Privacy Policy

Version 2.0

Last updated: April 6, 2026


Meridian Rock, PTD LTE ("we," "us," or "our") operates the Hedges VIP product platform, including mobile wallet passes, the enrollment portal, and the management portal at www.hedgesvip.com. This Privacy Policy describes how we collect, use, store, and protect your personal information in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

1. Information We Collect

Customer Information (VIP Card Holders): When you enroll in the VIP card program, we collect your first and last name, phone number, zip code, and optionally your email address. We also record your age attestation confirming you are 21 years of age or older, and your IP address at the time of consent for compliance recordkeeping.

Usage Data: We track venue visits (door scans), ticket issuance and redemption, benefit usage (cover charges, drink discounts), and offer redemptions to administer the VIP program and detect fraud.

Wallet Data: When you add your VIP card to Apple Wallet or Google Wallet, we store device registration tokens and wallet pass identifiers necessary to deliver and update your digital card.

Staff Account Information: For staff portal users, we collect name, email address, role assignment, and login credentials. If you sign in with Google, we receive your Google profile information (name, email, profile picture) and store an OAuth account link.

Concierge Information: For concierge program participants, we may also collect employer or affiliation and a payment handle (e.g., bank account or payment service identifier) solely for the purpose of processing commission payouts.

2. How We Use Your Information

We use the information we collect to:

  • Issue and manage your VIP card and digital wallet passes
  • Process venue entry, ticket issuance, and benefit redemptions
  • Send promotional offers and program updates (if you provided an email)
  • Detect and prevent fraud, including repeated invalid scan attempts and suspicious activity
  • Generate anonymized analytics for venue operators
  • Maintain audit records for compliance and dispute resolution
  • Authenticate and manage staff portal access
  • Process concierge commission payouts where applicable

3. Data Sharing and Sub-Processors

Venue Operators: Participating venues can access your visit history, benefit redemptions, and card status for their location(s) through the management portal.

We engage the following sub-processors to operate the platform. Each is bound by data protection obligations consistent with this policy:

  • Railway Inc. (US) — cloud infrastructure hosting for the platform and database
  • Resend Inc. (US) — transactional and promotional email delivery
  • Better Stack Inc. (US) — application log management (personally identifiable information is automatically redacted before transmission to this service)
  • Apple Inc. (US) — Apple Wallet pass issuance and updates
  • Google LLC (US) — Google Wallet pass issuance and Google sign-in for staff
  • Stripe Inc. (US) — platform billing (we do not store customer payment card data; Stripe processes it directly)

We do not sell your personal information. We may disclose information when required by law or to protect the safety and security of our users and platform.

4. Data Storage and Security

Your data is stored in encrypted databases with strict access controls. Each venue operator's data is isolated through multi-tenant architecture, meaning one operator cannot access another's customer data.

We implement industry-standard security measures including encrypted connections (TLS), hashed passwords, rate limiting, and comprehensive audit logging of all staff actions.

5. Data Retention

We retain data according to the following schedule:

  • Active card data: retained while your VIP card is active
  • Inactivity expiration: cards with no door-scan event for six consecutive months are automatically expired; associated data is retained as below
  • Soft-deleted customer data: purged two years after deletion or expiration
  • Audit and fraud detection data: minimum two years for compliance purposes; archived and restricted after seven years
  • Sales lead data: two years from submission
  • Staff account data: duration of employment or engagement, plus seven years
  • Consent records (including age attestation and Terms acceptance): retained indefinitely as legal proof of consent

6. Your Rights Under the PDPA

Under the Personal Data Protection Act 2012 (Singapore), you have the following rights with respect to your personal data:

  • Access: request a copy of the personal data we hold about you (we will respond within 30 days)
  • Correction: request that inaccurate or incomplete personal data be corrected
  • Withdraw consent: withdraw consent for processing activities based on consent (such as marketing emails) — withdrawal does not affect the lawfulness of processing carried out before withdrawal
  • Deletion: request deletion of your personal data, subject to our legal retention obligations set out in Section 5
  • Opt out of marketing: opt out of promotional emails at any time via the unsubscribe link in any email we send, or by contacting privacy@hedgesvip.com
  • Data portability: request a portable copy of personal data you have provided to us

To exercise any of these rights, contact the staff at your participating venue or email privacy@hedgesvip.com. We will respond within 30 days.

7. Cross-Border Data Transfers

Meridian Rock, PTD LTE is incorporated in Singapore. The Hedges VIP platform is hosted in the United States by Railway Inc. As a result, your personal data is transferred to and processed in the United States, which may have different data protection laws than Singapore.

We take steps to ensure that cross-border transfers are protected by contractual data protection agreements with our infrastructure and service providers, consistent with the requirements of the PDPA and the PDPC's advisory guidelines on cross-border transfers.

8. Cookies and Tracking

The management portal uses session cookies for authentication. We do not use third-party tracking cookies or advertising pixels. The enrollment portal does not require cookies for basic functionality.

9. Age Requirement

The Hedges VIP program is available only to individuals 21 years of age or older. We do not knowingly collect information from anyone under 21. If we learn that we have collected data from someone under 21, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. Data Protection Officer and Contact

Meridian Rock, PTD LTE has appointed a Data Protection Officer (DPO) as required under the PDPA:

  • DPO: Adam Seyer
  • Email: privacy@hedgesvip.com
  • Organisation: Meridian Rock, PTD LTE

To exercise your data rights or raise any concern about how we handle your personal data, please email privacy@hedgesvip.com. We will acknowledge your request promptly and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg or call +65 6377 3131.


© 2026 Meridian Rock, PTD LTE. All rights reserved.