1-Group Privacy Notice

Last updated: [12 May 2026]

1. About this Privacy Notice

JARDIN ENCHANTE PTE LTD (UEN: 200504773E) (“1-Group”, “we”, “us” or “our”) is committed to protecting the personal data of our guests, members, business contacts, job applicants and visitors to our websites. This Privacy Notice explains what personal data we collect, how we use and protect it, the parties with whom we share it, and the rights you have in relation to your personal data.

We process personal data in accordance with the Singapore Personal Data Protection Act 2012 (the “PDPA”), the Spam Control Act 2007, and any other applicable laws.

Please read this Notice carefully so that you understand our practices in relation to your personal data. By using our websites, making a reservation, becoming a 1-Insider member, or otherwise engaging with us, you acknowledge that you have read this Notice.

2. Who We Are

1-Group is a Singapore-based hospitality group operating restaurants, bars, lifestyle venues and event spaces. References in this Notice to “1-Group” include [JARDIN ENCHANTE PTE LTD] and the related operating entities responsible for the following venues and brands (collectively, our “Venues”):

• 1-Altitude
• 1-Altitude Coast
• 1-Atico
• 1-Arden
• The River House
• The Alkaff Mansion
• Monti
• 1-Alfaro
• The Summer House
• The Garage
• 1-Flowerhill
• 1-HOST (weddings, events and private hire)
• Any other 1-Group venue, brand or platform introduced from time to time

This Notice applies to all personal data collected by or on behalf of 1-Group through any of our Venues, our websites (including 1-group.sg and the websites of individual Venues), our mobile applications, our 1-Insider loyalty programme, our reservation and event-enquiry channels, our marketing communications, and any other interaction with us.

3. Our Data Protection Officer

In accordance with section 11(3) of the PDPA, we have appointed a Data Protection Officer (“DPO”) who is responsible for ensuring our compliance with the PDPA and for handling questions, requests and complaints relating to your personal data.

You may contact our DPO using the details set out in Section 19 (How to Contact Us).

4. Who This Notice Applies To

We collect and handle personal data relating to the following categories of individuals:

• Guests and customers — including diners, reservation-holders, walk-in patrons, event guests, wedding and private-hire clients, and recipients of gift vouchers.
• 1-Insider loyalty programme members — current, prospective and former members.
• Marketing list subscribers — individuals who have subscribed to our email or SMS marketing communications.
• Business contacts and suppliers — including current, potential and former suppliers, partners, agents, contractors, vendors and their personnel.
• Job applicants and prospective workers — including applicants for full-time, part-time, casual and contractor positions, and applicants introduced through recruitment agencies.
• Website visitors — including visitors to 1-group.sg, our Venue websites, and any 1-Group platform or microsite.
• Individuals captured on CCTV at our Venues, and individuals photographed or recorded at events held at our Venues.

5. Personal Data We Collect

The categories of personal data we collect depend on how you engage with us. They may include:

Identity and contact data

• Name, salutation, title, date of birth, gender, nationality.
• Home and/or business address, postal code, country of residence.
• Email address, mobile and other telephone numbers.
• Identity-document details where required (for example, NRIC/FIN number, passport details — only where necessary, for example for tax-invoice purposes or guest verification at certain events; we do not collect or retain full NRIC numbers except where required by law).

Reservation, event and stay data

• Reservation details — date, time, party size, Venue, table preference, special occasion details, and notes left for the host.
• Event and wedding enquiry details — guest count, budget range, event date, dietary or thematic requirements, vendor preferences.
• Dietary, allergy and accessibility information you provide so we can serve you safely. By providing this information, you consent to our using it for that purpose.
• Purchase, billing and transaction history at our Venues.

Loyalty programme data

• 1-Insider membership data — tier status, points balance, redemption history, transaction history across Venues, communication preferences, and preferences and feedback recorded during visits.

Financial and payment data

• Credit and debit card details (collected and processed by our PCI-DSS-compliant payment processors; we do not store full card numbers).
• Billing addresses, deposit and refund details, and invoicing information.

Marketing preferences and communications data

• Marketing channel preferences (email, SMS, push notification), opt-in and opt-out history, and language preference.
• Engagement data relating to our marketing emails, such as opens and clicks, where we use tracking technologies for analytics.

Website, device and online behaviour data

• Technical data such as IP address, device identifier, operating system, browser type and version, time-zone setting, and referring URL.
• Usage data such as pages viewed, links clicked, search terms, time on page, navigation paths, and dates and times of visits.
• Attribution data — first-touch and last-touch source, medium and campaign details collected via our marketing attribution cookie (the “_1g_attr” cookie) and stored against your reservation or enquiry where you make one.

CCTV, photography and event imagery

• CCTV footage captured at our Venues for security, loss-prevention, health-and-safety and incident-investigation purposes.
• Photographs and video recordings taken at events, weddings and private functions held at our Venues, including for marketing and editorial purposes where we have a basis to do so.

Job applicant data

• Name, contact details, date of birth, work-permit status, nationality.
• CV, cover letter, employment history, qualifications and references.
• Information you provide during interviews, including any conducted by phone, video or in person.
• Information obtained from publicly available sources such as LinkedIn, and from recruitment agencies.
• Right-to-work, criminal-record and background-check information where the role lawfully requires it.

Correspondence and feedback data

• The content of any messages, emails, calls or chat sessions you exchange with us (including with our reservations team, our concierge, our 1-Insider support, and our event-enquiry team).
• Reviews, survey responses, complaints and feedback you provide.

We do not knowingly collect personal data from children under 13 through our websites. The 1-Insider programme and our online reservation forms are not directed at children. If you believe we have inadvertently collected personal data from a child, please contact our DPO.

6. How We Collect Personal Data

We collect personal data through the following channels:

• Directly from you — when you make a reservation, dine or attend an event at a Venue, enquire about a wedding or private event, subscribe to marketing, join the 1-Insider programme, redeem a voucher, contact us, complete a survey, apply for a job, or otherwise interact with us.
• Automatically through our websites and apps — through cookies, pixels, scripts, SDKs and similar technologies (see Section 13).
• From third parties acting on our behalf or on your behalf — including reservation platforms (such as SevenRooms and Tripleseat), event and wedding-enquiry platforms, payment processors, recruitment agencies, loyalty-programme processors (Eber), email and SMS service providers, web-analytics providers, social-media platforms, advertising networks and our authorised vendors.
• From publicly available sources — such as social media (e.g. LinkedIn for recruitment), professional directories, and public commentary about our Venues that we monitor for service-improvement purposes.
• From other guests in your party — for example, when a host books on behalf of a group, when a wedding planner provides details of guests, or when a corporate organiser provides attendee lists for a private function. Where you provide us with personal data about another individual, you confirm that you are authorised to share that information with us for the purposes described in this Notice.

7. How We Use Personal Data

We use personal data for the following purposes:

• To provide our services to you — including taking and managing reservations, hosting your visit, serving food and beverages safely (including in light of any dietary, allergy or accessibility information you provide), facilitating events and private hires, providing concierge and customer-service support, and operating the 1-Insider loyalty programme.
• To process transactions — including taking payment, issuing receipts and tax invoices, processing refunds, and resolving billing queries.
• To communicate with you — including sending reservation confirmations and reminders, event-planning communications, service-related notices, responses to enquiries, and 1-Insider member service communications.
• To send marketing communications — including newsletters, promotions, event announcements, seasonal offers and member-only benefits, where you have given your consent or where we are otherwise permitted to do so under the PDPA, the Spam Control Act 2007 and the Do Not Call (“DNC”) provisions.
• To personalise your experience — including by remembering your preferences (such as table preference, dietary requirements, favourite Venues and previous orders) so we can tailor future visits and communications.
• To operate, improve and secure our websites and apps — including troubleshooting, analytics, performance monitoring, fraud prevention, abuse detection, and the use of marketing-attribution technology to understand how our marketing channels drive enquiries and bookings.
• To carry out market research, analytics and reporting — including aggregated and de-identified analysis of guest behaviour, marketing effectiveness, and operational performance across our Venues.
• To recruit, assess and onboard staff — including for the purposes set out in Section 16.
• For health, safety and security at our Venues — including the operation of CCTV systems, incident response, and emergency-services coordination.
• To comply with legal and regulatory obligations — including tax and accounting obligations, licensing requirements, public-health obligations, and responding to lawful requests from regulators, law-enforcement or other authorities.
• To protect our legal interests — including establishing, exercising or defending legal claims, and managing disputes.
• For corporate transactions — including in the event of a merger, acquisition, restructuring, financing, sale of assets, or similar transaction involving 1-Group or any Venue.

8. The Legal Bases on Which We Rely

Under the PDPA we may only collect, use or disclose personal data with the individual’s consent, unless an exception applies. The bases on which we rely are set out below.

Consent

Where we ask for your consent — for example, when you tick a marketing opt-in box, when you join the 1-Insider programme, or when you submit a wedding enquiry — we will use your personal data for the purposes notified to you at the time of collection.

Deemed consent

In certain circumstances the PDPA treats consent as having been given. For example, where you voluntarily provide your personal data for an evident purpose (such as giving your phone number when booking a table, so we can call you about that reservation), you are deemed to have consented to our using it for that purpose.

We also rely on deemed consent by notification (PDPA s.15A) for certain secondary purposes that are reasonably necessary, where we have notified you of the purpose, given you a reasonable opportunity to opt out, and conducted an assessment that the use would not likely have any adverse effect on you.

Legitimate interests

We rely on the legitimate-interests exception in the PDPA (paragraph 1 of Part 3 of the First Schedule) for certain processing where our legitimate interests in operating, securing and improving our business are not outweighed by any adverse effect on you. Examples include fraud prevention, security at our Venues, internal audit, and certain analytics activities.

Business improvement

We rely on the business-improvement exception (paragraph 1 of Part 5 of the First Schedule) for certain internal analyses to improve our products, services, operations and marketing effectiveness.

Legal obligations and vital interests

We may use personal data without consent where we are required to do so by law, where it is necessary to respond to an emergency that threatens life, health or safety, or where another exception in the PDPA applies.

Withdrawing consent

Where we rely on your consent, you may withdraw it at any time by contacting our DPO. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal. If you withdraw consent, we may be unable to continue providing certain services to you — for example, we cannot manage your 1-Insider membership if you withdraw consent for the use of your membership data — and we will let you know if that is the case.

9. How We Share Personal Data

We may share your personal data with the following categories of recipients:

Within the 1-Group

We may share personal data among 1-Group entities and across our Venues — for example, so that a 1-Insider member can be recognised at any Venue, and so that group-level analytics, marketing and customer-experience teams can serve you consistently.

Our service providers and data intermediaries

We engage third-party service providers (“data intermediaries” under the PDPA) to process personal data on our behalf and under contract. Categories include:

• Reservation and event-management platforms (for example, SevenRooms and Tripleseat).
• Loyalty-programme platforms (for example, Eber, which operates the 1-Insider technology platform).
• Payment processors (for example, Stripe and our point-of-sale and merchant-acquiring partners).
• Cloud and hosting providers (for example, Google Cloud, Amazon Web Services, Vercel, Supabase).
• Productivity and communications providers (for example, Google Workspace, Slack).
• Email, SMS and push-notification service providers.
• Analytics, marketing-attribution and advertising platforms (for example, Google Analytics, Google Ads, Meta, TikTok).
• Customer-feedback, review-monitoring, survey and CRM tools.
• Recruitment, background-check and human-resources platforms.
• Security, CCTV, IT-security and fraud-prevention providers.
• Professional advisers, including lawyers, accountants, auditors and insurers.

We require our data intermediaries to process personal data only in accordance with our instructions, to implement appropriate security measures, and to comply with the PDPA.

Other recipients

• Government agencies, regulators, courts, law-enforcement and other authorities — where required or permitted by law.
• Prospective or actual buyers, investors or financiers — in connection with any corporate transaction involving 1-Group or any Venue, subject to appropriate confidentiality protections.
• Other third parties — with your consent or at your direction.

We do not sell your personal data, and we do not rent our marketing or membership lists to third parties for their own marketing purposes.

10. Transfers of Personal Data Outside Singapore

Some of our service providers — including cloud-hosting, payment, marketing-technology, reservation and loyalty-programme providers — are based outside Singapore or use infrastructure outside Singapore. As a result, your personal data may be transferred to, and processed in, jurisdictions including the United States, the European Union, the United Kingdom, Australia, India, Hong Kong and other countries.

In accordance with section 26 of the PDPA, before transferring personal data outside Singapore we take steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. These steps include putting in place contractual protections (such as data-processing addenda and standard contractual clauses) with our service providers, and relying on other transfer mechanisms recognised under Singapore law.

You may request additional information about our cross-border transfer arrangements by contacting our DPO.

11. How Long We Keep Personal Data

We retain personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory or contractual requirements.

When determining retention periods we consider:

• The nature, volume and sensitivity of the personal data.
• The purposes for which we process the personal data.
• Whether those purposes can be achieved by other means.
• Our legal, tax, accounting and licensing obligations.
• The potential risk of harm from unauthorised use or disclosure.

As examples:

• Reservation data is generally retained for the duration of the guest relationship and for a reasonable period thereafter to support customer service and to defend against claims.
• 1-Insider member data is retained for the duration of your membership and for a reasonable period after dormancy or termination.
• Job-applicant data for unsuccessful candidates is generally retained for up to 12 months after the recruitment decision, unless you ask us to keep it longer in case suitable future roles arise.
• Financial and transaction records are retained in accordance with the Companies Act 1967, the Income Tax Act 1947, and the Goods and Services Tax Act 1993.
• CCTV footage is generally retained for a short period (typically up to 30 days) unless required for a specific incident investigation.

When personal data is no longer required, we will either delete it, anonymise it (so it can no longer be associated with you), or return it to you, in accordance with the PDPA.

12. How We Protect Personal Data

We have implemented physical, technical and organisational security measures designed to protect personal data against accidental or unlawful loss, alteration, disclosure or access. These include access controls, encryption in transit and (where appropriate) at rest, contractual safeguards with our service providers, staff training, and incident-response procedures.

No system can be entirely secure. If we become aware of a data breach that is likely to result in significant harm or affects a significant number of individuals, we will notify the Personal Data Protection Commission (“PDPC”) and (where required) affected individuals in accordance with the PDPA’s Data Breach Notification Obligation.

13. Cookies, Analytics and Marketing Attribution

We use cookies and similar technologies (including pixels, scripts and SDKs) on our websites and in our marketing emails. These technologies allow us to recognise your device, remember your preferences, understand how you use our websites, measure marketing performance, and detect fraud.

Types of cookies we use

• Strictly necessary cookies — required for the website to function (for example, session management and form submission).
• Performance and analytics cookies — to understand how visitors use our websites (for example, Google Analytics).
• Marketing and advertising cookies — to deliver relevant advertising and to measure advertising effectiveness (for example, cookies set by Google Ads and Meta).
• Attribution cookies — including our first-party “_1g_attr” cookie, which captures the source, medium and campaign that brought you to our website and links them to any reservation or enquiry you subsequently make. This information is stored against your booking record so we can understand which of our marketing channels are working.

You can control the use of cookies through your browser settings and, where available, through our on-site cookie-preference tools. Disabling certain cookies may affect website functionality.

For more information about the use of cookies, see our separate Cookie Notice (where published) or contact our DPO.

14. Marketing Communications, the DNC Registry and the Spam Control Act

We send marketing communications only where we have a lawful basis to do so.

Email marketing

Marketing emails are sent in compliance with the Spam Control Act 2007. Every marketing email includes an accurate sender identity, a clear subject line, and a working unsubscribe mechanism. You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting our DPO.

SMS, telephone calls and fax — DNC compliance

Before sending marketing SMS or making marketing calls to a Singapore telephone number, we either check the relevant DNC Registers maintained by the PDPC, or we rely on a clear and unambiguous consent to receive such marketing from you in writing or other recorded form, or we rely on the “ongoing relationship” exception where it applies.

You can opt out of marketing SMS at any time by replying STOP to the message or by contacting our DPO. You can also register your number on the DNC Register at www.dnc.gov.sg.

Service-related communications

Communications that are not marketing in nature — for example, reservation confirmations, event-planning correspondence, 1-Insider account notices, and operational updates — are necessary to provide our services to you. You may not be able to opt out of these while continuing to use the relevant service.

15. CCTV at Our Venues

Our Venues use CCTV for the purposes of security, loss prevention, health and safety, incident investigation and the protection of guests, staff and property. Notices are posted at our Venues to inform visitors of CCTV operation. CCTV footage is retained for a short period and is accessed only by authorised personnel for the purposes set out above, unless required to be retained for a specific investigation or legal process.

16. Photography and Videography at Events

We may take photographs and video recordings at our Venues, including at events, weddings, openings and other functions. Where we wish to use any such imagery for marketing, social-media or editorial purposes, we will rely on the basis appropriate to the context — for example, your consent (such as a release in your event contract for weddings and private hires), the deemed-consent provisions of the PDPA, or another applicable basis.

If you do not wish to appear in marketing imagery, please let our event team or our DPO know.

17. Job Applicants

When you apply for a role with 1-Group, we use your personal data to assess your suitability, conduct interviews, carry out reference and background checks where relevant, communicate with you during the recruitment process, and (if successful) onboard you as an employee or contractor.

Where your application is unsuccessful, we will generally retain your details for a reasonable period (typically up to 12 months) so that we can consider you for other suitable roles, unless you ask us to delete your details sooner.

We do not use solely automated decision-making to make significant decisions about your application.

18. Your Rights Under the PDPA

Subject to the requirements and exceptions in the PDPA, you have the following rights in relation to your personal data:

• The right to access your personal data — to request information about the personal data we hold about you and how it has been used or disclosed in the year preceding your request (PDPA s.21).
• The right to correct your personal data — to request that we correct any error or omission in personal data we hold about you (PDPA s.22).
• The right to withdraw consent — to withdraw any consent you have given for our collection, use or disclosure of your personal data (PDPA s.16).
• The right to be informed of the purposes for which we use your personal data.
• The right to data portability — once the relevant provisions of the PDPA come into force (PDPA sections 26F to 26J), to request that we transmit your personal data in a structured, commonly used and machine-readable format to another organisation.

We will respond to access and correction requests within 30 days, or notify you if more time is required. We may charge a reasonable fee for access requests, in accordance with the PDPA.

To exercise any of these rights, please contact our DPO using the details in Section 19. We may need to verify your identity before responding.

19. How to Contact Us

Questions, comments, requests and complaints relating to this Privacy Notice, or to the way in which we handle your personal data, should be addressed to our DPO:

Data Protection Officer

Immelia Izalena

Jardin Enchante Pte Ltd

211 Henderson Road, #04-03, Singapore 159552

Email: marketing@1-group.com.sg

20. Complaints to the PDPC

If you are not satisfied with the way we have handled a privacy-related concern, you have the right to lodge a complaint with the Personal Data Protection Commission, Singapore:

• Website: www.pdpc.gov.sg
• Address: 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438

We would, however, appreciate the opportunity to address your concern first — please contact our DPO before approaching the PDPC.

21. Updates to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, our services, or the law. When we make material changes, we will indicate this by updating the “Last updated” date at the top of this Notice and, where appropriate, by giving you additional notice (for example, by email or by a banner on our website).

Please review this Notice periodically to stay informed about how we handle your personal data.

22. Governing Law

This Privacy Notice and our handling of your personal data are governed by the laws of Singapore.

— End of Privacy Notice —