Privacy Policy
Mandai Smoke Co. ("Mandai Smoke Co", "we", "our", "us") respects your privacy. This policy explains what personal data we collect when you order from us, sign up for our newsletter, or visit mandaismokeco.com, as well as how we use it, who we share it with, and what rights you have over it. If anything below is unclear, write to us at hello@mandaismokeco.com and we'll explain in plain English.
1. Who we are
Mandai Smoke Co is a Singapore home-based BBQ delivery business operating at mandaismokeco.com. Our customer database and ordering systems are hosted in Singapore on Amazon Web Services (AWS), in the Asia Pacific (Singapore) region. We are the data controller for any personal data we collect through our website, email, SMS, WhatsApp, and direct customer messages.
2. What we collect
We collect only what we need to take your order, deliver it, and keep you informed. Specifically:
- Contact details: your name, email address, mobile number, and (when you order) delivery address.
- Order history: what you ordered, when, and any delivery instructions you gave us.
- Loyalty data: Embers points, streak progress, and rewards you've redeemed (only if you sign up for our loyalty program).
- Communication preferences: whether you've opted in or out of marketing emails or SMS, and your unsubscribe history.
- Sign-in identifiers: if you log in via Google or Facebook, we store the unique account ID those providers give us so we can recognise you on return visits. We do not store your social media password.
- Payment information: processed entirely by our payment provider (see section 8). We never see or store your full card number.
- Website usage data: basic analytics like pages viewed, browser type, and approximate location (city-level), described in section 7.
3. How we use your information
We use the data above to:
- Process your order, prepare your food, and deliver it to you.
- Send you order confirmations, delivery ETAs, and receipts.
- Reply when you write to us with a question, request, or feedback.
- Run our loyalty program: track points, streaks, and tier progression, and tell you when you've unlocked something.
- Send you marketing emails about new menu items and weekend specials, but only if you've opted in (see section 4).
- Improve our website, menu, and delivery service based on aggregated, non-identifying patterns.
- Comply with our legal and tax obligations (e.g., keeping order records for IRAS).
We do not use your data for automated decision-making that has a legal or significant effect on you.
4. Email communications
When you place an order, sign up for our newsletter, or join our loyalty program, we collect your email address so we can:
- Send order confirmations, delivery updates, and receipts
- Tell you about new menu items, weekend specials, and small-batch drops
- Share loyalty milestone rewards and referral credits
- Reply to you when you write to us at hello@mandaismokeco.com
You're in control. Every email we send (apart from one-off order confirmations) includes a one-click unsubscribe link in the footer and the same option natively in Gmail and Apple Mail. When you unsubscribe, we stop sending you marketing emails immediately and add your address to our internal suppression list so it doesn't slip back in.
You can also email us directly at hello@mandaismokeco.com to:
- Ask what data we hold about you
- Correct any details that are wrong
- Withdraw consent for any communications
- Have your data deleted entirely
We'll respond within 30 days — usually much faster.
5. How your email data is handled
Your email address is stored in our customer database (FLAME) hosted in Singapore (AWS Asia Pacific region). Marketing emails are sent through Amazon Web Services Simple Email Service (AWS SES), our email infrastructure provider. AWS processes your email address solely to deliver the email — they don't use it for their own purposes. AWS's privacy commitments are at https://aws.amazon.com/privacy/.
When emails bounce (e.g., the inbox is full or the address doesn't exist) or when you mark them as spam, AWS notifies us so we can stop sending. Our suppression list is permanent unless you ask us to remove your address from it.
We do not:
- Sell, rent, or share your email address with anyone
- Send your details to advertisers
- Use your data for purposes outside what's described in this policy
6. SMS and WhatsApp messages
We may send you SMS or WhatsApp messages for time-sensitive delivery updates (e.g., "your driver is 10 minutes away") and one-time passwords when you log in. These are operational messages tied to an active order or sign-in, not marketing.
SMS and WhatsApp are sent via Twilio, our messaging provider. Twilio processes your phone number solely to deliver the message. Their privacy notice is at https://www.twilio.com/legal/privacy.
You can opt out of all non-essential messaging by replying STOP to any SMS we send, or by emailing hello@mandaismokeco.com. Order confirmations and delivery-day updates may still be sent if you have an active order, since they're necessary to fulfil it.
7. Cookies and tracking
Our website uses cookies and similar technologies for the following purposes:
- Strictly necessary cookies: keep you signed in, remember items in your cart, and enable secure checkout. These cannot be turned off.
- Analytics cookies: we use privacy-respecting analytics to understand how visitors use the site (which pages are popular, how customers find us). The data is aggregated and does not identify individuals personally.
- Marketing cookies: if we run paid advertising in the future, we may use cookies from advertising platforms (e.g., Meta or Google Ads) to measure campaign effectiveness. You'll be able to opt out via the cookie banner.
You can clear or block cookies through your browser settings. Doing so may break parts of the site (e.g., your cart or sign-in).
8. Payment processing
Payments on mandaismokeco.com are processed by our payment provider (Wix Payments and its underlying card networks). When you pay, your card details are sent directly to the payment provider over an encrypted connection — they never touch our servers. We receive a confirmation that the payment succeeded along with a transaction reference, but not your card number, CVV, or expiry date.
Wix Payments' privacy practices are described at https://www.wix.com/about/privacy.
9. Third parties we work with
To run our business, we share specific data with the following processors. Each is contractually limited to processing your data only for the purpose listed:
- Amazon Web Services (AWS): hosts our customer database and sends our emails. Singapore region.
- Wix: hosts our website, processes payments, and provides our content management system.
- Twilio: sends SMS and WhatsApp messages (delivery updates, OTP).
- Google: if you sign in with Google, Google verifies your identity for us.
- Meta (Facebook): if you sign in with Facebook, Meta verifies your identity for us.
We do not share your data with anyone else. We do not sell, rent, or trade personal data under any circumstances. If our processors change, we'll update this list.
10. Data security and retention
Your data is stored on encrypted databases in AWS Asia Pacific (Singapore). Access is restricted to a small number of authorised staff and administrative tools, all protected by strong authentication. We use TLS encryption for every connection between your browser and our servers.
We retain personal data only for as long as we need it:
- Order records: 7 years (required for Singapore tax compliance).
- Marketing email consent and unsubscribes: kept indefinitely so we honour your unsubscribe forever.
- Loyalty data: retained while your account is active; archived 12 months after your last order or interaction.
- Inactive accounts: deleted on request, or after 5 years of complete inactivity.
11. Your rights
Under Singapore's Personal Data Protection Act 2012 (PDPA), you have the right to:
- Access the personal data we hold about you (PDPA s.21).
- Correct inaccurate or incomplete data (PDPA s.22).
- Withdraw consent for any processing where consent was the legal basis (PDPA s.16).
- Request deletion of your data, subject to legal retention requirements above.
- Lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.
If you're an EU/UK resident, you have equivalent rights under GDPR including the right to data portability and the right to object to processing. To exercise any of these rights, email hello@mandaismokeco.com. We'll respond within 30 days.
12. Children's privacy
Mandai Smoke Co is intended for adult customers placing food orders. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with data, please contact us and we'll delete it.
13. Changes to this policy
We may update this policy as our business changes (new features, new processors, new legal requirements). When we make material changes, we'll update the "Last updated" date at the top of this page and — if the change is significant — notify you via email. Your continued use of mandaismokeco.com after a change constitutes acceptance of the updated policy.
14. Contact us · PDPA Data Protection Officer
Mandai Smoke Co complies with the Singapore Personal Data Protection Act 2012. For data protection enquiries, please contact our Data Protection Officer at hello@mandaismokeco.com
