Privacy Policy

• 1.1 As Data Intermediary. When We process Personal Information on behalf of a Restaurant as part of providing the Services, We act as a data intermediary on that Restaurant’s instructions. The Restaurant is the primary organisation responsible for that Personal Information under the PDPA. Our processing is governed by the MSA and its Data Processing Addendum.
• 1.2 As Organisation. When We collect and use Personal Information for Our own purposes. For example, to operate Our website, manage Our customer relationships, bill subscribers, market Our Services, secure Our systems, and comply with law. We act as an organisation under the PDPA and this Policy applies directly.
• 1.3 Restaurant Privacy Notices. When You interact with a Restaurant through Our platform, that Restaurant’s own privacy notice also applies to its use of Your Personal Information. If You have questions about how a Restaurant uses Your data, please contact the Restaurant directly.

We collect the following categories of Personal Information, depending on how You interact with Us:

• 2.1 Information You Provide. Account and business information such as name, business name, role, email, phone, billing address, tax identifiers, and login credentials.
• Diner information such as name, email, phone, delivery address, order history, loyalty balances, dietary preferences, and any notes provided at checkout.
• Payment information processed directly by third-party payment processors; We do not store full card numbers.
• Communications and support content You provide when contacting support, participating in surveys, or responding to marketing.
• 2.2 Information Collected Automatically. Device and usage data, including IP address, browser type, operating system, device identifiers, pages visited, referring URLs, timestamps, and interaction events via cookies and similar technologies.
• 2.3 Information from Third Parties. Information from integrations and service providers, including payment processors, delivery partners, marketing platforms, authentication providers, and publicly available sources.
• 2.4 Sensitive Information. We do not intentionally collect sensitive personal data such as health, biometric, or religious information unless specifically requested.

• provide, operate, maintain, and improve the Site and Services
• process orders, payments, refunds, and loyalty transactions
• authenticate users and secure accounts
• communicate with You about Your account, transactions, support requests, and service announcements
• send marketing communications with consent where required and with an opt-out in every message
• personalise content and recommendations
• conduct analytics, research, and product development, including de-identified and aggregated data
• prevent, detect, and investigate fraud, abuse, and security incidents
• comply with legal, regulatory, tax, accounting, and audit obligations
• establish, exercise, or defend legal claims

Where We process Personal Information as a data intermediary on behalf of a Restaurant, We use it only on the Restaurant’s documented instructions and for the purposes set out in the MSA.

Under the PDPA, We collect, use, and disclose Personal Information only where You have given consent, where consent is deemed under the PDPA, where an exception in the PDPA applies, or where We are required or permitted to do so by law. You may withdraw consent at any time by contacting Us as set out in Section 11. Withdrawal may mean We cannot continue providing certain Services to You.

• 5.1 To Restaurants. We disclose order and contact details to Restaurants so they can fulfil orders, operate loyalty programs, and where consented, send marketing.
• 5.2 To Service Providers (Sub-Processors). We use carefully selected sub-processors for cloud hosting, payment processing, delivery partners, email and SMS, analytics, support tooling, and telephony providers, all bound by confidentiality and data protection obligations.
• 5.3 Corporate Transactions. We may disclose Personal Information in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to equivalent confidentiality protections.
• 5.4 Legal and Safety. We may disclose Personal Information where required by law or where reasonably necessary to protect rights, safety, or prevent fraud or security threats.
• 5.5 With Your Consent. We disclose Personal Information to other third parties only with Your consent or at Your direction.

We do not sell Personal Information to third parties.

Personal Information collected by Next Order may be transferred to, and stored or processed in, countries outside Singapore, including Australia, the United Kingdom, the European Union, India, Pakistan, and the United States, where Our facilities or sub-processors are located. Where We transfer Personal Information outside Singapore, We take reasonable steps as required by the PDPA to ensure a standard of protection comparable to the PDPA through contractual clauses, binding corporate rules, or transfer to jurisdictions recognised as providing comparable protection.

We and Our service providers use cookies, pixels, local storage, and similar technologies to operate the Site and Services, remember preferences, authenticate sessions, measure performance, and provide analytics and, where You consent, marketing. You can control cookies through browser settings and through the cookie banner displayed on the Site. Disabling certain cookies may limit functionality.

We retain Personal Information only for as long as necessary to fulfil the purposes described in this Policy, including to provide the Services, comply with legal, tax, accounting, and regulatory obligations, resolve disputes, and enforce agreements. When We no longer have a lawful or business need to retain Personal Information, We will securely delete or anonymise it in accordance with Our retention schedule and applicable law. Where We process Personal Information as a data intermediary, retention is determined by the Restaurant’s instructions and the MSA.

We maintain industry-standard administrative, physical, and technical safeguards designed to protect Personal Information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit and at rest, role-based access controls, least-privilege principles, multi-factor authentication for administrative systems, vulnerability testing, and incident response procedures. No method of transmission or storage is completely secure, and We cannot guarantee absolute security. You are responsible for keeping Your credentials confidential.

• Access. Request a copy of the Personal Information We hold about You and information about how it has been used or disclosed in the past year
• Correction. Request correction of Personal Information that is inaccurate or incomplete
• Withdraw Consent. Withdraw consent to Our collection, use, or disclosure of Personal Information on reasonable notice
• Data Portability. Where applicable, request transmission of Your Personal Information to another organisation in a commonly used format
• Lodge a Complaint. With Our Data Protection Officer and, if unresolved, with the Personal Data Protection Commission of Singapore

If Your Personal Information is held by Us as a data intermediary on behalf of a Restaurant, please direct access and correction requests to that Restaurant. We may charge a reasonable fee for access requests and may require identity verification before responding.

All privacy correspondence must be made in writing and sent by mail or courier to the address above. To help Us respond efficiently, please include Your full name, postal return address, a clear description of Your request, and, where relevant, the Restaurant through which You interacted with Us.

Our Services are not directed to, and We do not knowingly collect Personal Information from, children under the age of 13. If You believe a child has provided Personal Information to Us, please contact Our Data Protection Officer and We will take appropriate steps to delete it. Diners must be at least 18 years old, or the legal age of majority in their jurisdiction, to place orders, consistent with the Diner Ordering Terms.

In the event of a data breach affecting Personal Information, We will notify affected Restaurants where We act as data intermediary and, where required by the PDPA, the Personal Data Protection Commission and affected individuals, in accordance with the notification thresholds and timelines set out in the PDPA.

We may update this Privacy Policy from time to time. The “Last Updated” date at the top indicates when it was last revised. Material changes will be communicated through the Site and the Services. Your continued use after the effective date of a revised Policy constitutes acceptance.

This Privacy Policy is governed by the laws of Singapore.