Last updated: October 15, 2025
This Privacy Notice for Nattynites Pte. Ltd. (“Nattynites”, “we”, “us”, or “our”) explains how and why we access, collect, use, store, share, transfer, and otherwise process personal data when you use our websites and services, including nattynites.club and app.nattynites.club (collectively, the “Services”).
Please read this Notice carefully to understand your rights and our responsibilities. If you do not agree with this Notice, please do not use the Services.
For the purposes of the Singapore Personal Data Protection Act 2012 (“PDPA”), Nattynites Pte. Ltd. is the organisation responsible for decisions on the processing of personal data.
We have appointed a Data Protection Officer (DPO). Business contact for PDPA matters (email only): [email protected].
We collect personal data you provide directly and data collected automatically when using the Services. Categories may include:
Sensitive / identification data. We do not collect or retain national identification numbers (e.g., NRIC/FIN) or passport numbers unless required by law or strictly necessary for identity verification or hotel check-in compliance. Where collected, access is restricted and retention is minimised.
From other sources. Where allowed by law, we may receive limited data from partners (e.g., hotel partners, analytics providers) to update records, prevent fraud, or tailor experiences.
Social logins. If you register/login via third-party providers (e.g., Apple, Google, Meta), we receive profile elements permitted by your settings (e.g., name, email). Use is limited to account and security purposes.
Google API data. Any use of Google APIs adheres to the Google API Services User Data Policy (including Limited Use).
PDPA (Singapore). We generally collect, use, and disclose personal data with your consent, including deemed consent (e.g., when you voluntarily provide data to use the Services or when disclosure is reasonably necessary to conclude or perform a contract). We may also rely on PDPA statutory exceptions (e.g., investigations, emergencies, business asset transactions, legitimate interests with assessment/notification, business improvement) where applicable. You may withdraw consent at any time (see “Your Rights & Requests”).
GDPR/UK GDPR (where applicable). Depending on your location, we may also rely on consent, performance of a contract, legitimate interests, legal obligations, or vital interests as legal bases.
Canada (where applicable). We rely on express or implied consent as permitted; you may withdraw consent at any time.
We use cookies and similar technologies to enable core functionality, remember preferences, measure performance, and improve the Services. You can control cookies in your browser settings. For details and management options, see our Cookie Notice.
We provide optional features powered by AI/ML to enhance your experience, including:
We engage reputable AI providers (e.g., OpenAI) under agreements requiring strong security and limited use. We do not permit AI providers to train their general models on your personal data without clear notice and, where required, your consent. Human review may occur for safety/quality. You can opt out of non-essential AI features by contacting our DPO.
We do not sell your personal data. We currently do not directly collect or store full payment card details. If/when we onboard a payment processor, we will update this Notice and link to that provider’s privacy notice.
We may transfer personal data across borders. Our primary infrastructure providers are located in Singapore (e.g., DigitalOcean and Neon), and we may disclose data to hotel partners across East and Southeast Asia. Where data is transferred out of Singapore, we take steps to ensure a standard of protection comparable to the PDPA, including contractual safeguards.
Our primary infrastructure providers are located in Singapore, including DigitalOcean (compute/object storage) and Neon (database). Our static site hosting and CDN delivery may be provided by Netlify, which operates infrastructure in the United States and other regions.
Where personal data is transferred out of Singapore (e.g., for CDN/static delivery or global performance), we implement measures to ensure a standard of protection comparable to the PDPA, including contractual safeguards and access controls. For more on cross-border transfers, see the section “International Data Transfers”.
We implement reasonable administrative, technical, and physical safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. However, no method of transmission or storage is completely secure.
If we assess a data breach to be notifiable under the PDPA (e.g., likely to result in significant harm or affecting a significant number of individuals), we will notify the PDPC and, where required, affected individuals as soon as practicable and no later than 3 calendar days after such assessment.
We retain personal data only as long as necessary for the purposes described in this Notice or as required by law. When no longer needed, we anonymise or securely dispose of it. We take reasonable steps to ensure personal data is accurate and complete where it is likely to be used to make a decision about you or to be disclosed to another organisation.
Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing, withdraw consent, and obtain a copy of your data. Under the PDPA, you may submit access and correction requests; we generally respond within 30 calendar days (a reasonable fee may apply for access, where permitted).
To submit a request or withdraw consent, please contact our DPO or use our request form: Data Subject Request Form.
We currently do not send marketing via SMS/WhatsApp/voice calls. If we do so in the future, we will obtain consent or check the Singapore Do Not Call Registers, unless an exception applies. You can opt out of marketing at any time by contacting our DPO.
The Services may link to third-party websites or services that are not operated by us. We are not responsible for their content or privacy practices. Any data you provide to third parties is governed by their policies; we encourage you to review them.
Many browsers include a Do-Not-Track (DNT) setting. No standard for recognising DNT signals has been finalised, so we do not respond to them at this time. If such a standard is adopted, we will update this Notice.
If you are a resident of states such as California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have rights (subject to exceptions) to know/access, correct, delete, obtain a copy (portability), and opt out of targeted advertising, sale, or certain profiling. Submit requests via the Data Subject Request Form.
Personal information categories we may collect include identifiers; customer records; commercial information; internet/network activity; geolocation (coarse); and in limited cases, sensitive information (e.g., account login credentials). We do not sell or “share” personal information as defined by applicable state laws, and we do not use sensitive personal information to infer characteristics. We disclose personal information to service providers for business purposes as described in “How We Share Information.”
We honour Global Privacy Control (GPC) signals where required by law. Appeals of request outcomes can be submitted to the DPO email listed below.
Australia / New Zealand. We process personal information in line with the Privacy Act 1988 (AU) and the Privacy Act 2020 (NZ). You may request access/correction at any time via our DPO contact or the DSAR form. If you believe we are unlawfully processing your information, you may contact the OAIC (AU) or the NZ Privacy Commissioner.
South Africa. You may request access/correction under POPIA via our DPO contact or the DSAR form. If unsatisfied with our handling, you may contact the Information Regulator (South Africa).
The Services are not directed to children. Where appropriate, we may seek parental/guardian consent or verify an individual’s capacity to consent in accordance with PDPA guidance. If you believe a minor has provided personal data, please contact us so we can take appropriate action.
We may update this Notice from time to time. We will post the updated version with an updated “Last updated” date. Your continued use of the Services after any changes constitutes acceptance of the revised Notice.
For privacy questions or requests:
DPO (email only): [email protected]
Company: Nattynites Pte. Ltd., 32 Pekin Street, #05-01, Singapore 048762