Privacy Policy
WEBSITE PRIVACY POLICY
Last Updated: 15 May 2026
1. Our Commitment
TwoSpuds Pte Ltd ("we", "us", "our") is committed to protecting your personal data in compliance with Singapore's Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020 (collectively, the "PDPA"). This Policy sets out how we collect, use, disclose, retain, and protect personal data in connection with your use of our website at www.twospuds.com (the "Site").
We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing compliance with this Policy and the PDPA. You may contact our DPO at the details set out in Section 12 below.
2. Personal Data We Collect
2.1 Data You Provide Directly
When you interact with us, you may provide personal data including:
Name and contact details (email address, telephone number, mailing address)
Date of birth and gender
Payment information (bank account or credit card details), processed via secure third-party payment processors
Any other information you choose to share with us through our contact forms, surveys, or correspondence
Note on NRIC/FIN Numbers: We only collect your Singapore identity card number (NRIC/FIN) where we are legally required or permitted to do so under applicable law. We do not collect NRIC/FIN numbers for general marketing or administrative convenience.
2.2 Data Collected Automatically
When you browse our Site, we automatically collect certain technical data, including:
IP address and general geographic location
Browser type and version
Pages visited, time spent, and clickstream data
Device identifiers and operating system
Referring URLs
This technical data is collected via cookies and similar tracking technologies (see Section 3) and is used in aggregate, anonymised form to improve our Site and services.
3. Cookies and Tracking Technologies
Cookies are small text files placed on your device when you visit our Site. We use only the following categories of cookies:
3.1 Strictly Necessary Cookies
These cookies are essential for the Site to function and cannot be switched off. They do not collect personal data for marketing purposes and do not require consent under the PDPA.
3.2 Analytics Cookies (Google Analytics)
We use Google Analytics to collect information about how visitors use the Site -- for example, which pages are visited most frequently and how users navigate between pages. This helps us improve the Site and our services. Google Analytics sets cookies on your device (including the _ga and _gid cookies) and transmits data to Google's servers. While this data is used primarily in aggregate form, the unique identifiers assigned by Google Analytics cookies may constitute personal data under the PDPA.
Our legal basis for this processing is deemed consent by notification under the PDPA -- by continuing to use our Site after reading this Policy, a reasonable person in your position would understand that analytics data is being collected for the purpose of improving our services. We consider this purpose to be one that a reasonable person would consider appropriate in the circumstances.
We have configured Google Analytics with the following privacy measures:
IP anonymisation is enabled, meaning your full IP address is truncated before being stored or processed by Google
Data sharing with Google's advertising products is disabled
Data retention is set to the minimum available period
Google Analytics data is transferred to and processed by Google LLC in the United States. Google LLC is certified under applicable data transfer frameworks and processes this data as a data processor on our behalf under Google's Data Processing Terms.
3.3 Opting Out of Google Analytics
You may opt out of Google Analytics tracking at any time using either of the following methods:
Install the Google Analytics Opt-Out Browser Add-On, available at https://tools.google.com/dlpage/gaoptout
Configure your browser to block or delete cookies. Instructions for major browsers are available at www.allaboutcookies.org
Please note that opting out of analytics cookies will not affect your ability to use the Site.
4. Purposes for Collecting, Using, and Disclosing Personal Data
We collect and use your personal data only for purposes that are legitimate, clearly identified, and where we have a valid legal basis under the PDPA. These purposes include:
Administering and maintaining your account with us
Processing and fulfilling orders for goods and services you purchase from us
Verifying and processing payments
Communicating with you about your account, transactions, and membership benefits
Sending you marketing and promotional communications where you have consented or where deemed consent applies under the PDPA (you may opt out at any time -- see Section 11.5)
Customer profiling, market research, and analytics to improve our products and services
Engaging third-party service providers to deliver aspects of our services on our behalf
Complying with legal obligations, including responding to lawful requests from regulatory and law enforcement authorities
Enforcing our legal rights and remedies
Notifying you of material changes to this Policy
Responding to your queries and feedback
We will not use your personal data for any purpose that is materially different from those listed above without first notifying you and, where required, obtaining your consent.
5. Legal Basis for Processing
Under the PDPA, we rely on the following bases for collecting and using your personal data:
Consent: Where you have given us express consent (e.g. subscribing to our mailing list).
Deemed consent by contractual necessity: Where the collection or use of your personal data is reasonably necessary to perform a contract to which you are a party (e.g. processing an order).
Deemed consent by notification: Where we have notified you of the purpose and you have not opted out within a reasonable period.
Legal obligation: Where we are required by law to collect or disclose your personal data.
Legitimate interests: Where our legitimate business interests are not overridden by your rights (e.g. fraud prevention and Site security).
6. Disclosure of Personal Data to Third Parties
We may disclose your personal data to the following categories of third parties:
Service providers: Including IT infrastructure providers, cloud hosting providers, payment processors, email service providers, and analytics platforms acting on our behalf under contractual obligations of confidentiality.
Professional advisers: Including lawyers, auditors, and insurers.
Regulatory and law enforcement authorities: Where required by law, court order, or to protect our legal rights.
Business transferees: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity subject to equivalent protections.
We do not sell your personal data to third parties for their own marketing purposes.
7. Transfer of Personal Data Overseas
In carrying out the purposes described in this Policy, we may transfer your personal data to recipients located outside Singapore, including our cloud service providers and analytics partners. Before doing so, we will ensure that the recipient is bound by legally enforceable obligations to provide the transferred personal data a standard of protection that is at least comparable to that under the PDPA, whether through:
Contractual clauses binding the recipient to PDPA-equivalent standards;
Confirmation that the recipient operates in a jurisdiction whose data protection laws are recognised as providing adequate protection; or
Such other mechanisms as are permitted under the PDPA.
8. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law or regulation. Our general retention criteria are:
Transactional and account data: Retained for 7 years following the end of our business relationship, in line with statutory record-keeping requirements.
Marketing preferences and consent records: Retained for the duration of our relationship plus 3 years to demonstrate compliance.
Website analytics data: Typically retained in aggregate, anonymised form for up to 26 months.
Correspondence and support records: Retained for 3 years from the date of last contact.
Once personal data is no longer required, we will securely destroy, delete, or anonymise it in accordance with our internal data disposal procedures.
9. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected individuals, we will comply with our mandatory breach notification obligations under the PDPA Amendment Act 2020. This includes:
Notifying the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case within 3 calendar days of assessing that the breach is notifiable;
Notifying affected individuals as soon as reasonably practicable where the breach is likely to result in significant harm to them.
We maintain an internal incident response plan to detect, assess, contain, and remediate data breaches promptly.
10. Protection of Personal Data
We implement reasonable and appropriate administrative, technical, and physical security measures to protect personal data in our possession or under our control against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include:
Encrypted transmission of data (TLS/SSL)
Access controls and authentication requirements for systems handling personal data
Regular security assessments of our infrastructure and third-party providers
Staff training on data protection obligations
No method of transmission over the internet or method of electronic storage is completely secure. While we take reasonable steps to protect your personal data, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately using the contact details in Section 12.
11. Your Rights
11.1 Right of Access
You have the right to request access to the personal data we hold about you and information about how it has been or may have been used or disclosed in the year prior to your request. We may charge a reasonable administrative fee for processing access requests.
11.2 Right of Correction
You have the right to request that we correct any personal data we hold about you that is inaccurate, incomplete, or misleading. We will correct the data as soon as practicable and, where reasonable, notify third parties to whom the data was disclosed.
11.3 Right of Data Portability
Where we process your personal data by automated means on the basis of your consent or by contractual necessity, you may request that we transmit a copy of your personal data to another organisation in a machine-readable format, to the extent technically feasible and required under the PDPA.
11.4 Right to Withdraw Consent
You may withdraw consent to our use of your personal data at any time by contacting us using the details in Section 12. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal. Please note that withdrawal of consent for certain purposes may affect our ability to provide you with some or all of our services.
11.5 Right to Opt Out of Marketing
To unsubscribe from our marketing communications, click the unsubscribe link in any email we send you, or contact us directly. We will process your request within 10 business days. Please note that we may continue to send you transactional or service-related communications.
Do Not Call (DNC) Registry: We will not send marketing messages to Singapore telephone or facsimile numbers registered with the DNC Registry unless you have provided us with clear and unambiguous consent to do so.
12. Contact Us
If you have any questions about this Policy, wish to exercise your rights, or wish to report a potential violation, please contact our Data Protection Officer:
TwoSpuds Pte Ltd
Data Protection Officer: Fred Johns
By post: 1B Trengganu Street, Singapore 058455
By email: Privacy@TwoSpuds.com
By phone: +65 6909 1415
We will acknowledge your request within 5 business days and respond within 30 calendar days, or such other period as may be permitted under the PDPA.
13. Changes to This Policy
We reserve the right to update this Policy at any time to reflect changes in our data practices or applicable law. The most current version will always be posted at www.twospuds.com/privacy. Where changes are material, we will provide you with prominent notice, such as by email or a notice on our Site, prior to the changes taking effect.
Your continued use of the Site following the posting of any changes constitutes your acknowledgement of the updated Policy.