PIPO Privacy Policy

Last updated: March 2021

1. Introduction

PIPO ("we", "our", "us") is committed to protecting and respecting your privacy. This policy sets out the basis on which we will process the personal data we collect from you, you provide to us or a merchant provides to us. Please read this policy carefully so that you understand your rights in relation to your personal data, and how we will collect, use and process your personal data.

2. How does this Privacy Policy apply?

We provide our Services to merchants to facilitate payment processing. During this payment processing, personal data is needed to process specific transactions. Where we process this personal data acting on behalf of the merchant we process personal data on their behalf. For more information on how the merchant processes your personal data, please see the relevant merchant's privacy policy. In certain jurisdictions and under certain specific limited purposes, we may process personal data in accordance and under our own instructions and as such this Privacy Policy would apply as such.

3. What types of information do we collect?

We receive, collect and use the following types of personal data when you use the Services.

• Basic information: we receive information such as your user ID, IP address, and country from the merchant; and we collect information such as your name, mobile number, and email address.
• Payment information: We collect payment information depending on which payment method you choose to facilitate the payment processing, and such information we collect may also vary based on the local requirements in your jurisdiction. For instance, when you need to pay any amount and choose your bank card to pay such amount, we collect your card information such as the name on your card, card type, card number, billing address, and expiration date. For another instance, when you need to withdrawal or receive any amount, depending on the method you choose to withdraw or receive such amount, we may collect your bank account information such as beneficiary name, account number or IBAN, SWIFT BIC, beneficiary address, or collect your account information about the account you open with other payment service providers.
• Identity information: We collect information such as your name, billing address, device information such as your device type and your device's network connections, information about your device web browser and internet connection, and technical usage information such as your IP address. In necessary cases, we collect your identity information such as your local identification card number, passport number, local identification card copy or passport copy to process the transactions or conduct anti-money laundering and/or fraud prevention checks. We will only do so under necessary scenarios, and you will be notified when such requests happen.

4. How do we use this information?

We use your personal data for a range of legitimate purposes related to processing payments on behalf of the relevant merchant, including:

• To administer our Services including facilitating payment processing in a secure and reliable manner;
• To verify your identity. We do this to help protect merchants from fraud as part of the Services we provide. It also allows us to comply with laws which require us to assist with identifying illegal activities, such as Anti-Money Laundering and Know-Your Customer obligations and to meet financial reporting obligations;
• To comply with our legal and regulatory obligations; and
• Where it is in our legitimate business interests:
  • To ensure our Services are safe and secure; and
  • To monitor, analyse and improve our services.

In addition, we may use de-identified of aggregated data that can no longer identify you to develop new PIPO products or other purposes as permitted by law.

5. How do we share your personal data?

Third party services providers.

We share your information with selected recipients. These categories of recipients include:

• Payment service providers that process the payment or facilitate the payment processing. These payment service providers may also process your payments and for anti-money laundering and fraud prevention purposes.

  Among others, we use Worldpay, a UK-based payment service provider. Under UK law, some of Worldpay's data processing activities are performed as an independent data controller. For details of its data processing activities, please read Worldpay's Privacy Statement (link);

• Service providers such as cloud storage providers and providers of IT support services that assist us in providing the Services;

• Analytics and search engine providers that assist us in the improvement and optimisation of the Services; and
• Third parties that provide us with fraud and risk management services including checking the payment information provided to them to identify fraudulent transactions. Some of these third parties may use device fingerprinting technology to collect information about your device for fraud prevention, identity check, or security reasons. A device fingerprint refers to a collection of attributes about a device that enable the device to be recognised or uniquely distinguished from other devices.

Our corporate group

We also share your information within our corporate group, including parent, subsidiary or affiliate companies as needed to provide the Services or for the purposes set out in this policy.

Law enforcement

We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or based on our legitimate business interest if such use is reasonably necessary to:

• comply with a legal obligation, process or request;
• enforce any agreement we have with you or with third parties, including investigation of any potential violation thereof;
• detect, prevent or otherwise address security, fraud or technical issues; or
• protect the rights, property or safety of us, our merchants, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

Corporate reorganisation

We will disclose your information to third parties in our legitimate business interests in the event that we:

• sell, buy, transfer, merge, consolidate or re-organise any part(s) of our business, or merge with, acquire, or are acquired by, or form a joint venture or partner with, any other business, in which case we may disclose your data to any prospective buyer, new owner, or other third party involved in such change to our business; or
• sell, buy or transfer any business or assets (whether as a result of liquidation, bankruptcy or otherwise), in which case we will disclose your data to the prospective seller or buyer of such business or assets.

6. Where do we store your personal data?

The personal data that we collect from you will be transferred to and stored at/processed in countries outside your country (and, for EU data subjects, outside of the European Economic Area (the "EEA")) including in Singapore and the United States.

If you are a user of our merchants' platforms which enable the Services in the European Union, where we transfer your personal data to countries outside the EEA, we do so under the Commission's model contracts for the transfer of personal data to third countries (i.e. Standard Contractual Clauses) pursuant to 2004/915/EC or 2010/87/EU (as appropriate). For a copy of these Standard Contractual Clauses, please contact us at: dpo@oneunita.com.

7. The security of your personal data

We take steps to ensure that your information is treated securely and in accordance with this policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, for example, by encryption, we cannot guarantee the security of your information transmitted via the Platform; any transmission is at your own risk.

We have appropriate technical and organizational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of you and other users of our merchants' platforms. We maintain these technical and organizational measures and will amend them from time to time to improve the overall security of our systems.

8. How long do we store your personal data?

We retain your information for as long as it is necessary for us to provide our Services and fulfil our contractual obligations and rights in relation to the information involved. We retain your information only for so long as we have a legitimate business purpose or legal obligation to keep such data (including where it is necessary for the establishment, exercise or defence of legal claims).

9. Your Rights

For information about the rights you have in relation to your personal data, please see the Jurisdiction-specific Terms below.

10. Complaints

In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at dpo@oneunita.com and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the data protection supervisory authority in the country in which you live or work where you think we have infringed data protection laws.

11. Changes

Any changes we will make to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

12. Contact

Questions, comments and requests regarding this policy are welcomed and should be addressed to dpo@oneunita.com.

Our registered address is:

PIPO (HK) Limited, Suite 3707-09 37/F, Tower Two Times Square, 1 Matheson Street Causeway Bay, Hong Kong SAR.

If you are located in the EEA, our representative is: PIPO Europe Limited, 10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland.

******************************************************************************

13. Jurisdiction-specific terms

Some jurisdiction-specific laws contain additional terms, which are set out in this section. If you are a user of our merchants' platforms to which the laws of the jurisdictions set out below apply, the terms set out below apply to you in addition to the terms set out above and, in the event of a conflict, the terms set out below prevail.

Australia

Overseas recipients: We take reasonable steps to make sure that third party recipients located outside Australia handle your personal information securely and in accordance with this Policy. However, because we manage personal information on a global basis, we cannot always require these recipients to handle your personal information in a manner consistent with Australian privacy laws. That means if a third party recipient does not handle your personal information in a manner consistent with Australian privacy law, we will not be accountable to you and you will not be able to seek redress under Australian privacy law. By providing us your personal information, you consent to us disclosing your personal information to recipients outside Australia on this basis.

Access: You have the right to access your personal information including information on how we use it and who we share it with. If you believe we hold any other personal information about you, please contact us at dpo@oneunita.com.

Correction: You have the right to correct your personal information where it is inaccurate. If you believe we hold any inaccurate personal information about you, please contact us at dpo@oneunita.com.

Your rights: If you have any questions, concerns or complaints in relation to our handling of your personal data, you may contact us at dpo@oneunita.com. We will respond to let you know who will be handling your matter and when you can expect a further response.

California

This Policy applies to all users of our merchants' platforms, including California residents. As a California resident, there are certain additional provisions that may apply to you.

To the extent we are processing consumers' payment transactions on behalf of merchants, we are acting as a service provider to that merchant. Such consumers may exercise their rights by contacting the relevant merchant.

To the extent that you have provided information to us as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit or government agency, the additional provisions that may apply to you as a California resident are more limited.

The following terms used in this section and not otherwise defined have the meanings given to such terms under the California Consumer Privacy Act of 2018 (CCPA): "personal information," and "sale."

No Sales. We do not and have not in the last twelve (12) months sold personal information about you. In the past 12 months we have disclosed for a business purpose the categories of personal information described in section 5 of this policy.

Freedom from Discrimination. You may have the right not to be discriminated against for properly exercising any rights under the CCPA that are applicable to you.

Rights Relating to Direct Marketing. You may be able to request certain details about our disclosure of information about you to third parties for their own direct marketing purposes during the preceding calendar year. This request is free and may be made once a year.

Exercising Your California Privacy Rights. To submit a request, please contact us by email at dpo@oneunita.com.

European Union

You have the right to ask us to access the personal data we hold about you and be provided with certain information about how we use your personal data and who we share it with. You also have the right to ask us to correct your personal data where it is inaccurate or incomplete.

Where you have provided your personal data to us with your consent, you have the right to ask us for a copy of this data in a structured, machine readable format and to ask us to share (port) this data to another data controller.

In certain circumstances, you have the right to ask us to delete the personal data we hold about you:

• where you believe that it is no longer necessary for us to hold your personal data;
• where we are processing your personal data on the basis of legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing;
• where you have provided your personal data to us with your consent and you wish to withdraw your consent and there is no other ground under which we can process your personal data; or
• where you believe the personal data we hold about you is being unlawfully processed by us. In certain circumstances, you have the right to ask us to restrict (stop any active) processing of your personal data:
  • where you believe the personal data we hold about you is inaccurate and while we verify accuracy;
  • where we want to erase your personal data as the processing is unlawful but you want us to continue to store it;
  • where we no longer need your personal data for the purposes of our processing but you require us to retain the data for the establishment, exercise or defense of legal claims; or
  • where you have objected to us processing your personal data based on our legitimate interests and we are considering your objection.

In addition, you can object to our processing of your personal data based on our legitimate interests and we will no longer process your personal data unless we can demonstrate an overriding legitimate ground.

To exercise any of these rights above, please contact us by email at dpo@oneunita.com. In addition, you have the right to complain to the Information Commissioner's Office or other applicable data protection supervisory authority.

Please note that these rights are limited, for example, where fulfilling your request would adversely affect other individuals or company trade secrets or intellectual property, where there are overriding public interest reasons or where we are required by law to retain your personal data.

India

Consent: By enabling the Services through our merchants' platforms, you are accepting and consenting to the practices described in this Policy.

Transfer and Storage of your information: The personal data that we collect from you may be transferred to, and stored at, a destination outside of your country. It may also be processed by staff operating outside your country who work for us, for one of our suppliers or one of our business partners. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Policy. Please refer to the above sections of "How do we share your personal data" and "Where do we store your personal data" for further details of the collection and storage of your personal data.

Data rights: You have the right to access and review personal data we hold about you, to rectify any personal data held about you that is inaccurate, to request the deletion of personal data held about you, and the right to request the suspension of the processing of your personal data. You can exercise these rights by contacting us by email at dpo@oneunita.com. You may at any time withdraw your consent previously provided for the collection and processing of your personal data. Please note that if you withdraw your consent, you will not be unable to use the Services through our merchants' platforms as we require your information for the provision of our Services through our merchants' platforms.

Retention of Data: We will retain your information as required under applicable laws. After you have terminated your use of the Services through our merchants' platforms, we may store your information in an aggregated and anonymised format.

Grievances: If you have any questions, concerns or complaints in relation to our handling of your personal data, or about this Policy, please contact us by email at dpo@oneunita.com.

Brazil

If you are using the Services in Brazil, the following additional terms apply:

Exercise of data protection rights. Brazilian law provides certain rights to individuals with regard to their personal data. Thus, we seek to ensure transparency and access controls in order to allow users to benefit from the mentioned rights.

We will respond and/or fulfill your requests for the exercise of your rights below, according to the applicable law and when applicable, to the Brazilian General Data Protection Law - LGPD:

1. confirmation of whether your data are being processed;
2. access to your data;
3. correction of incomplete, inaccurate or outdated data;
4. anonymization, blocking or erasure of data;
5. portability of personal data to a third party;
6. object to the processing of personal data;
7. information of public and private entities with which we shared data;
8. information about the possibility to refuse providing personal data consent and the respective consequences, when applicable;
9. withdrawal of your consent.

Verifying your identity : For your safety and to allow us to make sure that we do not disclose any of your personal data to unauthorized third parties, in order to verify your identity and guarantee the adequate exercise of your rights, we may request specific information and/or documents from you before we can properly respond to a request received concerning your data. All data and documents received from you in the process of responding to your requests will be used for the strict purposes of analyzing your request, authenticating your identity, and finally responding to your request.

Limitations to your rights : In certain situations, we may have legitimate reasons not to comply with some of your requests. For instance, we may choose not to disclose certain information to you when a disclosure could adversely impact our business whenever there is a risk of violation to our trade secrets or intellectual property rights. In addition, we may refrain from complying with a request for erasure when the maintenance of your data is required for complying with legal or regulatory obligations or when such maintenance is required to protect our rights and interests in case a dispute arises. Whenever this is the case and we are unable to comply with a request you make, we will let you know the reasons why we cannot fulfill your request.

Parental and Guardian Consent. If required by Brazilian data protection laws, (i) if you are over the age of 16 but under the age of 18, you can only use the Services with the assistance of your parent or legal guardian and you declare and represent that you had such assistance to use the Services and to agree to the Policy; (ii) if you are under the age of 16, you can only use the Services with the representation of your parent or legal guardian, and you must obtain the consent from your parent or legal guardian to the use of the Services and acceptance of this Privacy Policy.

Language. The Policy may have been prepared in the English language and in the Portuguese language. If you are a user located in Brazil, you shall refer to the Portuguese version, which shall prevail.

Contact : In case of doubt about your privacy, your rights or how to exercise them, please contact us through the form "Contact". If you have any questions about the processing of your personal data, we would like to clarify them.

DPO : If you wish to reach the PIPO's Data Protection Officer, contact us at: dpobrasil@oneunita.com

Indonesia

If you are using the Services in Indonesia, the following additional terms apply:

Language. In compliance with any applicable law to the extent that the applicable law requires that the Policy is to be made in a local language (for example Indonesian language), the Policy is made in an English language version and an Indonesian language version. If there is any inconsistency between the English language version and the Indonesian language version of the Policy, the English language version shall prevail, and the Indonesian language version is deemed to be automatically amended (with effect from the last updated date of the Policy) to make the relevant part of the Indonesian language version consistent with the relevant part of the English language version.

Contact. Questions, comments and requests regarding this Policy should be addressed to dpo@oneunita.com.