at hello@keongsaikbakery.com. We will respond within 30 days as required under the PDPA. We may need to verify your identity before processing your request.

9. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

• HTTPS encryption on all pages of our website.
• Access controls — only staff who need your data to process orders have access to it.
• Secure cloud infrastructure hosted in data centres with physical and network security controls.
• Regular review of access permissions and system security.

No transmission over the internet is 100% secure. If you believe your data has been compromised, please contact us immediately.

10. Transfers Outside Singapore

Some of our service providers (e.g. Google, Microsoft, Meta) process data on servers outside Singapore. Where this occurs, we ensure that comparable data protection standards apply, consistent with the requirements of the PDPA. We only use providers who have adopted internationally recognised data protection frameworks or contractual protections.

11. Children's Privacy

Our website is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Future Loyalty Programme

Keong Saik Bakery may introduce a loyalty programme in future. If we do, we will update this policy to describe any additional personal data collected and how it will be used. Existing customers will be notified before any new data collection begins, and participation will require explicit consent.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page will be revised accordingly. We encourage you to review this page periodically. For significant changes that materially affect how we handle your data, we will notify you by email (if you are a registered customer) or by a prominent notice on our website.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or want to make a complaint about how we have handled your personal data, please contact us:

You also have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg if you are not satisfied with our response.