Kaarla Privacy Notice

Last updated: 20 May 2026

1. About this Notice

Kaarla cares about your privacy. This Privacy Notice (“this notice”) sets out, in plain terms, what we do with the personal data we hold about you. It covers visits to our venue, time spent on our website at www.kaarla.sg, contact through our reservation systems, calls and emails, your activity on our social channels, and your participation in the 1-Insider loyalty programme. The notice has been drafted to fit the requirements of the Personal Data Protection Act 2012 of Singapore (the “PDPA”) and the regulations that sit alongside it.

Throughout this notice, the phrase “personal data” carries the same meaning as in the PDPA: it covers data, whether accurate or not, about an individual who can be identified from the data alone, or from the data combined with other information that we already have or are likely to obtain. References to “Kaarla”, “we”, “us” and “our” are references to the venue and to the entity that operates it.

2. Who We Are

The entity behind Kaarla is 1-Spring Pte Ltd, a private limited company incorporated in Singapore with UEN 202100939Z. Its registered office address is 88 Market Street, #51-01, Singapore 048948. For the purposes of the PDPA, 1-Spring Pte Ltd is the “organisation” (in other regimes, the equivalent term is data controller) for personal data we collect about you in relation to Kaarla.

3. Our Data Protection Officer

Our Data Protection Officer is the person inside the business who is accountable for our PDPA compliance. You can write to the DPO at:

Immelia Izalena, Data Protection Officer

1-Spring Pte Ltd

88 Market Street, #51-01

Singapore 048948

Email: marketing@1-group.com.sg

4. Who This Notice Applies To

You are covered by this notice if any of the following describes you:

  • you have applied (or are applying) for a role at Kaarla or with 1-Spring Pte Ltd;
  • you have contacted us by phone, email, social media or via any other channel;
  • someone else (for instance, a host in your party) has shared your personal data with us;
  • you have booked, enquired, purchased or signed up through our website, our reservation systems, or the 1-Insider loyalty programme; or
  • you have dined at, joined an event at, or otherwise spent time at the Kaarla venue.

5. Personal Data We Collect

Personal data we may collect about you falls into the following groups.

Who you are and how to reach you

Name, salutation, date of birth (where you elect to share it), nationality, gender, photo (where relevant), postal address, email address, phone number, social handles, and anything else you choose to give us as a contact channel.

Your bookings and events

Date and time of your reservation, table or area held, party size, names and contact details of guests in the party, dietary needs, allergies, occasion or celebration notes, accessibility needs, any special requests, and a running record of bookings and attendance.

1-Insider loyalty programme

For 1-Insider members, the membership identifier, current tier, points balance, redemption history, stated preferences, communication preferences, and the cross-venue interaction record built up over the time you remain in the programme.

Payment-related information

When a payment, gift-voucher purchase or deposit is processed through our website or reservation systems, we (working with our payment processor) record billing information, the last four digits of the payment card, card brand, the transaction record and related invoicing data. The full card number is handled directly by our payment processor; we do not retain it in clear text.

Your communication preferences

The channels you have authorised us to use for marketing (and the ones you have declined), topic-level interests, signals from your engagement with messages we send (opens, clicks, unsubscribes), and any opt-out signals you have given.

Web and device information

When you arrive at our website, we record your IP address, geolocation derived from it at city or country level, device make and model, operating system, browser and version, language and time-zone settings, the pages you view, the URL that referred you, the links you select, time spent on individual pages, session identifiers, and cookie identifiers, both first-party and from third-party analytics, advertising and attribution partners.

CCTV and photo or video footage

Closed-circuit television footage captured at Kaarla and at other venues we run, plus photographic and video footage captured at events at Kaarla. Sections 15 and 16 explain how we operate each of these.

Job-application information

For people applying to work with us, the contents of the CV, application form, cover letter, references and any interview notes. This typically includes your education, your past roles, professional qualifications, work-eligibility status in Singapore, and any extra detail you choose to share.

Things you have written to us

Any messages, feedback, reviews, complaints or other communications you have sent us (and the responses that have gone the other way), no matter which channel you used.

6. How We Collect Personal Data

There are several routes by which personal data reaches us:

  • cameras: through CCTV operating at Kaarla and at other venues we run (see Section 15);
  • automatically: while you are on our website or using our digital channels, by means of cookies, pixels and similar tools (see Section 13);
  • public sources: where we look at publicly available information such as professional or media profiles in the context of due diligence, marketing or recruitment;
  • platform partners: through the third-party reservation, payment and loyalty platforms we rely on, namely SevenRooms (table reservations and guest management), Tripleseat (event enquiries), Stripe (payment processing) and Eber (the 1-Insider loyalty programme);
  • someone acting in your interests: where another member of your party makes a booking that includes you, or where an event organiser, a corporate client, a concierge service or a booking hotel passes your data along; and
  • direct contact: when you reserve, sign up for 1-Insider, buy something, send an enquiry, attend an event, complete a form, message us, or talk to one of our team at the venue.

7. How We Use Personal Data

Once we have personal data, here is what we do with it:

  • we look after legal claims and disputes, whether arising from a reservation, a transaction, or a workplace matter;
  • we meet our obligations under applicable law, which includes the PDPA, accounting and tax laws, food-safety rules and licensing requirements, and we respond to lawful regulator or law-enforcement requests;
  • we run our hiring processes, assess candidates, interview them, make hiring decisions, and (for unsuccessful applications) retain records in line with Section 17;
  • we manage incidents and security, both at the venue and online, looking into complaints, accidents, disputes and potential misconduct;
  • we plan and run the business internally, including menu development, service-quality review and operational planning;
  • we measure how our marketing performs through analytics, advertising-platform measurement, and first-party attribution, so that we can improve it;
  • we keep the website, the reservation systems and the digital channels running, secure and improving, including diagnostic and performance work;
  • we send you marketing about Kaarla, 1-Spring Pte Ltd and our other concepts where you have agreed to receive it or where the law otherwise allows;
  • we personalise your experience by remembering dietary requirements, preferences, allergies and accessibility needs visit to visit;
  • we keep the 1-Insider loyalty programme running, including sign-ups, points tracking, redemptions and tier benefits; and
  • we deliver the things you have asked for, which includes processing reservations, fulfilling event bookings, handling payments and refunds, communicating about your visit, and following up afterwards.

8. The Legal Bases We Rely On

The PDPA allows us to collect, use and disclose personal data on a few different bases, and we may rely on more than one at a time:

  • our legal obligations require us to retain or process some data, for example to meet accounting record obligations under the Companies Act 1967, the Income Tax Act 1947 and the Goods and Services Tax Act 1993;
  • contract performance allows us to handle reservations, confirmed event bookings and similar arrangements you have entered into with us;
  • the “business improvement” exception under the PDPA supports activities like improving our goods and services, understanding our customers better, and developing new offerings;
  • the “legitimate interests” exception under the PDPA supports activities where Kaarla’s interests (or those of another person) clearly outweigh the adverse effect on you, such as venue security, fraud prevention and operational-risk management; and
  • your consent, whether you give it expressly or whether the PDPA deems it given by your voluntary provision of data for a clearly notified purpose, underpins many other uses.

You can pull your consent back at any point by writing to the Data Protection Officer using the address in Section 3. We will respect the withdrawal going forward; however, anything that has already been done in reliance on your earlier consent is unaffected, and the withdrawal may leave us unable to continue providing certain services to you.

9. How We Share Personal Data

There are three broad groups of recipient. We share with each only what is reasonably needed for the purposes described in Section 7.

Other recipients

These include our professional advisers (lawyers, accountants, auditors and tax advisers), our insurers, banks and payment networks where transactions and chargebacks require it, regulators and law-enforcement authorities where we are obliged to disclose or where disclosure is necessary to protect our rights or the rights of others, and any party stepping into our shoes in a merger, acquisition or sale of business or assets.

Service providers and processors

These are companies that process personal data on our behalf, under written contracts with PDPA-aligned data-protection terms. At present the main ones are:

  • Mailchimp and similar email-service providers (marketing communications);
  • Google Analytics, Google Ads, Meta and TikTok (analytics, advertising and attribution);
  • Slack (internal communications);
  • Google Workspace (productivity, email and document collaboration);
  • Vercel and Supabase (web hosting and managed database for our digital channels);
  • Google Cloud and Amazon Web Services (hosting and infrastructure);
  • Stripe (payment processing);
  • Eber (1-Insider loyalty-programme platform);
  • Tripleseat (private-events and event-enquiries platform); and
  • SevenRooms (table reservation and guest-management platform).

The 1-Spring Pte Ltd group

Personnel and entities under common ownership with, or having an operating relationship with, 1-Spring Pte Ltd, including for the purpose of running the 1-Insider loyalty programme across the venues that participate.

Personal data is not sold by us. Full stop.

10. Transfers of Personal Data Outside Singapore

Several of the providers listed above (including SevenRooms, Tripleseat, Eber, Stripe, Google, Amazon Web Services, Vercel, Supabase, Meta and TikTok) sit outside Singapore. That means your personal data may be transferred to, stored in or accessed from places like the United States, the European Union, the United Kingdom, Australia and other countries those providers operate in.

Whenever a transfer of that kind happens, the PDPA requires us to take steps so that the receiving party is bound by legally enforceable obligations giving a standard of protection comparable to the PDPA. We do this through contractual safeguards (typically data-processing agreements with PDPA-aligned clauses), through reliance on certifications the recipient already holds, or through other measures permitted by the Personal Data Protection (Transfer of Personal Data Outside Singapore) Regulations 2014.

11. How Long We Keep Personal Data

Retention is kept to what is needed for the purpose at hand, plus what we need for legal, accounting, tax, audit or reporting requirements. As specific examples:

  • job-applicant records sit on file for up to twelve (12) months from the close of the relevant recruitment cycle, unless you have agreed to a longer period;
  • CCTV footage is typically held for around 30 days from the time of capture, after which it is securely overwritten, unless we need to keep a particular recording in connection with an investigation, dispute or legal matter;
  • financial records (invoices, deposits, refunds and the like) are held for the periods required under the Companies Act 1967, the Income Tax Act 1947 and the Goods and Services Tax Act 1993, which works out to at least five years in most cases;
  • 1-Insider loyalty records are held while you are a member, plus a reasonable period thereafter, in line with the loyalty-programme terms; and
  • reservation records and guest profiles are held while your account or profile is active, and for a reasonable period afterwards for record-keeping, dispute-handling and audit.

Once data is no longer needed for any legal or business purpose, it is securely deleted or anonymised.

12. How We Protect Personal Data

Reasonable security arrangements are in place to guard personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risk. Practically, that involves access controls, role-based permissions, encryption in transit, secure server hosting, periodic reviews of how our security stack is performing, training for staff who handle personal data, and contractual safeguards in our service-provider agreements.

No method of transmitting information over the internet, or storing it electronically, is fully secure. We do our best, but we cannot guarantee absolute security, and any personal data you choose to share with us is shared at your own risk.

13. Cookies, Analytics and Marketing Attribution

Cookies and similar tracking technologies appear on our website. Cookies are small text files put onto your device when you visit a website. The cookies on ours fall into these groups:

  • first-party attribution: a cookie named “_1g_attr” that we set ourselves to measure the channels that bring visitors to our website, so we can attribute marketing performance reliably as third-party cookie support fades;
  • advertising and attribution: cookies that help us gauge how our advertising performs and tailor the ads you see on third-party platforms, including Google Ads, Meta and TikTok;
  • analytics: cookies that help us understand how visitors interact with the website, including Google Analytics;
  • preferences: cookies that retain settings such as language; and
  • strictly necessary: cookies the website cannot function without.

You can manage cookies through your browser settings. Turning off some cookies may leave parts of our website working differently.

14. Marketing Communications, the DNC Registry and the Spam Control Act

With your consent, or under another basis the PDPA allows, we may send you marketing communications by email, SMS, push notification, in-app message, postal mail or through other channels. The subjects we may write to you about are Kaarla, the 1-Insider loyalty programme, and other concepts run by 1-Spring Pte Ltd that we think might interest you.

Opting out is always available. You can:

  • write to the Data Protection Officer using the contact details in Section 3;
  • update your marketing preferences inside your 1-Insider account;
  • reply with the indicated stop word to a marketing SMS; or
  • click the “unsubscribe” link inside any marketing email.

For voice calls, SMSes or faxes to Singapore phone numbers, we check those numbers against the relevant Do Not Call (“DNC”) registers maintained by the Personal Data Protection Commission before sending. The exceptions we may rely on are limited (for example, where you have given clear and unambiguous consent in writing or in another readable form, or where the message is an “ongoing relationship” message). Commercial electronic messages from us follow the Spam Control Act 2007 of Singapore, including its rules on unsubscribe facilities and sender identification.

15. CCTV at Our Venues

Closed-circuit television operates at the Kaarla venue. The reasons we use it include safety, security, incident investigation, fraud prevention, loss prevention, service-quality assurance, and the protection of our property, our staff and our guests. Signage indicating CCTV is in use is displayed in the relevant areas. Recordings are kept for a limited time, generally about 30 days, and only authorised personnel can access them. We do not deploy CCTV to monitor staff productivity in the ordinary course of operations.

16. Photography and Videography at Events

At events at Kaarla, including private events, media events and brand activations, we may take photographs and shoot video for marketing, communications, social-media and editorial purposes. Where this is planned, we will make a reasonable effort to give advance notice through signage at the venue, through the event invitation, or in another suitable way. We will accommodate reasonable requests not to be photographed or filmed wherever this is operationally workable. When the resulting photos or video are used for marketing, we rely on the bases in Section 8.

17. Job Applicants

A job application puts personal data into our hands: the application form, the CV, the cover letter, references, and any notes that come out of interviews. We use that information to assess your suitability, interview you, carry out background and reference checks where appropriate and lawful, make hiring decisions, and meet our employment, immigration and other legal obligations. If you are not selected this time, we may keep your details on file for up to twelve (12) months in case another suitable role opens up, unless you ask us to delete them earlier.

18. Your Rights Under the PDPA

The PDPA gives you a set of rights in respect of your personal data, subject to the conditions and exceptions in the Act itself:

  • data portability (sections 26F to 26J of the PDPA, once in operation): for certain categories of data, the right to ask us to transmit your data to another organisation able to receive it;
  • withdrawal of consent (section 16): the right to withdraw any consent you have previously given for collection, use or disclosure, recognising that withdrawal may leave us unable to continue providing certain services;
  • correction (section 22): the right to ask us to correct an error or omission in the personal data we hold; and
  • access (section 21): the right to be told what personal data we hold about you and the ways we have used or disclosed it in the year before your request.

To exercise any right, write to the Data Protection Officer using the address in Section 3. Identity verification may be needed before we respond. Where the PDPA permits us to charge a reasonable fee for responding (this applies to some requests), we will tell you in advance, and we will not begin work until you have confirmed you will pay the fee. Valid requests are responded to within the time required by the PDPA, currently thirty (30) days where reasonably practicable.

19. How to Contact Us

For anything to do with this notice or how we handle your personal data, the relevant contacts are:

Immelia Izalena, Data Protection Officer

1-Spring Pte Ltd

(operator of Kaarla)

88 Market Street, #51-01

Singapore 048948

Email: marketing@1-group.com.sg

General enquiries: reservation@kaarla.sg

Phone: +65 9837 8248

20. Complaints to the PDPC

Should our response to a query or complaint leave you unsatisfied, the next step is to raise it with the Personal Data Protection Commission of Singapore (“PDPC”). Their contact details are:

Personal Data Protection Commission of Singapore

10 Pasir Panjang Road, #03-01

Mapletree Business City

Singapore 117438

Website: www.pdpc.gov.sg

21. Updates to this Notice

From time to time we will refresh this notice, whether to keep up with our practices, the services we offer, or the law. The latest version sits at www.kaarla.sg/privacy, and the date at the top tells you when it was last refreshed. Where a change is material, we will make a reasonable effort to flag it for you, whether through a notice on the website or, where appropriate, via direct communication.

22. Governing Law

The laws of Singapore govern this notice, and this notice is to be read accordingly.

— End of Privacy Notice —