Privacy Policy

1. About This Policy

Halfway Hungry LLP (“Halfway Hungry”, “we”, “us”, or “our”) is a peer-to-peer food delivery platform for students and staff at Singapore Management University (“SMU”).

This Privacy Policy explains how we collect, use, disclose, and protect your personal data in compliance with the Personal Data Protection Act 2012 (“PDPA”) of Singapore. By using Halfway Hungry, you agree to the practices described in this policy.

2. Data Protection Officer

We have designated a Data Protection Officer (“DPO”) who is responsible for ensuring our compliance with the PDPA. For any questions, concerns, or requests relating to your personal data, please contact our DPO:

• Email: halfwayhungryadmin@gmail.com
• Address: Halfway Hungry LLP, Singapore Management University, 81 Victoria Street, Singapore 188065

3. What Personal Data We Collect

We collect the following personal data when you use our platform:

• Account information — your full name, SMU email address, and password (encrypted)
• Phone number — PayNow mobile number, collected only from Runners for reimbursement purposes
• Delivery information — campus building and room number for each order
• Order history — items ordered, vendors, amounts, timestamps, and special instructions
• Payment information — processed securely by Stripe; we store only transaction references (e.g. Stripe session IDs), never your bank details or card numbers
• Photos — receipt photos and delivery proof images uploaded by Runners
• Technical data — browser type and IP address collected automatically by our hosting provider for security and performance purposes

4. Why We Collect Your Data

We collect and use your personal data only for the following purposes:

• Order processing — to process, fulfil, and deliver your food orders
• Coordination — to coordinate between Customers and Runners for delivery
• Payments — to process payments via Stripe and handle refunds
• Runner reimbursement — to reimburse Runners for food purchases via PayNow
• Communications — to send order confirmations, delivery updates, and service notifications
• Service improvement — to improve our platform and resolve disputes
• Legal compliance — to comply with applicable laws, regulations, and legal processes

We will not use your personal data for any purpose beyond those stated above without obtaining your consent first.

5. Consent

We obtain your consent for the collection, use, and disclosure of your personal data when you create an account. During signup, you are required to explicitly agree to this Privacy Policy and our Terms of Service by checking a consent checkbox.

Withdrawal of consent: You may withdraw your consent at any time by deleting your account through the Profile page in the app, or by emailing our DPO at halfwayhungryadmin@gmail.com. Please note that withdrawing consent will result in the deactivation of your account, as we cannot provide our services without processing your personal data. We will notify you of the likely consequences of your withdrawal before processing it.

6. Third-Party Services & International Transfers

We share your data with the following third-party service providers, only as needed to operate our platform:

• Stripe (United States) — payment processing via PayNow. Stripe handles all payment data under their own privacy policy. We share your name and email with Stripe to process payments.
• Supabase (United States / AWS) — database hosting and user authentication. Stores your account information and order data.
• Vercel (United States) — application hosting. May collect technical data such as IP addresses and browser information for security purposes.
• Resend (United States) — transactional email service for order notifications. Receives your email address to deliver notifications.
• Telegram (various locations) — used to notify Runners of available orders and notify administrators of delivery completions. Only order IDs, vendor names, delivery locations, and order amounts are shared; your full personal details are not sent to Telegram channels.

These service providers are located outside of Singapore. We ensure that they maintain data protection standards comparable to those required under the PDPA. We do not sell your personal data to any third party.

7. Data Security

We implement the following security measures to protect your personal data:

• Encryption in transit — all data is transmitted over HTTPS
• Row-Level Security — each user can only access their own data in our database; other users' records are not accessible
• Column-level access control — sensitive fields (e.g. consent records, wallet balances, admin flags) are protected from direct modification by users
• Service role separation — administrative operations that modify sensitive data run on a separate, restricted server-side channel
• Payment security — payment information is handled entirely by Stripe and never passes through or is stored on our servers
• Rate limiting — API endpoints are rate-limited to prevent abuse

While we take reasonable steps to protect your data, no system is completely secure. If you suspect any unauthorised access to your account, please contact our DPO immediately.

8. Data Accuracy

We make reasonable efforts to ensure your personal data is accurate and up to date. You can view and update your profile information directly in the app. If you believe any of your data is inaccurate, please contact our DPO to request a correction.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data (name, email, phone) — retained while your account is active
• Order history — retained for 2 years after order completion for dispute resolution and record-keeping
• Payment transaction references — retained for 2 years for tax and audit purposes
• Receipt and delivery proof photos — retained for 6 months after order completion
• Deleted accounts — personal data will be anonymised within 30 days of a deletion request

When personal data is no longer needed for any business or legal purpose, it will be securely deleted or anonymised.

10. Your Rights

Under the PDPA, you have the following rights regarding your personal data:

• Right of access — you may request a copy of all personal data we hold about you. Use the “Download My Data” button on your Profile page to export your data in JSON format, or email our DPO.
• Right of correction — you may request correction of any inaccurate personal data. You can update your profile directly in the app, or contact our DPO.
• Right of data portability — you may request your data in a commonly used, machine-readable format (JSON). Use the “Download My Data” feature on your Profile page.
• Right to withdraw consent — you may withdraw consent at any time by deleting your account via the Profile page or by contacting our DPO. Withdrawal of consent will result in account deactivation.
• Right to deletion — you may request deletion of your account and personal data. Use the “Delete My Account” button on your Profile page, or email our DPO. Your data will be anonymised within 30 days.

We will respond to all requests within 30 days. There is no fee for exercising these rights. To exercise any of these rights, contact our DPO at halfwayhungryadmin@gmail.com.

11. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals or is of a significant scale:

• We will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of becoming aware of the breach
• We will notify affected individuals as soon as practicable, informing them of the nature of the breach and steps they can take to protect themselves
• We will take immediate steps to contain the breach and prevent further unauthorised access

If you suspect any unauthorised access to your personal data or our platform, please contact our DPO immediately at halfwayhungryadmin@gmail.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting a notice on the platform. Your continued use of Halfway Hungry after such notification constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, data requests, or complaints, contact our Data Protection Officer:

halfwayhungryadmin@gmail.com

Halfway Hungry LLP
Singapore Management University
81 Victoria Street, Singapore 188065

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.