Privacy Policy
Last updated: March 2026
1. Introduction
Ellie N Leo Pte. Ltd. ("Ellie N Leo", "we", "us", or "our") is a Singapore-registered company operating a children's toy e-commerce platform. We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our website, services, and applications.
2. Data Controller
The data controller responsible for your personal data is:
3. Personal Data We Collect
We may collect the following categories of personal data:
3.1 Account Information
- Full name
- Email address
- Phone number
- Delivery address(es)
- Account password (encrypted)
3.2 Child Profile Information
- Child's name
- Child's date of birth
- Child's interests and preferences
Child profiles are used solely for personalised toy recommendations and age-appropriate product suggestions. We do not share child profile data with third parties for marketing purposes.
3.3 Payment Information
- Payment card details are processed securely by Stripe and are never stored on our servers
- Billing address
- Transaction history and order records
3.4 Educator Information
- Institution name and address
- Professional role and credentials
- Verification documents
3.5 Technical Data
- IP address
- Browser type and version
- Device information
- Cookies and usage data (see our Cookie Policy)
4. How We Use Your Data
We collect and use your personal data for the following purposes:
- Order fulfilment: processing purchases, rentals, and exchanges, including payment and delivery
- Account management: creating and managing your Ellie N Leo account
- Loyalty programme: tracking points, managing tier status, and redeeming rewards
- Personalised recommendations: suggesting age-appropriate toys based on child profiles and purchase history
- Educator verification: verifying educator accounts and processing bulk/institutional orders and quotations
- Customer support: responding to enquiries, processing returns and refunds
- Communications: sending order confirmations, shipping updates, and (with consent) promotional emails
- Legal obligations: complying with tax, audit, and regulatory requirements
- Website improvement: analysing usage patterns to enhance our platform
5. Third-Party Service Providers
We share personal data with the following trusted third parties solely for the purposes described above:
Stripe (Payment Processing)
Processes payments securely. Payment card data is handled directly by Stripe under their PCI-DSS compliant infrastructure and is never stored on our servers.
Resend (Email Delivery)
Delivers transactional emails such as order confirmations, shipping updates, and account notifications.
Vercel (Website Hosting)
Hosts our website and application infrastructure. May process technical data such as IP addresses and request logs.
Neon (Database)
Provides secure, serverless PostgreSQL database hosting where account and order data is stored with encryption at rest.
We do not sell, rent, or trade your personal data to any third parties for their marketing purposes.
6. Data Retention
- Account data: retained for as long as your account is active. Upon a valid deletion request, account data will be deleted within 30 days, subject to legal retention requirements.
- Order history and transaction records: retained for 7 years to comply with Singapore tax and accounting regulations (Income Tax Act, GST Act).
- Payment data: handled and retained by Stripe in accordance with their data retention policies. We do not store payment card details.
- Marketing consent records: retained for as long as consent is valid, plus 1 year after withdrawal for audit purposes.
- Technical logs: retained for up to 90 days for security and debugging purposes.
7. Your Rights Under the PDPA
Under the Singapore PDPA, you have the following rights regarding your personal data:
- Right of Access: you may request to know what personal data we hold about you and how it has been used in the past year.
- Right of Correction: you may request the correction of any inaccurate or incomplete personal data.
- Right to Withdraw Consent: you may withdraw your consent for the collection, use, or disclosure of your personal data at any time. Note that withdrawal of consent may affect our ability to provide certain services.
- Right to Deletion: you may request deletion of your personal data, subject to legal retention requirements.
To exercise any of these rights, please contact us at privacy@ellienleo.sg. We will respond to your request within 30 business days.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing
- Regular security reviews and vulnerability assessments
- Access controls limiting data access to authorised personnel only
- PCI-DSS compliant payment processing via Stripe
9. International Data Transfers
Some of our third-party service providers may process data outside of Singapore. Where data is transferred internationally, we ensure that the receiving party provides a standard of protection comparable to that under the PDPA, in accordance with the PDPA's transfer limitation obligation.
10. Children's Data
Our services are intended for parents and guardians purchasing products for their children. We collect child profile information (name, date of birth, interests) only with the consent of the parent or guardian who holds the account. Children under 13 should not create accounts or submit personal data directly. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. We encourage you to review this page periodically.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our Data Protection Officer: