PRIVACY POLICYSMART ROUTING PTE. LTD. (SG)

This Privacy Policy (“Policy”) aims to provide clear and comprehensive information about how SMART ROUTING PTE. LTD. ("SMART ROUTING", operating globally as “YUNO”), incorporated in Singapore under UEN 202438195M and located at 1 Raffles Place, #34-04, One Raffles Place, Singapore (048616), handles the Processing of Personal Data in connection with the use of its services in compliance with Applicable Legislation, especially Singapore’s Personal Data Protection Act (PDPA) and applicable international standards.

By using YUNO’s Software-as-a-Service platform, which integrates different types of existing payment methods, anti-fraud providers, and other industry solutions (hereinafter the "Services")  the individual or entity accessing or utilizing the Services as the data subject to whom the Personal Data relates (“User” or “Data Subject”) acknowledges and consents to the terms outlined in this Policy. If the User does not agree, they should refrain from using the Services. The User is responsible for regularly reviewing this Policy for any updates or modifications.

‍

1. GENERAL PROVISIONS

1.1 Applicable Legislation. This Policy incorporates and is governed by the provisions of Singapore’s Personal Data Protection Act 2012 (“PDPA”) and aligns with international standards including but not limited to ISO/IEC 27001 for information security management and relevant cybersecurity frameworks, where applicable. YUNO is committed to Processing Personal Data responsibly and in compliance with these regulations, including ensuring appropriate safeguards during international data Transfers.

1.2 Scope of Application. This Policy applies to all Personal Data processing activities involving the Processing of Personal Data carried out by YUNO or its designated entities in their capacity as Data Controllers or Data Intermediaries under Applicable Legislation.

‍

1.3 Definitions. The following definitions apply to this Policy and should be interpreted consistently across singular or plural uses:

‍

1. YUNO: SMART ROUTING PTE. LTD. and its designated third-party service providers, subcontractors, or affiliates authorized to Process Personal Data on behalf of YUNO , operating globally and acting as a Data Controller or Data Intermediary in the handling of Personal Data, as applicable under Applicable Legislation. 

2. Consent: Express, deemed, or implied authorization given by the User for the Processing of Personal Data for specific purposes, as defined under Sections 13-15A of the PDPA.

3. Deemed Consent. Consent that an organization can deem an individual to have given in certain circumstances, as defined under Sections 15 and 15A of the PDPA. YUNO may rely on Deemed Consent under Sections 15 and 15A of the PDPA. This includes scenarios where Consent is inferred from the voluntary provision of Personal Data or where it is necessary to fulfill a contractual obligation. Additionally, Deemed Consent applies when Processing is necessary for legitimate business purposes and YUNO has assessed that these purposes do not override the User’s fundamental rights or freedoms.

4. Personal Data: Information or data relating to an identified or identifiable natural person.

5. Sensitive Data: Information or data revealing racial or ethnic origin, religious beliefs, political opinions, health data, sexual orientation, or biometric details, as defined by the Applicable Legislation and PDPA.

6. Processing: Any operation performed on Personal Data, including collection, storage, management, use, disclosure, or deletion.

7. Transfer: The movement of Personal Data from YUNO to a third party, within or outside Singapore.

8. Sharing: The communication or availability of Personal Data between the Controller/Intermediary and third parties.

1.4 Objective. This Policy aims to establish clear guidelines and regulate the procedures related to the overall Processing of Personal Data by YUNO, ensuring the protection and respect of Users’ rights and maintaining transparency in data handling practices.

‍

1.5 Principles. The following principles serve as the foundation for compliance with this Policy:

‍

1. Purpose Limitation: Personal Data must be processed for legitimate, specific, and clearly informed purposes consistent with Singapore’s regulatory framework and international best practices and disclosed transparently.

2. Data Accuracy: Personal Data Processed must be accurate, complete, clear, relevant, and updated regularly where necessary. Processing incomplete or misleading Personal Data is strictly prohibited.

3. Transparency: Users have the right to obtain information about the existence, Processing, and specifics of their Personal Data at any time.

4. Security: Processing activities must implement reasonable security arrangements to protect Personal Data against unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

5. Confidentiality: All individuals involved in Processing Personal Data must adhere to confidentiality obligations during and after their engagement with YUNO.

1.6 Legal Bases for Data Processing. YUNO processes Personal Data under the following legal bases and justifications:

‍

1. Consent: Where the User has explicitly authorized specific Processing activities, to the Controller, Joint Controllert or the Processor.

2. Legal or Regulatory Compliance: Where Processing is required to fulfill obligations under Singaporean or international laws and regulations.

3. Contractual Necessity: Where Processing is essential to execute a contract or comply with pre-contractual arrangements requested by the User.

4. Legitimate Interests: Where Processing is necessary for YUNO’s legitimate business interests, provided such interests do not override the fundamental rights and freedoms of the User. Assessments are conducted to ensure compliance.

5. Protection of Vital Interests: Where Processing is required to protect the life or physical integrity of the User or other individuals.

1.7 Purposes of Data Processing. YUNO Processes Personal Data for the following purposes:

‍

1. Service Provision: Yuno's provision of its Services.

2. Regulatory Compliance: Ensuring adherence to legal and regulatory obligations.

3. Communication: Notifying Users of updates, security alerts, or relevant service modifications.

4. Business Development: Conducting analytics, improving services, and managing partnerships.

5. Security and Fraud Prevention: Protecting against fraudulent activities and ensuring secure transactions
   ‍

2. RIGHTS OF USERS

2.1 Rights of Users. Users whose Personal Data is held within YUNO’s databases are entitled to the following rights, as established under Singapore’s Personal Data Protection Act (PDPA):

1. Right to Access. Users have the right to obtain information regarding their Personal Data, including the purposes for which it is processed, the location of databases, and any Sharing or Transfers of their data.

2. Right to Correction. Users may request updates to their Personal Data whenever there are changes to ensure accuracy and relevancy.

3. Right to Accuracy and Completeness. Users have the right to correct inaccurate, incomplete, or outdated Personal Data.

4. Right to Withdrawal of Consent. Users may withdraw Consent for Processing their Personal Data, subject to legal or contractual requirements mandating continued Processing.

5. Right to Portability. Users may request that their Personal Data be Transferred to another data controller, provided such Transfer is technically feasible and carried out in a structured format as prescribed under the PDPA.

6. Right to Lodge Complaints. Users may submit complaints to the Personal Data Protection Commission (PDPC) or other relevant authorities if they identify breaches of data protection laws.

‍

2.2 The exercise of these rights shall be free of charge and without limitation, exclusively carried out by the User in accordance with Clause 4.1., except as otherwise prescribed by law.

‍

3. YUNO’S OBLIGATIONS

3.1 Obligations of YUNO as a Data Controller. YUNO, in its capacity as a Data Controller of Personal Data, assumes the following responsibilities:

‍

3.1.1 Guaranteeing Rights: Ensure Users can fully and effectively exercise all rights outlined in this Policy and Applicable Legislation.

‍

3.1.2 Consent: Obtain, document, and maintain Consent provided by the Users, where required, in compliance with legal requirements.

‍

3.1.3 Informed Purpose: Clearly inform the User about the specific purpose for collecting and Processing their Personal Data.

‍

3.1.4 Security: Implement and maintain technical and administrative security measures to safeguard Personal Data from alteration, loss, access, use, or unauthorized consultation.

‍

3.1.5 Accuracy of Information: Ensure that Personal Data shared with processors or third parties is accurate, complete, and up-to-date.

‍

3.1.6 Updates: Promptly update information related to Personal Data and notify the relevant processor or third party of such updates.

‍

3.1.7 Corrections: Correct any inaccurate information and notify the processor about the rectifications made.

‍

3.1.8 Prior Authorization: Only provide processors with Personal Data authorized by the User or permitted by Applicable Legislation.

‍

3.1.9 Security Standards for Processors: Require that processors adopt adequate security and privacy measures when handling shared Personal Data.

‍

3.1.10 Complaint Processing: Handle inquiries and complaints from Users in accordance with the terms of this Policy and Applicable Legislation.

‍

3.1.11 Disputes Regarding Personal Data: Inform processors of any disputes or controversies related to Personal Data under Processing.

‍

3.1.12 Compliance with the PDPC: Promptly comply with determinations, requests, or guidelines issued by the Personal Data Protection Commission (PDPC).

‍

3.2 Obligations of YUNO as a Data Processor. When acting as a Data Processor, YUNO assumes the following responsibilities:‍

‍

3.2.1 Guaranteeing Rights: Ensure that the User’s rights are fully respected and upheld in compliance with the Controller’s instructions and Applicable Legislation.

‍

3.2.2 Secure Storage: Store Personal Data under appropriate technical and organizational conditions to protect against unauthorized access, loss, alteration, or misuse.

‍

3.2.3 Updating, Correcting, and Deleting Data: Update, correct, or delete Personal Data promptly as directed by the Controller.

‍

3.2.4 Notification of Updates: Notify the Controller of any changes made to Personal Data within five (5) business days of receiving such a request or update.

‍

3.2.5 Restricted Access: Ensure that access to Personal Data is limited to authorized individuals and exclusively for purposes instructed by the Controller.

‍

3.2.6 Compliance with the PDPC: Fully comply with all determinations, requests, or guidelines issued by the Personal Data Protection Commission (PDPC), adhering to the Processor’s role and the Controller’s instructions.

‍

3.3 Personal Data Collected. YUNO may collect the following categories of Personal Data, as applicable:

‍

3.3.1 Personal Information: Full name, identification number, address, country of residence, nationality, marital status, date of birth, date of employment or contract initiation, gender, mobile phone number, and email address (personal and business).

‍

3.3.2 Banking and Financial Information: Bank account details, financial institution, account type, debit or credit card information, account numbers, and transaction data (e.g., merchant name, transaction date, and amount).

‍

3.3.3 Professional and Educational Information: Job title, education level, and affiliation with employee benefits entities such as insurance providers, health agencies, or compensation funds. 

‍

3.3.4 Other Information: Any additional Personal Data provided by the User, depending on the forms or processes completed.

‍

3.4 When and if YUNO collects sensitive Personal Data, such as information on racial or ethnic origin, religious beliefs, health conditions, sexual orientation, or biometric data, it communicates the specific purposes to the User and explicitly obtains Consent unless otherwise permitted under Section 17 of the PDPA. Providing Sensitive Data is optional unless required by law or necessary for contractual obligations.

‍

3.5 Transmission of Personal Data. YUNO ensures that Personal Data transmissions to third parties comply with internal policies and PDPA requirements. Such transmissions are made to fulfill contractual obligations or delegate Processing activities. Third parties are contractually obligated to implement adequate security measures in accordance with Section 24 of the PDPA. For cross-border Transfers, YUNO implements safeguards under Section 26 of the PDPA, ensuring comparable protection levels.

‍

3.6 Transfer of Personal Data. When Transferring Personal Data within or outside Singapore, YUNO ensures the preservation of Users rights. Transfers outside Singapore occur only after obtaining consent, unless exemptions under Section 26 of the PDPA apply, such as when necessary for contractual purposes. Legally enforceable mechanisms, like binding corporate rules or contractual clauses, are used to ensure protection. The receiving entity ensures comparable data protection standards‍

‍

3.7 Data Retention Scope. YUNO retains Personal Data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal or regulatory obligations. Once no longer needed or upon expiration of retention periods, Personal Data shall be securely deleted or anonymized, as required by Section 25 of the PDPA.

‍

3.8 Processing Personal Data of Minors. YUNO processes minors’ (“children” under 18 years) Personal Data in compliance with Section 13(3) of the PDPA, obtaining verifiable parental or legal guardian Consent. Processing is strictly limited to necessary purposes, ensuring children’s rights are safeguarded.‍

‍

3.9 Confidentiality. YUNO restricts access to Personal Data to authorized personnel or third parties with a legitimate purpose. Disclosures required by law or court order comply strictly with Section 21 of the PDPA and are limited to what is necessary.‍

‍

3.10 Communication of Personal Data. YUNO may disclose Personal Data to entities in its corporate group, including Yuno Colombia S.A.S., Yuno Intermediacao de Servicios Ltda. and Yuno Tecnologias S.A.P.I. de C.V., or with trusted partners for legitimate business purposes, such as payment processing. Robust safeguards, including contractual obligations and technical measures, ensure compliance with the PDPA.‍

‍

3.11 Security. YUNO implements strong security measures, including encryption for data in transit and at rest, regular security audits to assess and mitigate potential risks, firewalls, and intrusion detection, to safeguard Personal Data. Certified under Payment Card Industry Data Security Standard (PCI DSS) ensuring the secure Processing of payment-related data, YUNO ensures data protection at the highest levels. Access is restricted to authorized personnel on a need-to-know basis, and confidentiality agreements are enforced.‍

‍

3.12 YUNO adopts measures to safeguard the Personal Data of Users both online and offline. Whenever sensitive or confidential information is processed, the following security protocols apply: robust network security protocols, stringent access controls, and adherence to industry standards such as Payment Card Industry Data Security Standard (PCI DSS), ensuring high levels of protection.‍

‍

3.13 To maintain data integrity, only authorized employees or third parties with verified roles will access information, restricted to the specific activities requiring such access. YUNO's servers are hosted in secure environments, complying with Singapore’s PDPA requirements for ensuring reasonable security arrangements under Section 24 of the Act​. The Users are aware that their data may be processed on servers located either within Singapore or internationally, provided that any cross-border Transfers comply with Section 26 of the PDPA, ensuring a comparable level of data protection​.

‍

‍3.14 Mechanisms for Obtaining Consent. Consent from Users will be collected through clear and accessible formats, such as electronic documents, physical forms, or other means that allow for subsequent reference. YUNO guarantees transparency in its processes, ensuring that Users are fully aware of this Policy and their rights under it.

‍

3.15 Proof of Consent. YUNO maintains verifiable records of when and how Consent was obtained. These records are securely stored and comply with Section 12(d) of the PDPA, which requires organizations to implement policies and practices necessary to comply with the Act​. 

‍

4. PROCEDURES TO ENSURE THE EXERCISE OF USERS’ RIGHTS

4.1 Addressing Inquiries and Complaints. For any questions related to this Policy or the exercise of rights under Singapore’s PDPA, Users may contact YUNO via email at privacy@y.uno. This channel is managed by designated teams responsible for ensuring the protection of Users rights in compliance with the PDPA.‍

‍

4.2 Procedure for Inquiries. Users or their authorized representatives may submit inquiries regarding their Personal Data stored in YUNO’s databases, either in writing or through electronic means specified above. YUNO guarantees the right to access and will provide all relevant information associated with the Users. Inquiries will be responded to within ten (10) business days of receipt. If YUNO is unable to meet this timeframe, the User will be informed of the reason for the delay and provided a new resolution date, which will not exceed five (5) additional business days.‍

‍

4.3 Procedure for Complaints.   Users or their representatives who believe that the information contained in YUNO’s databases is incorrect, outdated, or should be deleted—or who identify non-compliance with any legal provisions or this Policy—may submit a formal complaint. The complaint must include:
(i) Identification of the Users;
(ii) A detailed description of the facts supporting the complaint;
(iii) Contact details for notifications; and
(iv) Supporting documents substantiating the complaint.

If the complaint is incomplete, the User will be notified to amend it within five (5) business days. Failure to do so will result in the complaint being considered withdrawn. Complete complaints will be addressed within fifteen (15) business days. If resolution within this timeframe is not feasible, YUNO will provide the reason for the delay and a new resolution date, which will not exceed eight (8) additional business days.‍

‍

4.4 Escalating Complaints to the PDPC. Before lodging a complaint with the Personal Data Protection Commission (PDPC), Users or their representatives are required to exhaust YUNO’s internal inquiry and complaint procedures.‍

‍

4.5 Data Breach Notification. YUNO commits to notifying Users and the PDPC of any security incident that may result in harm or risk to Personal Data, as required by Section 26D of the PDPA. Notifications will be made promptly and within three (3) calendar days of determining that the breach is notifiable. Users will be informed reasonably and provided with sufficient details of the breach, except where exemptions apply, such as instructions from law enforcement or when technological safeguards mitigate risks.

‍

5. PURPOSE AND VALIDITY OF THE POLICY

5.1 Purpose and Validity of the Policy. YUNO processes Personal Data to support its employment, commercial, contractual, and financial activities, as well as operations aligned with its corporate objectives. This includes collecting Personal Data for inclusion in databases, facilitating transactional flows among parties in the payment process, and assisting with transaction processing. It is also used to provide contracted services, authenticate data to mitigate fraud, and send promotional communications. Additional purposes include developing new products or services, conducting administrative operations, issuing tax and accounting documents, managing human resources, executing contracts, utilizing data for internal or commercial purposes, researching and improving services, and fulfilling legal obligations. These activities are conducted in compliance with Section 18 of the PDPA, ensuring all purposes are reasonable and appropriate.‍

‍

5.2 Effect. This Policy takes effect as of its publication date. The retention period for Personal Data adheres to the principles of purpose limitation and retention minimization, as outlined in Section 25 of the PDPA. Personal Data is retained only as long as necessary to fulfill the purposes for which it was collected or to meet legal and business obligations, after which it is securely deleted or anonymized.‍

‍

5.3 Updated and Editions. YUNO reserves the right to amend or revise this Policy as required. The most recent version will always be available on YUNO’s website, and significant updates will be communicated to Users appropriately. This Policy is subject to annual review and regular updates. The most recent version is accessible at https://www.y.uno/privacy.‍

‍

5.4 Data Protection Officer. To oversee compliance with the PDPA, YUNO has designated a Data Protection Officer (DPO). The DPO can be contacted at privacy@y.uno for inquiries or concerns related to this Policy.