Legal · プライバシー
Privacy Policy
Last updated: 21 May 2026
1. Introduction
This Privacy Policy explains how NAOCHA (“we”, “us”, “our”) collects, uses, discloses, and protects your personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”). By using our website and services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) to oversee our compliance with the PDPA. If you have any questions, concerns, or requests regarding your personal data, please contact our DPO:
- Name: NAOCHA Team
- Email: naocha.official@gmail.com
- Phone: +65 8824 7472
3. Personal Data We Collect
We collect the following personal data when you create an account or place an order:
| Data | Purpose |
|---|---|
| Full name | To identify you, personalise your account, and address you in communications |
| Email address | For account login, order confirmations, and service-related notifications |
| Phone number | For order-related communications via WhatsApp or SMS, and PayNow payment coordination |
| Date of birth | To issue a birthday voucher (a free-drink voucher valid for 14 days from your birthday) |
| Order history | To fulfil orders, process refunds, maintain accurate records, and calculate Bows earned |
| Bows balance, loyalty tier, annual tier progress, and loyalty transaction history | To administer our Bows loyalty programme, evaluate your tier, issue tier-up rewards, and expire inactive balances |
| Your referral code, your referrer (if any), and referral reward status | To operate our referral programme, attribute referrals, prevent abuse, and issue referral vouchers |
| Vouchers assigned to your account and voucher usage history | To administer the voucher system, including vouchers from the Bow Shop, tier upgrades, birthday rewards, and referrals |
We do not collect any of the following: NRIC/FIN numbers, credit card or bank account details, location or GPS data, or data from minors under the age of 13.
4. Purposes of Data Collection
We collect, use, and disclose your personal data for the following purposes:
- Order fulfilment: Processing and preparing your orders, coordinating payment via PayNow, communicating order status updates, and arranging collection or delivery.
- Account management: Creating and maintaining your user account, authenticating your identity at login, and enabling you to view your order history.
- Bows loyalty programme: Calculating and crediting Bows on completed orders, tracking your annual tier progress, evaluating your loyalty tier (Culinary, Ceremonial, or Reserve), issuing tier-up vouchers when you cross a threshold, maintaining your loyalty transaction audit log, and expiring Bow balances after periods of inactivity.
- Bow Shop: Processing your Bow Shop redemptions (where Bows are exchanged for a single-use voucher assigned to your account) and recording the corresponding deductions in your loyalty transaction history.
- Referral programme: Generating your unique referral code, recording your referrer when you enter another user's referral code on your account page, issuing the paired referral vouchers when your first order is confirmed after attribution, and detecting fraudulent or abusive use.
- Vouchers and promotions: Validating and applying voucher codes at checkout, recording voucher usage, and auto-issuing vouchers from the Bow Shop, tier upgrades, birthday rewards, and the referral programme.
- Service communications: Sending order confirmations, payment instructions, order status updates, and collection reminders. These are transactional in nature and are necessary to provide our services.
- Business operations: Generating anonymised and aggregated sales reports, managing timeslot capacity, and improving our menu and service offerings.
We will not use your personal data for any purpose beyond those stated above without first obtaining your consent.
5. Consent
By creating an account and providing your personal data, you consent to the collection, use, and disclosure of your data for the purposes described in this Privacy Policy.
You may withdraw your consent at any time by contacting our DPO at naocha.official@gmail.com. Please note that withdrawing consent may affect our ability to provide certain services to you. For example:
- Withdrawing consent for phone number use means we will be unable to send you order updates via WhatsApp.
- Withdrawing consent for date of birth means you will no longer receive a birthday voucher.
- Requesting account deletion will result in the forfeiture of any remaining Bows and any unused vouchers assigned to your account.
We will inform you of the likely consequences of withdrawing consent before processing your request.
6. Disclosure of Personal Data
We do not sell, rent, or trade your personal data to any third party.
We may disclose your personal data to the following categories of recipients, solely for the purposes stated in this Privacy Policy:
- Hosting and infrastructure providers: Our website is hosted on cloud infrastructure (Render and Supabase) that stores your account and order data. These providers process data on our behalf and are contractually bound to protect your data.
- Communication services: We use messaging platforms (e.g. WhatsApp) to send you order-related updates. Your phone number is shared with these platforms only for the purpose of delivering messages related to your orders.
- Legal and regulatory authorities: We may disclose your personal data if required by law, regulation, court order, or lawful request by Singapore government authorities.
7. Data Retention
We retain your personal data only for as long as it is necessary to fulfil the purposes for which it was collected:
| Data | Retention period |
|---|---|
| Account data (name, email, phone, birthday) | For the duration of your account. Deleted within 30 days of account deletion request. |
| Order history | 2 years from the date of the order, for business record-keeping and dispute resolution. |
| Bows balance, tier progress, and loyalty transaction history | For the duration of your account. Your Bows balance is automatically reset to zero if no order is completed for 6 consecutive months; the transaction history (an audit log of earns, Bow Shop redemptions, refunds, expiries, and adjustments) is retained for the duration of your account. |
| Referral attribution | For the duration of your account. The link to your referrer (if any) and the timestamp at which your referral reward was issued are kept while your account exists; on account deletion, references from other accounts to yours are cleared. |
| Vouchers and voucher usage records | Vouchers assigned to your account are kept until they are used, expire, or are revoked. Voucher usage records are retained for 1 year from the date of use for business record-keeping. |
After the retention period, personal data will be securely deleted or anonymised such that it can no longer be associated with you.
8. Data Security
We implement reasonable security measures to protect your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These include:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Password hashing (passwords are never stored in plaintext)
- Access controls limiting data access to authorised personnel only
- Use of established and reputable cloud service providers with industry-standard security certifications
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.
9. Access and Correction
Under the PDPA, you have the right to:
- Access your personal data held by us and request information about how it has been used or disclosed within the past year.
- Correct any personal data that is inaccurate, incomplete, or out of date.
To make an access or correction request, please contact our DPO at naocha.official@gmail.com. We will respond to your request within 30 days. We may charge a reasonable fee to cover the cost of responding to access requests, and will inform you of the fee before processing the request.
10. Cookies and Analytics
Our website may use essential cookies to maintain your login session and remember your cart contents. These are strictly necessary for the functioning of the website and do not track you across other sites.
We may use privacy-respecting analytics tools to understand general usage patterns (e.g. page views, popular menu items). Any analytics data collected is aggregated and anonymised, and cannot be used to identify you personally.
We do not use third-party advertising cookies or tracking pixels.
11. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to you or is of a significant scale, we will:
- Notify the Personal Data Protection Commission (PDPC) within 3 calendar days of our assessment that the breach is notifiable.
- Notify affected individuals as soon as practicable, informing you of the nature of the breach and the steps we are taking.
12. Transfers Outside Singapore
Your personal data may be stored on servers located outside Singapore (depending on our hosting providers). Where your data is transferred outside Singapore, we ensure that the receiving party provides a standard of protection comparable to that under the PDPA, through contractual arrangements or other legally recognised safeguards.
13. Minors
Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly. If you are between the ages of 13 and 17, you must have consent from a parent or legal guardian to use our services and create an account.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on our website with a revised “Last updated” date. We encourage you to review this page periodically. For significant changes, we will notify you via email or a prominent notice on our website.
15. Complaints
If you have a complaint about how we handle your personal data, please contact our DPO at naocha.official@gmail.com. We will investigate and respond to your complaint within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.