Privacy Policy

We, Nomupay(hereinafter referred to from time to time as “we”, “us”, “our”),value your privacy and strive to protect your personal data in compliance with thelaws and regulations governing personal data protection, including those that are enforceable in Thailand,which impose legal obligations upon us.

This privacy notice (“Privacy Notice”) explains:

  • what kind of personal data we collect and why we collect it;this includes what you tell us about yourselfand what we learn by having you as a customer, and the choices you give us about what marketing materials you want us to send you;
  • how we use your personal data;
  • whowe disclose your personal data to;
  • how long we keep your personal data; and
  • what your privacy rights as a data subject are and how the law protects you.

1. Collection of Personal Data

We use many different kinds of personal data. The type of customer data that we collect depends on the circumstances of the collection,the nature of requested service(s), and the transaction(s) performed.

We collect personal data about you from various sources as follows:

Information that you provide to us, namely:

  • Personal details:theseinclude any information concerning your identity, such as your given name(s), preferred name(s), gender, date of birth, marital status, personal identification number or information, passport number(s) andother government issued number(s), tax identification number(s), nationality, images of passports, driving licenses, signatures, authentication data (e.g. passwords, your maiden name, PINs, e-signatures, facial and voice recognition data, and fingerprints data); photographs and visual images, details of your education and employment, names and contact details of your family members and dependents,or other identification information;
  • Personal contact information: this includes any information you provide to us that would allow us to contact you, such as postal address, email address, social network details, or landline and mobile numbers;
  • Details of others provided by you: these include any information that you have provided us about other persons with whom we may or may not have direct legal relationship, such as their personal details or personal contact information;such details of others could include your guarantors, trustees, the beneficiaries of your insurance policy, joint account holders, people appointed to act on your behalf, your business partners, officers, or agents, and individuals whom you have referred to us, etc.;
  • Information from digital device: any information about the computer system or other technological device that you use to access any of our or third parties’ channels, applications, websites/sites or social media, as the case may be (collectively the “Sites”), in order to contact, communicate, visit or interact with us, such as IP addresses, operating system type, network information, web browser type and version, cookies, activity logs, online identifiers, unique device identifiers, geo-location data,photographs, videos, and voice recordings, among others;
  • Website/communication usage information:as you use or navigate through and interact with our Sites, we use automatic data collection technologies (i.e.cookies, web beacon, or third party tracking for analytics and advertising purposes) to collect certain information about you and your activities, such as the links you click on, the pages or content you view, the content response times,the download errors and the length of visits. (Please refer to our Cookies Policy published on our website for more information);
  • Account login information:any information that is required to give you access to your specific account profile, for examples, your login ID/email address, subscription data, screen name, password in unrecoverable form, security question and answer, login credentials for phone and/or onlineapplications;
  • Demographic information & interests:any information that describes your demographics or behavioral characteristics; for examples, your date of birth, age or age range, gender, geographic location, favorite products, hobbies and interests, household or lifestyle information, the way you use products and/or services, including information about payments you make or receive, such as the dates, amount, currency, and the details of your counterparties for the transactions, or your personal preferences relating to such transactions;
  • Market research & feedback:any information that you voluntarily share with us about your experience of using the products and/or services offered by us, such as your needs and interests, information and opinions expressed when participating in a market research and/or survey, or contact information that you provide to us in order to receive news and updates from us;
  • Customergenerated content:any content that you create and then share with us on third party social networks or by uploading it to one of our Sites, such as photographs, videos, personal stories, or other similar media or content;
  • Our customer support services:any communications with our officers, such as record of contact, complaints and/or disputes, emails or letters you send to us, record of your feedback, and record of advice that we may have given you; and
  • Special categories of personal data (sensitive personal data): any sensitive data which is necessary for us to consider granting you products and/or services and to perform customer due diligence as required by law, e.g.information about criminal convictions and offences and biometric data.

Information we collect or generate about you, namely:

  • Financial information: any of your financial information and information about your relationship with us, including any of our products and/or services or those offered by us(e.g.acquiring products, or other electronic payment products), that you apply for or hold or have had in the past, the channels you use and your ways of interacting with us, your ability to get and manage your credit, credit and borrowing history, your payment history, instruction records, transactions records, market trades, payments into your account, including salary details and information, billing address, account numbers, credit or debit card numbers, cardholder or accountholder name and details, credit information, risk rating information, counterparty details, client relationship information, payment and trade transactions information, personal wealth, assets, and liabilities, proof of income and expenditures, and other financial information;
  • Marketing and sales information: such as details of the products and/or services that you receive and your preferences;
  • Investigations records: such as due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata relating to relevant exchanges of information between and among individuals, organizations, including emails, voicemail and live chat;
  • Records of correspondence and other communications: such as email, live chat, instant messages and social media communications;
  • Regulatory obligations: any information that we need to support our regulatory obligations, such as information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities; and
  • Audiovisual information:such as recordings from surveillance videosonour premises and/or branches, or recordings of phone or video or chats with our officers or staff.

Information we collect from other sources, namely:

  • Specific information: any information you have asked us to collect for you, such as information about your accounts or holdings with other companies including transaction information and information on your preferences from other organizations where they have rights to share this information;
  • Third party social network information:any information that you share publicly on a third party social network or information that is part of your profile on a third party social network and that you allow the third party social network to share with us, such as your basic account information (e.g. name, email address, gender, birthday, current city, profile picture, user ID, list of friends, etc.) and any other additional information or activities that you permit such third party social network to share;
  • Third party providers: any information fromthird party providers, such as information that helps us to combat fraud or that relates to your social interactions (including your communications via social media, between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information);
  • Credit reference agencies: such as information received from the credit reference agencies and from other reference databases; and
  • Public sources: any information from other publicly available sources.

If you do not providethe necessary data or consent to the processing of data,which we indicate to you is mandatory, we may not be able to provide you with the products and/or services you require, or meet all our obligations we have with you, enter into a contract with you, or fulfil legal duties imposed on us by law. In such cases, our service to you may be limited, restricted, suspended, cancelled, prevented or prohibited, as the case may be.

If you give us personal data of other persons, or you request us to share their personal data with third parties, you confirm that such persons understand the information in this Privacy Notice about how we will use their personal data and that you have the rights to share their personal data to us.

We collect your personal data for the purposes that are within the scope of one or more lawful grounds described in Section 2, below.

2. Use of Personal Data

We may only collect, useand share (collectively “process”) personal data fairly and lawfully and for specified purposes (“lawful grounds”). The applicable data protection lawrestricts our actions regarding personal data to specified lawful purposes. These restrictions are not intended to prevent the processing of personal data, but to ensure that we process personal data fairly and without damaging your interests.

The lawful grounds for processing available under the applicable data protection law vary depending on the nature and purpose of the processing activities and the types of data being processed.

We will rely on one or more of the following lawful grounds when processing personal data:

  • when it is necessary to fulfil a contract or perform obligations we have with you or to act upon your request before entering into any contractual relationship with you;
  • when it is our legal duty;
  • when it is in our legitimate interest;
  • when you consent to the processing of your personal data;
  • when it is necessary to prevent harms to your life, body, or health; and
  • when it is within the public interest of substantial importance.

In the case of sensitive personal data or special categories of personal data under the applicable data protection laws, in addition to the lawful grounds above, we will process such data in accordance with any other additional requirements as prescribed by such data protection laws.

Some processing activities may fall under more than one lawful ground. In such case, we may rely on any of the applicable grounds for our processing activities.

The purposes for which we may process personal data, subject to the applicable law, and the legal bases on which we may perform such processing includes:

Purposes of Personal Data Processing Lawful Grounds
Provision of Products and/or Services
  • to verify and authenticate your identity;
  • to deliver our products and/or services to you;
  • to manage our relationship with you or your business;
  • to execute your instructions (we may monitor or record any communications between you and us, including phone calls);
  • to perform credit reference checks;
  • to collect and recover monies owed to us;
  • to study how you use products and/or services from us and other organizations;
  • to provide service notifications or reminders of your benefits;
  • to communicate with you about our products and/or services;
  • when it is necessary to fulfil a contractual duty or perform obligations that we have with you or to act upon your request before entering into any contractual relationship with you; or
  • when it is in our legitimate interest
Customer Support
  • to make and manage customer payments;
  • to manage fees, charges, and interest due on customer accounts;
  • to improve the performance and functionality of our websites (website cookies).
  • when it is necessary to fulfil a contractual duty or perform obligations that we have with you or to act upon your request before entering into any contractual relationship with you;
  • when it is our legal duty to process your personal data; or
  • when it is in our legitimate interest.
Marketing Activities
  • to conduct targeted advertising;
  • to personalize marketing messages sent to you;
  • to give you information about our and/or our group and/or our partners’ products and/or services that you may be interested in;
  • to let our trusted partners send you information about our products and/or services that you may be interested in;
  •  to use third party cookies to give you offers that you may be interested in;
  • to communicate with you via any means (including via email, telephone, text message, social media, post or in person) subject to ensuring that such communications are provided to you in compliance with applicable laws; and
  • to maintain and update your contact information where appropriate.
  • when you consent to the processing of your personal data; or
  • when it is in our legitimate interest.

 

Sharing Your Personal Data to Third Parties for Their Marketing
  • to allow our business partners to offer you their products and/or services (we will not share your personal data for this purpose unless you explicitly give us consent to do so)

 

  • when you consent to the processing of your personal data
Business Improvement
  • to understand and develop products/servicesto meet our customers’ needs and to improve our business performance;
  • to test, research, analyze and develop new features, products and/or services;
  • to understand and analyze needs and your satisfaction;
  • to identify issues with existing products and/orservices;
  • to plan improvements to existing products and/orservices;
  • to analyze your data, including credit and behavior scoring;
  • to manage your complaints;
  • to understand your spending behaviors in order to help you manage your saving plans;
  • to do statistical reports or market research;
  • to do internal audits and reports; and
  • to conduct surveys or to hear from you about our products and/or services.
  • when it is necessary to fulfil a contractual duty or perform obligations that we have with you or to act upon your request before entering into any contractual relationship with you;
  • when it is our legal duty to process your personal data; or
  • when it is in our legitimate interest.

 

Fulfilment of Our Legal Obligations
  • to verify and authenticate your identity;
  • to prevent fraud and money laundering/combating the financing of terrorism;
  • to submit regulatory reports to relevant authorities; and
  • to comply with applicable laws and regulations.
  • when it is our legal duty to process your personal data
  • when it is within the public interest of substantial importance.
Security and Risk Management
  • to prevent crimes and manage the security of our premises (for example, we may use closed circuit television (CCTV) in and around our premises , which may collect photographs, videos or voice recording of you and the individuals connected to you or your business);
  • to detect, investigate, report, and seek to prevent fraud and financial crime;
  • to manage risk for us, our related companies, and our customers; and
  • to sell or to buy our assets, business, or portfolios to or from third parties.
  • when it is necessary to fulfil a contract or perform obligations we have with you or to act upon your request before entering into any contractual relationship with you;
  • when it is our legal duty to process your personal data; or
  • when it is in our legitimate interest.
  • when it is within the public interest of substantial importance.

 

Provision of Products and/or Services
  • to verify and authenticate your identity using your biometric data

 

  • when you consent to the processing of your personal data; or
  • when it is our legal obligation to achieve the substantial public interest.
Fulfilment of Our Legal Obligations
  • to verify your identity;
  • to prevent fraud and money laundering/combating the financing of terrorism; and
  • to comply with applicable laws and regulations.
  • when it is our legal obligation to achieve the substantial public interest; or
  • when it is necessary to establish or defend a claim, or exercise our claim.
Collection and Retention of Documents for Evidentiary Purposes
  • to retain documents for evidentiary purposes (for example, we may keep copies of your national identification card as a piece of supporting document for your transaction with us;nationalidentification cards issued by the Government of Thailand may contain sensitive personal data,e.g.religion and blood type); as such, without further consent from you, we may mask such sensitive personal data to the extent appropriate in order to protect your information; and
  • to retain documents, agreements and application forms prescribed by the relevant authorities (for example, the Land Department prescribes forms that may contain information pertaining to race.)
  • when it is our legal obligation pertaining to substantial public interest; or
  • when it is necessary to establish or defend a claim, or to exercise our claim.
Other relevant processing activities Lawful Grounds
  • to conduct any processing activities in relation to the purposes set out in this table.
  • same as the lawful ground applicable tosuch activities

 

3. Disclosure of Personal Data

We may share your personal data or personal data relating to the individuals connected to your business with third parties where it is lawful to do so, including where we or they:

  • need to have access to your personal data in order to provide you with the products and/or services you have requested (e.g. fulfilling a payment request);
  • have a public or legal duty to do so (e.g. to assist with detecting and preventing frauds, tax evasion and financial crime);
  • need have access to your personal data for the purpose of regulatory reporting, litigation or to assert or defend their or our legal rights and interests;
  • have a legitimate business reason for doing so (e.g.to manage risk, verify identity, enable another company to provide you with services you have requested, or assess your suitability for products and/or services);
  • need to prevent harms to your life, body, or health; and/or
  • have asked you or the individuals connected to your business for the permission to share the personal data, and you (or they) have agreed.

In case of sensitive personal data or special categories of personal data under the applicable data protection laws, in addition to the lawful grounds above, we will share such data in accordance with additional requirements as prescribed by such data protection laws.

Some disclosure activities may fall under more than one lawful ground. In such case, we may rely on any of the listed grounds for our disclosure activities.

We may share your personal data or personal data relating to the individuals connected to your business for these purposes with others, including:

  • other NOMUPAY group companies and any sub-contractors, agents or service providers who work for us or provide services to us or other NOMUPAY group companies (including their employees, sub-contractors, service providers, directors and officers);
  • cloud service providers;
  • any trustees, beneficiaries, administrators or executors;
  • people who give or will potentially give guarantees or other security for any amounts you owe us;
  • people you make payments to and receive payments from;
  • your beneficiaries, intermediaries, correspondent and agent, clearing houses, clearing or settlement systems, market counterparties, and any companies the investment services of which you receive through us;
  • our business partners with whom we provide services (e.g. airline or hotel partners, co-branding partners, card scheme partners or loyalty program partners), including their agents and service providers;
  • our trusted partners (e.g. social media companies or advertisement agencies)for the purpose of conducting direct marketing activities on our behalf or other third parties for marketing purposes;
  • other financial institutions, lenders and holders of security over any property or assets you provide to us, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
  • insurance providers, including underwriters, brokers, agents, re-insurers, claims handlers and other relevant third parties;
  • any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition, takeover, assignment, transfer, participation or sub-participation, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
  • law enforcement, government, courts, dispute resolution bodies, our regulators, fraud prevention agencies, credit reference agencies, tax agencies, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities, either having jurisdiction in Thailand or elsewhere;
  • other parties involved in any disputes, including disputed transactions;
  • fraud prevention agencies who will also use your personal data or personal data relating to the individuals connected to your business to detect and prevent fraud and other financial crime and to verify your identity;
  • anyone who provides instructions or operates any of your accounts, products and/or services on your behalf (e.g. Power of Attorney, lawyers, intermediaries, etc.);
  • your advisors (e.g.accountants, auditors, legal advisors, professional, financial or tax advisors) who you have authorized to represent you, or any other person of whom you have informed us is authorized to give instructions on your behalf; and/or
  • any other person with whom we have been instructed by you to share your personal data, or any other person who provides instructions or operates any of your accounts on your behalf.

Under some circumstances, the recipients of your personal data listed above may be located outside of Thailand. We will ensure that the cross-border transfers of your personal data comply with Section 4, below.

The purposes for which we may share personal data, subject to the applicable law, and the legal bases on which we may share personal data are set out in Section 2,above.

There may be instances which we may share your personal or non-personal data to third parties, such as advertising identifiers or one-way coding (cryptographic hash)of a common account identifier (such as a contact number or email address) to enable the conduct of targeted advertising.

We will not use personal data for any other purpose other than for the purposes as described to you. Should we intend to collect or use additional data, which is not described in this Privacy Notice; we will notify you and/or obtain your consent prior to the collection, use or disclosure in order to comply with relevant data protection laws.

4. Transfers of Personal Data Outside of Thailand

Your personal data may be transferred to and processed in all countries where NOMUPAY group companies or its service provider have established a business presence or have to meet compliance obligations. We will take all steps that are reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Notice as well as with the applicable data protection laws, including, where relevant, by entering into applicable standard contractual clauses (or equivalent measures) with parties outside of Thailand.

5. Opting Out of Direct Marketing

You have the right to object to direct marketing activities.

If you do not wish to receive marketing information from us, you may click on the ‘unsubscribe’ link, which can be found in our marketing emails and/or newsletters which are sent to you, fill up the “Optout” form provided at our branches,or email our customer service team at np.custservice@nomupay.com.

6. Retention of Personal Data

We collect your data for as long as it is necessary to carry out the purposes for which it was collected, for business, legal and legitimate interestpurposes or compliance with applicable laws.

We may keep your data for up to 10 years after you stop being our customer (that is, after our relationship with you has ended) to ensure that contractual disputes can be processed within that time. However, for legal, regulatory or technical reasons, we may keep your data for longer than 10 years. This includescircumstances where we keep records of any person exercising the rights under the applicable data protection laws; for example, where a person has opted out from our direct marketing, or has requested us to erase personal data. If we do not need to retain personal data for longer than the period that is legally necessary, we will destroy, delete or anonymize your personal data.

Where you receive products and/or services from third parties whowe has introduced you to, those third parties may keep your personal data, or personal data relating to the individuals connected to your business, in line with additional terms and conditions that apply to their product and/or services.

7. Accuracy of Your Personal Data

We need your co-operation to ensure that your personal data is current, complete, and accurate. Please inform us ofany changes to your personal data by contacting us at np.custservice@nomupay.com

We will occasionally request updates from customer dataand we may, in certain circumstances, proceed with such updates without your request to ensure the personal data we use to fulfil the purposes of the collection, use and disclosure is updated, complete and accurate.

8. Your Data Subject Rights

Subject to the conditions and exceptions set out in the applicable data protection law, you enjoy the following rights:

  • Right to Withdraw Consent: This enables you to withdraw consent that you have already given to us. The withdrawal of your consent will not affect any processing of your personal data carried out prior to your withdrawal being effective.

Where your consent is not mandatory, the withdrawal thereof may partially or completely impede our ability to provide you withfull benefits or experiencerelating to the products and/or services you receive.

Where your consent is mandatory, the withdrawal thereof may render our service limited, restricted, suspended, cancelled, prevented or prohibited, as the case may be.

For either case, we will not be liable to you for any losses incurred, and our legal rights are expressly reserved in respect of such limitation, restriction, suspension, cancellation, prevention or prohibition.

  • Right to Access: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Right to Correct: This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Right to Deletion: This enables you to ask us to delete or remove personal data where there is no good reason for us tocontinue to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to the processing of your personal data (see below).
  • Right to Object: This enables you to object to the processing of your personal data where we are relying on a legitimate interest (or that of a third party) and your particular circumstances justify your objection to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Right to Restrict Processing: This enables you to ask us to suspend the processing of personal data about you;for example, you may want us to restrict the use of your personal data which is under our correction process.
  • Right to Portability: Request the transfer of your personal data to another party.

Please complete the “Consent Withdrawal” form or “Data Subject Rights” formnp.custservice@nomupay.com. Please also note that we will ask you to provide a proof of identity to us before responding to any requests to exercise your rights. We will respond to your request to exercise such rights without delay;we will notify you in advance if we require more time to process your request.

If you become or have become our customer before 1June 2022we will maintain and continue using your personal data based on the consent you previously given to us.Your right to withdrawal of consent also applies to consents that were given to us before the Personal Data Protection Act B.E. 2562 (2019), as amended, came into force, i.e.before 1 June 2022.If you wish to withdraw such consent, you may do so by completing the “Consent Withdrawal” form np.custservice@nomupay.com.We will process your request accordingly.

Please note that the abovementioned rights are not absolute, as they should be balanced against legal requirements and our legitimate interest.

Handling of Complaints

In the event that you wish to make a complaint about how we process your personal data, please contact us and we will try to consider your request as soon as possible. Your complaint filing that is made with usdoes not prejudice your right to file a complaint with a government authority with the mandate to enforce data protection law.

9. Security of Your Personal Data

We value your privacy;therefore, we place great emphasison ensuring the security of your personal data. We regularly review and implement reasonable and appropriatephysical, technical and organizational security measures when processing your personal data.

Our employees are trained to handle the personal data securely and with respect, failing which they may be subject to disciplinary actions.

10. Cookies

We use cookies in some of our webpages and applications to collect information about users of our website (for example, store users’ preferences and record session information). A cookie is a small text file that a website or application can send to your browser, which stores certain information on your system. We use different types of cookies for different purposes. This includes the purposes of improving your online experience and customizing the ads you see online. You can adjust the settings on your browser or within your mobile device so that you will be notified when you receive a cookie. You may, at any time, disable the cookies by changing the settings on your browser or via your mobile device. However, by doing so, you may not be able to use certain functions or enter certain part(s) of our websites.

For more information on how we use cookies, please refer to our Cookies Notice published on our website for more information.

11. Contact Us

Please contact us via email at np.custservice@nomupay.com, if you have any questions regarding the protection of your personal data.

You can also contact our Data Protection Officer, who is responsible for overseeing the protection of your personal data, by writing to:

The Data Protection Officer

Nomupay

900 12th Floor Zone A, Tonson Tower, Pleonchit road, Lumpini, Pathuwan, Bangkok, Thailand

Or you can send an email to np.custservice@nomupay.com

12. Revision of our Privacy Notice

You can request for a copy of this Privacy Notice using the contact details in Section 11, above.  However, we keep this Privacy Notice under regular review; thus, this Privacy Notice may be subject to changes. The date of the last revision of the Privacy Notice can be found atthe top of the page.

Privacy Policy

1. General

NomuPay (“NomuPay”, “we”) operates this website in accordance with the provisions of Hong Kong laws and regulations relating to data privacy all other provisions with relevance in the area of data protection law.

2. Contact us.

If you have any questions about how we collect, store and use your personal information or would like a copy of the information we hold about you, then please contact our Data Protection Officer. You can either write at the address noted on the main page of this website or e-mail to: data.privacy@NomuPay.com.

3. Cookies

Cookies are small text files which are stored locally in your internet browser‘s cache memory, in order to be able to recognise it. NomuPay uses different types of cookies, and we provide further information on these cookies here. In general, we use cookies that are necessary for the operation of the website and you cannot opt out of the use of these cookies. In addition, we use cookies that enhance the functionality and use of the website (as further described below in section 4), such as to make use of the website easier for visitors, and in order to be able to design it in a more customized manner. You can choose your individual settings in section 4.3 Information on Web Analysis Tools, or configure your web browser so that it informs you when cookies are stored, or to prevent the storage of cookies. Further information in this context can additionally be found in the help function of your web browser. However, we would like to expressly make you aware of the fact that some parts of this website may possibly no longer function faultlessly without cookies.

4. Processing of personal data and other data by NomuPay during visits to our website

4.1 Information we automatically collect when you access our website

No personal data will be collected, since the IP address is truncated before collection.

4.2 Transfer of your personal data

Your personal data will be used only to the extent necessary to achieve the purposes named in this data privacy statement. Your data will be forwarded to third parties, if at all, only within the limits of statutory regulations. Personal data will be forwarded to government institutions and authorities only within the limits of compulsory national legal provisions, or if those data must be forwarded for legal or criminal prosecution because abusive or fraudulent actions have been committed. Forwarding for any other purpose, especially for address trading, is excluded.

4.3 Information on Web Analysis Tools

4.3.1 Google Analytics

This NomuPay website uses Google Analytics, a web analysis service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies that are stored on your computer and make it possible to analyse how you utilize the site. The information generated by the cookie (including the IP address) is transferred and stored on a Google server located in the United States. On this website, Google Analytics is extended by the code “gat._anonymizeIp():” to ensure anonymized collection of IP addresses (so-called IP-Masking). This means that Google will truncate/anonymize the IP address. Only in exceptional cases, the full IP address is sent to and shortened by Google servers in the USA.

Google uses the information on our behalf to evaluate how this NomuPay website is used, create reports about the activities on the site for the site operators, and to perform additional services regarding website and internet utilization. Further, Google may pass this data on to third parties, if required by law or if using their services to analyse this data. Google will not associate IP addresses with any other information held by Google.

You can prevent the storing of cookies by choosing the appropriate settings in your browser; however, we would like to point out that in this case some functionality of the website may not be available to its full extent. Further you can prevent the collection and processing of cookie created data relating to your utilization of the website (including your IP) via Google by downloading and installing the browser-plugin available under this link. https://tools.google.com/dlpage/gaoptout?hl=en

You can refuse the use of Google Analytics by clicking on this link. https://policies.google.com/privacy?hl=en_US  An opt-out cookie will be set on the computer, which prevents the future collection of your data when visiting this website.

Further information concerning the terms and conditions of use for Google are available under this link. https://marketingplatform.google.com/about/analytics/terms/gb/  Further information concerning the data privacy of Google can be found under this link https://policies.google.com/?hl=en&gl=uk .

5. Data retention

We store your personal data for as long as it is needed to fulfil the purpose for which they were collected notwithstanding any statutory retention obligations, in particular according to tax or accounting law.

6. Data safety

In order to protect the personal data against loss, falsification or disclosure to unauthorised third parties, we have taken adequate organisational, technical and administrative measures. NomuPay uses firewalls in order to prevent unauthorised access to servers. The servers are located at a safe location to which only authorised staff have access. All staff members and all persons involved in the processing of data are subject to an obligation to comply with all laws relating to data protection, and to treat personal data confidentially.

7. Data subjects rights

Under certain privacy laws, visitors as data subjects have certain rights in particular the right to access, correct, update, or request deletion of your personal data that we store about you.

You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. Again, you can exercise these rights by contacting us by sending us a email to the email address below.

Similarly, if we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact us at the above e-mail address.

Our data protection officer can be reached under data.privacy@NomuPay.com.

Privacy Policy

Wirecard e-Money Philippines, Inc., trades as “NomuPay” and references to “NomuPay” herein shall be in respect of the corporate entity Wirecard e-Money Philippines, Inc. and its related group companies (the “NomuPay Group”)

Purpose & Scope

NomuPay respects and values your privacy and the secrecy of your account information with us. This Privacy Policy (“Policy”) informs you how we collect, use, store, and process your personal data in Merchant Services. We adhere to the data privacy principles of (1) legitimate purpose – we only process upon your consent, in compliance with law or contract; (2) transparency – we notify everything that happens to your data; and (3) proportionality – collection is limited based on purpose.

This Policy applies to data subjects of Merchant Services whether as: (1) clients – current, past and prospective customers as individuals or corporations; or (2) non-clients – payees or payors or bank products and services we provide; visitors or inquirers at our branches and online channels; ultimate beneficial owners, directors or representatives of corporate clients; and such other persons involved in transactions with us or with our customers (“ Data Subjects”).

Collection of your Personal and Sensitive Personal Data

Personal Data refers to any information that identifies or is linkable to a natural person. On the other hand, Sensitive Personal Data is any attribute that can distinguish, qualify or classify a natural person from the others such as data relating to your ethnicity, age, gender, health, religious or political beliefs, genetic or biometric data.

We collect your Personal and Sensitive Personal Data when you register, sign-up or use our bank products and services or contact us about them. We also collect through your organization whether private corporation or government instrumentality you authorized. We may also obtain your information from other sources (i.e publicly available platforms, financial institutions, credit agencies, payment gateway processors, public authorities, and other registers) for purposes of identity verification and regulatory requirements by the Bangko Sentral ng Pilipinas (BSP).

Kinds of Data We Process

Know-Your-Customer (KYC) / Identification Data: refer to Personal Data and Sensitive Personal Data we collect when you sign up or register to our products and services such as full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number and other government-issued identification numbers, mobile number, home number, office contact details, company name, job position or rank, office address, source of funds, gross annual income, and such other information necessary to conduct due diligence and comply with BSP rules and regulations.

Biometric Data: upon your express consent and subject to limitations imposed by law, data processed for customer verification using: (1) facial recognition technology; (2) liveliness detection mechanism; and (3) fingerprint recognition applications.

Transactional Data: linkable information to your Personal Data such as (1) bank account number, deposits, withdrawals, such other transfers made to or from your account, and details about them such as reference number, place and time these were made; (2) information when you contact us through our official channels such as branches, contact centers, web and mobile platforms; (3) credit card account number as well as purchases or transactions using your credit card; and (4) other forms of customer account number, payments, and transactions you have with us.

Financial Data: information about the value of your property and assets, your credit history and capacity, and other financial products and services you have with us.

Behavioral Data: this refers to your online behavior, customer segment, usage of our products and services, internet protocol address of your devices used to access our applications, interests and needs you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.

Audio Visual Data: for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches and automated teller machines, subject to limitations imposed by law.

Sensitive Personal Data: we may require the following Sensitive Personal Data upon your express consent: (1) for customer verification, your government-issued identification numbers or cards such as passport or driver’s license ID; or (2) any information that is necessary, incidental to contractual agreements or in connection with a requested product or service.

The foregoing data are collectively referred to as “Customer Data” or “Personal Information”.

Data Processing

Processing means any activity pertaining to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of Customer Data.

We process Customer Data only for legitimate purposes and with lawful basis such as your express consent, terms and conditions of product or service you signed up with us, and as required by law and regulation. We ensure that only authorized employees and third-party service providers, who satisfy our stringent risk management, governance, information security, and data privacy requirements, can process your data.

Data Storage

We store Customer Data in secure and encrypted Bank-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ BSP-sanctioned security protocols and procure BSP approval prior to deployment.

We store physical copies of documents containing Customer Data in physical secure vaults.

Data Access

Customer Data can only be accessed by authorized personnel on a role-based manner following the proportionality principle that authorized personnel can only access Customer Data they need for their role and purpose in the NomuPay business.

Data Use

Customer Engagement

We use your contact details with us to communicate with you about your relationship with us. We may ask for feedback, surveys or polls about our products and services.

We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements and account security reminders.

You have the right to opt out from this form of communications with you or choose another means for which we can contact you.

Marketing

We may use your information for us to send out campaigns of commercial products and services we hope you find interesting, relevant, and useful.

We want to establish a more personalized relationship with you by providing you offers that would suit your lifestyle and needs.

We perform data analysis on results of our marketing campaigns to measure their effectiveness and relevance.

You have the right to withdraw your consent or unsubscribe from receiving personalized offers.

Due Diligence and Regulatory Compliance

We may use Customer Data to evaluate your eligibility for Bank products and services.

In assessing your ability to repay your loans, we conduct credit risk and investigation and reporting on your credit history and account updates.

We use your account details when you instruct us to make a payment or fulfill an investment order.

We use automated processes and data science solutions for faster decision-making in granting loan products.

We process Customer Data in compliance with legal obligations and statutory requirements by BSP, and other regulatory agencies.

Business Insights

We perform data analysis and reporting based on your Customer Data and how we operationalize to aid our management make better decisions.

We analyze your behavioral data, your interactions with our products and services, and our communications with you to aid us understand the areas for improvement and development.

We analyze transactional data performed through our third-party service providers and partners in order to determine how we can jointly improve our products and services for you.

Data Quality

We shall process your Customer Data in compliance with the data quality standards imposed by BSP. We shall obtain additional information about you from government institutions or credit bureaus to improve the quality of your Customer Data with We may contact you to ensure accuracy and integrity of your information in our data processing systems.

Protection and Security

We process Customer Data for your account protection against cybercrime, identity theft, fraud, financial crimes such as money laundering, terrorism financing, and tax fraud.

We use your Personal Data such as name, age, nationality, IP address, home address, and other Transactional Data to conduct profiling for detection of suspicious activity on your account.

We may employ artificial intelligence and machine learning in real-time detection of suspected fraudulent activities on your account.

We may reset your password or temporarily hold your online accounts to protect you from detected or suspected fraudulent activities.

Data Retention

Pursuant to BSP Regulations, retention period for transaction records shall be five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.

For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR regulation.

We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which shall be in accordance with the standards of the banking industry.

Data Disposal

After the expiration of the imposed retention period, we dispose personal data in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other unauthorized entities or individuals.

Data Sharing and Purpose

When you consent to the processing of your Customer Data with us, you also agree to help us comply with our statutory and contractual obligations with other financial institutions. We may also share Customer Data externally with our partners, upon your written and/or electronic consent, for value added services you may find useful and relevant on top of your account with us. For contractual and value-added service data sharing agreements, we employ standardized model clauses as recommended by National Privacy Commission to ensure data protection of Customer Data. Below are the disclosures required by the government entities, other regulatory authorities and financial institutions:

Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC)

We are subjected to mandatory disclosures to the AMLC under Republic Act 9160 or the Anti-Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or investments involved are in anyway related to unlawful activities or money laundering offenses.

BSP mandates disclosures and reporting in compliance with its issuances for the protection of the integrity of the banking sector.

Bureau of Internal Revenue (BIR)

We may conduct random verification with the BIR in order to establish authenticity of tax returns submitted to us.

BIR may inquire into bank accounts of the following: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax authority.

Credit Information Corporation (CIC)

Credit Information Systems Act (RA 9510) mandates us to submit your credit data to the CIC and share the same with other accessing entities and special accessing entities authorized by the CIC.

Judicial and Investigative Authorities

We may be mandated to disclose certain Customer Data upon service of legal court orders (i.e. unexplained wealth under Section 8 of RA 3019) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.

In these cases, we would notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.

Other Regulatory Authorities

Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.

Financial Institutions

To fulfill payments and services, we may have to share your information with correspondent banks, network payment processors (i.e. Visa, Mastercard, American Express, JCB), stockbrokers, fund managers, or portfolio service providers.

We disclose your Customer Data with insurers, insurance brokers, or providers of deposit or credit protection or protection against all kinds of risks.

For purposes of credit investigation, consumer reporting, or for reports of credit history, account updates and fraud prevention, we may share your data with reference agencies such as Credit Card Association of the Philippines (CCAP) and Bankers Association of the Philippines (BAP).

Value Added Services

With your express consent, we may disclose your Customer Data to our partners who collaborate with us to provide services to you and provide joint communications that we hope you find of interest.

Through our digital channels, you may instruct other mobile financial technology applications to retrieve your account information, initiate payments or cash-in from your account with us via our Application Programming Interface (API) facility.

Rights of Data Subjects

Under the Data Privacy Act of 2012, you have the following rights:

Right to be informed – you may demand the details as to how your Personal Information is being processed or have been processed by the Bank, including the existence of automated decision-making and profiling system.

Right to access – upon written request, you may demand reasonable access to your Personal Information, which may include the contents of your processed personal information, the manner of processing, sources where they were obtained, recipients and reason of disclosure.

Right to dispute – you may dispute inaccuracy or error in your Personal Information in the Bank systems through our contact center representatives.

Right to object – you may suspend, withdraw, and remove your Personal Information in certain further processing, upon demand, which include your right to opt-out to any commercial communication or advertising purposes from the bank.

Right to data erasure – based on reasonable grounds, you have the right to suspend, withdraw or order blocking, removal or destruction of your personal data from the Bank’s filing system, without prejudice to the Bank continuous processing for commercial, operational, legal, and regulatory purposes.

Right to data portability – you have the right to obtain from the Bank your Personal Information in an electronic or structured format that is commonly used and allows for further use.

Right to be indemnified for damages – as data subject, you have every right to be indemnified for any damages sustained due to such violation of your right to privacy through inaccurate, false, unlawfully obtained or unauthorized use of your information.

Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer and/or with the National Privacy Commission through www.privacy.gov.ph.

Nomu Pay Malaysia Sdn. Bhd. (“Nomupay”)

(formerly known as Wirecard Payment Solutions Malaysia Sdn. Bhd.)

 Privacy and Cookies Policy

1. Collection & Use of Information

“Personal Data” means information about you from which you are identified, including but not limited to name, identification card number, passport number, nationality,  mailing, billing, shipping and email address, phone number, fax number, bank account information, credit and debit card information, date of birth, your designation in your company, your company details, any information about you or your company which you have provided to us in your application form, registration forms or any other similar forms and/or information about you that has been or may be collected, stored, used and processed by us from time to time.

1.1 Sources from which Personal Data may be obtained

In addition to the Personal Data you provide to us directly, there are variety of sources in which we may collect your Personal Data from, such as:

a) Fill up and completing application or registration forms or any other similar forms via online or otherwise;

b) When you complete a sale or purchase transaction online using our e-commerce service;

c) When you register at our website as a user;

d) From social media platforms’ pages, if you subscribe, follow, like or are a fan of our pages;

e) When you enter contests organized by us

f) From cookies used on websites;

g) When you interact with us at any events, activities or social media platforms.

1.2 Purposes of Collection and Processing

Nomupay collects personal data to set up and manage accounts for our ecommerce services and to handle orders of goods and services from Nomupay which shall include, without limitation the following:

a) website registration, enabling sales and other transactions, processing payments and settlement, sending payouts, handling orders, providingreceipts, perform credit check;

b) providing customer service, providing dispute resolution, chargebacks, refunds, or related issues;

c) marketing and surveys, sending service update notices;

d) recovering debt and collections, detecting and preventing fraud, detecting and preventing violations of our legal agreements;

e) measuring, improving and customizing our services;

f) fulfilling other technical ,logistical, financial, tax, legal, compliance, administrative, or back office functions for and/or in connection with all other purposes necessary and/or incidental to our business and all purposes necessary for or related to any of the above purposes.

In the course your dealings with us, we may also use and process your Personal Data for other purposes such as:

a) to send alerts, newsletters, updates, promotional materials from us or our partners;

b) to invite to event or activities organized by us or our partners; and,

c) to share your Personal Data amongst our holding companies, affiliates or subsidiaries for promotion, events or activities organized by the same.

1.3 Transfer of Personal Data

We may transfer your Personal Data to places outside Malaysia when carrying our any of the purposes stated herein.

1.4 Disclosure to Third Party

Your Personal Data may be disclosed and transferred amongst our holding companies, affiliates, subsidiaries, associate companies and jointly controlled entities which may include companies in different jurisdictions.

When processing your Personal Data, we may disclose the same to the following persons including but without limitation to:

a) Our business partners which shall include parties with whom we collaborate;

b) Merchants concerned on a need-to-know basis to complete the sale transaction and handling orders;

c) Credit Reporting Agencies, Third Party Service providers;

d) Our auditor, lawyers, consultants, insurers, advisers, bankers, and agents; and

e) All other persons or bodies who provide us with services necessary and/or incidental to our business.

2. Data Protection & Security

Nomupay protects your Personal Data against unauthorized access, use or disclosure. Your Personal Data will be stored either in hard copies in Nomupay’ office or stored in server operated by Nomupay or any of its service providers.

All internet communication is secured using up-to-date technology with high security encryption. Some of our security features include the following:

a) Hardware firewall

b) Dos Attack Prevention

c) 3D-Secure Compliance (“Verified by Visa” & “MasterCard SecureCode’)

Nomupay is PCI DSS compliant. However, you are are advised to follow certain security practices yourself. You must never share your Account or login details with anyone. If you are concerned that any of your login details have been compromised, you can change them any time you like once you are logged on, and immediately contact our Customer Services.

3. Notification of Changes

If Nomupay decides to change our privacy policy, Nomupay will post those changes on its website so the users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If, at any point, Nomupay decides to use personally identifiable information in a manner different from that stated at the time it was collected, Nomupay will notify users by way of an e-mail.

User will have a choice as to whether we use their information in this different manner. Nomupay  will use information in accordance with the privacy policy under which the information was collected.

4. Personal Data Protection Notice

This Personal Data Protection Notice (“Notice”} is issued pursuant to the Personal Data Protection Act 2010 (“Act”}. It explains the type of data we collect or have collected and how disclosed the data to and the choices available to you including how to access and correct your personal data.

By communicating with us, using our services or by virtue of your engagement with us, you acknowledge that you have read and understood this Notice and agree and consent to the use, processing and transfer of your Personal Data by us as described herein.

4.1 Collection of Personal Data

“Personal Data” means information about you from which are identified with, including but not limited to name, identification card number, passport number, nationality, mailing, billing, shipping and email address, phone number, fax number, bank account information, credit and debit card information, date of birth, your designation in your provided to us in your application form, registration forms or any other similar forms and/or information about you that has been or may be collected, stored, used and processed by us from time to time.

4.2 Sources from which Personal Data may be obtained

In addition to the Personal Data you provide to us directly, there are variety of sources in which we may collect your Personal Data from, such as:

a) Fill up and completing application or registration forms or any other similar forms via online otherwise;

b) When you complete a sale or purchase transaction online using our e-commerce service!

c) When you register at our website as a user;

d) From social media platforms’ pages, if you subscribe, follow, like or are a fan of our pages;

e) From cookies used on websites;

f) When you interact with us at any events, activities or social media platforms.

4.3 Purposes of Collection and Processing

Nomupay collects personal data to set up and manage accounts for our ecommerce services and to handle orders of goods and services from Nomupay which shall include, without limitation the following:

a) Website registration, enabling sales and other transactions, processing payments and settlement, sending payouts, handing order, providing receipts, performing credit checks.

b) Providing customer service, providing dispute resolution, chargebacks, refunds, or related issues

c) Marketing and surveys, sending service update notices

d) Recovering debt and collections, detecting and preventing fraud, detecting and preventing violations of our legal agreements

e) Measuring, improving and customizing our services

f) Fulfilling other technical, logistical, financial, tax, legal, compliance, administrative, or back office functions for and/or in connection with all other purpose necessary and/or incidental to our business and all purpose necessary for or related to any of the above purposes.

In the course your dealings with us, we may also use and process your Personal Data for other purposes such as:

a) To send alerts, newsletter, updates, promotional materials from us or our partners;

b) To invite to event or activities organized by us or our partners; and

c) To share your Personal Data amongst our holding companies, affiliates or subsidiaries for promotion,events or activities organized by the same

4.4 Transfer of Personal Data

We may transfer your Personal Data to places outside Malaysia when carrying our any of the purposesstated herein.

4.5 Disclosure to Third Partv

Your Personal Data may be disclosed and transferred amongst our holding companies, affiliates,subsidiaries, associate companies and jointly controlled entities which may include companies in differentjurisdictions.

When processing your Personal Data, we may disclose the same to the following persons including butwithout limitation to:

a) Our business partners whom shall include parties which we collaborate with;

b) Merchants concerned on a need-to-know basis to complete the sale transaction and handling orders

c) Credit Reporting Agencies, Third Party Service provides;

d) Our auditor, lawyers, consultants, insurers, advisers, banker and agents; and

e) All other persons or bodies who provide us with services necessary and/or incidental to ourbusiness.

4.6 Security

Nomupay protects your Personal against unauthorized access, use or disclosure. YourPersonal Data will be stored either in hard copies in Nomupay’ office or stored in serveroperated by Nomupay or any of its service providers. All internet communication issecured using up-to-date secure technology with high security  encryption.

Some of our security features include the following:

a) Hardware firewall

b) DoS Attack Prevention

c) 3D-Secure Compliance (“Verified by Visa” & “MasterCard SecureCode”}

Nomupay is PCI DSS compliant. However, you are advised to follow certain securitypractices yourself. You must never share your Account or login details with anyone. If you are concernedthat any of your login details have been compromised, you can change them any time you like once youare logged on, and immediately contact our Customer Service.

4.7 Right of Access and Correction to Personal Data

Under the Act, you have the right to access and the right for correction to your Personal Data which mighthave been out-of-date, inaccurate or incomplete. You may also withdraw your consent or restrict thepurpose for the processing of your Personal Data as set out in this Notice.

You may send the above request to the following address:

Attn: Compliance Office

Address:

Tel No.:

Email: support-Nomupay@Nomupay.com

You may also unsubscribe to our marketing materials by clicking the unsubscribe link contained in theemail we send to you and following the instructions therein.

4.8 Personal Data of Third Parties

You hereby confirm that you are authorized to provide Personal Data relating to other individuals and youhave obtained their consent for their personal data to be processed and uses in the accordance to thepurposes as stated in this Notice.

4.9 Changes to this Notice

Nomupay may update this Notice from time to time, and the changes will be effectiveafter posting at the Website or notice to you. Continued use of the Gateway or Website indicates your re‐acceptance of the revised notice. The most recent revision date for these terms is identified above.

5. Third-Party Links

In an attempt to provide increased value to our users, Nomupay may link to sites operated bythird parties. However, even if the third party is affiliated with Nomupay, Nomupay has no control over these linked sites, all of which have separate privacy and data collectionpractices, independent of Nomupay. These linked sites are only for your convenience andtherefore you access them at your own risk.

6. Use of Cookies

The Website uses “cookies” to identify a user’s session on theWebsite and thereby offers continuity as the user moves aroundthesite.Cookies areonlyusedontheWebsiteto store non-critical data.Cookies arepieces of information that websites transfer to your computer’s hard drive for record-keepingpurposes.

Cookies allow websites to maintain user information across connections. They are small strings of charactersused by many websites to deliver data to your computer, and in certain circumstances, return the informationto the website.

Cookies contain only information that members volunteer, and they do not have the capability of infiltrating auser’s hard drive and stealing personal information. The simple function of a cookie is that of helping the usernavigate a website with as little obstruction as possible.