1. About this Privacy Notice

At 1-Altitude Coast, we respect the importance of safeguarding personal information. This Privacy Notice explains how 1-PRODUCTION PTE LTD (UEN: 201330911D) (“1-Altitude Coast”, “we”, “our” or “us”) collects, uses, stores, shares and protects personal data relating to our guests, visitors, members, vendors, applicants and other individuals who interact with us.
• This Notice is intended to help you understand:
• what personal data we collect;
• why we collect and use it;
• when we may disclose it to others;
• how we protect it; and
• the rights available to you under applicable laws.
Our handling of personal data is carried out in accordance with Singapore’s Personal Data Protection Act 2012 (“PDPA”), the Spam Control Act 2007 and other applicable legal or regulatory requirements.
By accessing our websites, making bookings, attending events, joining loyalty programmes, contacting us or otherwise engaging with our services, you acknowledge that you have read and understood this Privacy Notice.

2. Who We Are
1-Altitude Coast is a rooftop lifestyle and dining destination located in Sentosa, Singapore, offering food and beverage experiences, social events, entertainment and hospitality services. References to “1-Altitude Coast”, “we”, “our” or “us” in this Notice include 1-PRODUCTION PTE LTD and the operating entities managing the following venues and brands:

• 1-Altitude Coast
• Sol & Ora

This Privacy Notice applies to personal data collected through:
• our websites and booking platforms;
• reservation and enquiry channels;
• event and wedding enquiries;
• marketing campaigns and newsletters;
• social media pages;
• loyalty or membership programmes; and
• interactions at our venues and events.

3. Our Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) in accordance with the PDPA to oversee matters relating to personal data protection and compliance.
If you have any questions, concerns or requests regarding your personal data or this Privacy Notice, you may contact our DPO using the contact information listed in Section 19.

4. Who This Notice Applies To
This Notice applies to personal data collected from or relating to the following categories of individuals:
Guests and customers — including diners, reservation holders, walk-in patrons, event attendees, wedding and private event clients, and gift voucher purchasers or recipients.
Marketing subscribers — individuals who have subscribed to receive marketing, promotional or event-related communications from 1-Altitude Coast via email, whatsapp or other channels.
Business contacts and service providers — including current, prospective and former suppliers, partners, vendors, contractors, agents and their representatives or personnel.
Job applicants and prospective workers — including applicants for employment, freelance, casual, part-time or contractor roles, whether applying directly or through recruitment agencies.
Website and platform visitors — including visitors to 1-altitudecoast.sg and any related microsites, booking platforms or digital channels operated by us.
Individuals recorded at our Venues — including individuals captured on CCTV systems for security and operational purposes, and individuals photographed or filmed during events, activations or experiences held at our Venues.

5. Personal Data We Collect
The categories of personal data we collect depend on how you engage with us. They may include:

Identity and contact data
• Name, salutation, title, date of birth, gender, nationality.
• Home and/or business address, postal code, country of residence.
• Email address, mobile and other telephone numbers.
• Identity-document details where required (for example, NRIC/FIN number, passport details — only where necessary, for example for tax-invoice purposes or guest verification at certain events; we do not collect or retain full NRIC numbers except where required by law).

Reservation, event and stay data
• Reservation details — date, time, party size, Venue, table preference, special occasion details, and notes left for the host.
• Event and wedding enquiry details — guest count, budget range, event date, dietary or thematic requirements, vendor preferences.
• Dietary, allergy and accessibility information you provide so we can serve you safely. By providing this information, you consent to our using it for that purpose.
• Purchase, billing and transaction history at our Venues.

Loyalty programme data
• 1-Insider membership data — tier status, points balance, redemption history, transaction history across Venues, communication preferences, and preferences and feedback recorded during visits.
Financial and payment data
• Credit and debit card details (collected and processed by our PCI-DSS-compliant payment processors; we do not store full card numbers).
• Billing addresses, deposit and refund details, and invoicing information.
Marketing preferences and communications data
• Marketing channel preferences (email, SMS, push notification), opt-in and opt-out history, and language preference.
• Engagement data relating to our marketing emails, such as opens and clicks, where we use tracking technologies for analytics.

Website, device and online behaviour data
When you use our websites or online platforms, we may automatically collect:
• IP address;
• browser type;
• device identifiers;
• operating system details;
• referral URLs;
• browsing behaviour;
• website usage analytics; and
• campaign attribution data.

CCTV, photography and event imagery
• CCTV footage captured at our Venues for security, loss-prevention, health-and-safety and incident-investigation purposes.
• Photographs and video recordings taken at events, weddings and private functions held at our venues, including for marketing and editorial purposes where we have a basis to do so.

Job applicant data
• Name, contact details, date of birth, work-permit status, nationality.
• CV, cover letter, employment history, qualifications and references.
• Information you provide during interviews, including any conducted by phone, video or in person.
• Information obtained from publicly available sources such as LinkedIn, and from recruitment agencies.
• Right-to-work, criminal-record and background-check information where the role lawfully requires it.
Correspondence and feedback data
• The content of any messages, emails, calls or chat sessions you exchange with us (including with our reservations team, our concierge, our 1-Insider support, and our event-enquiry team).
• Reviews, survey responses, complaints and feedback you provide.
We do not knowingly collect personal data from children under 13 through our websites. The 1-Insider programme and our online reservation forms are not directed at children. If you believe we have inadvertently collected personal data from a child, please contact our DPO.

6. How Personal Data Is Collected
We collect personal data through the following channels:
• Directly from you — when you make a reservation, dine or attend an event at a Venue, enquire about a wedding or private event, subscribe to marketing, join the 1-Insider programme, redeem a voucher, contact us, complete a survey, apply for a job, or otherwise interact with us.
• Automatically through our websites and apps — through cookies, pixels, scripts, SDKs and similar technologies (see Section 13).
• From third parties acting on our behalf or on your behalf — including reservation platforms (such as SevenRooms and Tripleseat), event and wedding-enquiry platforms, payment processors, recruitment agencies, loyalty-programme processors (Eber), email and SMS service providers, web-analytics providers, social-media platforms, advertising networks and our authorised vendors.
• From publicly available sources — such as social media (e.g. LinkedIn for recruitment), professional directories, and public commentary about our Venues that we monitor for service-improvement purposes.
• From other guests in your party — for example, when a host books on behalf of a group, when a wedding planner provides details of guests, or when a corporate organiser provides attendee lists for a private function. Where you provide us with personal data about another individual, you confirm that you are authorised to share that information with us for the purposes described in this Notice.

7. How We Use Personal Data
We may use personal data for one or more of the following purposes:

Service delivery and operations
Including:
• managing reservations and bookings;
• hosting guests;
• operating events and private functions;
• processing membership benefits; and
• responding to customer enquiries.

Payment processing and financial administration
Including:
• processing transactions;
• issuing invoices or receipts;
• handling refunds; and
• resolving billing matters.

Communications and customer support
Including:
• booking confirmations;
• reminders;
• operational notices;
• event coordination; and
• customer service correspondence.

Marketing and promotional activities
Where permitted under applicable law, we may send:
• newsletters;
• promotional campaigns;
• event announcements;
• seasonal offers; and
• membership-related marketing.

Personalisation and customer experience
We may use preferences and past interactions to customise:
• dining experiences;
• recommendations;
• marketing communications; and
• future engagements.
Website management and analytics
Including:
• monitoring website performance;
• analysing traffic and behaviour;
• improving user experience;
• fraud detection; and
• campaign attribution analysis.

Business analytics and service improvement
We may conduct internal reviews, reporting and analytics to improve operations, customer experience, products, services and marketing effectiveness.

Recruitment and employment management
Personal data submitted during recruitment may be used to:
• assess suitability;
• conduct interviews;
• communicate with candidates; and
• facilitate onboarding.

Safety, security and incident management
Including:
• operating CCTV systems;
• investigating incidents;
• protecting guests and staff; and
• supporting emergency response procedures.

Legal and regulatory compliance
We may process personal data to comply with:
• tax requirements;
• accounting obligations;
• licensing conditions;
• regulatory requests; and
• lawful directives from government authorities.

Protection of legal interests
Including the establishment, defence or enforcement of legal rights, claims or disputes.
Corporate restructuring or transactions
Personal data may be disclosed as part of mergers, acquisitions, financing exercises, restructuring or sale transactions involving our business.

8. The Legal Bases on Which We Rely
Under the PDPA we may only collect, use or disclose personal data with the individual’s consent, unless an exception applies. The bases on which we rely are set out below.
Consent
Where we ask for your consent — for example, when you tick a marketing opt-in box, when you join the 1-Insider programme, or when you submit a wedding enquiry — we will use your personal data for the purposes notified to you at the time of collection.
Deemed consent
In certain circumstances the PDPA treats consent as having been given. For example, where you voluntarily provide your personal data for an evident purpose (such as giving your phone number when booking a table, so we can call you about that reservation), you are deemed to have consented to our using it for that purpose.
We also rely on deemed consent by notification (PDPA s.15A) for certain secondary purposes that are reasonably necessary, where we have notified you of the purpose, given you a reasonable opportunity to opt out, and conducted an assessment that the use would not likely have any adverse effect on you.
Legitimate interests
We rely on the legitimate-interests exception in the PDPA (paragraph 1 of Part 3 of the First Schedule) for certain processing where our legitimate interests in operating, securing and improving our business are not outweighed by any adverse effect on you. Examples include fraud prevention, security at our Venues, internal audit, and certain analytics activities.
Business improvement
We rely on the business-improvement exception (paragraph 1 of Part 5 of the First Schedule) for certain internal analyses to improve our products, services, operations and marketing effectiveness.
Legal obligations and vital interests
We may use personal data without consent where we are required to do so by law, where it is necessary to respond to an emergency that threatens life, health or safety, or where another exception in the PDPA applies.
Withdrawing consent
Where we rely on your consent, you may withdraw it at any time by contacting our DPO. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal. If you withdraw consent, we may be unable to continue providing certain services to you — for example, we cannot manage your 1-Insider membership if you withdraw consent for the use of your membership data — and we will let you know if that is the case.

9. How We Share Personal Data
We may share your personal data with the following categories of recipients:
Within the 1-Group
We may share personal data among 1-Group entities and across our Venues — for example, so that a 1-Insider member can be recognised at any Venue, and so that group-level analytics, marketing and customer-experience teams can serve you consistently.
Our service providers and data intermediaries
We engage third-party service providers (“data intermediaries” under the PDPA) to process personal data on our behalf and under contract. Categories include:
• Reservation and event-management platforms (for example, SevenRooms and Tripleseat).
• Loyalty-programme platforms (for example, Eber, which operates the 1-Insider technology platform).
• Payment processors (for example, Stripe and our point-of-sale and merchant-acquiring partners).
• Cloud and hosting providers (for example, Google Cloud, Amazon Web Services, Vercel, Supabase).
• Productivity and communications providers (for example, Google Workspace, Slack).
• Email, SMS and push-notification service providers.
• Analytics, marketing-attribution and advertising platforms (for example, Google Analytics, Google Ads, Meta, TikTok).
• Customer-feedback, review-monitoring, survey and CRM tools.
• Recruitment, background-check and human-resources platforms.
• Security, CCTV, IT-security and fraud-prevention providers.
• Professional advisers, including lawyers, accountants, auditors and insurers.
We require our data intermediaries to process personal data only in accordance with our instructions, to implement appropriate security measures, and to comply with the PDPA.
Other recipients
• Government agencies, regulators, courts, law-enforcement and other authorities — where required or permitted by law.
• Prospective or actual buyers, investors or financiers — in connection with any corporate transaction involving 1-Group or any Venue, subject to appropriate confidentiality protections.
• Other third parties — with your consent or at your direction.
We do not sell your personal data, and we do not rent our marketing or membership lists to third parties for their own marketing purposes.

10. Transfers of Personal Data Outside Singapore
Some of our service providers — including cloud-hosting, payment, marketing-technology, reservation and loyalty-programme providers — are based outside Singapore or use infrastructure outside Singapore. As a result, your personal data may be transferred to, and processed in, jurisdictions including the United States, the European Union, the United Kingdom, Australia, India, Hong Kong and other countries.
In accordance with section 26 of the PDPA, before transferring personal data outside Singapore we take steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. These steps include putting in place contractual protections (such as data-processing addenda and standard contractual clauses) with our service providers, and relying on other transfer mechanisms recognised under Singapore law.
You may request additional information about our cross-border transfer arrangements by contacting our DPO.

11. How Long We Keep Personal Data
We retain personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory or contractual requirements.
When determining retention periods we consider:
• The nature, volume and sensitivity of the personal data.
• The purposes for which we process the personal data.
• Whether those purposes can be achieved by other means.
• Our legal, tax, accounting and licensing obligations.
• The potential risk of harm from unauthorised use or disclosure.
As examples:
• Reservation data is generally retained for the duration of the guest relationship and for a reasonable period thereafter to support customer service and to defend against claims.
• 1-Insider member data is retained for the duration of your membership and for a reasonable period after dormancy or termination.
• Job-applicant data for unsuccessful candidates is generally retained for up to 12 months after the recruitment decision, unless you ask us to keep it longer in case suitable future roles arise.
• Financial and transaction records are retained in accordance with the Companies Act 1967, the Income Tax Act 1947, and the Goods and Services Tax Act 1993.
• CCTV footage is generally retained for a short period (typically up to 30 days) unless required for a specific incident investigation.
When personal data is no longer required, we will either delete it, anonymise it (so it can no longer be associated with you), or return it to you, in accordance with the PDPA.

12. How We Protect Personal Data
We have implemented physical, technical and organisational security measures designed to protect personal data against accidental or unlawful loss, alteration, disclosure or access. These include access controls, encryption in transit and (where appropriate) at rest, contractual safeguards with our service providers, staff training, and incident-response procedures.
No system can be entirely secure. If we become aware of a data breach that is likely to result in significant harm or affects a significant number of individuals, we will notify the Personal Data Protection Commission (“PDPC”) and (where required) affected individuals in accordance with the PDPA’s Data Breach Notification Obligation.

13. Cookies, Analytics and Marketing Attribution
We use cookies and similar technologies (including pixels, scripts and SDKs) on our websites and in our marketing emails. These technologies allow us to recognise your device, remember your preferences, understand how you use our websites, measure marketing performance, and detect fraud.
Types of cookies we use
• Strictly necessary cookies — required for the website to function (for example, session management and form submission).
• Performance and analytics cookies — to understand how visitors use our websites (for example, Google Analytics).
• Marketing and advertising cookies — to deliver relevant advertising and to measure advertising effectiveness (for example, cookies set by Google Ads and Meta).
• Attribution cookies — including our first-party “_1g_attr” cookie, which captures the source, medium and campaign that brought you to our website and links them to any reservation or enquiry you subsequently make. This information is stored against your booking record so we can understand which of our marketing channels are working.
You can control the use of cookies through your browser settings and, where available, through our on-site cookie-preference tools. Disabling certain cookies may affect website functionality.
For more information about the use of cookies, see our separate Cookie Notice (where published) or contact our DPO.

14. Marketing Communications, the DNC Registry and the Spam Control Act
We send marketing communications only where we have a lawful basis to do so.
Email marketing
Marketing emails are sent in compliance with the Spam Control Act 2007. Every marketing email includes an accurate sender identity, a clear subject line, and a working unsubscribe mechanism. You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting our DPO.
SMS, telephone calls and fax — DNC compliance
Before sending marketing SMS or making marketing calls to a Singapore telephone number, we either check the relevant DNC Registers maintained by the PDPC, or we rely on a clear and unambiguous consent to receive such marketing from you in writing or other recorded form, or we rely on the “ongoing relationship” exception where it applies.
You can opt out of marketing SMS at any time by replying STOP to the message or by contacting our DPO. You can also register your number on the DNC Register at www.dnc.gov.sg.
Service-related communications
Communications that are not marketing in nature — for example, reservation confirmations, event-planning correspondence, 1-Insider account notices, and operational updates — are necessary to provide our services to you. You may not be able to opt out of these while continuing to use the relevant service.

15. CCTV at Our Venues
Our Venues use CCTV for the purposes of security, loss prevention, health and safety, incident investigation and the protection of guests, staff and property. Notices are posted at our Venues to inform visitors of CCTV operation. CCTV footage is retained for a short period and is accessed only by authorised personnel for the purposes set out above, unless required to be retained for a specific investigation or legal process.

16. Photography and Videography at Events
We may take photographs and video recordings at our Venues, including at events, weddings, openings and other functions. Where we wish to use any such imagery for marketing, social-media or editorial purposes, we will rely on the basis appropriate to the context — for example, your consent (such as a release in your event contract for weddings and private hires), the deemed-consent provisions of the PDPA, or another applicable basis.
If you do not wish to appear in marketing imagery, please let our event team or our DPO know.

17. Job Applicants
When you apply for a role with 1-Group, we use your personal data to assess your suitability, conduct interviews, carry out reference and background checks where relevant, communicate with you during the recruitment process, and (if successful) onboard you as an employee or contractor.
Where your application is unsuccessful, we will generally retain your details for a reasonable period (typically up to 12 months) so that we can consider you for other suitable roles, unless you ask us to delete your details sooner.
We do not use solely automated decision-making to make significant decisions about your application.

18. Your Rights Under the PDPA
Subject to the requirements and exceptions in the PDPA, you have the following rights in relation to your personal data:
• The right to access your personal data — to request information about the personal data we hold about you and how it has been used or disclosed in the year preceding your request (PDPA s.21).
• The right to correct your personal data — to request that we correct any error or omission in personal data we hold about you (PDPA s.22).
• The right to withdraw consent — to withdraw any consent you have given for our collection, use or disclosure of your personal data (PDPA s.16).
• The right to be informed of the purposes for which we use your personal data.
• The right to data portability — once the relevant provisions of the PDPA come into force (PDPA sections 26F to 26J), to request that we transmit your personal data in a structured, commonly used and machine-readable format to another organisation.
We will respond to access and correction requests within 30 days, or notify you if more time is required. We may charge a reasonable fee for access requests, in accordance with the PDPA.
To exercise any of these rights, please contact our DPO using the details in Section 19. We may need to verify your identity before responding.

19. How to Contact Us
Questions, comments, requests and complaints relating to this Privacy Notice, or to the way in which we handle your personal data, should be addressed to our DPO:

Data Protection Officer
Immelia Izalena
1-Production Pte Ltd
The Outpost Hotel Level 7
10 Artillery Avenue, Sentosa Island
Singapore 099951
Email: enquiry@1-altitudecoast.sg

20. Complaints to the PDPC
If you are not satisfied with the way we have handled a privacy-related concern, you have the right to lodge a complaint with the Personal Data Protection Commission, Singapore:
• Website: www.pdpc.gov.sg
• Address: 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
We would, however, appreciate the opportunity to address your concern first — please contact our DPO before approaching the PDPC.

21. Updates to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, our services, or the law. When we make material changes, we will indicate this by updating the “Last updated” date at the top of this Notice and, where appropriate, by giving you additional notice (for example, by email or by a banner on our website).
Please review this Notice periodically to stay informed about how we handle your personal data.

22. Governing Law
This Privacy Notice and our handling of your personal data are governed by the laws of Singapore.

— End of Privacy Notice —