FLNT At 1-ATICO PRIVACY NOTICE

1. ABOUT THIS PRIVACY NOTICE

1-ATICO PTE LTD (UEN: 201907382W) (“1-Atico”, “we”, “us” or “our”) is dedicated to safeguarding the personal data of our guests, members, corporate contacts, employment candidates, and digital visitors. This Privacy Notice outlines the specific personal data we gather, our methods for utilizing and safeguarding it, the external parties we share it with, and your legal rights regarding your personal information.

 

We process all personal data in strict alignment with the Singapore Personal Data Protection Act 2012 (the “PDPA”), the Spam Control Act 2007, and all other relevant statutory regulations. Please review this Notice thoroughly to comprehend our practices regarding your personal data. By navigating our websites, booking a table, enrolling as a 1-Insider member, or interacting with us in any other manner, you confirm that you have read this Notice.

 

2. WHO WE ARE

1-Atico operates as a premier multi-concept sky-high dining destination situated at ION Orchard, Singapore. Within this Notice, terms like “1-Atico”, “we”, “us” or “our” encompass 1-ATICO PTE LTD alongside the respective operating subsidiaries managing the following brands and venues (collectively referred to as our “Venues”):

FIRE: An authentic Argentinian grill concept.

FLNT: A high-energy Japanese-Peruvian (Nikkei) restaurant.

Atico Lounge: A versatile day-to-night destination specializing in elegant high tea by day and transitioning into a sophisticated social space for curated cocktails and tapas by night.

1-HOST: Our dedicated team managing weddings, private events, and corporate hires at 1-Atico.

This Notice governs all personal data gathered by or on behalf of 1-Atico via our distinct brands, our digital sites (including 1-atico.sg and individual Venue web pages), our mobile applications, the 1-Insider loyalty scheme, our booking and event-enquiry channels, our marketing distributions, or any other touchpoint. We may also process data to comply with regulations, respond to a subpoena, search warrant, or alternative lawful requests for information, maintain Site integrity, or defend our legal rights.

3. OUR DATA PROTECTION OFFICER

In compliance with section 11(3) of the PDPA, we have designated a Data Protection Officer (“DPO”) tasked with overseeing our PDPA alignment and managing inquiries, requests, or complaints concerning your personal data. You can reach out to our DPO via the contact paths listed in Section 19 (How to Contact Us).

4. WHO THIS NOTICE APPLIES TO

We gather and manage personal data connected to the following groups of individuals:

Guests and customers: Including diners, reservation holders, walk-in guests, event attendees, wedding and private event clients, and gift voucher recipients.

1-Insider loyalty programme members: Current, prospective, and past members.

Marketing list subscribers: Individuals who have explicitly registered to receive our email or SMS marketing collateral.

Business contacts and suppliers: Including current, potential, and former suppliers, partners, agents, contractors, vendors, and their associated staff.

Job applicants and prospective workers: Candidates seeking full-time, part-time, casual, or contract roles, as well as applicants forwarded by recruitment agencies.

Website visitors: Users navigating 1-group.sg, our specific Venue websites, or any connected 1-Group platform or microsite.

CCTV and media subjects: Anyone captured on CCTV at our Venues, or individuals photographed or recorded during events hosted at our Venues.

5. PERSONAL DATA WE COLLECT

The exact types of personal data we collect depend on your specific interactions with us, which may encompass:

  • Identity and contact data: Full name, salutation, title, date of birth, gender, and nationality. This also includes home/business addresses, postal codes, country of residence, email addresses, and mobile or alternative telephone numbers. Identity-document details (e.g., NRIC/FIN or passport info) are requested only when strictly necessary, such as for tax-invoice generation or event verification; we never collect or store full NRIC numbers unless mandated by law.
  • Reservation, event and stay data: Booking specifics like date, time, party size, Venue choice, table preference, special occasions, and host notes. For functions, this covers event/wedding enquiry details like guest count, budget range, date, dietary or thematic needs, and vendor preferences. It also includes any dietary, allergy, and accessibility requirements you share to ensure your safety; providing this info constitutes consent for us to use it for that purpose. We also record purchase, billing, and transaction histories at our Venues.
  • Loyalty programme data: 1-Insider membership details, including tier status, points balances, redemption records, transaction history across Venues, communication choices, and preferences or feedback logged during your visits.
  • Financial and payment data: Credit and debit card specifics (gathered and processed securely by our PCI-DSS-compliant payment processors; we do not store complete card numbers), alongside billing addresses, deposit/refund histories, and invoicing details.
  • Marketing preferences and communications data: Preferred marketing channels (email, SMS, push notifications), opt-in/opt-out timelines, and language settings. We also track engagement data from marketing emails, such as opens and clicks, utilizing tracking tech for analytical insights.
  • Website, device and online behaviour data: Technical parameters including IP addresses, device identifiers, operating systems, browser types/versions, time-zone settings, and referring URLs. Usage metrics cover pages viewed, links clicked, search phrases used, time spent on pages, navigation flows, and the dates/times of your visits.
  • Attribution data: First-touch and last-touch source, medium, and campaign specifics gathered via our marketing attribution cookie (the “_1g_attr” cookie), which are saved against your reservation or enquiry record if you submit one.
  • CCTV, photography and event imagery: Video footage captured via CCTV across our Venues for security, asset protection, health-and-safety, and incident investigations. This also includes photographs and video recordings taken at events, weddings, and private functions for marketing and editorial use where a valid legal basis exists.
  • Job applicant data: Name, contact details, date of birth, work-permit status, nationality, CVs, cover letters, employment history, qualifications, and professional references. We also retain information shared during phone, video, or in-person interviews, data pulled from public sources like LinkedIn or recruitment platforms, and right-to-work, criminal-record, or background check data where lawfully mandated for the role.
  • Correspondence and feedback data: Complete contents of messages, emails, calls, or chat logs exchanged with our teams (including reservations, concierge, 1-Insider support, and event enquirers), as well as reviews, survey responses, complaints, and general feedback.

We do not intentionally gather personal data from children under 13 via our online platforms. The 1-Insider scheme and online booking forms are not meant for children. If you believe we have accidentally gathered data from a minor, please alert our DPO immediately.

6. HOW WE COLLECT PERSONAL DATA

We collect data through the following primary methods:

  • Directly from you: When making a reservation, dining or attending functions at a Venue, inquiring about weddings or private events, opting into marketing, enrolling in 1-Insider, redeeming vouchers, contacting us, finishing a survey, applying for employment, or otherwise interacting with us.
  • Automated systems: Collected passively via our websites and applications using cookies, tracking pixels, scripts, SDKs, and similar digital tools.
  • Third parties acting on our or your behalf: Including reservation systems (such as SevenRooms and Tripleseat), event/wedding inquiry channels, payment processors, recruitment partners, loyalty processors (Eber), email/SMS deployment services, web analytics providers, social media networks, advertising networks, and approved vendors.
  • Publicly accessible sources: Including social media platforms (e.g., LinkedIn for hiring), professional directories, and public reviews about our Venues monitored for quality control.
  • Other individuals in your party: Such as when a coordinator books a group table, a wedding planner shares guest lists, or a corporate organizer submits attendee details for a private booking. When you provide data regarding another individual, you verify that you hold the authorization to share that information for the reasons detailed in this Notice.

7. HOW WE USE PERSONAL DATA

We utilize personal data for the following essential purposes:

  • To deliver our services: Managing and confirming bookings, hosting your dining experiences, serving food and drinks safely (accounting for dietary, allergy, or accessibility details), executing events, offering concierge and customer support, and running the 1-Insider loyalty program.
  • To process financial transactions: Handling payments, generating receipts and tax invoices, issuing refunds, and rectifying billing inquiries.
  • To communicate effectively: Dispatching booking confirmations, reminders, event planning updates, service notifications, enquiry replies, and 1-Insider account updates.
  • To send marketing communications: Sharing newsletters, promotional deals, event invites, seasonal specials, and member perks, provided you have consented or where permitted under the PDPA, Spam Control Act 2007, and Do Not Call (“DNC”) frameworks.
  • To personalize your journey: Remembering your preferences (such as table choices, dietary needs, top Venues, and past orders) to customize subsequent visits and messages.
  • To operate, improve and secure platforms: Handling troubleshooting, analytics, system monitoring, fraud prevention, abuse detection, and tracking marketing attribution to see which channels drive bookings.
  • To execute research and analytics: Conducting aggregated, de-identified studies on guest trends, marketing success, and general operational efficiency across Venues.
  • To manage staffing: Recruiting, evaluating, and onboarding talent as referenced in Section 16/17.
  • For venue health, safety and security: Running CCTV networks, responding to incidents, and aligning with emergency services.
  • To satisfy legal obligations: Meeting tax, accounting, licensing, and public health mandates, and responding to statutory demands from regulators or law enforcement.
  • To protect our legal interests: Establishing, executing, or defending legal positions and handling active disputes.
  • For corporate activities: Managing mergers, acquisitions, re-organizations, financing, asset sales, or similar corporate actions tied to 1-Group or any specific Venue.

8. ACCESS AND CORRECTION OF PERSONAL DATA

Under the PDPA, we collect, use, or share personal data only with your consent unless a statutory exception applies. We rely on the following frameworks:

  • Consent: When you check a marketing permission box, enroll in 1-Insider, or submit an event inquiry, we use your data strictly for the reasons detailed at collection.
  • Deemed consent: Triggered when you willingly provide data for a transparent purpose (e.g., sharing your phone number when booking so we can call you regarding that specific reservation). We also utilize deemed consent by notification (PDPA s.15A) for vital secondary purposes where we have notified you, given a fair chance to opt-out, and verified via assessment that the action will not negatively impact you.
  • Legitimate interests: We rely on this PDPA exception (Part 3, First Schedule) where our business operational, security, or optimization needs do not infringe upon your personal rights. Examples include fraud prevention, venue security, internal audits, and core analytics.
  • Business improvement: We leverage this exception (Part 5, First Schedule) for internal analytical practices to refine our food, services, management, and marketing efficacy.
  • Legal obligations and vital interests: We may process data without consent when statutory laws dictate, or during emergency crises threatening life, health, or safety.
  • Withdrawing consent: You can revoke your consent at any point by contacting our DPO. This will not impact the legality of any data processing handled before your withdrawal. Note that pulling consent may restrict our ability to offer specific services—for instance, we cannot maintain your 1-Insider account without membership data processing. We will clarify if this applies when you contact us.

9. HOW WE SHARE PERSONAL DATA

We may distribute your personal data to the following select entities:

  • Within the 1-Group network: Shared across 1-Atico and our respective Brands so 1-Insider members enjoy unified recognition, and to let group-level marketing, analytics, and service teams maintain a uniform experience.
  • Our service providers and data intermediaries: Contracted third parties processing data strictly under our guidance. These encompass:
      • Booking and event management platforms (e.g., SevenRooms, Tripleseat).
      • Loyalty infrastructure platforms (e.g., Eber, which handles 1-Insider tech).
      • Payment processors (e.g., Stripe, POS systems, merchant acquirers).
      • Cloud storage and hosting providers (e.g., Google Cloud, AWS, Vercel, Supabase).
      • Internal productivity and communications suites (e.g., Google Workspace, Slack).
      • Email, SMS, and push notification distribution systems.
      • Analytics, marketing attribution, and ad platforms (e.g., Google Analytics, Google Ads, Meta, TikTok).
      • Guest feedback, review monitoring, surveys, and CRM software.
      • Hiring, background checking, and HR platforms.
      • Physical security, CCTV, IT defenses, and fraud mitigation providers.
      • Professional experts, including legal counsel, accountants, auditors, and insurers.

All intermediaries are contractually obliged to follow our directives, enforce rigorous security, and comply with the PDPA.

  • Other recipients: Government agencies, statutory regulators, courts, or law enforcement bodies where legally mandated. This also applies to prospective or actual buyers, investors, or financial partners during corporate transitions involving 1-Group or our Venues, protected by confidentiality terms, or other external entities authorized directly by you.
  • We never sell your personal data, nor do we lease marketing or membership registries to third parties for their independent commercial outreach.

10. TRANSFERS OF PERSONAL DATA OUTSIDE SINGAPORE

Certain service partners handling cloud storage, payment processing, marketing software, or reservations operate or use infrastructure outside Singapore. Consequently, your personal data may be shared with and processed in global territories including the United States, European Union, United Kingdom, Australia, India, Hong Kong, and others.

In line with section 26 of the PDPA, we execute rigorous checks before any cross-border transfer to confirm that the overseas recipient is legally bound to provide data protection matching the standard of the PDPA. This involves establishing strict data processing addenda and standard contractual clauses with partners, alongside utilizing other approved legal transfer mechanisms under Singapore law. Detailed information regarding cross-border data pathways can be requested from our DPO.

11. HOW LONG WE KEEP PERSONAL DATA

We store personal data exclusively for the duration required to fulfill the baseline collection goals, including satisfying legal, financial, regulatory, or contractual mandates. In determining lifecycle rules, we assess:

  • The scale, nature, and sensitivity of the data alongside the processing goals.
  • Potential alternative paths to achieve those goals.
  • Legal, fiscal, accounting, and operational licensing obligations.
  • The risk of harm stemming from unauthorized access or exposure.

For example:

  • Reservation records: Maintained throughout the guest lifecycle and for a justifiable period afterward to manage client service and protect against legal claims.
  • 1-Insider data: Retained through active membership and for a reasonable window following account dormancy or closure.
  • Unsuccessful job applications: Retained for up to 12 months post-decision, unless you request an extension for future openings.
  • Financial and transaction records: Held in line with the Companies Act 1967, Income Tax Act 1947, and Goods and Services Tax Act 1993.
  • CCTV footage: Typically held short-term (up to 30 days) unless pulled for an active incident investigation.

Once data is no longer necessary, we securely delete, return, or completely anonymize it so it cannot link back to you, following PDPA baselines.

12. HOW WE PROTECT PERSONAL DATA

We utilize physical, electronic, and operational safeguards built to protect personal data from accidental loss, alteration, unauthorized viewing, or exposure. These steps cover access restriction, encryption in transit, encryption at rest (where applicable), provider contractual mandates, employee compliance training, and breach response routines.

Because no platform is entirely flawless, should a data breach occur that threatens notable harm or impacts a major pool of individuals, we will alert the Personal Data Protection Commission (“PDPC”) and affected users in complete alignment with the PDPA Data Breach Notification Obligation.

13. COOKIES, ANALYTICS AND MARKETING ATTRIBUTION

We utilize cookies and tracking technologies (pixels, scripts, SDKs) across our web spaces and digital marketing emails. These tools let us identify your device, recall your options, understand web usage patterns, gauge marketing success, and detect fraudulent behavior.

Our cookie categories encompass:

  • Strictly necessary cookies: Essential for basic web mechanics, such as form submissions or session management.
  • Performance and analytics cookies: To measure how visitors navigate our sites (e.g., Google Analytics).
  • Marketing and advertising cookies: To provide targeted promotional material and evaluate ad impact (e.g., cookies from Google Ads and Meta).
  • Attribution cookies: Includes our first-party “_1g_attr” cookie, which logs the source, medium, and specific campaign that steered you to our site, connecting it to any subsequent booking or enquiry. This is recorded within your reservation profile to help us understand which marketing pipelines succeed.

You can manage cookie settings inside your browser or via our native cookie preference tools where provided. Turning off cookies can disrupt web performance. For deeper cookie breakdowns, consult our Cookie Notice or connect with our DPO.

14. MARKETING COMMUNICATIONS, THE DNC REGISTRY AND THE SPAM CONTROL ACT

Marketing communications are dispatched exclusively through lawful channels.

  • Email marketing: Deployed in full compliance with the Spam Control Act 2007. Every marketing broadcast features clear sender data, transparent subject lines, and an active opt-out link. You can opt-out at any juncture via the email link or by contacting our DPO.
  • SMS, telephone calls and fax (DNC Compliance): Before launching marketing SMS or making calls to Singapore numbers, we systematically cross-reference the DNC Registers managed by the PDPC, or rely on distinct, clear consent.

16. PHOTOGRAPHY & VIDEOGRAPHY AT EVENTS

We routinely capture photography and video assets at our Venues during events, weddings, grand openings, and functions. If we use this media for social platforms, promotions, or editorial press, we establish an appropriate contextual basis—such as your explicit consent (like a release clause within your wedding/private hire contract), standard PDPA deemed-consent rules, or another valid legal path. If you want to be excluded from marketing assets, please notify our event managers or our DPO.

17. JOB APPLICANTS

When you apply for a career position with 1-Atico, we leverage your data to review your qualifications, arrange interviews, conduct background or reference screenings where applicable, manage communications, and onboard you if hired as an employee or contractor. If your application is not successful, we typically preserve your data for a justifiable window (normally up to 12 months).

18. ACCESS AND CORRECTION RIGHTS

We pledge to handle formal data access and correction inquiries within 30 days, or we will notify you if an extension is required. A justifiable administrative fee may be levied for access requests, matching PDPA provisions. To initiate these requests, contact our DPO via Section 19; identity verification is required before data release.

19. HOW TO CONTACT US

For queries, feedback, requests, or formal complaints linked to this Privacy Notice or our personal data management protocols, please reach out to our designated DPO:

  • Data Protection Officer: Immelia Izalena
  • Company: 1-Atico Pte Ltd
  • Address: 211 Henderson Rd, #04-03, Singapore 159552
  • Email: enquiry@1-atico.sg

20. COMPLAINTS TO THE PDPC

If you feel your data privacy concerns have not been satisfactorily handled by us, you retain the right to submit an official complaint to the Personal Data Protection Commission, Singapore:

  • Website: www.pdpc.gov.sg
  • Address: 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438

We would, however, welcome the opportunity to resolve any issues directly with you first.

21. GOVERNING LAW

This Privacy Notice and our data handling ecosystems are bound by and interpreted under the statutory laws of Singapore.

23. CONTACT US

If you have any remaining questions about this Privacy Policy, please email our team directly at enquiry@1-atico.sg.