Privacy Policy

Last Updated: 1 July 2026

This Privacy Policy explains how Habitus Creative Pte. Ltd. ("The Old Post", "The Old Post Mail Club" "we", "us", or "our"), a company incorporated in Singapore (Company Registration No. 202512839K), collects, uses, discloses, and protects your personal data when you visit https://theoldpost.store (the "Site"), place an order, subscribe to our dispatches, or otherwise interact with us.

We are committed to handling your personal data responsibly and in accordance with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the UK General Data Protection Regulation (UK GDPR), as applicable to you.

By using the Site or providing us with your personal data, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are (Data Controller)

For the purposes of the GDPR, UK GDPR, and PDPA, the data controller responsible for your personal data is:

Habitus Creative Pte. Ltd.

Company Registration No. (UEN): 202512839K

For any questions about this Privacy Policy or how we handle your personal data, or to exercise your rights, you may contact our Data Protection Officer at:

  • Email: support@theoldpost.store
  • Contact form: https://theoldpost.store/contact

2. What Personal Data We Collect

We collect and process the following categories of personal data:

Information you provide to us directly:

  • Identity and contact details — your name, shipping address, billing address and email address.
  • Order and subscription details — the products you purchase, your subscription status and preferences, gift recipient details where you send a dispatch as a gift, and your correspondence and dispatch history with us.
  • Communications — the content of any messages you send us via email or our contact form.

Information we collect automatically:

  • Technical and usage data — your IP address, browser type and version, device information, operating system, referring website, and information about how you use our Site, collected via cookies and similar technologies (see Section 8).

Information we receive from third parties:

  • Payment confirmation and fraud-prevention data from our payment processor. We do not collect or store your full card details ourselves; these are handled directly by our payment processor.

We do not knowingly collect any special categories of sensitive personal data, and we ask that you do not provide any to us.

3. How and Why We Use Your Personal Data (Purposes and Legal Bases)

We use your personal data for the purposes set out below. Where the GDPR or UK GDPR applies to you, we also identify the legal basis we rely on. Where the PDPA applies, we process your data on the basis of your consent (including deemed consent) or as otherwise permitted under the PDPA.

PurposeLegal Basis (GDPR / UK GDPR)
To process and fulfil your orders, deliver your dispatches, and manage your subscriptionPerformance of a contract with you
To process payments and prevent fraudulent transactionsPerformance of a contract; our legitimate interests in securing our business
To communicate with you about your order, subscription, or enquiries (transactional messages)Performance of a contract
To send you marketing communications about new dispatches, offers, and updatesYour consent (which you may withdraw at any time)
To operate, maintain, and improve our Site and services, including analyticsOur legitimate interests in running and improving our business
To comply with legal, accounting, and tax obligationsCompliance with a legal obligation
To establish, exercise, or defend legal claimsOur legitimate interests in protecting our business

Where we rely on legitimate interests, we have considered these against your rights and interests. You may object to such processing (see Section 6).

4. Who We Share Your Personal Data With

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

Service providers (data processors) acting on our behalf:

  • Payment processing — Stripe, Inc., which processes your payment securely. See Stripe's privacy policy at https://stripe.com/privacy.
  • Order and customer management — our content management and order-management platform, which stores and processes order and customer information to enable us to fulfil your orders.
  • Business operations and formation services — Atlas, used in connection with the administration of our business.
  • Analytics — [Google Analytics], which helps us understand how the Site is used.
  • Shipping and postal services — national and international postal carriers, to whom we provide the delivery details necessary to send your dispatch.
  • Email and communications platforms — where used, to send you transactional and (with consent) marketing communications.

Others:

  • Professional advisers (such as accountants, auditors, and lawyers) where necessary.
  • Regulatory authorities, law enforcement, or other third parties where we are required to do so by law, or to protect our rights.
  • A successor entity in the event of a business sale, merger, or reorganisation.

We require our service providers to protect your personal data and to use it only for the purposes we specify.

5. International Transfers of Your Personal Data

We are based in Singapore, and some of our service providers are located outside Singapore, the European Economic Area (EEA), and the United Kingdom — including in the United States. This means your personal data may be transferred to, stored in, and processed in countries whose data protection laws may differ from those of your own country.

Where we transfer personal data internationally, we take steps to ensure an adequate level of protection, including relying on:

  • adequacy decisions, where the recipient country has been recognised as providing adequate protection; and/or
  • appropriate safeguards, such as the European Commission's and UK's Standard Contractual Clauses, in the contracts we hold with our service providers.

Under the PDPA, we will ensure that any overseas recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA.

6. Your Rights

Depending on the law applicable to you, you have the following rights in relation to your personal data.

If the GDPR or UK GDPR applies to you, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request that we correct inaccurate or incomplete data.
  • Erasure — request that we delete your data in certain circumstances ("right to be forgotten").
  • Restriction — request that we restrict processing in certain circumstances.
  • Data portability — request that we provide your data in a structured, commonly used, machine-readable format.
  • Object — object to processing based on our legitimate interests, and to direct marketing at any time.
  • Withdraw consent — where we rely on consent, withdraw it at any time (without affecting the lawfulness of processing before withdrawal).
  • Lodge a complaint — with your local supervisory authority (in the UK, the Information Commissioner's Office, https://ico.org.uk).

If the PDPA applies to you, you have the right to:

  • Access — request access to the personal data we hold about you and information about how it has been used or disclosed.
  • Correction — request correction of any error or omission in your personal data.
  • Withdraw consent — withdraw your consent to our collection, use, or disclosure of your personal data at any time, upon reasonable notice, subject to legal or contractual restrictions.

To exercise any of these rights, please contact us using the details in Section 1. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law. These rights are not absolute and may be subject to legal exemptions; where we cannot fulfil a request, we will explain why.

7. How Long We Keep Your Personal Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, tax, or reporting requirements.

  • Order, subscription, and transaction records are generally retained for the duration of your relationship with us and for a period afterward as required by Singapore tax and accounting law (currently at least five years).
  • Marketing contact details are retained until you unsubscribe or withdraw consent.
  • Where personal data is no longer required and we are not legally obliged to retain it, we will securely delete or anonymise it.

8. Cookies and Similar Technologies

Our Site uses cookies and similar technologies to function properly, to remember your preferences, and to help us understand how the Site is used.

  • Strictly necessary cookies enable core functionality such as checkout and cannot be switched off.
  • Analytics cookies help us measure and improve Site performance. Where required by law, we will only set these with your consent, obtained via our cookie banner.

You can manage your cookie preferences through the banner on our Site and through your browser settings. Disabling certain cookies may affect how the Site functions. For more detail on the specific cookies we use, please refer to our cookie banner or contact us.

9. How We Protect Your Personal Data

We implement reasonable technical and organisational security measures designed to protect your personal data against unauthorised access, loss, misuse, or alteration. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. You provide your personal data to us at your own risk, and you are responsible for keeping any account credentials confidential.

10. Children's Privacy

Our Site and products are intended for adults. We do not knowingly collect personal data from children under the age of 16 (or the equivalent minimum age under applicable local law). If you believe we have inadvertently collected such data, please contact us and we will take steps to delete it.

11. Third-Party Links

Our Site may contain links to third-party websites, including social media platforms. This Privacy Policy does not apply to those sites, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated "Last updated" date. Where changes are significant, we will take reasonable steps to notify you. Your continued use of the Site after any changes constitutes acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Habitus Creative Pte. Ltd.

  • Email: support@theoldpost.store
  • Contact form: https://theoldpost.store/contact