Privacy Policy.

This privacy policy aims to give you information on how Finyon collects and processes your personal data through your use of this website, including any data you may provide through this website when you purchase a product or service.

Definitions

The following phrases are to be understood as follows:

• AML — Anti-Money Laundering.
• CFT — Counter-Financing of Terrorism.
• Client — should be understood as a Customer, a Visitor, an Interested Person in the services provided by Finyon or companies with equity or personal ties to Finyon.
• Customer — a natural person acting on their own behalf and on their own account, or a board member or another person authorised to represent a legal person, a partner or an actual beneficiary of a legal person who was subject to Verification on the Website and was positively assessed in this Verification process and has started using Finyon’s services.
• Interested person — a natural person making an enquiry to Finyon, a natural person acting on their own behalf or a natural person who is a board member or other person authorised to represent a legal person, acting on their behalf, regarding the use of Finyon’s services.
• Website — Finyon’s website available at https://www.finyon.io.
• Verification — a process consisting of actual activities, performed by Finyon and the Cooperating Entities, consisting in defining and verifying the correctness and authenticity of data of the Interested Person, in order to attribute the Customer status to the Interested Person.
• Visitor — a person visiting Finyon’s Website using an Internet browser.

Who controls your personal data?

In accordance with Article 13 sections 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), and the Singapore Personal Data Protection Act 2012 (“PDPA”), the controller of personal data is Finyon Pte Ltd, a company incorporated in Singapore with UEN 202511118R, with its registered address at Level 11, MBFC, 8 Marina Boulevard, Singapore 018981, e-mail address: [email protected] (the “Controller”).

Where applicable, the GDPR applies to individuals located in the European Economic Area (“EEA”).

For any questions or concerns relating to personal data, privacy, or data protection, please contact Finyon at: [email protected].

Who might receive your personal data?

A Client’s personal data may be accessed by the Controller’s employees, contractors, or associates who are authorised to process such data on behalf of the Controller and only to the extent necessary for the performance of their duties. Personal data may also be disclosed to entities to which the Controller entrusts the processing of personal data, including providers of accounting, legal, compliance, information technology, cloud hosting, customer support, marketing, and organisational services that enable the Controller to provide its services, maintain the Website, and conduct its business operations (the “Cooperating Entities”).

In particular, personal data may be shared with third-party service providers performing identity verification, transaction monitoring, fraud prevention, and other compliance-related services as part of the Controller’s Know Your Customer (“KYC”) and anti-money laundering and counter-terrorist financing obligations, in accordance with the Payment Services Act 2019, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), the Terrorism (Suppression of Financing) Act 2002 (TSOFA), and MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism — Digital Payment Token Service, and applicable regulations, as well as other applicable laws.

Personal data may be disclosed to competent public authorities, including law enforcement agencies, regulators, courts, or other governmental bodies, where such disclosure is required by applicable law, regulation, court order, or binding request, or where it is necessary for the prevention, detection, or investigation of crime, fraud, or other unlawful activities.

Personal data may also be transferred to entities belonging to the Controller’s corporate group or to entities with capital or personal ties to the Controller, to the extent necessary for the provision of services, internal administrative purposes, risk management, compliance, or business continuity.

The Controller exercises due diligence in selecting its Cooperating Entities and ensures, at the stage of concluding agreements and throughout the cooperation, that such entities provide appropriate technical and organisational measures to protect personal data and ensure a level of protection required by applicable data protection laws, including the GDPR where applicable.

Where do we store your personal data?

Personal data is stored and processed in Singapore, and may also be processed in other jurisdictions where the Controller, its affiliates, or its Cooperating Entities maintain facilities or engage service providers, including for the purposes of cloud hosting, information technology support, data analytics, customer support, identity verification, transaction monitoring, and compliance operations.

Where personal data is transferred to or processed in a jurisdiction outside the country of the data subject’s residence, the Controller ensures that such transfers are carried out in accordance with applicable data protection laws and are subject to appropriate safeguards. These safeguards may include contractual protections, technical and organisational security measures, and internal policies designed to protect personal data against unauthorised access, loss, misuse, or disclosure.

For personal data relating to individuals located in the European Union, any transfer of personal data outside the European Economic Area is carried out in accordance with the GDPR, using appropriate transfer mechanisms and safeguards recognised under applicable data protection laws.

The Controller’s guarantees and representations

The Controller ensures that personal data is processed lawfully, fairly, and transparently, and in accordance with applicable data protection laws, including Singapore privacy legislation (the Personal Data Protection Act 2012 — PDPA) and, where applicable, the General Data Protection Regulation (GDPR).

The Controller collects and processes only such personal data as is necessary for the performance of contracts, the provision of services, compliance with legal and regulatory obligations, or other legitimate purposes described in this Privacy Policy. Personal data is not processed beyond these purposes unless required or permitted by applicable law or with the data subject’s consent where such consent is required.

The Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, misuse, or disclosure, taking into account the nature of the data and the risks associated with its processing.

The Controller does not knowingly process personal data of individuals under the age of 18 or of persons who lack full legal capacity, unless such processing is carried out through a duly authorised legal representative and is permitted by applicable law.

Legal bases for processing

Where the GDPR applies, personal data is processed on the following bases:

• Contractual necessity (Article 6(1)(b) GDPR): Registration, service provision, and Website functionality.
• Legal obligation (Article 6(1)(c) GDPR): Accounting, tax, and AML/CFT requirements where applicable.
• Legitimate interest (Article 6(1)(f) GDPR): Complaint handling, service improvement, Website usability, and fraud prevention.
• Consent (Article 6(1)(a) GDPR): Marketing, newsletters, and third-party advertising (opt-in only).

Verification / KYC

Verification is conducted in accordance with applicable anti-money laundering and counter-terrorist financing laws, including the Payment Services Act 2019, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), the Terrorism (Suppression of Financing) Act 2002 (TSOFA), and MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism — Digital Payment Token Service, and other applicable regulations.

Verification may include identity verification, proof of residence, screening, and risk-based checks (source of funds/wealth). Verification is performed via automated tools and manual review. Automated processes may approve, flag for manual review, or reject applications.

Tax references

• Data related to transactions is retained to meet tax obligations (including VAT/GST, where applicable).
• Records of purchases may be provided to relevant authorities to comply with local laws.

Marketing & cookies

Marketing communications are sent only where explicit consent has been provided.

The Website uses cookies and similar technologies for Website functionality, analytics, and service improvement, including:

• First category: Technical cookies required for Website operation (Article 6(1)(b) GDPR).
• Second category: Analytical cookies used for performance monitoring and service improvement (Article 6(1)(f) GDPR).
• Third category: Marketing cookies, which require prior opt-in consent.

Users may manage or withdraw their cookie consent via browser settings at any time.

Third-party analytics and advertising services may involve data transfers outside Singapore and/or the EU, subject to appropriate safeguards in accordance with applicable data protection laws.

Data retention

Personal data is retained as follows:

• Visitors: for the duration of the Website session, until the session ends or until cookie consent is withdrawn (as applicable).
• Interested Persons: until enquiries are resolved or Verification is completed (negative result leads to deletion).
• Customers: for the duration of the service relationship and thereafter for 8 years following termination, in accordance with AML/CFT and legal obligations.

Data subject rights

Clients may exercise the following rights, subject to applicable law:

• withdraw consent to the processing of personal data;
• access personal data and obtain copies thereof;
• request rectification or erasure of personal data;
• request restriction of, or object to, the processing of personal data; and
• request data portability, where applicable, in a structured, commonly used, machine-readable format.

Requests should be sent to the Controller. Additional information may be required to verify the identity of the requesting individual. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

Contact

For all privacy-related enquiries, write to [email protected].

Finyon Pte Ltd · UEN 202511118R · Level 11, MBFC, 8 Marina Boulevard, Singapore 018981