Privacy Policy
Welcome to Aye Solutions Sdn. Bhd. (“Aye”, “We”, “Us”, or “Our”). We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how We collect, use, disclose, and protect personal data when you interact with Our services, including:
a. Our official website (www.aye-ai.org) (“Official Website”);
b. The AyeFace User Portal, where you can manage your account, payment methods, rewards, and preferences;
c. The AyeFace Merchant Portal, which provides merchants with access to performance insights and customer interaction data;
d. The AyeFace Virtual Terminal, the software on which Customers interact with facial recognition features, place orders, make payments, and interact with the AI components as part of AyeFace services.
e. Any other AyeFace software, application, or service operated by Us.
This Privacy Policy applies to all users who access or use our services, including individual users, merchants, business partners, and website visitors. It outlines the types of data we collect, how we use and share that data, and the choices available to you regarding your personal information.
We comply with the Personal Data Protection Act (Malaysia), Personal Data Protection Act (Singapore), and the EU General Data Protection Regulation (GDPR) where applicable, including supplementary provisions governing biometric data, cross-border transfers, and data subject rights.
By using or accessing our services, you agree to the collection and use of information in accordance with this Privacy Policy.
Definitions
"Personal data" refers to any information, whether stored electronically or otherwise, that can identify you as an individual, either on its own or in combination with other data. We generally do not collect your personal data unless:
a. It is voluntarily provided to us by you or by a third party authorised by you to act on your behalf; and
b. You (or your authorised representative) have been informed of the purpose of the data collection and provided your consent, or where such collection and use is permitted or required under applicable laws.
“Biometric data” refers to sensitive personal data such as facial templates, which by default are mathematical representations of facial features and not raw images.
Data Protection Impact Assessment (DPIA) and Transfer Risk Assessment (TRA) refers to structured assessments undertaken to identify and mitigate privacy risks associated with processing personal data, particularly biometrics and cross-border transfers.
How We Use and Collect Your Personal Data
Information We Collect
Depending on how you interact with us, we may collect the following categories of personal data:
- Identification and contact information: e.g., name, phone number, email address, business registration number.
- Biometric data: such as facial recognition tokens, collected only with your explicit, informed consent.
- Payment and financial information: e.g., linked bank accounts, e-wallets, credit/debit cards, DuitNow ID, and AyeFace transaction history.
- Device and technical data: e.g., IP address, browser type, operating system, device identifiers, and approximate location.
- Usage and interaction data: e.g., pages viewed, order preferences, engagement with AI prompts, and portal activities.
- Professional information: e.g., resumes, company details, or other documentation submitted in job applications or business inquiries.
- Aggregated or anonymised data: derived from personal data but stripped of identifiers.
Biometric data is treated as sensitive personal data under Malaysia’s PDPA and a special category of data under the EU GDPR. We only process it with your explicit consent, and you may withdraw this consent at any time. This means:
- We will request your express opt-in before any biometric data is captured or processed.
- You may withdraw your consent at any time by contacting us (see “Your Rights” below).
- If consent is withdrawn, we will securely delete any biometric data previously collected, unless retention is required by law or for the establishment, exercise, or defense of legal claims.
We will also seek your consent before using your personal data for new purposes, unless otherwise permitted or required by law.
- When You Visit Our Website
When you browse our official website, we may automatically collect:
a. Technical information, such as your IP address, browser type, operating system, device type, and approximate location;
b. Usage information, such as the pages you view, the time spent on the site, and your interactions with website features.
This data helps us understand site performance, optimise content, and improve our services (legitimate interest).
- When You Use AyeFace Services
When you register for or interact with AyeFace services, we may collect:
a. Identity and contact information, such as your name, phone number, email address, and device ID.
b. Biometric data, such as facial recognition tokens used to enable AI-driven services and contactless payments (with your explicit consent).
c. Payment-related information, such as the DuitNow ID, linked bank or e-wallet accounts, credit or debit card details, and your transaction history.
d. Interaction data, such as your order preferences, engagement with AyeFace AI prompts, and responses within the Virtual Terminal.
This data is used to personalise your experience, facilitate payments, deliver features, and maintain security (contractual necessity, explicit consent for biometrics, legitimate interests).
- Through the User Portal
If you use the AyeFace User Portal, we may collect and process data related to:
a. Viewing and managing your rewards
b. Managing payment methods (e.g., adding, linking, or removing DuitNow, e-wallets, and credit/debit cards)
c. Updating your preferences or profile
d. Verifying your identity (e.g., via one-time password)
This data enables you to control your own user experience securely (contractual necessity, legitimate interests).
- Through the Merchant Portal
If you are a merchant using AyeFace, we collect:
a. Business contact details (e.g., name, business registration number, email address)
b. Operational data such as store activity, customer engagement metrics, and transaction analytics
This data is used to generate insights, personalise customer interactions, and optimise performance on the AyeFace platform (contractual necessity, legitimate interests).
- Through Job Applications or Business Inquiries
If you submit a job application or business inquiry via our website, we may collect:
a. Your name, contact information, company details, and any documentation or resumes you submit
b. Any feedback or questions you provide through forms or communications
This helps us manage recruitment or respond to partnership opportunities (contractual necessity, legitimate interests, legal obligation).
- Use of Anonymised or Aggregated Data
We may also generate aggregated or de-identified data from your personal information for legitimate purposes such as statistical analysis, research, or product development. This data cannot be used to identify you and is not considered personal data under this Policy.
- Retention after termination
The purposes listed above may continue to apply even after your relationship with us has ended, for a reasonable duration. This includes legal compliance, fraud prevention, or record-keeping as required under applicable regulations.
- Children’s Data
Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under this age without the consent of a parent or legal guardian, in line with the requirements of the GDPR and applicable local laws. If we discover that we have inadvertently collected personal data from a child under 16 without proper consent, we will take steps to delete such data promptly.
Parents or guardians who believe their child has provided us with personal data without their consent may contact us at privacy@aye-ai.org to request deletion.
Cookies and Similar Technology
We use cookies and similar technologies on our website and platforms to improve your experience and enhance the functionality of our services.
- What are cookies?
Cookies are small text files stored on your browser or device when you visit a website. They allow the site to remember your actions and preferences (such as login status or language settings) over time.
2. Types of cookies we use:
a. Strictly Necessary Cookies are essential for you to browse our website and use its features. They enable core functions such as page navigation and access to secure areas.
b. Performance and Analytics Cookies collect information about how visitors use our website. This helps us improve performance and user experience.
c. Functionality Cookies remember your preferences and choices (e.g. region or language), allowing us to customise your experience.
d. Targeting or Advertising Cookies (applicable and with your consent) may track browsing habits to deliver relevant ads through third-party services.
3. Managing your cookie preferences:
Most browsers allow you to control cookies through settings. You can usually choose to block or delete cookies, or receive a warning before a cookie is stored. Please note that disabling certain cookies may affect the functionality of our website or services.
4. Third-party cookies:
We may allow trusted third-party services (such as analytics or marketing platforms) to set cookies on our website. These providers are contractually required to comply with data protection standards and may collect data such as device identifiers or browsing history in accordance with their own privacy policies.
How We Share, Transfer, and Publicly Disclose Your Personal Data
We do not sell or rent your personal data. We only share, transfer, or disclose personal data in limited circumstances, with appropriate safeguards, and we take reasonable steps to ensure compliance with the Malaysian PDPA, Singapore PDPA, GDPR, and other applicable laws. We also maintain a record of disclosures and transfers where required under these laws. In the course of providing our services and operating our business, we may share, transfer, or disclose your personal data under the following conditions:
- Sharing
We may share your personal data with:
a. Our affiliates and related companies, only as necessary to deliver, maintain, or improve our services. These entities are bound by confidentiality obligations and privacy standards consistent with this policy.
b. Third-party service providers, such as cloud hosting, analytics, communication tools, or payment processors, solely for the purpose of performing tasks on our behalf. These providers are contractually required to protect your data and to provide evidence of compliance (such as certifications, audit reports, or other assurance mechanisms):
c. Regulatory or law enforcement authorities, if required to comply with legal obligations, enforce our rights, respond to legal process, or protect the safety of users or others.
d. Other parties, only with your explicit consent or where otherwise permitted by law.
- Transfers
a. Corporate Transfers
In the event of a merger, acquisition, asset sale, or corporate restructuring, your personal data may be transferred as part of that transaction. Such transfers will only take effect after the completion of the transaction and when the change has been publicly announced through official filings or press releases. In these cases, the transfer of data ownership is considered a natural consequence of the transaction and will not require direct notification to individual users, unless specifically required by applicable law. We will ensure that the new owner of your data continues to handle it in accordance with this Privacy Policy, or otherwise seek your consent where required.
b. Cross-Border Transfers
Personal data may be transferred internationally where we or our service providers operate across multiple jurisdictions. In such cases, we only transfer personal data across borders where one of the following conditions is met:
i. The destination country’s laws are assessed to provide a level of protection substantially similar to the Malaysian PDPA;
ii. Appropriate safeguards (such as Standard Contractual Clauses, binding corporate rules, or equivalent contractual protections) are implemented to ensure your data continues to receive adequate protection;
iii. You have provided explicit consent for the transfer;
iv. The transfer is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract;
v. The transfer is required for legal claims, advice, or obligations; or
vi. Other exceptions permitted by law apply (e.g. to protect your vital interests).
We also conduct Transfer Risk Assessments (TRA) to evaluate whether the legal framework and practices in the destination country ensure adequate protection. These assessments are reviewed periodically.
Where we rely on safeguards such as Standard Contractual Clauses, you may request a copy of the relevant provisions by contacting us.
Where biometric or other sensitive personal data is transferred, such transfers are subject to additional scrutiny through a Data Protection Impact Assessment (DPIA), documented and approved at management level.
- Disclosure
We may only disclose your personal data under the following circumstances:
a. After obtaining your explicit consent;
b. It is required by law, legal process, or a lawful request from public authorities;
c. It is necessary to protect our rights, property, or safety, or that of our users, partners, or the public;
d. For biometric data specifically, disclosure will only occur under strict legal obligation, subject to prior legal review and proportionality assessments.
- Data Protection Impact and Risk Assessments
For activities that involve high-risk processing (e.g., biometric data, AI-driven profiling, or cross-border transfers), we conduct:
a. Data Protection Impact Assessments (DPIAs) to evaluate necessity, proportionality, and risks to individuals.
b. Threat and Risk Assessments (TRAs) to assess cybersecurity and operational vulnerabilities.
c. Review of contractual safeguards with third parties, including flow-down of obligations to sub-processors.
These assessments are embedded into our governance framework and reviewed periodically to ensure ongoing compliance with Malaysian, Singaporean, and international data protection requirements.
Cross-Border Data Transfer
Some of the disclosures described in How We Share, Transfer, and Publicly Disclose Your Personal Data may involve transferring your personal data to our affiliates, service providers, or partners located outside your home country. These jurisdictions may have data protection standards that differ from those in your home country.
We recognise that biometric data and other sensitive personal data require enhanced protection. Before any transfer, we take steps to ensure that your personal data is handled with safeguards that are substantially similar to those required under the laws of Malaysia, Singapore, and the European Union.
- Transfer Assessments and Safeguards
We conduct a Transfer Risk Assessment (TRA) and, where applicable, a Data Protection Impact Assessment (DPIA) before transferring personal data to another jurisdiction, especially when the transfer involves biometric or sensitive data.
We implement contractual and technical safeguards to protect your data, including:
a. Standard Contractual Clauses (SCCs) or equivalent legally binding agreements,
b. Adequacy warranties that the recipient provides a level of protection substantially similar to PDPA and GDPR,
c. Restrictions on onward transfer without equivalent safeguards,
d. Mandatory breach notification obligations, and
e. Audit and inspection rights to verify compliance.
- Adequacy of Jurisdictions
Where required by law, we will only transfer personal data to jurisdictions formally recognised as providing adequate protection, or recipients who have implemented legally enforceable obligations consistent with this Policy.
- Explicit Consent and Exceptions
If no adequacy or safeguards are available, we may transfer your personal data only with your explicit consent, after informing you of the possible risks. Limited exceptions may also apply where the transfer is necessary for:
a. The performance of a contract with you,
b. The protection of vital interests (e.g., emergencies), or
c. Compliance with legal or regulatory obligations.
- Your Rights
You may request details about cross-border transfers of your personal data, including the categories of data transferred, the recipient country or organisation, and the safeguards applied.
Our Legal Basis for Processing Personal Data
We process personal data only where we have a lawful basis to do so. Depending on the specific purpose, this may include:
- Consent: for processing sensitive data (including biometrics), marketing communications, or cross-border transfers where required.
- Contractual necessity: where processing is required to provide our services or perform our agreement with you.
- Legal obligation: where we must comply with applicable laws or regulatory requirements.
- Legitimate interests: for purposes such as fraud prevention, service improvement, or security, provided these do not override your fundamental rights and freedoms.
For transparency, we link each processing purpose to a specific lawful basis. For example:
Account registration & authentication | Contractual necessity |
Biometric verification | Explicit consent |
Fraud detection & security monitoring | Legitimate interests |
Legal compliance | Legal obligation |
- Your consent
We rely on your express consent to collect and process your personal data in specific cases, such as when you register for AyeFace services, submit forms on our website, or accept the use of cookies. You may withdraw your consent at any time, although this may affect your ability to access or use certain features of our services. For biometric data, we only process it with your explicit consent and subject to strict safeguards and proportionality assessments.
- Contractual necessity
In many instances, the processing of your personal data is necessary to fulfil our obligations under a contract with you—for example, to provide access to the user portal, process payments, or enable facial recognition services.
- Legitimate interests
We may process your personal data where it is necessary for our legitimate business interests, provided such interests are not overridden by your rights or interests. These legitimate interests include:
a. Improving and personalising our services,
b. Continuing to provide services to users and merchants,
c. Detecting and preventing fraud,
d. Securing our systems and infrastructure, and
e. Supporting internal governance and compliance reviews.
- Legal obligations
We may process your data as necessary to comply with applicable legal requirements, including obligations related to anti-money laundering, tax reporting, and consumer protection.
- Public Interest or Regulatory Requirements
Where required by law or in the exercise of regulatory duties, we may process data for tasks carried out in the public interest, subject to applicable safeguards.
How We Protect Your Personal Data
We have taken security protection measures in line with industry standards to protect the personal data you provide, so as to prevent unauthorized access, loss, misuse, alteration, or destruction of data.
- Access Control and Confidentiality
Access to your personal data is strictly limited to employees, service providers, or agents who need it to provide services on our behalf. All such personnel are subject to strict confidentiality obligations and are trained regularly on safe data-handling practices.
- Encryption and Secure Transmission
Sensitive personal data is encrypted both in transit and at rest using industry-standard encryption protocols. Communication between your device and our servers is secured using HTTPS.
- Biometric Data Safeguards
By default, we store tokenised templates of facial recognition data instead of raw images. These templates are mathematical representations that cannot be reverse-engineered to recreate the original face.
In limited scenarios where raw images must be stored (for example, when required for security verification by regulatory bodies or legal proceedings) this will only be done with your explicit consent, for a clearly defined purpose, and for a limited duration.
All biometric data, whether tokenised or raw (where strictly necessary), is encrypted, access-restricted, and subject to enhanced monitoring and retention controls. Biometric data is deleted or anonymised once it is no longer required for the stated purpose or legal obligation.
- Authentication and Permissions
Our systems support features such as user authentication, secure password management, role-based access control, and activity logging to help prevent unauthorized access or misuse.
- Server and Application Security
We harden our operating systems and infrastructure through regular updates, vulnerability scanning, and patching. Secure protocols (e.g., SSH) are used for server access, and default system credentials are disabled.
- Monitoring and Incident Response
We actively monitor system activity and maintain audit logs to detect suspicious behavior. If a data breach is suspected or detected, we follow a strict incident response process that includes containment, notification, investigation, and remediation. Where required by law, affected individuals and regulators will be notified promptly.
- Data Minimization and Retention
We collect only the data necessary for the stated purposes and retain it only as long as necessary for those purposes or as required by law. When no longer needed, personal data is deleted or anonymized securely.
- User Responsibility
While we take all reasonable precautions to protect your data, no system is completely secure. You are responsible for keeping your login credentials confidential and using only trusted networks and devices.
Your Rights to Personal Data
You have rights over your personal data, which may vary depending on your location and the applicable data protection laws. We are committed to ensuring you can exercise these rights in a timely and transparent manner.
Subject to applicable law, you have the following rights:
- Access: to obtain a copy of the personal data we hold about you.
- Correction: to request that inaccurate or incomplete data be corrected.
- Deletion: to request deletion of your data where it is no longer necessary or where consent has been withdrawn.
- Portability: to receive certain data in a structured, machine-readable format and request that we transfer it to another provider.
- Restriction: to limit how we process your data in certain circumstances.
- Objection: to object to processing based on our legitimate interests, or to direct marketing.
- Withdraw Consent: to withdraw your consent at any time (this will not affect processing carried out before withdrawal).
- Automated Decision-Making: to request human intervention and to contest decisions where processing is based solely on automated means that significantly affect you.
- Access and Correction
You may request:
a. Access to a copy of the personal data we hold about you.
b. Information on how your personal data has been used or disclosed.
c. Correction or updating of your personal data if it is inaccurate, incomplete, or out of date.
To make such a request, please contact us via email to privacy@aye-ai.org. A reasonable administrative fee may apply for access requests, and we will inform you of the fee (if any) before processing your request.
We aim to respond to all access and correction requests within thirty (30) business days. If we are unable to do so within this time frame, we will notify you in writing and inform you of the revised timeline. If we are unable to comply with your request, we will provide you with the reason(s), unless we are legally restricted from doing so.
- Deletion of Personal Data
You may request that we delete your personal data under any of the following circumstances:
a. When the data is no longer necessary for the purpose for which it was collected.
b. When you withdraw your consent (where processing was based on consent).
c. When the data was collected or processed unlawfully.
d. When you cease to use our services or close your account with us.
e. When we are no longer providing products or services to you.
We will respond to your request within thirty (30) business days. Upon approval, we will assess your request and, where valid, delete your personal data from our active systems. Please note that data stored in backups may take additional time to be erased during the next scheduled system update.
- Withdrawal of Consent
You may withdraw your consent to the collection, use, or disclosure of your personal data at any time by submitting a written request to us. Depending on the nature of your request, this may affect your ability to continue using our services.
Upon receiving your request, we may require reasonable time (up to thirty (30) business days) to process your request and notify you of the consequences, including if continued access to our services will no longer be possible.
Please note that withdrawing consent does not affect our right to collect, use, or disclose your data where such processing is permitted or required by applicable law.
- Account Cancellation
You may cancel your AyeFace or employment-related account at any time. After cancellation, we will delete or anonymize your personal data unless retention is required for legal or operational reasons.
- Additional Rights (Where Applicable)
Subject to your jurisdiction, you may also have the right to:
a. Restrict processing of your personal data.
b. Object to processing for specific purposes, including marketing or profiling.
c. Data portability, allowing you to request your data in a structured, machine-readable format.
d. If you are located in the European Union, you also have the right to lodge a complaint with your local data protection authority. Contact details for EU supervisory authorities are available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Retention of Personal Data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements, and to support ongoing service delivery and improvements.
- Duration of Retention
Your data will be retained for the duration of your relationship with us and, where applicable, for a period thereafter to allow us to:
a. Respond to any questions or complaints,
b. Comply with legal obligations,
c. Enforce our contractual rights,
d. Maintain appropriate business and financial records, or
e. Personalise and improve our services, or continue providing our services to users and merchants.
- Data Minimization and Deletion
When personal data is no longer necessary for these purposes, we will:
a. Anonymize or aggregate it so that it can no longer be associated with you, or
b. Securely delete or destroy it from our systems, unless otherwise required by law.
- Backup and Disaster Recovery Copies
While personal data may be deleted from our active systems upon request or at the end of the retention period, it may persist temporarily in our secure backup systems due to system architecture. Backup copies of personal data may also be retained for limited periods consistent with our disaster recovery policies.
Such copies are securely stored, access-restricted, and automatically purged on a rolling basis.
- User-Initiated Account Closure
If you cancel your account or withdraw your consent, we will begin the data deletion process for your account information. Some information may be retained if required by applicable regulations (e.g., anti-money laundering laws, fraud prevention) or internal policies.
- Exceptions and Legal Holds
Where legal, regulatory, or law enforcement obligations require us to preserve specific categories of data, retention may extend beyond the normal schedule until the obligation has been satisfied. During an investigation or litigation, relevant data may be placed on hold and retained until resolution.
Contact Us
You may contact our Data Protection Team if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, using the details below:
Email Address: privacy@aye-ai.org
We aim to respond to all legitimate requests within thirty (30) working days. In some cases, especially if your request is particularly complex or involves a large volume of data, we may take longer. If this occurs, we will notify you accordingly and keep you updated.
Effectiveness Of This Policy and Changes To Policy
This Privacy Policy applies in conjunction with any other terms, notices, or contractual clauses that apply to the collection, use, and disclosure of personal data in connection with our services.
We may update or revise this Privacy Policy from time to time to reflect changes in legal requirements, our business practices, or the features of our services. Any changes will be effective upon publication on our official website or as otherwise communicated to you.
We will not reduce your rights under this Privacy Policy without your explicit consent, where such consent is required by applicable data protection laws.
You are encouraged to review this Privacy Policy periodically. Your continued use of our website, services, or applications after any changes have been made will signify your acceptance of those changes.
Last Updated: 1 October 2025