Privacy Policy

Effective date: 5 September 2025
Website: https://mrbutlerholiday.com
Entity: Mr. Butler Holiday Pte. Ltd. (“we”, “us”, or “our”)
Jurisdiction: Republic of Singapore (PDPA)

Quick summary: We collect and use personal data to provide travel planning and related services. We keep it secure, retain it only as long as necessary, and give you rights to access, correct, and withdraw consent. This policy explains the details.

1) Scope & Who We Are

This Privacy Policy explains how we collect, use, disclose, and protect personal data of individuals who interact with Mr. Butler Holiday through our website, booking channels, social media pages, customer support, and in connection with our travel services.

We have appointed a Data Protection Officer (DPO) responsible for our compliance with Singapore’s Personal Data Protection Act 2012 and its regulations (“PDPA”).
DPO contact: Shawn— [operations@mrbutlerholiday.com] — +65 8181 3190

2) Personal Data We Collect

The types of personal data we may collect include:

Identity & contact: full name, NRIC/FIN/passport number, nationality, date of birth, gender, billing/shipping address, email, phone, emergency contact.
Travel details: itineraries, booking references, loyalty numbers, visa/passport information, preferences (e.g., seating, dietary), travel companions’ details.
Payment & transaction: masked payment card data (processed by payment providers), bank transfer info, invoices and receipts, purchase history.
Communications & customer support: enquiries, feedback, recordings or transcripts (where applicable), marketing preferences.
Technical & usage: IP address, device/browser info, logs, cookies and similar technologies, pages viewed, referral URLs.
Sensitive or special information (if provided): medical or mobility information needed to arrange assistance (e.g., wheelchair access), religious or dietary preferences. We collect and use such data only where necessary to provide requested services and with your explicit consent where required.

If you provide us with personal data of another individual (e.g., a family member), you confirm that you have their consent or are otherwise legally permitted to do so.

3) How We Collect Personal Data

Directly from you: when you browse our site, submit forms, chat with us, make bookings or payments, or communicate via phone/email/WhatsApp/social platforms.
From partners & providers: hotels, airlines, ground operators, insurance providers, payment processors, analytics and cloud vendors who support our services.
Automatically: via cookies, pixels, SDKs, and similar technologies when you use our website or our partners’ sites.

4) Purposes of Collection, Use & Disclosure

We collect, use, and/or disclose personal data for purposes including:

Service delivery: processing enquiries and bookings; arranging transport, accommodation, tours, insurance and concierge services; issuing confirmations and travel documents.
Customer care: responding to requests, after‑sales support, handling complaints and refunds.
Account & payments: fraud prevention, billing, receipts, audits, chargebacks, and tax/accounting compliance.
Operations & security: site administration, troubleshooting, incident management, monitoring and improving our services, risk management, and security (including access controls and logs).
Communications & marketing: sending service notices, pre‑trip updates, and—with your consent or where permitted—promotional messages (email, SMS, WhatsApp, calls) about our services and promotions.
Legal & compliance: compliance with laws, law‑enforcement requests, dispute resolution, or to establish/exercise/defend legal claims.

We will notify you of any additional purposes at or before collection, and seek consent where required. If we use personal data for a purpose not covered above, we will obtain your further consent unless an exception under the PDPA applies.

5) Our Legal Bases under the PDPA

We rely on the following PDPA bases:

Consent (including deemed consent when you provide data to us to fulfil your request, or when necessary to perform a contract you have entered into with us).
Legitimate interests exception (where applicable) for purposes such as fraud detection, network security, or service improvement after we conduct and document a balancing test and provide appropriate safeguards.
Other PDPA exceptions (where applicable), e.g., emergencies threatening life/health, investigations, legal claims, or where data is publicly available.

You may withdraw consent at any time (see Section 11). If you do so, we will inform you of the likely consequences (e.g., we may be unable to complete your booking).

6) Marketing, DNC & Unsubscribe

Email & online marketing: You can unsubscribe at any time by using the unsubscribe link in our emails or by contacting us (see Section 16).
Calls/SMS/WhatsApp to Singapore numbers: We comply with the PDPA Do Not Call (DNC) provisions. We will not send marketing to numbers listed on the DNC Registry unless an exemption applies or you have given clear and unambiguous consent. You may opt out of such messages at any time.

Operational/transactional messages (e.g., booking updates, safety notices) are not considered marketing and may still be sent as needed to provide our services.

7) Cookies & Similar Technologies

We use cookies, pixels and similar technologies to:

enable core site functions,
remember your preferences,
measure site performance and improve user experience,
support analytics and advertising.

You can manage cookies via your browser settings or our cookie banner (where available). Disabling certain cookies may impact site functionality.

8) Disclosure of Personal Data

We may disclose personal data to:

Travel suppliers (e.g., hotels, airlines, transport operators, guides), insurance and visa partners, strictly as needed to fulfil your booking.
Service providers acting on our behalf (e.g., payment processors, IT hosting, communications, analytics, fraud tools, professional advisers, couriers). These providers are bound by contractual obligations to protect your data and use it only for our instructions.
Authorities & regulators where required by law, legal process, or to protect rights, property and safety.
Business transfers: if we undergo a restructuring, merger, or asset sale, your data may be transferred to the relevant third parties under appropriate safeguards.

We do not sell your personal data.

9) International Data Transfers

Our services may require transfers of personal data to countries outside Singapore (for example, to overseas hotels or booking systems). Where we transfer personal data overseas, we will ensure that the recipient provides a standard of protection comparable to the PDPA, for example by:

using contractual clauses with recipients,
transferring to recipients certified under recognised frameworks (e.g., APEC CBPR/PRP), or
obtaining your consent after notifying you of any risks if comparable protection cannot be ensured.

10) Retention

We retain personal data only for as long as necessary to fulfil the purposes above and to meet legal, accounting, or business requirements (e.g., tax/audit). When no longer needed, we will anonymise or securely dispose of the data.

11) Your Rights — Access, Correction & Withdrawal of Consent

Access & copies: You may request access to your personal data in our possession or control and information about how it has been used or disclosed in the past year.
Correction: You may request that we correct or update your personal data.
Withdrawal of consent / opt‑out: You may withdraw consent for any purpose, including marketing.

To exercise these rights, contact our DPO (Section 16). We may need to verify your identity and may charge a reasonable fee for access requests. We will respond within a reasonable time and in the manner required by the PDPA.

12) Protection & Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest where appropriate, network security, vulnerability management, staff confidentiality obligations, and ongoing monitoring. However, no method of transmission or storage is completely secure; we cannot guarantee absolute security.

13) Data Breaches

If we assess that a data breach is likely to result in significant harm to individuals or involves 500 or more affected individuals, we will notify the Singapore PDPC and, where required, the affected individuals as soon as practicable. We maintain internal procedures to detect, assess and respond to incidents.

14) Children’s Privacy

Our services are not directed to children under 13. We do not knowingly collect personal data from children without verifiable parental consent where required. If you believe a child has provided personal data to us without consent, please contact our DPO and we will take appropriate steps.

15) Third‑Party Sites & Services

Our website may contain links to third‑party sites or services (including booking engines, payment gateways, or social platforms). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

16) Contacting Us (DPO)

For any requests, questions, or complaints about how we handle your personal data, please contact our Data Protection Officer:

Email: operations@mrbutlerholiday.com
Telephone: +65 81813190

17) Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal, regulatory, or operational reasons. We will post the updated version on this page with a new Effective date. Material changes may be notified to you by email or via a notice on our website.

18) Governing Law

This Privacy Policy is governed by the laws of the Republic of Singapore.

Tips for Implementation (not part of the policy)

Replace placeholders (DPO name, phone, address).
Ensure your email templates include a working unsubscribe link.
If you use analytics/ads cookies, deploy a banner and cookie preferences page.
Keep a record of consent (including for marketing, WhatsApp/SMS, and for any sensitive assistance needs).
Maintain a breach response plan and DPO register.