SE
Now in production — Ballet tour SEA, Hanoi 12 Dec 2026 / 6inch Dance Camp — Koh Samui 18 Nov 2026 / Enigma — Bangkok encore TBA / Cherry Blossom Festival India — Akon headlining / Token Dubai 2026 — in prep  /  Now in production — Ballet tour SEA, Hanoi 12 Dec 2026 / 6inch Dance Camp — Koh Samui 18 Nov 2026 / Enigma — Bangkok encore TBA / Cherry Blossom Festival India — Akon headlining / Token Dubai 2026 — in prep
EN · RU

Privacy

Privacy Policy

Effective 4 May 2026

We use minimum personal data, store it in named places, keep it for as long as we promise — and no longer. This page explains exactly what runs and why.

1 — Who we are

SROAST Entertainment Pte. Ltd. ("SROAST", "we", "us") is a private limited company incorporated in Singapore.

  • Registered office: 68 Circular Road #02-01, Singapore 049422
  • UEN: 202549936C
  • Operating HQ: Bangkok, Thailand
  • Privacy contact: main@sroast.com

SROAST is the data controller for the personal data described below. For Singapore PDPA purposes, the same address handles Data Protection Officer enquiries.

2 — What we collect, why, and the legal basis

2.1 — Brief form (the main lead capture on this site)

When you submit the contact form on sroast.com you give us:

  • Your name
  • Company / role
  • Email (required — needed to reply within our 24-hour SLA)
  • Phone (optional)
  • Markets you're interested in
  • The brief itself (free text)

We also automatically log the page you submitted from, your browser's user-agent string and the country your IP resolves to (via Cloudflare's cf-ipcountry header). We do not store the IP address itself.

Legal basis: taking steps prior to entering a contract at your request (GDPR Article 6(1)(b) / PDPA Section 13), and our legitimate interest in qualifying enquiries (GDPR Article 6(1)(f)).

2.2 — Theme preference (light / dark)

If you toggle the site theme, your choice is saved in your browser as localStorage["sroast-theme"]. This is purely functional, never leaves your device, and is required for the site to remember your visual preference between visits.

Legal basis: strictly necessary for a service you've requested — no consent required (PECR / GDPR ePrivacy carve-out).

2.3 — Web traffic analytics (always on, no cookies)

Cloudflare Web Analytics records aggregate, server-side metrics: pageviews, referring sites, country, device type, and Core Web Vitals performance. It uses no client-side cookies, no fingerprinting, no cross-site identifiers. Data is anonymised on Cloudflare's edge before storage.

Legal basis: legitimate interest in understanding site performance (GDPR Article 6(1)(f)). EDPB has confirmed cookieless, server-side analytics of this kind do not require consent.

2.4 — Microsoft Clarity (off by default — only with your consent)

If — and only if — you accept the analytics category in our cookie preferences, we load Microsoft Clarity. Clarity records anonymised session replays (mouse movement, clicks, scroll depth) and builds heatmaps so we can see where visitors get stuck. It drops two cookies, _clck and _clsk, and processes data on Microsoft's infrastructure.

Personal identifiers visible in form fields are masked by Clarity at the source. We never link Clarity sessions to lead records. Microsoft's own privacy terms apply: privacy.microsoft.com/en-us/privacystatement.

Legal basis: your explicit consent (GDPR Article 6(1)(a)). You can withdraw it any time via the "Cookie settings" link in the site footer.

2.5 — Server logs

Cloudflare retains short-term operational logs (IP, timestamp, request path) for security, abuse prevention and rate-limiting. We do not access these logs except to investigate an incident.

Legal basis: legitimate interest in network security (GDPR Article 6(1)(f), Article 32).

3 — Where your data is stored (sub-processors)

We use a small set of named third-party processors, each bound by their own data-processing terms:

  • Notion Labs, Inc. (USA) — stores Brief submissions in our internal CRM. Processor under DPA. SCCs in place for EU/UK transfers. Notion's privacy notice.
  • Sendinblue SAS (trading as Brevo, France) — sends transactional notification emails to our team when you submit a brief. EU-based, GDPR-native. Brevo's privacy policy.
  • Google LLC (USA) — Google Workspace hosts our @sroast.com mailboxes. SCCs + Google's Data Processing Amendment apply.
  • Cloudflare, Inc. (USA) — serves the site and its API endpoints, runs Web Analytics, provides DDoS protection. SCCs + Cloudflare's DPA apply.
  • Microsoft Corporation (USA) — runs Clarity, but only after you opt in (see 2.4).
  • GitHub, Inc. (USA, Microsoft subsidiary) — hosts the source code repository. Personal data is not stored here.

4 — How long we keep things

  • Brief submissions in Notion CRM: 24 months from submission, or until you ask us to delete sooner. Won deals roll into commercial files governed by Singapore tax-record retention (typically 5 years).
  • Email correspondence: kept in Google Workspace for the active engagement, then archived for up to 5 years for tax / dispute reasons.
  • Server logs (Cloudflare): 30 days operational, longer only when investigating a security incident.
  • Microsoft Clarity sessions: 13 months (Microsoft's default), or until you withdraw consent — whichever is sooner.
  • Theme preference (localStorage): until you clear your browser storage. Never leaves your device.

5 — Your rights

Under GDPR (if you're in the EU/UK), Singapore PDPA, Thailand PDPA and Russian Federal Law 152-FZ, you have the right to:

  • Know what personal data we hold about you (access)
  • Have it corrected if it's inaccurate
  • Have it deleted ("right to be forgotten")
  • Restrict or object to processing
  • Receive a copy in a portable format
  • Withdraw consent for any consent-based processing (e.g. Clarity) at any time
  • Lodge a complaint with the Singapore PDPC, your national EU data-protection authority (e.g. CNIL in France), the Thai PDPC, or Roskomnadzor in Russia

Email main@sroast.com with subject "Privacy request" and we'll respond within 30 days. We may need to verify your identity before disclosing or deleting records — for security, not bureaucracy.

6 — International transfers

Most of our processors are based in the EU (Brevo) or USA (Notion, Cloudflare, Google, Microsoft, GitHub). Where personal data is transferred outside the EEA / UK / Singapore, we rely on:

  • Standard Contractual Clauses (SCCs) under GDPR Article 46
  • The EU–US Data Privacy Framework where applicable
  • The recipient's PDPA-equivalent obligations under Singapore Section 26

7 — Cookies and similar storage

The full breakdown of what runs on this site, by category:

  • Strictly necessarylocalStorage["sroast-theme"]. Always on. Stores light/dark choice.
  • Analytics & UX — Microsoft Clarity (_clck, _clsk). Off by default, only loads after explicit opt-in.
  • Marketing / advertising — None. We don't run retargeting pixels.

You can change your choice anytime via the Cookie settings link in the footer. We honour the Sec-GPC Global Privacy Control header — if your browser sends it, we automatically reject the analytics category without showing you a banner.

8 — Children

SROAST's services are aimed at promoters, agencies and venue operators — adult B2B audiences. We don't knowingly collect personal data from anyone under 16. If you believe a child has submitted data via our forms, email us and we'll delete it.

9 — Changes to this policy

We update this page when we add, remove or change a processor — not because we want to wear you down with notifications. The Effective date at the top reflects the latest version. Material changes (new categories of data, new high-impact processors, new retention periods) are flagged via a banner on the homepage for at least 14 days.

10 — Contact

main@sroast.com — privacy questions, access requests, deletion requests, anything else covered above. We aim to respond within 5 working days; legal SLAs apply for formal requests.

Terms of Service →

SROAST Entertainment Pte. Ltd. — UEN 202549936C Privacy · Terms · © 2020–2026 · Singapore

COOKIE PREFERENCES

Choose what runs on this site.

You can change this anytime via the "Cookie settings" link in the footer.

Strictly necessary

Always on

Theme preference (light / dark) is remembered locally so the site doesn't flicker on every visit. No identifiers, no third parties, no consent needed under GDPR Article 6(1)(f).

Analytics & UX

Microsoft Clarity records anonymized session replays and heatmaps so we can see where the site frustrates visitors. Drops _clck and _clsk cookies. Off until you turn it on.