Effective 8 May 2026 · TABAOUS PTE LTD · UEN 202611389H

Privacy Policy

We collect only the personal data we need to operate the Service and we are upfront about how we use it. This Privacy Policy explains, in plain language, what we do with your data. The legal terms still bind us under Singapore's Personal Data Protection Act 2012.

Section 01

Introduction and scope

This Privacy Policy describes how TABAOUS PTE. LTD. (UEN 202611389H) and its affiliates (collectively, "Tabao Us", the "Company", "we", "us" or "our") collect, use, disclose and protect personal data in connection with the Tabao Us website at tabaous.com, the manage dashboard at manage.tabaous.com, all merchant storefronts hosted on or under the tabaous.com domain, and our other services (collectively, the "Service").

This Privacy Policy applies to (a) Merchants who use the Service to operate a business, (b) end customers who order from a Merchant's storefront, (c) authorised users of a Merchant account, (d) visitors to our marketing website, and (e) any other individual whose personal data we collect in connection with the Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

We comply with the Singapore Personal Data Protection Act 2012 (the "PDPA") and the regulations made under it. In respect of personal data collected through a Merchant's storefront, the Merchant is the data controller and the Company acts as a data intermediary processing such personal data on the Merchant's behalf.

Section 02

Key definitions

"Personal data" has the meaning given to it in the PDPA: data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access.

"Process" means any operation performed on personal data, including collection, storage, use, disclosure and disposal.

Section 03

Personal data we collect

From Merchants and Merchant users

  • Identification and contact data: full name, business name, business code or slug, email address, mobile number, WhatsApp number, Telegram handle and user identifier.
  • Account credentials: hashed password, session tokens, multi-factor approval identifiers (e.g., Telegram chat IDs of approvers).
  • Business data: Singapore Unique Entity Number (UEN) where provided, registered business address, opening hours, menu items, modifiers, pricing, photographs, order history.
  • Subscription billing data: Stripe customer record on the Company's Singapore Stripe account, Stripe subscription identifier, plan (Monthly or Yearly), trial status and trial expiry, billing cycle dates, invoice history and the last four digits and brand of any payment card you place on file with Stripe to pay Subscription Fees. We do not store full card numbers, CVV codes or PayNow account credentials.
  • Stripe Connect data: encrypted Stripe API keys (where applicable), Stripe connected-account identifiers for the Connected Account that accepts customer payments on your behalf, application-fee configuration, payout settings, linked bank-account identifiers, KYC status and documents collected by Stripe on our behalf.
  • Communication and support data: messages exchanged with our team via WhatsApp, Telegram, email, in-app chat or any other channel, including attachments.
  • Usage data: log records of dashboard activity, IP addresses, device and browser information, timestamps and pages visited.

From end customers ordering on a Merchant storefront

  • Order details: full name, mobile number, optional email, items ordered, modifiers, pickup or fulfilment time, special instructions and order notes.
  • Optional Telegram chat identifier, where the customer chooses to link Telegram to receive order status updates.
  • Loyalty data: where the Merchant operates a loyalty programme, the customer's points balance, redemption history and any associated identifier.
  • Payment data: payment status, payment intent identifier, last four digits of the payment instrument and other non-sensitive payment metadata returned by Stripe. We do not collect or store full card numbers, CVV codes, full PayNow account details or bank-account credentials; these are processed and stored by Stripe.

Collected automatically

  • Server logs: IP address, user-agent, timestamp, referrer, request path and response code, used to operate, secure, audit and debug the Service.
  • Cookies and local storage: a session JSON Web Token used to authenticate Merchant users, an x-tenant-slug cookie used by our reverse proxy to route requests to the correct storefront, and limited functional storage used by individual storefronts. We do not deploy third-party advertising cookies and we do not engage in cross-site behavioural tracking.

From third-party sources

  • Stripe: payout, dispute, fraud-screening, KYC and account-status information necessary to operate Stripe Connect on the Merchant's behalf.
  • Telegram: identifiers and message metadata of users who interact with our bot, used to deliver order notifications and to authorise sensitive Merchant actions.
  • Public sources: business registry information (such as ACRA filings) used for onboarding and verification.

Section 04

Purposes for which we use personal data

We collect, use and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to you. These purposes include:

  • Providing, operating, maintaining and securing the Service, including processing orders, generating PayNow QR codes, dispatching notifications, calculating analytics, and delivering payouts via Stripe.
  • Onboarding, verifying and providing in-person setup support to Merchants, including assistance with Stripe and Telegram configuration.
  • Authenticating users and authorising sensitive actions, including the use of Telegram-based approval workflows for password resets, payouts and other destructive operations.
  • Communicating with you about your account, transactions, support requests, security incidents and changes to the Service or to our terms.
  • Detecting, investigating, preventing and responding to fraud, abuse, security incidents and breaches of our terms or applicable law, including cooperating with payment networks, regulators and law-enforcement authorities.
  • Complying with legal, regulatory, tax, accounting, audit, anti-money-laundering and recordkeeping obligations under Singapore law and any other applicable law.
  • Improving and developing the Service, including aggregated analytics, product research, debugging and quality assurance.
  • Marketing the Service, including by featuring Merchant names, logos and storefronts in case studies and promotional materials, subject to a Merchant's right to opt out as set out in our Terms of Service.
  • Enforcing our agreements, exercising our legal rights, and recovering amounts owed to us, including by referral to credit bureaus, debt-collection agencies and legal counsel.

We do not sell personal data. We do not use personal data for cross-context behavioural advertising. We do not use customer order data to train artificial-intelligence models for any purpose other than improving the Service for the Merchant whose data it is, and only after appropriate aggregation or de-identification.

Section 06

Disclosure to third parties and processors

We disclose personal data only to the following categories of recipients, and only to the extent necessary for the purposes described in this Privacy Policy:

  • Stripe, Inc. and Stripe Singapore Pte. Ltd., for (a) charging Subscription Fees on the Company's Singapore Stripe account that bills the Merchant for use of the Service, and (b) processing the Merchant's customer payments through Stripe Connect, including KYC, payouts, fraud prevention and dispute handling.
  • Get Convex, Inc., as the operator of our primary serverless database and function runtime where Merchant and order records are stored.
  • Cloudflare, Inc., as the operator of the R2 object-storage service used to host menu photographs, banners and tutorial videos.
  • Vercel, Inc., as the hosting provider for the marketing website and the customer-facing storefronts.
  • Resend.com Inc. (operating as Resend), as the provider of transactional email delivery.
  • Telegram FZ-LLC, as the messaging platform used for owner notifications, customer order updates and multi-factor approvals, where the user has chosen to link their Telegram account.
  • Professional advisers, including lawyers, accountants, auditors and insurers, where reasonably required to advise the Company or to enforce its rights.
  • Acquirers, investors and financiers, in connection with any actual or proposed merger, acquisition, financing, reorganisation or sale of all or substantially all of the Company's assets, in which case the recipient will be bound by appropriate confidentiality obligations.
  • Government, regulatory, law-enforcement, tax and judicial authorities, where required by law, court order or lawful request, or where we believe in good faith that disclosure is necessary to protect the rights, property or safety of the Company, our Merchants or any other person.
  • Credit bureaus and licensed debt-collection agencies, in connection with the recovery of amounts owed to the Company.

We do not disclose personal data to any other third party for that party's own purposes without your consent, except as expressly permitted or required by law.

Section 07

Cross-border transfers

Some of our service providers store and process personal data outside Singapore, including in the United States, the European Union, the United Kingdom, Australia and the United Arab Emirates. Where personal data is transferred outside Singapore, we take reasonable steps under section 26 of the PDPA to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection to the personal data that is comparable to that under the PDPA, whether by way of contract, the recipient's binding corporate rules, or any specified certification mechanism.

Section 08

Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal, accounting, tax and reporting obligations, to enforce our agreements, and to defend against actual or anticipated claims:

  • Active Merchant account data is retained while the account is active and for at least thirty (30) days after termination, after which we may delete it (subject to longer retention required by law).
  • Customer order records and related transaction data are retained for a minimum of seven (7) years to satisfy financial-record-keeping obligations under Singapore tax and accounting law.
  • Server logs are retained for up to thirty (30) days, subject to longer retention required for security investigations.
  • Telegram identifiers used for notifications are retained until the user unlinks their Telegram or the associated account is deleted.
  • Backups are retained on a rolling basis in accordance with our backup schedule, after which they are overwritten.

After the applicable retention period expires, we will securely delete or anonymise personal data, except where continued retention is required by law or for the establishment, exercise or defence of legal claims.

Section 09

Your rights under the PDPA

Subject to the limitations and exceptions set out in the PDPA, you have the right to:

  • Request access to the personal data about you that is in our possession or under our control, and information about the ways in which it has been or may have been used or disclosed within a year before the request.
  • Request correction of an error or omission in personal data about you that is in our possession or under our control.
  • Withdraw any consent that you have previously given for the collection, use or disclosure of personal data, subject to reasonable notice and to the legal or contractual consequences of withdrawal.

To exercise these rights, please send a written request to hello@tabaous.com from the email address associated with your account. We may require you to verify your identity before responding. We will respond within thirty (30) days where reasonably practicable, and may charge a reasonable fee for access requests as permitted by the PDPA. If you ordered as a customer through a Merchant's storefront, please contact the Merchant first; we will assist the Merchant in fulfilling your request to the extent we are able.

Section 10

Security

We implement reasonable administrative, technical and physical safeguards designed to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These measures include encryption in transit using Transport Layer Security, encryption at rest of sensitive credentials, password hashing, per-tenant data isolation enforced at the query layer, role-based access control, audit logging, multi-factor approvals for sensitive operations, and limiting access to production systems to a small number of authorised personnel on a need-to-know basis.

Notwithstanding the foregoing, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot and do not warrant the absolute security of personal data. You are responsible for keeping your account credentials confidential and for promptly notifying us of any actual or suspected security incident.

If we become aware of a data breach affecting personal data in our control that is likely to result in significant harm or that meets the notification thresholds under the PDPA, we will notify the Personal Data Protection Commission and the affected individuals as required by law.

Section 11

Personal data processed on behalf of Merchants

When we process personal data of a Merchant's customers in connection with the operation of the Merchant's storefront (such as order data and contact details collected at checkout), we do so as a data intermediary on the Merchant's behalf. The Merchant remains responsible, as the data controller, for ensuring that all required notifications and consents have been obtained from its customers, for responding to data-subject requests in respect of such customer data, and for complying with all of its obligations under the PDPA. Our processing of such data on behalf of the Merchant is governed by the Terms of Service.

Section 12

Children

The Service is intended for use by adults running or buying from Singapore home-based businesses. We do not knowingly collect personal data from children under the age of thirteen (13). If you believe that we hold personal data of a child under thirteen, please contact us at hello@tabaous.com and we will take reasonable steps to delete the data.

Section 13

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The date of the most recent update appears at the top of this page. Where a change is material, we will notify you by email or through the manage dashboard at least fourteen (14) days before the change takes effect, except where a shorter period is required by law or to address a security or operational risk. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

Section 14

How to contact us

Our Data Protection Officer can be reached at hello@tabaous.com. Mailing address: TABAOUS PTE. LTD. (UEN 202611389H), Singapore. WhatsApp: +65 8083 6924. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore.