1. About This Policy

This Privacy Policy explains how KLIKIT PTE. LTD. (UEN: 202139290W) and its affiliated entities (collectively, "klikit," "we," "us," or "our") collect, use, store, disclose, and protect personal data in connection with the klikit platform, websites, mobile applications, APIs, and related services (the "Services").

This Policy applies to:

Merchants who subscribe to the klikit platform;
Merchant Personnel (employees, agents, or contractors) who access the platform on a merchant's behalf;
End Consumers who interact with klikit-powered webshops, QR ordering, kiosks, or loyalty programs;
Website Visitors who browse klikit.io or related domains; and
Prospective Customers who engage with our sales or marketing channels.

By accessing or using our Services, you acknowledge that you have read and understood this Policy. Where we rely on consent as a legal basis, we will obtain your consent separately.

2. Contracting Entities

Depending on the jurisdiction in which you access the Services, the data controller responsible for your personal data is:

Jurisdiction	Entity	Registration
Singapore	KLIKIT PTE. LTD.	UEN 202139290W
Indonesia	PT SHADOWCHEF TEKNOLOGI INDONESIA	—
Philippines	SHADOWCHEF TECHNOLOGIES INC.	—
Malaysia	SHADOWCHEF TECHNOLOGIES SDN BHD	—
Japan	KLIKIT KABUSHIKI KAISHA (klikit 株式会社)	—
Australia & New Zealand	SHADOWCHEF HOLDINGS PTY LTD	—
All other jurisdictions	KLIKIT PTE. LTD.	UEN 202139290W

References to "klikit" in this Policy include the relevant local entity where applicable.

3. Personal Data We Collect

We collect personal data directly from you, automatically through your use of the Services, and from third-party sources. The categories of data we collect depend on how you interact with us.

3.1 Data Provided Directly by You

Account & Identity Data: Full name, email address, phone number, business name, business address, job title or role, date of birth (where required for identity verification).
Billing & Payment Data: Payment instrument details (credit/debit card numbers, bank account details, e-wallet identifiers) as required by our payment processors (Stripe, Xendit, CIMB Niaga, or TapPay depending on your jurisdiction). klikit does not store full card numbers; these are tokenized and held by the relevant payment processor.
Merchant Operational Data: Menu data, product listings, pricing, store hours, branch locations, staff rosters, inventory records, and business configuration settings.
Communications Data: Support tickets, chat transcripts, emails, and other correspondence with our team.

3.2 Data Collected Automatically

Usage & Log Data: IP address, device identifiers, browser type and version, operating system, referring URLs, pages viewed, features used, timestamps, session duration, and click/tap interactions.
Order & Transaction Data: Order details (items, quantities, prices, order status, fulfillment method), transaction identifiers, and payment confirmation status.
Location Data: Approximate location derived from IP address. We do not collect precise GPS location unless you explicitly enable location services for a specific feature (e.g., delivery radius configuration).
Cookie & Tracking Data: See Section 10 (Cookies and Tracking Technologies).

3.3 Data from Third-Party Sources

Aggregator & Marketplace Data: Order, menu, and store data received from third-party delivery aggregators (e.g., GrabFood, GoFood, Foodpanda, ShopeeFood, Deliveroo, Uber Eats, TikTok Shop) connected through your klikit account.
Payment Processor Data: Transaction status, settlement data, and fraud screening results from Stripe, Xendit, CIMB Niaga, or TapPay.
Public & Business Data: Publicly available business registration data used for merchant onboarding and verification.

4. Legal Bases for Processing

We process personal data on the following legal bases, as applicable under the laws of your jurisdiction:

Purpose	Legal Basis
Providing and operating the Services	Performance of contract
Processing payments and transactions	Performance of contract; legal obligation
Customer support and communications	Performance of contract; legitimate interest
Product improvement and analytics	Legitimate interest (improving our Services)
Security, fraud prevention, and abuse detection	Legitimate interest; legal obligation
Marketing and promotional communications	Consent (where required); legitimate interest
Compliance with legal and regulatory obligations	Legal obligation
Enforcing our Terms of Use	Legitimate interest

Where we rely on legitimate interest, we have conducted balancing assessments and concluded that our interests do not override your fundamental rights. You may request details of these assessments by contacting us.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

Service Delivery: Operating the platform, processing orders, managing menus, handling payments, fulfilling subscriptions, and enabling integrations with third-party aggregators and payment providers.
Account Administration: Creating and managing merchant accounts, authenticating users, managing roles and permissions, and processing billing.
Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance.
Analytics & Improvement: Analyzing usage patterns, measuring feature adoption, diagnosing technical issues, and improving the platform's functionality, performance, and user experience. Analytics are performed on aggregated or pseudonymized data wherever practicable.
Security: Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity; maintaining the integrity and security of our systems.
Communications: Sending transactional notifications (order confirmations, payment receipts, system alerts), and, where you have opted in or where permitted by law, marketing communications about our products, features, and promotions.
Legal & Regulatory Compliance: Complying with applicable laws, regulations, legal processes, or enforceable governmental requests; maintaining records as required by tax, accounting, or regulatory authorities.

We do not sell your personal data. We share personal data only in the following circumstances:

6.1 Service Providers and Sub-processors

We engage trusted third-party service providers who process personal data on our behalf, subject to written data processing agreements that require them to protect data to standards no less protective than this Policy. Key categories of sub-processors include:

Cloud Infrastructure: Hosting, storage, and compute services.
Payment Processors: Stripe (Singapore, Japan, Australia, New Zealand), Xendit (Philippines, Malaysia, Indonesia), CIMB Niaga (Indonesia), TapPay (Taiwan).
Delivery Aggregators: Where you have connected third-party aggregator accounts, order and menu data flows between klikit and those aggregators as necessary to process orders.
Analytics & Monitoring: Services used for platform performance monitoring and anonymized usage analytics.
Communication Tools: Email delivery, in-app messaging, and customer support platforms.

A current list of material sub-processors is available upon request by emailing privacy@klikit.io.

6.2 Merchant-to-Consumer Data Flows

Where end consumers place orders through a merchant's klikit-powered webshop, QR ordering system, or kiosk, the merchant is the data controller for that consumer's personal data. klikit processes such data as a data processor on the merchant's behalf. Merchants are responsible for maintaining their own privacy policies governing end-consumer data.

6.3 Legal and Regulatory Disclosure

We may disclose personal data where required by law, regulation, legal process, or governmental request, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of klikit, our users, or the public.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, or similar transaction, personal data may be transferred to the acquiring or successor entity, subject to the commitments in this Policy. We will provide notice of any such transfer.

6.5 With Your Consent

We may share personal data with third parties where you have provided specific, informed consent.

7. Cross-Border Data Transfers

klikit operates across multiple jurisdictions. Your personal data may be transferred to and processed in countries other than your country of residence, including Singapore (where our headquarters and primary infrastructure are located).

Where personal data is transferred across borders, we implement appropriate safeguards, which may include:

Standard contractual clauses or equivalent transfer mechanisms recognized under applicable law;
Binding data processing agreements with recipients;
Ensuring the receiving jurisdiction provides an adequate level of data protection as recognized by the relevant authority; or
Obtaining your explicit consent where required.

For transfers from specific jurisdictions, additional protections apply as set out in Section 12 (Jurisdiction-Specific Provisions).

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required or permitted by applicable law. Our general retention periods are:

Data Category	Retention Period
Active merchant account data	Duration of the subscription plus 12 months
Billing and transaction records	7 years from the transaction date (tax/accounting requirements)
Order data	3 years from the order date
Customer support records	2 years from resolution of the inquiry
Usage and log data	12 months (rolling)
Marketing consent records	Duration of consent plus 12 months after withdrawal
End-consumer data (processed on behalf of merchants)	As directed by the merchant, subject to a maximum of 3 years from last interaction unless the merchant instructs earlier deletion

When data is no longer required, we securely delete or irreversibly anonymize it. Anonymized data that can no longer be linked to any individual may be retained indefinitely for statistical and analytical purposes.

9. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption of data in transit (TLS 1.2+) and at rest;
Role-based access controls and the principle of least privilege;
Regular security assessments and vulnerability testing;
Secure software development practices;
Monitoring and logging of access to personal data; and
Incident response procedures.

No system is perfectly secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

10. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, local storage, device fingerprinting) on our websites and platform for the following purposes:

Category	Purpose	Duration	Consent Required?
Strictly Necessary	Authentication, security, load balancing, session management	Session or up to 12 months	No
Functional	User preferences, language selection, saved settings	Up to 12 months	Varies by jurisdiction
Analytics	Aggregated usage statistics, feature adoption, performance monitoring	Up to 24 months	Yes (where required)
Marketing	Behavioral targeting, remarketing (e.g., Google Ads, Meta Ads), conversion tracking	Up to 24 months	Yes

You can manage cookie preferences through your browser settings or, where available, through our cookie consent mechanism. Disabling certain cookies may affect the functionality of the Services.

Do Not Track: We currently do not respond to "Do Not Track" browser signals, as there is no universally accepted standard for how to respond to such signals.

11. Your Rights

Subject to applicable law, you may have some or all of the following rights with respect to your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete personal data.
Deletion: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (subject to our legal retention obligations).
Restriction: Request that we restrict processing of your personal data in certain circumstances.
Portability: Request a machine-readable copy of personal data you have provided to us, where processing is based on consent or contract and is carried out by automated means.
Objection: Object to processing based on legitimate interest, including profiling and direct marketing.
Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time (without affecting the lawfulness of processing prior to withdrawal).
Complaint: Lodge a complaint with the relevant data protection authority in your jurisdiction.

To exercise any of these rights, contact us at privacy@klikit.io with the subject line "Data Rights Request." We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.

12. Jurisdiction-Specific Provisions

The following provisions apply in addition to the rest of this Policy, to the extent required by local law.

12.1 Singapore — Personal Data Protection Act 2012 (PDPA)

The data controller is KLIKIT PTE. LTD. You may contact our Data Protection Officer at privacy@klikit.io. We collect, use, and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and for which we have obtained consent (unless an exception under the PDPA applies). You may withdraw consent by contacting us, subject to legal or contractual restrictions and reasonable notice.

12.2 Philippines — Data Privacy Act of 2012 (Republic Act No. 10173)

The data controller is SHADOWCHEF TECHNOLOGIES INC. You have the right to be informed, to object, to access, to rectification, to erasure or blocking, to damages, and to data portability. Complaints may be filed with the National Privacy Commission (NPC).

12.3 Indonesia — Personal Data Protection Law (UU PDP, Law No. 27 of 2022)

The data controller is PT SHADOWCHEF TEKNOLOGI INDONESIA. We process personal data based on consent or other lawful bases under the UU PDP. Cross-border transfers are conducted in compliance with applicable transfer requirements. You have the right to access, correct, delete, withdraw consent, object to automated decision-making, and seek compensation for violations.

12.4 Japan — Act on the Protection of Personal Information (APPI)

The data controller is KLIKIT KABUSHIKI KAISHA. We handle personal information in accordance with the APPI, including obtaining consent for the use of personal information beyond the stated purpose and for provision to third parties (unless an exception applies). Cross-border transfers are conducted with appropriate safeguards as required by the APPI.

12.5 Malaysia — Personal Data Protection Act 2010 (PDPA)

The data controller is SHADOWCHEF TECHNOLOGIES SDN BHD. We process personal data in compliance with the Malaysian PDPA's data protection principles. Cross-border transfers are conducted in accordance with the requirements of the Commissioner.

12.6 Australia — Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)

The data controller is SHADOWCHEF HOLDINGS PTY LTD. We comply with the APPs, including in relation to the collection, use, disclosure, security, and cross-border transfer of personal information. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

12.7 New Zealand — Privacy Act 2020

Where we process personal information of New Zealand individuals, we do so in accordance with the Information Privacy Principles. You may lodge a complaint with the Office of the Privacy Commissioner.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms (or where notification is otherwise required by applicable law), we will:

Notify the relevant data protection authority within the timeframe required by law (generally 72 hours where practicable); and
Notify affected individuals without undue delay where the breach is likely to result in high risk.

14. Children's Data

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at privacy@klikit.io, and we will take steps to delete the data promptly.

15. Third-Party Links and Integrations

Our platform may contain links to, or integrations with, third-party websites, applications, and services (including delivery aggregators, payment processors, and social media platforms). This Policy does not apply to those third parties. We encourage you to review their privacy policies before providing personal data to them.

16. Automated Decision-Making

We do not currently use solely automated decision-making (including profiling) that produces legal effects or similarly significant effects on you. If this changes, we will update this Policy and, where required by law, obtain your consent or provide you with the right to request human review.

17. Changes to This Policy

We may update this Policy from time to time. Where changes are material, we will provide prominent notice through the platform, by email, or by other appropriate means at least 30 days before the changes take effect. The "Effective Date" at the top of this page indicates when the Policy was last updated. Continued use of the Services after the effective date of a revised Policy constitutes your acknowledgment of the changes.

18. Contact Us

If you have questions about this Policy or wish to exercise your data rights, contact us at:

Data Protection Enquiries
Email: privacy@klikit.io

General Support
Email: support@klikit.io

Registered Office
KLIKIT PTE. LTD.
Singapore

This Privacy Policy is governed by the laws of the Republic of Singapore, without regard to its conflict-of-law provisions, except to the extent that the mandatory data protection laws of your jurisdiction require otherwise.