Vyblee Singapore Pte. Ltd. – Privacy Policy

Effective Date: 1 November 2025
Last Updated: 1 November 2025

1) Who we are and scope

This Privacy Policy applies to your access and use of the VyBlee Singapore ordering and delivery platform (the “Platform”) operated by VyBlee Singapore Pte. Ltd. (“VyBlee”, “we”, “us”), as well as to the use of the Service (defined below). This Privacy Policy is incorporated as part of the Platform Terms of Use, accessible at https://citadinesbs-preorder.vyblee.com/terms-of-use (the “Terms of Use”).

We have adopted this Privacy Policy to inform you about how we collect, use, discloses, and protects personal data in Singapore when you use the Platform and/or the Service. It applies to guests, property staff who place orders on behalf of guests, and other individuals whose personal data we process under the Personal Data Protection Act 2012 (PDPA). For the purposes of this Privacy Policy, “personal data” shall have the meaning ascribed to it in the PDPA.

Except as otherwise defined herein, capitalised terms in this Privacy Policy have the same meanings as those given in the Terms of Use.

2) Personal data we collect

The exact types of personal data that may apply in your case will vary depending on how you have interacted with us. Some examples of such personal data you may provide to us include:

  • Identity & contact: name, email address, (optional) mobile number.
  • Stay details: room number (for order routing, verification, and delivery).
  • Order & payment data: items ordered, delivery windows, transaction identifiers (card data handled by our PCI-compliant payment provider).
  • Technical data: device identifiers, IP address, cookies/analytics where applicable (see Section 10).

We do not collect NRIC/FIN, passport numbers, or facial images in connection with your use of the Platform and/or the Service.

3) How we collect personal data

Generally, we collect and/or receive your personal data in the following ways:

  • Directly from you when you use the Platform and/or the Service, such as when you place an order or interact with our ordering system (QR codes, web links, digital menus), and/or when you contact or engage with us in connection with the foregoing;
  • From the Property Partners (limited verification of room/guest status if required to complete delivery); and/or
  • Automatically via our systems (timestamps, device logs, analytics).

4) Purposes and our legal basis under PDPA

We collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, including:

  • To personalise your user experience on the Platform and in your use of the Service.
  • Customer support: handle enquiries, refunds, product recalls.
  • Operations & security: fraud monitoring, service integrity, audit logs.
  • Legal/compliance: record-keeping, responding to lawful requests.
  • Marketing (optional): if you opt in, to inform you of updates and offers regarding the Platform and the Service (withdraw consent anytime—see Section 9).

We process and use personal data with your consent or as allowed by law, such as to:

  • Meet legal requirements.
  • Enter into or fulfill our contractual obligations to you.
  • Fulfill our legitimate interests or in the interest of others.

5) Disclosure to third parties

We disclose personal data only as needed for the purposes above, including but not limited to:

  • Any of our agents, contractors or third-party service providers that process or will be processing your personal data on our behalf including but not limited to those which provide administrative or other services to us;
  • Kitchen operators/food partners preparing your order;
  • Delivery/logistics providers coordinating pickups and delivery windows;
  • Payment processors;
  • IT/cloud vendors acting as data intermediaries under our instructions; and
  • Government/regulatory authorities where required by law.

All intermediaries are contractually bound to provide a comparable level of data protection.

6) Cross-border transfers

Your personal data is processed at our operating offices and in any other places where the parties involved in the processing are located. Depending on the user’s location, transfers of personal data may involve transferring the user's personal data to a country other than their own.

If personal data is transferred outside Singapore (e.g., for cloud hosting, analytics, regional back office operations or support), we ensure the recipient provides a comparable standard of protection under the PDPA via contractual and/or technical safeguards.

7) Retention

We retain personal data only as long as necessary to fulfil the purposes above or for any other legal or business purposes, after which we delete or anonymise it.

Room-number–linked order data is typically retained for up to 180 days after checkout, unless a longer period is required for any other legal or business purposes.

8) Security

We maintain administrative, technical, and physical safeguards (e.g., encryption where appropriate, role-based access, secure transmission, vendor due diligence) to protect against unauthorised access, disclosure, alteration, or loss. However, we cannot assume responsibility for any unauthorised use of your personal data by third-parties which are wholly attributable to factors beyond our control.

9) Your rights and choices

Subject to applicable law, you may:

  • Access your personal data and information on how it has been used or disclosed in the preceding 12 months;
  • Correct inaccurate data; and
  • Withdraw consent for future uses/disclosures (please note however that if you withdraw such consent, it may not be possible for us to continue to enable your use of the Platform and the Service).

Requests will be processed within 30 days where reasonably possible, and if that is not possible, we will inform you of the time by which we will respond to you. Reasonable fees may apply to access requests.

The rights set out in this Section may be exercised at any time by contacting us through the contact details listed in Section 12 of this Privacy Policy.

10) Cookies and analytics

We may use cookies or similar technologies for session management, performance measurement, and service improvement. You can manage cookies in your browser; some features may not function if cookies are disabled.

11) Data breach management and notifications

We maintain an incident response process. If a breach results in significant harm or affects 500 or more individuals, we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of determining the breach is notifiable, and notify affected individuals as required.

12) Contact — Data Protection Officer (DPO)

Data Protection Officer: Sam Plumptre
Email: admin@vyblee.com
Mail: VyBlee Singapore Pte. Ltd., 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914

If you are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC).

13) Third-party services and property partners

Our service integrates with hotel/serviced apartment partners and other third-party providers. Their privacy practices are governed by their own policies. VyBlee is not responsible for third-party sites/services outside our control.

14) Children’s data

Our service is intended for hotel/serviced apartment guests. We do not knowingly collect personal data from children under 13 without appropriate consent via the property or a guardian.

15) Changes to this Policy

We may update this Policy periodically to reflect changes in law or practice. We will post updates with a revised “Last updated” date and, where changes are material, provide a prominent notice or seek consent where required.