Prata Alley

Privacy Policy

How we handle your data.

Last updated: 4 June 2026. We’ll update this page if anything changes; significant changes will be flagged on the homepage for at least 14 days.

At a glance

  • We collect the personal data you give us — name, phone, email, and event/loyalty details.
  • We use it only to respond to your enquiry, run the loyalty programme, and meet our legal obligations.
  • We don’t sell your data. We don’t reuse it for marketing without separate consent.
  • You can ask us to access, correct, export, or delete your data at any time.
  • Contact us about your data: prataalley2@gmail.com

Who we are

Prata Alley is operated by Prata Alley 2 Pte Ltd (UEN 202518900G), an Indian-Muslim casual-dining brand based in Singapore.

Our designated privacy contact (for the purposes of Singapore’s Personal Data Protection Act): prataalley2@gmail.com. You can also WhatsApp us at +65 9181 4511.

What we collect

We collect personal data in three situations:

  • Enquiry forms (Catering, Live Station, Contact): name, phone, email, optional company, optional event date/time/pax, the message body.
  • Loyalty signup at /join: name, phone, optional email, optional birthday, optional preferred outlet, marketing consent.
  • WhatsApp ordering: when you click through from this site to WhatsApp, the conversation (number and messages) is handled by Meta (WhatsApp) under their own privacy policy. We only see what you choose to send.

We do not use advertising or analytics cookies on this site. We do not build profiles of your browsing. The only cookies we set are strictly necessary session cookies on /admin/* pages (Supabase Auth) — these are exempt from cookie-consent requirements as they’re essential to the service.

Why we collect it (purpose)

  • To respond to your enquiry and prepare a quotation.
  • To deliver the catering or live-station service you booked.
  • To run the loyalty programme — issue stamps and rewards, and (if you consented) send promo updates and your birthday surprise.
  • To meet our legal and accounting obligations (Singapore tax law requires we keep transactional records).

Marketing reuse: we do not reuse enquiry data for marketing. We only send marketing messages to people who explicitly signed up to the loyalty programme via /join with consent. If you signed up to loyalty, you agreed to be contacted; you can withdraw at any time (see Your rights).

Marketing channels we may use

If you opted into marketing via the loyalty signup, we may contact you via:

  • WhatsApp (typical channel — promos and reminders)
  • Email (birthday rewards, occasional updates)

We do not use SMS for marketing. If we ever add it, we will check the Singapore Do Not Call (DNC) registry first and seek fresh consent from you. We also don’t send voice (phone) marketing calls.

Who we share it with (current service providers)

We use a small number of trusted service providers to operate this website. Each receives only the data necessary for its function. The current list:

  • Supabase (database hosting) — stores enquiry records and loyalty members. Our project is hosted in Singapore (ap-southeast-1).
  • Vercel (website hosting) — serves the website and runs form-submission endpoints. Vercel’s infrastructure spans regions globally; for our deployment, edge requests are served from the nearest region (typically Singapore for SG traffic).
  • Resend (transactional email) — delivers enquiry notifications and loyalty / birthday emails. Resend operates from the United States.
  • Upstash (rate-limit cache) — anonymously tracks request counts per IP to protect the site from spam. No personal data is stored. Our database is in Singapore.

Our list of service providers may change over time. The current list is always available by emailing prataalley2@gmail.com; we’ll update this page when there are material changes.

We do not sell personal data. We do not share it with advertising networks, data brokers, or other restaurants.

Cross-border data transfers

Some of our service providers (notably Resend and Vercel) operate from outside Singapore. When your data crosses borders, we ensure the receiving party offers a comparable standard of protection to Singapore’s PDPA, either through their compliance certifications (SOC 2, ISO 27001) or via contractual data processing agreements with binding privacy commitments.

If you have concerns about cross-border transfers of your specific data, contact prataalley2@gmail.com and we’ll explain where your records live.

How long we keep it

  • Enquiry records: up to 18 months from the date of submission, then archived or deleted.
  • Loyalty programme records: kept while you remain an active member. If you unsubscribe, we keep the record (with status = unsubscribed) for 18 months, then delete it.
  • Confirmed booking records (invoice, receipt, quotation): retained for 5 years to satisfy Singapore tax-law obligations under the Income Tax Act.

You can request earlier deletion at any time — see Your rights below.

How we protect it

  • Personal data is stored in an access-controlled database with row-level security enabled by default.
  • The admin interface that reads personal data is gated by single-use sign-in links (magic-link authentication) limited to named team members.
  • We use HTTPS across the site.
  • Form submission endpoints are rate-limited to prevent abuse and bulk scraping.
  • We don’t log raw email addresses or phone numbers in our application logs; only masked identifiers and error categories.
  • Service-role credentials are stored only on the server (never sent to the browser) and rotated when team members change.

Data breach notification

If we become aware of a personal data breach that is likely to result in significant harm to affected individuals, or that affects 500 or more individuals, we will notify the Singapore Personal Data Protection Commission (PDPC) within 3 calendar days and notify affected individuals as soon as practicable, in line with PDPA section 26D.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Our birthday cron (which automatically issues birthday rewards) is a fixed-rule scheduled task, not a profiling engine.

Your rights

Under Singapore’s Personal Data Protection Act, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correct — ask us to fix any inaccuracies.
  • Port — receive your data in a structured, commonly-used, machine-readable format (typically JSON or CSV) for use elsewhere.
  • Withdraw consent — opt out of marketing or any specific processing. Easiest paths:
  • Delete — ask us to remove your data (subject to legal-retention obligations like tax records).
  • Object — object to specific uses of your data.

To exercise any of these rights, email prataalley2@gmail.com. We’ll acknowledge within one working day and complete the request within 30 days (or sooner — most are processed within a few days).

Children

This site is intended for adults. The loyalty programme requires members to be 13 or older. We don’t knowingly collect personal data from children below that age. If you believe we have, contact us and we’ll delete it.

Changes to this policy

If we change this policy in a way that materially affects how we handle your data, we’ll update the “Last updated” date and flag the change on the homepage for at least 14 days. For material changes affecting marketing or sharing, we’ll seek fresh consent where required.

Complaints and PDPC contact

We aim to resolve all privacy concerns directly. If you’re unhappy with our response, you can contact Singapore’s Personal Data Protection Commission:

pdpc.gov.sg · their public hotline and complaint form are listed on the site.

View MenuOrder