GRUB MATES SG PTE LTD – Terms of Service & Privacy Policy

Effective Date: 21st May 2025
Version: 1.0

🧾 Executive Summary

This policy outlines GRUB MATES SG PTE LTD’s commitment to protecting personal data in accordance with Singapore’s Personal Data Protection Act 2012 (PDPA). It explains how we collect, use, disclose, store, and safeguard your personal data across our platforms including our website, Take.app, and WhatsApp Business API.

1. Personal Data Collection & Use

1.1 Types of Personal Data Collected

  • Full name
  • Company name
  • Phone number (personal or work)
  • Email address (personal or work)
  • Transaction details via Take.app (Card/PayNow)
  • Average monthly food order volume
  • Average monthly food order monetary amount

1.2 Collection Methods

  • Website forms (secured with SSL encryption)
  • WhatsApp Business API
  • Take.app order platform

1.3 Purposes of Collection

  • Account & Order Management: User authentication, order processing, and customer support
  • Marketing & Analytics: Email promotions and user behavior analysis via Google Analytics (IP anonymized)
  • Third-Party Fulfillment: Coordination with logistics and payment partners to process and deliver your orders

2. Consent & Withdrawal

  • Implied Consent: Given when you submit data through forms or initiate contact via WhatsApp.
  • Express Consent: Obtained via opt-in tickboxes (e.g., for marketing).
  • You may withdraw consent anytime by replying “UNSUBSCRIBE” or emailing contactus@grubmates.sg.

3. Cross-Border Data Transfers

Personal data may be transferred outside Singapore to partners in Malaysia, Thailand, and Vietnam. Safeguards include:

  • Contractual clauses aligned with GDPR/PDPA standards
  • AES-256 encryption for secure transmission
  • ISO 27001-certified systems and routine audits

4. Data Retention

Data Type Retention Period Legal/Business Basis
Customer profiles 5 years after last transaction Limitation Act (Cap. 163)
Marketing lists 2 years from opt-in PDPC Advisory Guidelines
Payment records 7 years Inland Revenue Authority of Singapore (IRAS)

5. Security Measures

  • Access Controls: Role-based permissions via Microsoft Azure AD
  • Encryption: TLS 1.3 during transmission; AES-256 at rest
  • Infrastructure: FortiGate firewalls, regular penetration tests
  • Compliance: Annual PDPA staff training and ISO 27001 audits

6. Third-Party Data Processors

We work with trusted vendors who meet PDPA or GDPR standards:

Partner Role
Take.app Order and customer management
DHL/Flash Express Logistics and delivery
Stripe Payment processing

All partners are bound by:

  • Data Processing Agreements (DPAs)
  • SOC 2 / ISO 27001 certification
  • 24-hour data breach response protocols

7. Accuracy of Personal Data

We take reasonable steps to ensure that personal data in our possession is accurate and complete, especially when it is used to make decisions that affect you. You are encouraged to update us if your details change.

8. Your Rights Under PDPA

You may request to:

  • Access or correct your personal data
  • Delete or restrict the use of your data (where applicable)
  • Withdraw consent at any time
  • Request data portability (on a case-by-case basis)

Email contactus@grubmates.sg. We will respond within 21 business days. A nominal fee of $40/hour may apply for complex cases.

9. Data Breach Notification

In the event of a data breach that poses a significant risk to individuals, we will:

  • Notify the Personal Data Protection Commission (PDPC)
  • Inform affected users within 72 hours of discovery

10. Policy Updates

This policy is reviewed annually or when regulatory changes occur. Please refer to the latest version at grubmates.sg/policies.

11. Contact Information

Data Protection Officer
GRUB MATES SG PTE LTD
60 Paya Lebar Road, #07-54, Singapore 409051
Tel: +65 8079 4263
Email: contactus@grubmates.sg