Privacy Policy

This Privacy Policy describes how Astra Hospitality Pte. Ltd. (UEN: [your UEN]), trading as Tessera ("we", "us", or "our"), collects, uses, discloses, and protects personal data in connection with our website at tesserasystems.io and the Tessera club management platform (together, the "Services").

We are incorporated in Singapore and are bound by the Personal Data Protection Act 2012 (PDPA). Where we process personal data of individuals in the European Economic Area (EEA) or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and applicable UK data protection law. Where we process personal data of California residents, we comply with the California Consumer Privacy Act (CCPA).

By using our Services you acknowledge you have read this Privacy Policy. If you do not agree, please discontinue use of the Services.

1. Who We Are

The data controller for personal data collected through this website and the Tessera platform is:

Astra Hospitality Pte. Ltd.
Registered in Singapore
Email: info@tesserasystems.io
Phone: +65 9640 4227

Where Tessera processes personal data on behalf of our business customers (clubs), we act as a data processor and our customers act as data controllers. Such processing is governed by separate Data Processing Agreements.

2. Personal Data We Collect

2.1 Information you provide directly

• Demo request & contact forms: first name, last name, club name, work email address, phone number, and any free-text enquiry you submit.
• Business correspondence: information contained in emails or calls you initiate with us.

2.2 Information collected automatically

• Usage data: pages visited, time spent, referral source, browser type, operating system, and device identifiers.
• Cookies & similar technologies: see Section 7 below.
• IP address & approximate location: derived from your internet connection for security and analytics purposes.

2.3 Platform data (B2B customers)

When clubs deploy the Tessera platform, they may process personal data about their members and staff through our software. This may include:

• Member profiles: name, contact details, membership tier, purchase history, preferences.
• Biometric identifiers: fingerprint or facial recognition templates used for Retail Kiosk authentication (processed under the club's own consent and disclosure obligations).
• Payment instrument tokens (we do not store raw card numbers; payment processing is handled by PCI-DSS compliant payment processors).
• Staff scheduling, task, and performance data.

Clubs are responsible for obtaining all necessary consents from their members and staff before processing such data through Tessera. We process it only on the documented instructions of the club.

3. How We Use Personal Data

• To respond to enquiries and provide the Services – including booking demos, onboarding customers, and delivering platform functionality.
• To manage our business relationship – contract administration, invoicing, and support.
• To improve our Services – analysing aggregated usage patterns, fixing bugs, and developing new features.
• To communicate with you – service announcements, security alerts, and (where you have opted in) marketing updates about Tessera.
• To comply with legal obligations – including applicable Singapore law, tax obligations, and responding to lawful government requests.
• To protect our legitimate interests – fraud detection, security monitoring, and enforcing our terms.

4. Legal Bases for Processing (GDPR)

For individuals in the EEA or UK, we rely on the following legal bases:

• Contract performance – processing necessary to deliver the Services you have requested.
• Legitimate interests – analytics, security, and direct marketing to existing business contacts, balanced against your privacy rights.
• Legal obligation – where processing is required by applicable law.
• Consent – for non-essential cookies and optional marketing communications. You may withdraw consent at any time.

5. Disclosure of Personal Data

We do not sell personal data. We may share it with:

• Service providers and sub-processors: cloud hosting, email delivery, analytics, customer support, and payment processing vendors who are contractually bound to protect data and process it only on our instructions.
• Professional advisors: lawyers, auditors, and insurers, under obligations of confidentiality.
• Business transfers: in connection with a merger, acquisition, or sale of assets, provided the successor entity upholds equivalent data protection standards.
• Law enforcement & regulators: where we are required by law or court order, or where disclosure is necessary to protect the safety of any person.

6. International Data Transfers

Our servers and sub-processors may be located outside Singapore, including in the United States, European Union, and Asia-Pacific. Where we transfer personal data from the EEA or UK to countries without an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA).

By using the Services, you acknowledge that your data may be transferred to and processed in countries outside your home jurisdiction.

7. Cookies

We use the following categories of cookies on our website:

• Strictly necessary: required for core site functionality. Cannot be disabled.
• Analytics: help us understand how visitors interact with our site (e.g. Google Analytics). Activated only with your consent.
• Marketing: used to deliver relevant advertising and track campaign performance. Activated only with your consent.

You can manage cookie preferences via the consent banner displayed on your first visit, or through your browser settings. Note that disabling certain cookies may affect site functionality.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Specifically:

• Demo enquiry data: up to 24 months from last contact, unless you enter a commercial relationship with us.
• Customer account and transaction data: for the duration of the contract plus 7 years (to meet Singapore tax and accounting obligations).
• Platform member/staff data: as directed by the club customer, subject to their own retention policies.
• Server logs: up to 12 months for security purposes.

9. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

• Access – request a copy of the personal data we hold about you.
• Correction – request correction of inaccurate or incomplete data.
• Deletion – request erasure of your personal data, subject to legal retention obligations.
• Restriction – request that we restrict processing in certain circumstances.
• Portability – receive your data in a structured, machine-readable format (GDPR / CCPA).
• Objection – object to processing based on legitimate interests or for direct marketing.
• Withdraw consent – at any time, for consent-based processing.

To exercise any of these rights, please contact us at info@tesserasystems.io. We will respond within 30 days (or sooner as required by applicable law). You also have the right to lodge a complaint with your local data protection authority.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include encryption in transit (TLS) and at rest, role-based access controls, audit logging, and regular security assessments. However, no transmission over the internet is entirely secure, and we cannot guarantee absolute security.

11. Biometric Data

The Tessera Retail Kiosk may process biometric data (fingerprint or facial recognition templates) to authenticate club members at point of sale. This is done strictly on behalf of our club customers, who are responsible for obtaining explicit, informed consent from their members in accordance with applicable law before enabling biometric features. We do not use biometric data for any purpose beyond the authentication function specified by the club.

12. Children's Privacy

Our website and marketing materials are directed at business professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are material, notify you by email or via a prominent notice on our website. Your continued use of the Services after any update constitutes acceptance of the revised Policy.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer at:

Astra Hospitality Pte. Ltd.
Attn: Data Protection Officer
Email: info@tesserasystems.io
Phone: +65 9640 4227