Last Updated: 1 October 2025
Aye Global Holdings Pte. Ltd. and its subsidiaries (collectively "Aye", "we", "our", or "us") are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with AyeFace services, and describes the rights you have with respect to your data.
This Policy applies to users of AyeFace applications, merchants and partners onboarded to the AyeFace platform, and visitors to our websites. By accessing or using AyeFace, you acknowledge that you have read and understood this Policy.
"Personal Data" means any information that relates to an identified or identifiable individual, including but not limited to name, identification number, biometric data, contact information, financial information, and behavioural data.
"Biometric Data" means facial recognition templates and related measurements derived from facial images, processed solely for identity verification and authentication within AyeFace.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.
"Data Subject" means any identified or identifiable natural person whose Personal Data is processed by Aye.
"Merchant" means any business entity that has contracted with Aye to accept payments and use AyeFace services at their point of sale.
"AyeFace Platform" means the collective software, APIs, applications, and associated services provided by Aye for biometric payment, loyalty, and AI-driven CRM features.
Data We Collect from Users: Identity data (full name, NRIC/passport number, date of birth); biometric data (facial recognition templates derived from facial scans); contact data (mobile number, email address); payment data (tokenised payment credentials, DuitNow IDs, transaction history); device data (device identifiers, operating system, IP address); behavioural data (purchase history, loyalty points, preferences, AI-generated insights).
Data We Collect from Merchants: Business registration information; authorised representative identity data; contact and billing information; POS device data; transaction records and performance metrics.
How We Use Your Data: To provide, operate, and improve AyeFace services; to verify your identity and authenticate transactions; to process payments and manage loyalty programmes; to personalise your experience through AI-driven recommendations; to comply with legal and regulatory obligations; to detect and prevent fraud and unauthorised access; to communicate service updates, promotions, and compliance notices; and to conduct research and analytics to improve our platform.
We collect data directly from you (registration, onboarding); automatically (device and usage data via the AyeFace application and POS terminals); from merchants (transaction and interaction data when you use AyeFace at their premises); and from third parties (payment processors, identity verification partners, and fraud prevention services).
Our websites and applications may use cookies, pixel tags, local storage, and similar tracking technologies to recognise your device, remember preferences, measure the effectiveness of communications, and analyse usage patterns.
Essential cookies are necessary for the platform to function and cannot be disabled. Analytics cookies help us understand how users interact with our services so we can improve them. Preference cookies allow us to remember your settings and choices.
You may control cookie preferences through your browser settings or our cookie preference centre. Note that disabling certain cookies may affect the functionality of AyeFace services. For mobile applications, similar device-level tracking may apply and can be managed through your device operating system settings.
Within the Aye Group: Personal data may be shared among Aye Global Holdings Pte. Ltd. and its subsidiaries for operational, administrative, and service delivery purposes, subject to this Policy.
With Merchants: We share only your store activity (transaction amounts, points earned, rewards redeemed) with the merchant where the transaction occurred. We do not disclose your identity, biometric data, or payment credentials to merchants.
With Service Providers: We engage trusted third-party providers for cloud hosting, payment processing, identity verification, fraud prevention, analytics, and customer support. These providers are bound by data processing agreements and are permitted to use your data only as directed by Aye.
For Legal Compliance: We may disclose personal data where required by applicable law, court order, regulatory authority, or to protect the rights, property, or safety of Aye, its users, or the public.
Corporate Transactions: In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to continued protection under equivalent terms.
We do not sell personal data to third parties for their own marketing purposes.
Aye operates across Southeast Asia and may transfer personal data to jurisdictions outside your home country, including Singapore, Malaysia, and other locations where our service providers operate.
Where personal data is transferred across borders, we ensure that appropriate safeguards are in place, such as standard contractual clauses, adequacy decisions, or binding corporate rules, in accordance with applicable data protection laws including the Malaysian Personal Data Protection Act 2010 (PDPA), Singapore PDPA, and GDPR where applicable.
By using AyeFace services, you consent to the transfer of your personal data to our processing locations as described in this Policy. We will always ensure that cross-border transfers are subject to protections at least equivalent to those in your home jurisdiction.
We process personal data on the following legal bases:
Consent: For biometric data collection, marketing communications, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Contractual Necessity: To provide AyeFace services, process payments, and fulfil our obligations to users and merchants under applicable Terms and Conditions.
Legal Obligation: To comply with applicable laws and regulations, including anti-money laundering (AML), know-your-customer (KYC), and financial reporting requirements.
Legitimate Interests: For fraud prevention, security, service improvement, analytics, and network integrity, where these interests are not overridden by your data protection rights.
For special categories of data (biometric data), we rely on explicit consent and applicable exemptions under data protection law.
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction.
Technical measures include: AES-256 encryption for data at rest; TLS 1.2+ encryption for data in transit; biometric template tokenisation — raw facial images are not stored; multi-factor authentication for platform access; Presentation Attack Detection (PAD) compliant with ISO/IEC 30107; regular penetration testing and vulnerability assessments; and SOC 2-aligned infrastructure controls.
Organisational measures include: role-based access controls (least privilege); mandatory data privacy training for all staff; data processing agreements with all third-party providers; incident response and breach notification procedures; and regular privacy impact assessments for new features.
In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant authorities in accordance with applicable law.
Subject to applicable law, you have the following rights regarding your personal data:
Right of Access: Request a copy of the personal data we hold about you.
Right to Correction: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data where there is no legitimate ground for continued processing.
Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
Right to Data Portability: Receive your personal data in a structured, machine-readable format where processing is based on consent or contract.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Withdraw consent for biometric data processing or marketing at any time without penalty.
To exercise your rights, contact us at dpo@aye-ai.org or through the AyeFace User Portal. We will respond within 30 days. Requests may be subject to identity verification. You also have the right to lodge a complaint with your local data protection authority.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
User account data is retained for the duration of your account and for 7 years after account closure for legal and audit compliance. Biometric templates are deleted within 30 days of account closure or consent withdrawal. Transaction records are retained for 7 years to satisfy financial regulatory requirements. Marketing data is retained until you withdraw consent or opt out.
Where data is no longer required, we securely delete or anonymise it in accordance with our data retention schedule. Anonymised, aggregated data may be retained indefinitely for research and analytics purposes.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:
Data Protection Officer
Aye Global Holdings Pte. Ltd.
Email: dpo@aye-ai.org
For complaints or concerns: complaints@aye-ai.org
We are committed to resolving data privacy concerns promptly. If you are not satisfied with our response, you may escalate to the relevant data protection authority in your jurisdiction.
This Privacy Policy is effective as of 1 October 2025. We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Material changes will be communicated to you via in-app notification, email, or prominent notice on our website at least 14 days before taking effect. Your continued use of AyeFace services after the effective date of any update constitutes acceptance of the revised Policy.
We encourage you to review this Policy periodically. The "Last Updated" date at the top of this page indicates when the Policy was most recently revised.