Foris Asia Pte. Ltd.’s Privacy Notice

Last Updated: April 20, 2022

Introduction

Welcome to Foris Asia Pte. Ltd.’s Privacy Notice (“Privacy Notice”).

We respect your privacy and we are committed to protecting your personal data. This Privacy Notice sets out the basis upon which Foris Asia Pte. Ltd. ("Crypto.com", “we”, “us, or “our”) may collect, use, disclose, manage or otherwise process personal data of our customers, in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”), as amended from time to time, when using any of our products, services and/or applications (collectively “Services”) or when visiting or using our mobile application (“App”), site or any of Foris Group’s websites at https://crypto.com/sg/cards (“Website”).

This Privacy Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

Definitions

In this Privacy Notice, the words and expressions below have the following meaning:

As used in this Privacy Notice Meaning

customer

means an individual who:

(a) visits or has visited our App, site and/or any of our Websites;

(b) has contacted us through any means to find out more about any Services we provide on our App, site and/or Website;

(c) uses the Services, App and/or Website; or

(d) may, or has, entered into a contract for the supply of any Services by us and/or by the organisations which have engaged us to provide Services to you.

Foris Group

means Foris Asia Pte. Ltd., its related corporations, companies, affiliates and/or subsidiaries.

personal data

means data, whether true or not, about a customer who can be identified:

(a) from that data; or

(b) from that data and other information to which we have or are likely to have access.

you, your or yours

means the persons to whom this Privacy Notice applies including customer.

Other terms used in this Privacy Notice shall have the meanings given to them in the PDPA (where the context so permits).

1. Important information

Privacy Notice

This Privacy Notice aims to give you information on how we collect and process your personal data when you visit our Website, or through your use of the Services and any personal data you may provide when you register for or use the Services, sign up for alerts or newsletters, contact us with a question or request for help, participate in any renewals, promotions or surveys.

The Website and the Services are not intended for minors below 18 and we do not knowingly collect data relating to minors.

It is important that you read this Privacy Notice together with any other privacy policies or fair processing notices, we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements other policies and privacy notices and is not intended to override them.

Third-party links

The Website and App may include links to third-party websites, plug-ins and applications ("Third Party Websites"). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these Third-Party Websites and are not responsible for their privacy statements. When you leave our Website or App, we encourage you to read the privacy notice of every Third Party Website you visit or use.

2. Personal Data

Depending on the nature of your interaction with us, some examples of personal data which we may collect, use, process, manage, store and transfer about you include:

Categories of personal data

Details of personal data

Identity Data

● name

first name

maiden name

last name

username or similar identifier

title

date of birth

gender

a visual image of your face

tax identification number

nationality

NRIC number

passports or other form of identification documents including proof of address such as a utility bill or bank statement

Contact Data

billing address

delivery address

home address

work address

email address

telephone numbers

Financial Data

bank account

payment card details

external e-money wallet details

Transactional Data

details about payments to and from you other details of any transactions you enter into using products and services you have purchased from us

Technical Data

internet protocol (IP) address

your login data

browser type and version

time zone setting and location data

browser plug-in types and versions

operating system and platform

other technology or information stored on the devices you allow us access to when you visit the Website or use the Services, such as friends lists or other digital content

Profile Data

your username and password

requests by you for products or services your interests, preferences, feedback and survey responses

Usage Data

information about how you use:

- our Website

- App

- products and services

Marketing and Communications Data

your preferences in receiving marketing from:

- us

- our third parties

- your communication preferences.

As explained above under Identity Data, we will also collect a visual image of your face which we will use, in conjunction with our sub-contractors, to check your identity for onboarding purposes. When we ask to collect a visual image of your face you will be asked for your specific consent. You can refuse to provide this, but it means that we will be unable to register you and provide you with the Services.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

If you refuse to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you refuse to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

3. Collection of personal data

We generally do not collect your personal data unless:

a) it is provided to us voluntarily by you directly or by organisations which have engaged us to provide the services to you or via a third party who has been duly authorized by you to

disclose your personal data to us (your “authorized representative”) after you (or your authorized representative) or the organization which have engaged us to provide the services to you:

i) have been notified of the purposes for which the data is collected or processed, and ii) have provided written consent to the collection, processing and usage of your personal data for those purposes, or

b) collection, processing and use of personal data without consent is permitted or required by the PDPA or other laws.

We shall seek your consent or an undertaking from the organization which have engaged us to provide the services to you that you have consented before collecting or processing any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).

Depending on the nature of your interaction with us, we may collect information from and about you from various sources including through:

Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms, providing a visual image of yourself via the Service, by email or otherwise. This includes personal data you provide when you:

apply for our products or services;

create an account;

subscribe to our service or publications;

make use of any of our Services;

request marketing to be sent to you;

enter a competition, promotion or survey; or

give us feedback or contact us.

Automated technologies or interactions. As you interact with us via our Website or App, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We will also collect Transactional Data. We may also receive Technical Data about you if you visit other websites employing our cookies. On our main Website you will be informed about how we use cookies through the Cookie Settings.

Third parties or publicly available sources. We also obtain information about you from third parties (such as employers, credit reference agencies and fraud prevention agencies) who may check your personal data against any information listed on other databases.

4. Use of personal data

We may collect, process, manage and/or use your personal data for any or all of the following purposes:

a. registering you as our new customer or user in connection with your request;

b. developing and providing Services (whether made available by us or through us) and any App features, including but not limited to:

.executing Services, commercial or other transactions and requests;

i.carrying out research, planning and statistical analysis;

ii.analytics for the purposes of developing our websites, products, services, security, service quality, advertising or customization strategies; or

iii.delivering relevant Website content and advertisements to you and measuring or assessing the effectiveness of the advertising we serve;

c. performing obligations in the course of or in connection with our provision of the Services requested by you;

d. enforcing obligations owed to us;

e. verifying your identity before providing our Services, or responding to any of your queries, applications, requests, feedbacks and complaints;

f. conducting credit checks, screenings or due diligence checks as may be required under applicable law, regulation or directive;

g. risk, fraud and crime prevention and detection including performing anti-money laundering, counter terrorism, sanction screening, fraud and other background checks, detect, investigate, report and prevent financial crime in broad sense, obey laws and regulations which apply to us and response to complaints and resolving them;

h. detecting and preventing abuse or misuse of services;

i. responding to, handling, assessing and processing applications, instructions, requests, queries, complaints, and feedback from you or our customers;

j. complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

k. managing your relationship with us or the organisation which have engaged or partnered with us;

l. managing, processing, collecting and/or transferring payment or credit transactions;

m. monitoring Services provided by or made available through us;

n. communicating with you, including providing you with updates on changes to Services (whether made available by us or through us) including any additions, expansions, suspensions and replacements of or to such Services and their terms and conditions;

o. sending you marketing information about our services including notifying you of our marketing events, initiatives and promotions, membership and rewards schemes and other promotions;

p. managing our business operations and complying with internal policies and procedures;

q. reporting purposes including regulatory reporting, management reporting, audit and record keeping purposes;

r. administering and protecting our business, Website and App(s) including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data;

s. any other purposes for which you have provided the information;

t. transmitting to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes;

u. to enable you to partake in a prize draw, competition or complete a survey;

v. for purposes set out in the terms and conditions that govern our relationship with you or our customer; and

w. any other incidental business purposes related to or in connection with the above.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Promotional offers from us

We may use your Identity, Contact, Technical, Transactional, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product / service purchase, warranty registration, product / service experience or other transactions.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Services or Websites may become inaccessible or not function properly. For more information about the cookies we use, please refer to our main Website.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

The purposes listed above may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).

5. Disclosure of personal data

We may disclose your personal data:

a. where such disclosure is required for performing obligations in the course of or in connection with the provision of the services requested by you;

b. to third-party service providers, agents, subcontractors, Foris Group and other organisations we have engaged to perform any of the functions listed in clause 4 above for us; or

c. to other organisations which have engaged us to perform any of the functions listed in clause 4 above for and on their behalf pursuant to your request.

When using third-party service providers, they are required under written agreements, to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may pass your personal data to the following entities:

companies and organisations that assist us in processing, verifying or refunding transactions you make via our App or the MCO Visa Card and in providing any of the Services that you have requested;

identity verification agencies to undertake required verification checks; fraud prevention agencies to help fight against financial crime including fraud, money laundering and terrorist financing;

mobile application developers;

organisations which assist us with customer service facilities;

anyone to whom we lawfully transfer or may transfer our rights and duties under the relevant Terms & Conditions governing the use of any of the Services;

any third party as a result of any restructure, sale or acquisition of our group or any Affiliates, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us; and

regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law allows or requires us to do so.

6. Deemed Consent by Notification

We may collect or use your personal data, or disclose existing personal data for secondary purposes that differ from the primary purpose which it had originally collected for pursuant to clauses 4 and 5. If we intend to rely on deemed consent by notification for such secondary purposes, we will notify you of the proposed collection, use or disclosure of your personal data through appropriate mode(s) of communication.

Before relying on deemed consent by notification, we will assess and determine that the collection, use and disclosure of the personal data will not likely have an adverse effect on you. You will be given a reasonable period to inform us if you wish to opt-out of the collection, use and disclosure of your personal data for such purposes.

After the lapse of the opt-out period, you may notify us that you no longer wish to consent to the purposes for which your consent was deemed by notification by withdrawing your consent for the collection, use or disclosure of your personal data in relation to those purposes.

7. Reliance on Legitimate Interests Exception

In compliance with the PDPA, we may collect, use or disclose your personal data without your consent for our legitimate interests or for the legitimate interests of another. In relying on the legitimate interests exception of the PDPA, we will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh any adverse effect.

8. International transfers

We may transfer, store, process and/or deal with your personal data outside Singapore as we may share your personal data within Foris Group and/or to other external third party service providers, as the case maybe, which will involve transferring your personal data outside Singapore or the origin of where your personal data is collected.

In any event, we will comply with PDPA and other applicable data protection and privacy laws and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Singapore.

9. Your rights

Under certain circumstances, you have rights under the PDPA in relation to your personal data. Access to and correction of personal data

If you wish to make:

a) an access request for access to a copy of the personal data which we hold or process about you or information about the ways in which we use, process or disclose your personal data; or

b) a correction request to correct or update any of your personal data which we hold or process about you;

you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.

Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

As a security measure to ensure that personal data is not disclosed to any unauthorized person, we may need to request some personal data or information so that we can verify your identity when you request access to your personal data.

We may also contact you to ask you for further information in relation to your request to speed up our response.

Withdrawing your consent

The consent that you provide for the collection, use, processing and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop using, processing and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within thirty (30) business days of receiving it.

Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing the services which you have requested and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described herein.

Please note that withdrawing consent does not affect our right to continue to collect, use, process and/or disclose personal data where such collection, use, processing and/or disclosure without consent is permitted or required under applicable laws.

10. Protection of Personal Data

To safeguard your personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical, security and technical measures such as up-to-date antivirus protection, encryption and the adoption of privacy filters to secure all storage and transmission of personal data by us, and disclosing personal data both internally and to our authorized third party service providers and agents only on a need-to-know basis.

Depending on the nature of the risks presented by the proposed processing of your personal data, we will have in place the following appropriate security measures:

a) organisational measures (including but not limited to staff training and policy development);

b) technical measures (including but not limited to physical protection of data, pseudonymization and encryption); and

c) securing ongoing availability, integrity and accessibility (including but not limited to ensuring appropriate back-ups of personal data are held).

You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

We have put in place procedures to deal with any suspected personal data breach and will notify you and/or PDPC of a breach where we are legally required to do so.

11. Accuracy of Personal Data

We generally rely on personal data provided by you (or your authorized representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below.

12. Retention of Personal Data

We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.

13. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing enquiries in relation to this Privacy Notice. If you have any enquiries or feedback about this Privacy Notice, our privacy practices or if you wish to make any request pertaining to your rights in respect of your personal data, please contact our DPO Team in the following manner:

Email: [email protected]

14. Effect of Privacy Notice and Changes to Privacy Notice

This Privacy Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use, disclosure, management and processing of your personal data by us.

We may revise this Privacy Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Privacy Notice was last updated. Your continued use of our Services constitutes your acknowledgement and acceptance of such changes.

Foris Asia Pte. Ltd.
1 Raffles Quay, #25-01 Singapore 048583