Privacy Policy & PDPA Notice

Lam's Singapore Culinary Enterprise Pte. Ltd. (operating the PaperBakes rewards programme)
Effective: 27 May 2026 · Last updated: 30 May 2026

1. About this notice

This notice explains how Lam's Singapore Culinary Enterprise Pte. Ltd. (UEN 200915143H), referred to below as PaperBakes, we, or us, collects, uses, discloses, and protects your personal data when you sign up for and use the PaperBakes rewards programme. It is provided in accordance with the Personal Data Protection Act 2012 of Singapore (the PDPA).

2. Personal data we collect

When you sign up and use the rewards programme, we may collect the following:

• Identity and contact data, your name, mobile number, and email address.
• Optional profile data, your date of birth (used only to deliver birthday rewards if you choose to share it).
• Transactional data, your orders, points earned and redeemed, vouchers held and used, visit history, and Rewards Boost activity (spin credits earned, spins taken, prizes won). Most of this is captured automatically from your purchases and programme activity at PaperBakes outlets.
• Marketing preferences, whether you've consented to receive marketing SMS, and the timestamp at which you gave or withdrew that consent.
• Operational and security data, your IP address, browser/device information, the line type of your mobile (classified by a verification provider), and a one-time-use SHA-256 hash of your verification code. Used to prevent fraud and protect the integrity of the programme.

3. Purposes, why we collect and use your data

We use your personal data for the following purposes only:

• To create and operate your rewards account, including verifying that the mobile number is yours (via a one-time SMS code).
• To track points earned, expiring, and redeemed; to issue vouchers and other rewards; to apply campaigns (e.g. birthday treats, win-back offers); and to operate the Rewards Boost (Spin & Dine) feature, including determining spin eligibility, recording spin outcomes, and awarding prizes.
• To operate the referral programme, including issuing each member a referral code, attributing a new signup to the referring member when that code is used, and crediting the referral bonus to both members when the new member completes a first qualifying purchase. See Section 4.1 below for the limited cross-account information shown on each member’s Bonus history page.
• To link your in-store and online orders to your account so the right rewards are credited.
• To send you internal marketing communications (by SMS and/or email) about PaperBakes rewards, members-only deals, and offers, only if you have ticked the marketing opt-in box. You can opt out at any time (see Section 7).
• To detect and prevent fraud, multiple-account abuse, and other misuse of the rewards programme.
• To meet our legal, tax, and accounting obligations under Singapore law.

4. We do not share your data with third parties

We do not sell, rent, exchange, or otherwise share your personal data with any third party for their own marketing or commercial purposes. Your data stays inside PaperBakes.

4.1 Limited within-programme disclosure for referrals

The referral programme is the one place where a small, defined slice of your account information may be shown on another member’s account, and vice versa. Specifically, when a referral bonus is credited, the Bonus history page on each side may display:

• The initials of the other party (derived from the registered contact name), and
• The date the referee’s first qualifying purchase was made.

No full names, mobile numbers, email addresses, dates of birth, order details, points balances, or other contact information are ever shared between members. This disclosure is necessary to let each member see that their bonus was legitimately earned. By using a referral code (as the referrer or referee), you consent to this limited disclosure. If you do not consent, please do not share or accept a referral code.

5. Operational service providers (data intermediaries)

To run the programme, we use a small number of trusted service providers who process data strictly on our behalf and on our instructions. They cannot use your data for their own purposes. As at the date of this notice they are:

• SMS gateway, to deliver your verification code and (if you've opted in) marketing messages.
• Email service provider (Brevo, operated by Sendinblue SAS, France), to deliver transactional emails (such as your email-verification link, password-reset confirmations, account-change notifications) and, if you've opted in, marketing emails (offers, birthday perks, member-only news). Brevo receives your email address, name, and the contents of the email being sent. It does not have access to your order history, points balance, or mobile number unless we explicitly include them in a message.
• Bot-protection service, to verify that signup attempts come from real people, not automated bots.
• Phone-line classification service, to detect disposable, VoIP, and other high-risk numbers during signup, to protect the programme from fraud.
• Hosting and infrastructure providers, for the servers and databases that store your account and order history.

These providers are required by contract to protect your data to a standard consistent with this notice and the PDPA.

6. Consent

By signing up for the PaperBakes rewards programme you consent to the collection, use, and processing of your personal data for the purposes set out in Section 3.

Marketing communications require a separate, explicit opt-in. If you don't tick the marketing box on the signup form, we will not send you any marketing messages, only essential service messages such as your verification code, reward expiry alerts, and notices about your account.

7. Withdrawing consent

You may withdraw your consent for any of the following at any time:

• Marketing messages, reply STOP to any marketing SMS, click the unsubscribe link in any marketing email, or contact us at admin@paperbakes.co to opt out of all marketing.
• The rewards programme as a whole, you can permanently close your account yourself by tapping Delete my account on your Profile page at /rewards/profile. (You can also email us if you prefer.) See Section 9.1 below for exactly what is deleted and what is anonymised when you do this.

8. Your rights, access and correction

Under the PDPA you have the right to:

• Request access to the personal data we hold about you, and information about how it has been used or disclosed in the past year.
• Request correction of any inaccurate or incomplete personal data.

To make a request, contact our Data Protection Officer (Section 12). We will respond within 30 days. A reasonable administrative fee may apply for access requests, as permitted by the PDPA.

9. Data retention

We retain your personal data for as long as you remain an active member of the rewards programme. If you close your account, or if your account becomes inactive for an extended period, we will delete or anonymise your personal data, except for the minimum we are legally required to retain (e.g. transaction records for tax purposes, typically up to 5 years from the relevant financial year).

9.1 What happens when you delete your account

When you tap Delete my account on your Profile page, the action is immediate and cannot be undone. Specifically:

• Deleted, your name, email address, date of birth, password, referral code, marketing preferences, PDPA consent record, OTP state, and email-verification state are wiped from your member record. Your mobile number is replaced with an internal tombstone marker so no one can sign up under the same number we previously linked to you.
• Anonymised, your mobile number and email on past order records (so the orders no longer identify you), plus any signup-attempt and verification-attempt audit logs that previously linked back to your account.
• Retained but disconnected, your points-ledger history (earns, redemptions, adjustments, expiries) is kept for financial-audit purposes as required by Singapore corporate-tax law (typically 5 years from the relevant financial year), but the rows no longer carry your identifying information.
• Lost permanently, any unredeemed points balance, unused Rewards Boost spin credits, voucher codes you were holding, and pending win-back offers. We do not transfer balances to a new account.
• Removed from our email service provider, your contact record is also deleted from Brevo (our email service provider) so no further marketing or transactional emails can be addressed to you.
• Kept as a one-way fingerprint for 12 months, then permanently deleted. A SHA-256-based HMAC hash of your mobile number and email is stored in a separate fraud-prevention table for up to 12 months from the deletion date and is then permanently removed. The original mobile and email are not retained, only the hash, which we cannot reverse back to your address. This lets us recognise the same number or email if it tries to sign up again within the 90-day cooldown described below, without retaining your personal data. PDPC has confirmed that one-way-hashed identifiers used for fraud prevention are a legitimate retention purpose under PDPA.

90-day re-signup rules. To prevent abuse of signup offers (e.g. delete-and-resignup loops to repeatedly claim welcome bonuses):

• The mobile number tied to a deleted account cannot be used to register again for 90 days from the deletion date. (Mobile is our primary identifier and is unique per customer.) If you need to rejoin sooner for a legitimate reason, contact admin@paperbakes.co.
• If the same email address (but a different mobile) is used to register within 90 days of a deletion, the signup is allowed but the new account is excluded from welcome-bonus campaigns and other first-time-customer perks.

After deletion you will be logged out, and any future visit to /rewards/me or /rewards/profile will redirect to the public landing page. If you ever want to rejoin (after the cooldown), you would sign up again as a brand-new member.

If you'd rather have a member of our team handle the deletion (for example, if you want a written record of the request), email admin@paperbakes.co.

10. Security

We protect your personal data with reasonable security safeguards, including:

• Encrypted transmission of data over the internet (HTTPS).
• Verification codes are stored only as a one-way SHA-256 hash, the plaintext code never touches our database.
• Access to customer data is limited to authorised PaperBakes personnel who need it to perform their duties.
• Multiple layers of anti-abuse checks to prevent unauthorised signups.

No system is perfectly secure, but we take reasonable steps to protect your data and to notify you of any incident that materially affects you, as required by the PDPA.

11. Cookies and tracking

The PaperBakes rewards web pages use only the minimum cookies and browser storage necessary to operate the programme (for example, to keep you signed in or to load the bot-protection widget). We do not embed third-party advertising pixels or cross-site tracking on the rewards pages.

12. Data Protection Officer & contact

If you have any questions about this notice, want to access or correct your data, or want to make a complaint, please contact our Data Protection Officer:

If you are not satisfied with our response, you may also complain to the Personal Data Protection Commission of Singapore (pdpc.gov.sg).

13. Changes to this notice

We may update this notice from time to time as our programme evolves or as the law changes. Material changes will be communicated to members by SMS or email (if you have opted in), and the latest version will always be available at this URL. The "Last updated" date at the top of this page reflects the most recent change.