We collect the following categories of personal data:

• Account information: Name, email address, and password (hashed by our authentication provider) when you register an account.
• Profile information: Display name and profile picture if you choose to provide them.
• Campaign data: Project titles, descriptions, images, rewards, milestones, and other content Creators submit. Creators are responsible for the accuracy and lawfulness of the content they publish.
• Pledge and payment data: Pledge amounts, selected rewards, and shipping details where a reward requires them. Card data is handled directly by Stripe — we never see or store full card numbers.
• Creator verification (KYC): For Creators who verify via Singpass MyInfo, we store the verified UINFIN/NRIC, full name, date of birth, nationality, and residency status returned by GovTech. We also retain a peppered HMAC-SHA256 hash of the UINFIN as an indexed dedup key (one person, one Creator account), and consent metadata (the timestamp you authorised the disclosure, the data fields you consented to, and the MyInfo transaction reference issued by GovTech) to evidence your consent. See Section 8.
• Trust-score signal data (Creators only): If you provide a LinkedIn URL or a company website on your Creator profile, we automatically retrieve and analyse the public content at those URLs to compute a Creator trust score that gates campaign creation. We retain the analysed text excerpts, derived signal flags (e.g. experience-mentioned, role-mentioned, content-quality indicators), the score breakdown, and the timestamp of the analysis. We do not sign in to LinkedIn or scrape behind authentication; we read only what is publicly accessible. You can remove these inputs at any time by clearing the relevant fields on your Creator profile, which will trigger a rescore on the next eligible event.
• Uploaded images:Profile pictures, campaign artwork, and reward imagery are stored in Supabase Cloud Storage. Campaign and reward images are publicly accessible via CDN as part of a campaign's public page; profile pictures follow your profile visibility.
• In-app messages:Messages between Creators and Backers inside a campaign's review threads are stored for the lifespan of that campaign plus a 30-day grace period after the final milestone is released or the campaign is cancelled.
• Usage data: IP address, browser type, pages visited, and interaction data collected via our hosting provider (Vercel) and analytics provider (Google Analytics 4 — see Section 6).
• Error diagnostics: When something breaks, we collect technical error context via Sentry. This may include a session replay recording of the failing interaction — see Section 7.
• Communications: Messages you send to us via email or support channels.

We use your personal data to:

• Create and manage your account on the platform.
• Process pledges and Creator payouts securely via Stripe.
• Send transactional emails (pledge confirmations, campaign status updates, payout notifications, password resets, refund notices). We do not send marketing emails.
• Screen campaigns and Creator applications against our platform policies on a reasonable-endeavours basis. Such screening does not constitute an audit, endorsement, or guarantee of any Creator's identity, accuracy, conduct, or legal compliance.
• Verify Creator identity for payout eligibility and anti-fraud.
• Compute a Creator trust score from Singpass verification, public LinkedIn profile content, and public company-website content. The score gates campaign creation: Creators must reach a minimum threshold before they can publish a campaign. No automated decision has legal effect against you on its own — Creators below the threshold can request manual admin review.
• Respond to customer support enquiries and PDPA rights requests.
• Diagnose technical issues via error tracking and limited session replay (Section 7).
• Improve platform usability via aggregated usage analytics.

We do not sell your personal data. We share data only in the following circumstances:

Service providers

We share data with the following service providers solely to operate the platform:

• Stripe — payment processing and Creator payouts. Subject to Stripe's Privacy Policy.
• Supabase — database, authentication, and storage hosting. Data is stored in Supabase-managed infrastructure.
• Vercel — website hosting and deployment. May log anonymised request data.
• Resend — transactional email delivery.
• Sentry — error tracking and error-only session replay (Section 7).
• Google Analytics 4 (Google) — platform usage analytics with IP anonymisation enabled. Loaded only when you opt in via the cookie banner.
• HubSpot— visitor identification + chat widget for follow-ups when you contact us. Loaded only when you opt in to “Marketing” cookies via the cookie banner. Subject to HubSpot's Privacy Policy.

Sharing with campaign Creators

When you pledge to a campaign, we may share the following data with the Creator to enable reward fulfilment:

• Your name
• Your contact email address
• Your shipping address (where a physical reward requires it)
• Any note you choose to include with your pledge

This data is shared on the basis that it is necessary to fulfil the reward you have requested. We share only what is reasonably required for that purpose.

Creators as independent data controllers

Once personal data has been shared with a Creator for fulfilment purposes, that Creator acts as an independent data controller under the PDPA. This means:

• The Creator is solely responsible for their own compliance with the PDPA and any other applicable data protection laws.
• We do not control, monitor, audit, or have visibility into how Creators store, use, retain, or handle your personal data after it has been shared with them.
• We are not responsible for any loss, misuse, unauthorised access, breach, or unlawful processing of your personal data by a Creator.
• We cannot compel a Creator to delete, correct, or return your personal data once it has been shared with them. Any such request must be made directly to the Creator.

Creator obligations

By launching a campaign on get that bread, Creators agree to our Terms of Service, which require them to:

• Use personal data only for the purpose of fulfilling campaign rewards and necessary campaign communication.
• Not use personal data for marketing, profiling, or any unrelated purpose without obtaining separate, explicit consent from you.
• Handle personal data in accordance with the PDPA and any other applicable laws.

However, we do not guarantee Creator compliance with these obligations. If you believe a Creator has misused your personal data, please contact us at hello@getthatbread.sg — we will take reasonable steps to investigate and, where appropriate, take action against that Creator under our Terms.

Legal disclosures

We may also disclose your data if required by law, court order, or government or regulatory authority in Singapore.

International data transfers

Some of our service providers process personal data outside Singapore. When we transfer data to them, we do so on the basis that (a) the recipient country provides a standard of protection comparable to Singapore's PDPA, or (b) contractual protections are in place requiring the recipient to provide a comparable level of protection.

• Stripe — processes payment data in the United States and other jurisdictions. Subject to Stripe's cross-border transfer safeguards.
• Vercel — platform hosting served globally; requests may be processed outside Singapore.
• Google — analytics data processed in the United States with IP anonymisation enabled.
• Sentry — error and session replay data processed in the United States.

We bucket the storage we use into three categories. Each behaves differently for consent purposes under PDPA.

Strictly necessary (always on, exempt from consent)

These are required for the platform to work. You can't opt out without losing core functionality.

• Supabase auth cookies (sb-*) — keep you signed in across requests. Set by our authentication provider.
• gtb_session — a 30-day first-party cookie we set for every visitor to attribute campaign-view and pledge events to a session in our own analytics table. Used purely for product metrics; not shared with third parties.
• theme (localStorage) — remembers your light/dark mode preference.
• creator-apply-form-draft, launch-checklist progress(localStorage) — autosaved in-progress forms so you don't lose work if you refresh.

Analytics (opt-in)

Google Analytics 4 (_ga, _ga_*) — page views, traffic sources, and aggregated interaction metrics. We enable IP anonymisation so your full IP address is never stored by Google. We do not use advertising or retargeting cookies, and we do not share analytics data with ad networks.

Marketing (opt-in)

HubSpot (__hstc, __hssc, hubspotutk) — visitor identification + chat widget. If you contact us via the website chat or fill in a form, HubSpot lets us follow up and recognise you on a return visit. Set as 1-year first-party cookies for cross-session continuity. Subject to HubSpot's Privacy Policy.

Payment / fraud prevention (loaded only on payment pages)

Stripe (__stripe_mid, __stripe_sid) — fraud-prevention cookies set by Stripe.js when you visit a page that handles a card payment. Treated as functional under PDPA s17 because they're necessary for secure payment processing; we cannot offer card payments without them.

How to control these

• On first visit, our cookie banner asks you to accept or reject the opt-in categories. Reject-all is the default if you dismiss without choosing.
• Browser-level signals — if your browser sends Do-Not-Track or Global Privacy Control, we silently set reject-all and skip the banner. We honour your browser preference.
• Change your mind later — clear the gtb_cookie_consent key in your browser's localStorage to re-show the banner, or email our DPO (Section 15).
• GA-specific opt-out — even with analytics accepted, you can install the Google Analytics opt-out browser add-on for an additional layer. Opting out of analytics does not affect your access to or use of the platform.

Creators are required to verify their identity before they can receive payouts. We support two paths and you may choose either:

• Singpass MyInfo (preferred) — government-backed identity verification via Singpass.
• Manual review (alternative) — admin review of an NRIC document plus selfie. Used during pre-launch and as a fallback for users who decline Singpass.

What you consent to with Singpass

When you click Allow on the Singpass consent screen, you authorise GovTech to disclose the following MyInfo fields to get that bread for the purpose of payout-eligibility verification:

• UINFIN — your NRIC or FIN identifier
• Name — your full registered name
• Date of birth
• Nationality
• Residential status

We request only those five fields and no others. The list of fields requested is governed by the OIDC scopes registered for our Singpass developer account; we cannot request fields outside that registered scope.

What we store

From a successful Singpass verification we persist:

• Verified UINFIN/NRIC— shown back to you on your verification screen so you can confirm what was retrieved, and provided to GovTech / regulators if our KYC processes are audited. Stored unmasked per Singpass's brand-toolkit display requirement.
• Verified full name (used for payout records and admin compliance review)
• Date of birth (used to confirm you are at least 18 — required for AML / age-verification checks)
• Nationality and residential status (AML / counter-terrorism financing checks)
• Timestamp of verification
• A peppered HMAC-SHA256 hash of the UINFIN— an indexed dedup key used to enforce one-person-one-account; stored alongside the raw value so duplicate checks don't require scanning UINFINs in plaintext.
• Consent metadata: the timestamp you granted consent on the Singpass screen, the OIDC scopes the access token actually granted, and the MyInfo transaction reference (txnNo) returned by GovTech. This is our audit trail evidencing that you consented and what you consented to.

How the UINFIN is protected: row-level security on the verifications table limits reads to the verified Creator (their own row) and authorised admins; no anonymous or other-user access is permitted. The separate hash column is keyed with a server-side pepper held only on our backend so duplicate-account checks can be done without scanning the raw values.

How we use this data

This data is used strictly for: payout-eligibility verification, anti-fraud (duplicate-account detection), and AML / counter-terrorism financing compliance. It is not used for marketing, not shared with any Backer or other Creator, and not shared with any third party except where legally required (for example, in response to a lawful order from a Singapore regulator or court).

Singpass-derived fields are accessible only to the Creator themselves (via their dashboard) and to platform admins performing compliance review. Access by admins is logged.

Withdrawing consent

You may withdraw consent for our use of your Singpass-derived data at any time by emailing our DPO (Section 16). Withdrawal results in your creator account being closed, because payout eligibility cannot be maintained without verified identity. Records subject to AML retention obligations (see Section 9) will be retained for the legally required period after closure but will not be used for any other purpose.

Legal basis

We collect this data on the basis of your consent (PDPA section 13) given at the Singpass screen, and on the basis that it is necessary for compliance with legal obligations applicable to a payment-related platform operating in Singapore (PDPA First Schedule, Part 3). Where the two bases overlap, the legal-obligation basis governs records we are required by law to retain.

Different categories of data are retained for different periods depending on the legal and operational reason we hold them.

• Account (name, email, profile): For as long as the account is active. Deleted or anonymised within 30 days of a deletion request.
• Pledges and payout records: 7 years from the transaction date (financial record-keeping under Singapore law).
• Creator KYC (Singpass): 7 years from account closure (AML record-keeping requirements).
• Campaign content (projects, rewards, updates, milestones): For the lifetime of the platform unless you specifically request deletion; anonymised on account deletion.
• In-app messages: Lifespan of the campaign + 30 days grace after final milestone release or cancellation.
• Sentry error data and session replays: 30 days.
• Server and request logs (Vercel): Provider default, typically 30 days or less.
• Stripe webhook event log: 7 years from event receipt (payment reconciliation).

Legal and financial retention obligations override deletion requests for affected records — when you exercise your PDPA rights, we'll confirm which records fall under this.

Creator-held data:Once personal data has been shared with a Creator to fulfil a reward, we have no visibility into or control over that Creator's retention practices. We cannot guarantee that a Creator will delete your data on request. For any data held independently by a Creator, you must contact that Creator directly.

Under Singapore's PDPA, you have the right to:

• Access the personal data we hold about you.
• Correct any inaccurate personal data we hold.
• Withdraw consent for the use of your personal data for any purpose (subject to legal and contractual obligations).
• Data portability — request a structured, machine-readable copy of personal data you have provided to us (such as your account and pledge history), where technically feasible.

Self-service download.If you're signed in, you can download a copy of the personal data we hold about you (profile, pledges, creator application, dispute concerns, campaign drafts) at /api/me/export — the response is a structured JSON file you can save locally. Self-service covers the data we hold about you directly; for anything held by Creators or third-party processors, email the DPO below.

Other rights. To request correction, withdrawal of consent, or account deletion (subject to retention obligations for completed transactions and AML records), email our Data Protection Officer at hello@getthatbread.sg. We respond within 30 days as required by the PDPA. We may verify your identity before acting on access or correction requests to protect you against impersonation.

Scope of your rights under this policy: Your PDPA rights under this policy apply only to personal data that we hold and process as data controller. For personal data held by Creators or third-party service providers acting as independent data controllers (see Section 5), you must exercise your rights directly with those parties. We are not able to act as an intermediary for such requests.

Our Data Protection Officer can be reached at: hello@getthatbread.sg

This mailbox handles all PDPA rights requests, privacy questions, and any concerns about how we use your data. We respond within a business day for general questions and within 30 days for formal PDPA requests.