Sol & Luna Privacy Notice

Last updated: 20 May 2026

1. About this Privacy Notice

Welcome to the Sol and Luna Privacy Notice (referred to in what follows as “this Notice”). This Notice walks you through how Sol and Luna goes about collecting, using, disclosing and otherwise processing personal data that relates to you. The Notice covers the full range of touchpoints we maintain with you, namely your visits to our venue, your time on the website at www.solandluna.sg, your engagement with our reservation systems, telephone calls and email exchanges, your activity on our social media channels, and your participation in the 1-Insider loyalty programme. The drafting follows the requirements of the Personal Data Protection Act 2012 of Singapore (referred to as the “PDPA”) together with the regulations made under it.

The term “personal data”, as used throughout this Notice, has the meaning given to it by the PDPA itself: it describes data, whether or not the data is accurate, about an individual who can be identified from the data on its own, or from the data together with other information that we have access to (or are likely to have access to). References to “Sol and Luna”, “we”, “us” or “our” point to the Sol and Luna venue and to the entity that operates it.

2. Who We Are

The company behind Sol and Luna is 1-Spring Pte Ltd, a Singapore incorporated private limited company. Its UEN is 202100939Z and its registered office sits at 88 Market Street, #17-01, Singapore 048948. For PDPA purposes, 1-Spring Pte Ltd is the “organisation” responsible for the personal data we collect about you in connection with the Sol and Luna venue. The term equivalent to “organisation” in other privacy regimes is “data controller”.

3. Our Data Protection Officer

A Data Protection Officer has been appointed, and the role of that officer is to oversee how we live up to our obligations under the PDPA. Should you wish to write to the Data Protection Officer, please use the following details:

Immelia Izalena, Data Protection Officer

1-Spring Pte Ltd

88 Market Street, #17-01

Singapore 048948

Email: marketing@1-group.com.sg

4. Who This Privacy Notice Applies To

This Notice is intended to apply to a broad range of individuals. You are likely to be covered if any of the following statements is true of you:

• you have submitted a job application to Sol and Luna or to 1-Spring Pte Ltd at any time;
• a third party has shared your personal data with us, perhaps because another member of a dining party has booked on your behalf;
• you have communicated with us through some channel, whether by telephone, by email, through social media, or otherwise;
• you have made a reservation, raised an enquiry, completed a purchase, or registered through the website, our reservation systems or the 1-Insider loyalty programme; or
• you have dined at Sol and Luna, attended an event at the venue, or otherwise been physically present at it.

5. Personal Data We Collect

The categories of personal data we may collect about you are described in the subsections that follow.

Identity details and contact channels

Information by which you are identified, and through which we are able to be in contact with you. The information here may include your name, salutation, date of birth (if you have chosen to share it), nationality, gender, a photograph (where relevant to the context), your postal address, your email address, your telephone number, your social media handles, and any further contact details you have shared with us.

Reservation and event details

Information that pertains to your reservations and to events you may attend or organise with us. This information typically includes the date and time of the booking, the particular table or area you have reserved, your party size, the names and contact details of guests in your party, dietary requirements, allergy information, occasion notes, accessibility needs, any special requests you have made, and your booking and attendance history with us.

1-Insider loyalty programme participation

Where you have chosen to participate in 1-Insider, the information we hold includes your membership identifier, your current tier, your points balance, your redemption history, your stated member preferences, your marketing communication preferences, and a record of how you have engaged across the venues that participate in the programme.

Payment information

Information relating to payments. Where you have made a payment, purchased a gift voucher or placed a deposit through our website or our reservation systems, our payment processor (working on our behalf) records billing information, the last four digits of the payment card, the brand of the card, the transaction details and any related invoicing data. The full payment card number is handled directly by the payment processor and we do not retain it in clear text.

Marketing preferences

Information about the channels through which you have consented to receive marketing (and those you have declined), the content categories in which you have indicated an interest, your engagement with the marketing we send (opens, clicks and unsubscribes), and any opt out signals you have given to us.

Website, device and cookie details

Information relating to your device and your use of the website. This may include your IP address (together with geolocation derived from it at city or country level), the type and model of your device, your operating system, the type and version of your browser, your language and time zone settings, the pages on the website you have visited, the referring URL, the links you have clicked, the time you have spent on individual pages, session identifiers, and cookie identifiers (covering both cookies set by us and cookies set by our third party analytics, advertising and attribution partners).

Footage from CCTV and event photography

Closed circuit television footage captured at the Sol and Luna venue, together with photographic and video footage captured at events held at Sol and Luna. The way we operate each of these is described in Section 15 (CCTV) and Section 16 (Photography).

Job applicant details

For applicants to our roles, the information contained in your CV, application form, cover letter, references and interview notes, including your educational background, your employment history, your professional qualifications, your immigration status (where relevant to your eligibility to work in Singapore), and anything further you have chosen to share.

Correspondence with us

Any correspondence, feedback, review, complaint or other message you have sent to us, along with whatever we have sent back, no matter which channel was used.

6. How We Collect Personal Data

Personal data reaches us through a handful of different routes. Those routes are as follows:

• from CCTV cameras that we have installed and operate at Sol and Luna and at other venues we run, as described in Section 15;
• from publicly available sources, such as professional or media profiles, which we make use of in the context of due diligence, marketing or recruitment;
• by automatic means, when you visit our website or interact with our digital channels, through cookies, pixels and similar technologies (as described in Section 13);
• from the third party reservation, payment and loyalty platforms that we rely on to operate Sol and Luna, namely SevenRooms (table reservations and guest management), Tripleseat (event enquiries), Stripe (payment processing) and Eber (the 1-Insider loyalty programme);
• from third parties acting in your interest or on your behalf, for example another member of your party booking a table that includes you, an event organiser, a corporate client, a concierge service or a hotel booking on your behalf; and
• directly from you, for example when you make a reservation, register for 1-Insider, complete a purchase, send us an enquiry, attend an event, fill in a form on the website, write to us, or interact with members of our team at the venue.

7. How We Use Personal Data

There is a set of purposes for which we may use personal data. Those purposes include the following:

• establishing, exercising or defending legal claims, including claims connected with reservations, with transactions or with workplace matters;
• complying with applicable laws and regulations, including the PDPA, accounting and tax laws, food safety laws and licensing requirements, and responding to lawful requests from regulators or law enforcement authorities;
• assessing and selecting job applicants, managing recruitment processes, and (if your application is unsuccessful) retaining your application as described in Section 17;
• managing incidents and security, including investigating complaints, accidents, disputes and potential misconduct, whether arising at the venue or on our digital channels;
• undertaking internal business analysis and improvement, covering menu development, service quality review, and operational planning;
• measuring how our marketing performs through analytics, advertising platform measurement and first party attribution, so that we can keep improving it;
• operating, maintaining, securing and improving the website, our reservation systems and our digital channels, including the diagnosis of technical issues and the review of performance;
• sending marketing communications about Sol and Luna, about 1-Spring Pte Ltd, and about our other concepts that we consider may be of interest to you, where you have consented to receive them or where the law otherwise permits;
• personalising your experience, by recalling dietary requirements, preferences, allergies and accessibility needs across visits;
• operating the 1-Insider loyalty programme, including member registration, points tracking, processing of redemptions and management of tier benefits; and
• delivering the services you have asked for, including the processing of reservations, the fulfilment of event bookings, the processing of payments and refunds, communications about your reservation or visit, and any follow up afterwards.

8. The Legal Bases on Which We Rely

The PDPA recognises a number of legal bases on which personal data can be collected, used and disclosed. The bases on which we rely include the following, and more than one basis may apply at any given time:

• compliance with the legal obligations to which we are subject (one example being our obligation to retain accounting records in line with the Companies Act 1967, the Income Tax Act 1947 and the Goods and Services Tax Act 1993);
• the performance of a contract to which you are a party (for example, the fulfilment of a reservation, or a confirmed event booking);
• the “business improvement” exception under the PDPA, which applies to activities such as the improvement of our goods and services, the development of insights about our customers, and the development or enhancement of our offerings;
• the “legitimate interests” exception under the PDPA, applicable where the legitimate interests of Sol and Luna (or of another person) clearly outweigh any adverse effect on you (relevant, for example, in respect of venue security, fraud prevention and the management of operational risk); and
• your consent, whether given expressly or, where the PDPA permits, deemed by your voluntary provision of personal data for a clearly notified purpose.

Where reliance is placed on your consent, you may withdraw that consent at any time. To do so, please write to the Data Protection Officer using the details set out in Section 3. The withdrawal of consent will not affect the lawfulness of any processing already undertaken before the withdrawal, and it may mean that we are no longer able to provide certain services to you.

9. How We Share Personal Data

Personal data may be shared with three broad categories of recipient. In every case, the sharing is limited to what is reasonably necessary to support the purposes described in Section 7.

Other recipients

Beyond service providers and group entities, personal data may also be shared with our professional advisers, including lawyers, accountants, auditors and tax advisers; with our insurers; with banks and payment networks in connection with transactions and chargebacks; with regulators and law enforcement authorities, where required by law or where disclosure is considered necessary in order to protect our rights or the rights of others; and with any successor in interest in connection with a merger, acquisition or sale of business or assets.

Service providers and processors

Personal data is also shared with service providers engaged to process personal data on our behalf, under written contracts that include PDPA aligned data protection terms. At present, our principal service providers include the following:

• Mailchimp and other email service providers (used for marketing communications);
• Google Analytics, Google Ads, Meta and TikTok (used for analytics, advertising and attribution);
• Slack (used for internal communications);
• Google Workspace (used for productivity, email and document collaboration);
• Vercel and Supabase (used for web hosting and managed database services in respect of our digital channels);
• Google Cloud and Amazon Web Services (used for hosting and infrastructure);
• Stripe (used to process payments);
• Eber (the platform on which the 1-Insider loyalty programme operates);
• Tripleseat (used for private events and event enquiries); and
• SevenRooms (used for table reservations and guest management).

Within the 1-Spring Pte Ltd group

Personal data may be shared with personnel and with entities under common ownership with, or having an operating relationship with, 1-Spring Pte Ltd. This sharing supports activities including the operation of the 1-Insider loyalty programme across the venues that participate in it.

We do not sell personal data.

10. Transfers of Personal Data Outside Singapore

Several of the service providers we use are located outside Singapore. The list of overseas service providers includes SevenRooms, Tripleseat, Eber, Stripe, Google, Amazon Web Services, Vercel, Supabase, Meta and TikTok. Because of this, personal data may be transferred to, stored in or accessed from countries other than Singapore. The countries in question may include the United States, the European Union, the United Kingdom, Australia and other jurisdictions in which these providers operate.

Where any transfer of personal data outside Singapore takes place, the steps required by the PDPA are taken so that the recipient is bound by legally enforceable obligations providing a standard of protection comparable to the protection afforded under the PDPA. The steps we take may include putting in place contractual safeguards (typically data processing agreements that include PDPA aligned data protection clauses), placing reliance on the certifications that are applicable to the recipient, or any other measures permitted by the Personal Data Protection (Transfer of Personal Data Outside Singapore) Regulations 2014.

11. How Long We Keep Personal Data

Personal data is retained only for as long as is necessary for the purpose for which it was originally collected, together with such period as is required in order to satisfy legal, accounting, tax, audit and reporting obligations. To give some examples:

• records concerning job applicants are retained for up to twelve (12) months from the close of the relevant recruitment cycle, unless you have agreed to a longer period;
• CCTV recordings are usually retained for around 30 days from the time of recording, after which they are securely overwritten, except where a particular recording needs to be kept for longer in connection with an investigation, a dispute or a legal matter;
• financial records (including invoices, deposits and refunds) are retained for the periods required under the Companies Act 1967, the Income Tax Act 1947 and the Goods and Services Tax Act 1993, which generally amounts to a minimum of five years;
• records relating to the 1-Insider loyalty programme are retained for as long as you remain a member, along with a reasonable period thereafter, in accordance with the loyalty programme terms; and
• reservation records and guest profiles are retained while your account or profile remains active, along with a reasonable period thereafter for record keeping, dispute handling and audit.

Where personal data is no longer needed for any legal or business purpose, it is securely deleted or anonymised.

12. How We Protect Personal Data

Reasonable security arrangements are maintained, with the aim of safeguarding personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or any similar risk. Those arrangements include access controls, role based access permissions, encryption in transit, secure server hosting, periodic reviews of our security practices, training for members of staff who handle personal data, and contractual safeguards built into our agreements with service providers.

Even with these arrangements in place, no method of transmission of information over the internet, and no method of electronic storage, can be regarded as completely secure. We are not able to guarantee absolute security, and any personal data you choose to provide is provided to us at your own risk.

13. Cookies, Analytics and Marketing Attribution

The website makes use of cookies and similar tracking technologies. A cookie is a small text file that is placed on your device when you visit a website. The cookies in use on our website may be grouped as follows:

• a first party attribution cookie that we set ourselves, named “_1g_attr”, which is used in order to measure the channels through which visitors reach the website and to attribute marketing performance in a more reliable way as support for third party cookies continues to decline;
• advertising and attribution cookies, which allow us to measure how effective our advertising is and to personalise the advertisements you may see on third party platforms (including Google Ads, Meta and TikTok);
• analytics cookies, which help us to understand how visitors make use of the website (for instance through Google Analytics);
• preference cookies, which remember your settings (such as your language); and
• strictly necessary cookies, which the website needs in order to function correctly.

Cookies may be managed through your browser settings. If you choose to disable certain cookies, you may find that parts of the website work differently for you.

14. Marketing Communications, the DNC Registry and the Spam Control Act

Where you have given your consent, or where the PDPA otherwise permits us to do so, marketing communications may be sent to you. The communications may concern Sol and Luna, the 1-Insider loyalty programme, and other concepts operated by 1-Spring Pte Ltd that we believe may be of interest to you. The channels through which the communications may reach you include email, SMS, push notification, in app message, postal mail and other channels.

You may opt out at any time. The available options are:

• writing to the Data Protection Officer using the contact details set out in Section 3;
• updating the marketing preferences within your 1-Insider account;
• replying with the stop word indicated to any marketing SMS we send you; or
• clicking the “unsubscribe” link inside any marketing email we send you.

Before any marketing message is sent to a Singapore telephone number by way of voice call, SMS or fax, the number is checked against the relevant Do Not Call (“DNC”) registers maintained by the Personal Data Protection Commission, unless an exemption applies (for example, where you have given clear and unambiguous consent in writing or in another readable form, or where the message is an “ongoing relationship” message). Commercial electronic messages sent by us comply with the Spam Control Act 2007 of Singapore, including the requirements relating to unsubscribe facilities and to sender identification.

15. CCTV at Our Venues

Closed circuit television is operated at the Sol and Luna venue. The purposes for which CCTV is used at the venue include safety, security, the investigation of incidents, the prevention of fraud, loss prevention, the assurance of service quality, and the protection of our property, our staff and our guests. Signage notifying visitors that CCTV is in operation is displayed in the relevant areas. CCTV recordings are kept for a limited period, typically around 30 days, after which they are securely overwritten, except where a particular recording is retained for longer in connection with an investigation, a dispute or a legal matter. CCTV is not used to monitor staff productivity in the ordinary course of operations.

16. Photography and Videography at Events

Photographs and video may be taken at events that take place at Sol and Luna. The events covered by this include private events, family events, media events and brand activations. The purposes for which the photographs and video are used include marketing, communications, social media and editorial use. When photography or videography is planned, reasonable efforts are made to provide advance notice to guests, for example through signage at the venue or through messaging included within the event invitation. Reasonable requests not to be photographed or filmed will be accommodated where it is operationally practical to do so. Where any photograph or video is subsequently used for marketing purposes, we rely on the PDPA bases set out in Section 8.

17. Job Applicants

When you apply for a position at Sol and Luna or with 1-Spring Pte Ltd, the personal data contained in your application is collected and processed by us. The application may contain your CV, application form, cover letter, references and any interview notes. The processing supports the assessment of your suitability for the role, the conduct of interviews, the conduct of background and reference checks (where applicable and lawful), the making of employment decisions, and our compliance with applicable employment, immigration and other laws. If your application is not successful, your details may be retained for up to twelve (12) months in case other suitable opportunities arise, unless you have asked us to delete them sooner.

18. Your Rights Under the PDPA

The PDPA confers a set of rights on you in respect of your personal data, and those rights are subject to the conditions and exceptions set out in the PDPA itself. The rights are as follows:

• data portability (sections 26F to 26J of the PDPA, once they come into operation): in respect of certain categories of data, the right to ask us to transmit your data to another organisation that has the capacity to receive it;
• withdrawal of consent (section 16 of the PDPA): the right to withdraw any consent you have previously given to the collection, use or disclosure of your personal data, noting that withdrawal may mean we are no longer able to provide certain services to you;
• correction (section 22 of the PDPA): the right to ask us to correct an error or omission in the personal data we hold about you; and
• access (section 21 of the PDPA): the right to ask us to provide information about the personal data we hold about you, together with the ways in which we have used or disclosed it within the year preceding the request.

To exercise any of the rights above, please write to the Data Protection Officer using the details in Section 3. We may need to verify your identity before processing a request. The PDPA permits the charging of a reasonable fee for responding to certain requests; should a fee apply, we will let you know in advance, and the request will not be processed until you have confirmed that you are willing to pay the fee. We will respond to a valid request within the time period required by the PDPA, which is currently thirty (30) days, where reasonably practicable.

19. How to Contact Us

Should you have any questions about this Notice or about how we handle your personal data, the relevant contact details are:

Immelia Izalena, Data Protection Officer

1-Spring Pte Ltd

(operator of Sol & Luna)

88 Market Street, #17-01

Singapore 048948

Email: marketing@1-group.com.sg

General enquiries: enquiry@solandluna.sg

Telephone: +65 9295 2182

20. Complaints to the PDPC

If our response to a query or a complaint leaves you unsatisfied, the matter may be referred to the Personal Data Protection Commission of Singapore (“PDPC”). The PDPC may be contacted using the following details:

Personal Data Protection Commission of Singapore

10 Pasir Panjang Road, #03-01

Mapletree Business City

Singapore 117438

Website: www.pdpc.gov.sg

21. Updates to this Privacy Notice

This Notice will be updated from time to time. The reasons for an update may include changes in the way we operate, changes in the services we offer, or changes in the applicable law. The current version of this Notice is published at www.solandluna.sg/privacy, and the date at the top of the Notice indicates when it was last updated. Where a change is material, reasonable efforts will be made to bring it to your attention, for example through a notice published on the website or, where appropriate, by direct communication.

22. Governing Law

This Notice is governed by, and is to be construed in accordance with, the laws of Singapore.

— End of Privacy Notice —