Privacy Policy
Welcome to Aye Solutions Sdn. Bhd. (“Aye”, “We”, “Us”, or “Our”). We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how We collect, use, disclose, and protect personal data when you interact with Our services, including:
a. Our official website (www.aye-ai.org) (“Official Website”);
b. The AyeFace User Portal, where you can manage your account, payment methods, rewards, and preferences;
c. The AyeFace Merchant Portal, which provides merchants with access to performance insights and customer interaction data;
d. The AyeFace Virtual Terminal, the software on which Customers interact with facial recognition features, place orders, make payments, and interact with the AI components as part of AyeFace services;
e. Any other AyeFace software, application, or service operated by Us.
This Privacy Policy applies to all users who access or use our services, including individual users, merchants, business partners, and website visitors. It outlines the types of data we collect, how we use and share that data, and the choices available to you regarding your personal information.
By using or accessing our services, you agree to the collection and use of information in accordance with this Privacy Policy.
1. HOW WE COLLECT AND USE YOUR PERSONAL DATA
“Personal data” refers to any information, whether stored electronically or otherwise, that can identify you as an individual, either on its own or in combination with other data. We generally do not collect your personal data unless:
i. It is voluntarily provided to us by you or by a third party authorised by you to act on your behalf; and
ii. You (or your authorised representative) have been informed of the purpose of the data collection and provided your consent, or where such collection and use is permitted or required under applicable laws.
We will seek your consent before collecting additional personal data or using your personal data for new purposes, unless permitted or required by law. We collect and use your personal data in connection with the following:
a. When You Visit Our Website
When you browse our official website, we may automatically collect:
i. Technical information, such as your IP address, browser type, operating system, device type, and approximate location;
ii. Usage information, such as the pages you view, the time spent on the site, and your interactions with website features.
This data helps us understand site performance, optimise content, and improve our services.
b. When You Use AyeFace Services
When you register for or interact with AyeFace services, we may collect:
i. Identity and contact information, such as your name, phone number, email address, and device ID.
ii. Biometric data, such as facial recognition tokens (not raw facial images) used to enable AI-driven services and contactless payments.
iii. Payment-related information, such as the DuitNow ID, linked bank or e-wallet accounts, credit or debit card details, and your transaction history.
iv. Interaction data, such as your order preferences, engagement with AyeFace AI prompts, and responses within the Virtual Terminal.
This data is used to personalise your experience, facilitate payments, deliver features, and maintain security.
c. Through the User Portal
If you use the AyeFace User Portal, we may collect and process data related to:
i. Viewing and managing your rewards
ii. Managing payment methods (e.g., adding, linking, or removing DuitNow, e-wallets, and credit/debit cards)
iii. Updating your preferences or profile
iv. Verifying your identity (e.g., via one-time password)
This data enables you to control your own user experience securely.
d. Through the Merchant Portal
If you are a merchant using AyeFace, we collect:
i. Business contact details (e.g., name, business registration number, email address)
ii. Operational data such as store activity, customer engagement metrics, and transaction analytics
This data is used to generate insights, personalise customer interactions, and optimise performance on the AyeFace platform.
e. Through Job Applications or Business Inquiries
If you submit a job application or business inquiry via our website, we may collect:
i. Your name, contact information, company details, and any documentation or resumes you submit
ii. Any feedback or questions you provide through forms or communications
This helps us manage recruitment or respond to partnership opportunities.
f. Use of Anonymised or Aggregated Data
We may also generate aggregated or de-identified data from your personal information for legitimate purposes such as statistical analysis, research, or product development. This data cannot be used to identify you and is not considered personal data under this Policy.
g. Retention after termination
The purposes listed above may continue to apply even after your relationship with us has ended, for a reasonable duration. This includes legal compliance, fraud prevention, or record-keeping as required under applicable regulations.
2. COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies on our website and platforms to improve your experience and enhance the functionality of our services.
a. What are cookies?
Cookies are small text files stored on your browser or device when you visit a website. They allow the site to remember your actions and preferences (such as login status or language settings) over time.
b. Types of cookies we use:
i. Strictly Necessary Cookies are essential for you to browse our website and use its features. They enable core functions such as page navigation and access to secure areas.
ii. Performance and Analytics Cookies collect information about how visitors use our website. This helps us improve performance and user experience.
iii. Functionality Cookies remember your preferences and choices (e.g. region or language), allowing us to customise your experience.
iv. Targeting or Advertising Cookies (where applicable and with your consent) may track browsing habits to deliver relevant ads through third-party services.
c. Managing your cookie preferences:
Most browsers allow you to control cookies through settings. You can usually choose to block or delete cookies, or receive a warning before a cookie is stored. Please note that disabling certain cookies may affect the functionality of our website or services.
d. Third-party cookies:
We may allow trusted third-party services (such as analytics or marketing platforms) to set cookies on our website. These providers are contractually required to comply with data protection standards and may collect data such as device identifiers or browsing history in accordance with their own privacy policies.
3. HOW WE SHARE, TRANSFER, AND PUBLICLY DISCLOSE YOUR PERSONAL DATA
We do not sell or rent your personal data. However, in the course of providing our services and operating our business, we may share, transfer, or disclose your personal data under the following conditions:
a. Sharing
We may share your personal data with:
i. Our affiliates and related companies, only as necessary to deliver, maintain, or improve our services. These entities are bound by confidentiality obligations and privacy standards consistent with this policy.
ii. Third-party service providers, such as cloud hosting, analytics, communication tools, or payment processors, solely for the purpose of performing tasks on our behalf. These providers are contractually required to protect your data and use it only as instructed by us.
iii. Regulatory or law enforcement authorities, if required to comply with legal obligations, enforce our rights, respond to legal process, or protect the safety of users or others.
iv. Other parties, only with your explicit consent or where otherwise permitted by law.
b. Transfers
In the event of a corporate transaction, such as a merger, acquisition, asset sale, or corporate restructuring, your personal data may be transferred as part of that transaction. We will ensure that the recipient of your data continues to handle it in accordance with this Privacy Policy, or otherwise seek your consent where required.
Cross-border data transfers may occur where we or our service providers operate in multiple countries. In such cases, we take appropriate steps to ensure your personal data remains protected, including through:
i. Contractual safeguards such as Standard Contractual Clauses (SCCs), where applicable.
ii. Ensuring that the receiving entity has adequate data protection measures in place.
c. Disclosure
We may only disclose your personal data under the following circumstances:
i. After obtaining your explicit consent; and
ii. It is required by law, legal process, or a lawful request from public authorities.
iii. It is necessary to protect our rights, property, or safety, or that of our users, partners, or the public.
4. OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process your personal data only when there is a valid legal basis to do so. Depending on the context in which your data is collected and used, the legal basis may include:
a. Your consent
We rely on your express consent to collect and process your personal data in specific cases, such as when you register for AyeFace services, submit forms on our website, or accept the use of cookies. You may withdraw your consent at any time, although this may affect your ability to access or use certain features of our services.
b. Contractual necessity
In many instances, the processing of your personal data is necessary to fulfil our obligations under a contract with you—for example, to provide access to the user portal, process payments, or enable facial recognition services.
c. Legitimate interests
We may process your personal data where it is necessary for our legitimate business interests, provided such interests are not overridden by your rights or interests. These legitimate interests include improving our services, detecting and preventing fraud, and ensuring the security and performance of our systems.
d. Legal obligations
We may process your data as necessary to comply with applicable legal requirements, including obligations related to anti-money laundering, tax reporting, and consumer protection.
5. CROSS-BORDER DATA TRANSFERS
To provide our services, we may transfer your personal data to our affiliated companies, service providers, or partners located in other countries. These jurisdictions may have data protection standards that differ from those in your home country. Where required by law, we implement appropriate safeguards to protect your personal data, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful mechanisms that ensure the security and integrity of the data during transfer. You may contact us to request a copy of the relevant safeguards implemented in connection with such transfers.
6. HOW WE PROTECT YOUR PERSONAL DATA
We have taken security protection measures in line with industry standards to protect the personal data you provide, so as to prevent unauthorized access, loss, misuse, alteration, or destruction of data.
a. Access Control and Confidentiality
Access to your personal data is strictly limited to employees, service providers, or agents who need it to provide services on our behalf. All such personnel are subject to strict confidentiality obligations.
b. Encryption and Secure Transmission
Sensitive personal data is encrypted during both transmission and storage using industry-standard encryption protocols. Communication between your device and our servers is secured using HTTPS.
c. Authentication and Permissions
Our systems support features such as user authentication, secure password management, role-based access control, and activity logging to help prevent unauthorized access or misuse.
d. Server and Application Security
We harden our operating systems and infrastructure through regular updates, vulnerability scanning, and patching. Secure protocols (e.g., SSH) are used for server access, and default system credentials are disabled.
e. Monitoring and Incident Response
We actively monitor system activity and maintain audit logs to detect suspicious behavior. If a data breach is suspected or detected, we follow a strict incident response process to assess, contain, and resolve the issue.
f. Data Minimization and Retention
We collect only the data necessary for the stated purposes and retain it only as long as necessary for those purposes or as required by law. When no longer needed, personal data is deleted or anonymized securely.
g. Staff Training and Awareness
We conduct regular training for our staff on data protection responsibilities and safe handling of personal data.
h. User Responsibility
While we take all reasonable precautions to protect your data, no system is completely secure. You are responsible for keeping your login credentials confidential and using only trusted networks and devices.
7. YOUR RIGHTS TO PERSONAL DATA
You have rights over your personal data, which may vary depending on your location and the applicable data protection laws. We are committed to ensuring you can exercise these rights in a timely and transparent manner.
a. Access and Correction
You may request:
i. Access to a copy of the personal data we hold about you.
ii. Information on how your personal data has been used or disclosed.
iii. Correction or updating of your personal data if it is inaccurate, incomplete, or out of date.
To make such a request, please contact us via the contact details listed in the “Contact Us” section. A reasonable administrative fee may apply for access requests, and we will inform you of the fee (if any) before processing your request.
We aim to respond to all access and correction requests within thirty (30) business days. If we are unable to do so within this time frame, we will notify you in writing and inform you of the revised timeline. If we are unable to comply with your request, we will provide you with the reason(s), unless we are legally restricted from doing so.
b. Deletion of Personal Data
You may request that we delete your personal data under any of the following circumstances:
i. When the data is no longer necessary for the purpose for which it was collected.
ii. When you withdraw your consent (where processing was based on consent).
iii. When the data was collected or processed unlawfully.
iv. When you cease to use our services or close your account with us.
v. When we are no longer providing products or services to you.
We will respond to your request within thirty (30) business days. Upon approval, we will assess your request and, where valid, delete your personal data from our active systems. Please note that data stored in backups may take additional time to be erased during the next scheduled system update.
c. Withdrawal of Consent
You may withdraw your consent to the collection, use, or disclosure of your personal data at any time by submitting a written request to us. Depending on the nature of your request, this may affect your ability to continue using our services.
Upon receiving your request, we may require reasonable time (up to thirty (30) business days) to process your request and notify you of the consequences, including if continued access to our services will no longer be possible.
Please note that withdrawing consent does not affect our right to collect, use, or disclose your data where such processing is permitted or required by applicable law.
d. Account Cancellation
You may cancel your AyeFace or employment-related account at any time. To do so, please contact us using the contact information in Clause 20. After cancellation, we will delete or anonymize your personal data unless retention is required for legal or operational reasons.
e. Additional Rights (Where Applicable)
Subject to your jurisdiction, you may also have the right to:
i. Restrict processing of your personal data.
ii. Object to processing for specific purposes, including marketing or profiling.
iii. Data portability, allowing you to request your data in a structured, machine-readable format.
iv. Lodge a complaint with a data protection authority if you believe your data rights have been violated.
8. RETENTION OF PERSONAL DATA
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including the provision of our services, compliance with legal, regulatory, tax, accounting, or reporting requirements, and the resolution of disputes.
a. Duration of Retention
Your data will be retained for the duration of your relationship with us and, where applicable, for a period thereafter to allow us to:
i. Respond to any questions or complaints,
ii. Comply with legal obligations,
iii. Enforce our contractual rights, or
iv. Maintain appropriate business and financial records.
b. Data Minimization and Deletion
When personal data is no longer necessary for these purposes, we will:
i. Anonymize or aggregate it so that it can no longer be associated with you, or
ii. Securely delete or destroy it from our systems, unless otherwise required by law.
c. Backup Systems
While personal data may be deleted from our active systems upon request or at the end of the retention period, it may persist temporarily in our secure backup systems due to system architecture. Such data will also be deleted in the next scheduled backup purge cycle.
d. User-Initiated Account Closure
If you cancel your account or withdraw your consent, we will begin the data deletion process for your account information. Some information may be retained if required by applicable regulations (e.g., anti-money laundering laws, fraud prevention) or internal policies.
9. CONTACT US
You may contact our Data Protection Team if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, using the details below:
Email Address: privacy@aye-ai.org
We aim to respond to all legitimate requests within thirty (30) working days. In some cases, especially if your request is particularly complex or involves a large volume of data, we may take longer. If this occurs, we will notify you accordingly and keep you updated.
10. EFFECTIVENESS OF THIS POLICY AND CHANGES TO POLICY
This Privacy Policy applies in conjunction with any other terms, notices, or contractual clauses that apply to the collection, use, and disclosure of personal data in connection with our services.
We may update or revise this Privacy Policy from time to time to reflect changes in legal requirements, our business practices, or the features of our services. Any changes will be effective upon publication on our official website or as otherwise communicated to you.
We will not reduce your rights under this Privacy Policy without your explicit consent, where such consent is required by applicable data protection laws.
You are encouraged to review this Privacy Policy periodically. Your continued use of our website, services, or applications after any changes have been made will signify your acceptance of those changes.
Last updated: 07/07/2025