Secure Payment Privacy Notice

Secure Payment Privacy Notice

Effective date: February 6, 2025

Update Summary

Main Body

Thank you for using Secure Payment. Secure Payment ("Secure Payment", the "App", or the "Service") is a payment app provided by HEYTAP PTE. LTD. ("we", "us", or "our", registered at 138 Market Street #15-03 Capitagreen, Singapore 048946).

We attach great importance to the protection of your personal information and privacy. We also fully understand the importance of personal information to you. That is why we have developed this Secure Payment Privacy Notice ("Privacy Notice") in accordance with applicable laws, regulations, and national standards. When you use our accounts, websites, mobile apps, or other products and services, we may collect, store, use, process, transmit, share, disclose, or delete (collectively, "process") your personal information. In this Privacy Notice, "personal information", or "personal data", refers to all information that can be used alone or in combination with other information to identify a natural person.

This Privacy Notice explains how we process your personal information, the categories of personal information we process about you during your use of Secure Payment, the purposes and methods of processing such information, your rights to such information, the methods by which you can exercise such rights, and the security measures we use to protect personal information.

Before using the App, please carefully read this Privacy Notice, with special attention to the terms highlighted in bold, to understand our practices regarding the processing and protection of your personal information. By launching Secure Payment, you acknowledge that you fully understand the collection and use of your personal information and your rights described below. If you do not agree to the terms of this Privacy Notice, you can exit or shut down the App, which will make us unable to provide you with services related to Secure Payment.

This Privacy Notice is divided into the following parts:

1. How We Collect and Use Your Personal Information
2. How We Use Cookies and Similar Technologies
3. How We Retain Your Personal Information
4. How We Share, Transfer, or Publicly Disclose Your Personal Information
5. How We Protect Your Personal Information
6. Your Rights to Your Personal Information
7. How We Process Children's Personal Information
8. Third-Party Service Providers and Their Services
9. How Your Personal Information Is Transferred Across Borders
10. How This Privacy Notice Is Updated
11. Contact Us

Appendixes: Country or Region-Specific Privacy Notices

1. India-Specific Privacy Notice (DPDPA-based Terms)

A. General Terms

1. How We Collect and Use Your Personal Information

The personal information we collect depends on the context of your interactions with us and the choices you make, including your privacy settings and the products and features you use. The features or services provided in the App may vary according to the countries or regions where our products are made available and the operating system or App version in use. Therefore, the features and services available to you are subject to the product you use, which determines the processing of your personal information.

You are not obliged to provide personal information to us. If you choose not to provide the personal information necessary for the App to provide the required services, we may not be able to provide you with such services, nor will we be able to respond to or deal with the problems you may encounter. We collect personal information to operate more efficiently and provide you with the best possible user experience. The following describes in detail what personal information we collect as well as how and why we collect and use such information.

We collect information about you in three primary ways:

• Directly from you
• From your use of the App
• From third parties

If the following clauses explicitly state that your relevant information is only kept locally, then the information is only collected and processed locally on your device and it will not be uploaded to our servers, which means such information is not bound by this Privacy Notice. This is to address any privacy concerns you may have and provide transparency about our processing of personal information.

Please note that if you provide other people's personal information to us, you must ensure that you have obtained their authorization.

Depending on the App features you use, we may collect the following personal information about you.

1.1 Information directly from you or automatically from your use of the App

1.1.1 Account information

Depending on your phone brand, model, and region settings, you may need to use our HeyTap Account or OnePlus Account. You can create and sign in to a HeyTap Account or OnePlus Account to use the App. You can also choose to use the App as a guest by not signing in to an account.

To ensure normal payment processing, we may need to access your HeyTap Account or OnePlus Account, along with the OAID and masked phone number linked to your account, in certain scenarios. If you do not provide the aforementioned information, we will not be able to provide you with payment services. For more details on the protection of personal information needed for HeyTap Account creation and sign-in, please refer to the HeyTap Privacy Notice.

For certain device models, a OnePlus Account can or must be used to use payment services. For details, please refer to the OnePlus Privacy Notice. Please note that the data generated during your use of payment services will not be synced between your OnePlus Account and HeyTap Account.

After you sign in to your account, we will collect your account ID to allow you to complete a payment.

1.1.2 Payment account and bank card information

To provide you with basic and quick payment services, we will collect your payment account information, including your  Account ID, the number and validity period of your bank card that you use to pay, and your payment account ID.

1.1.3 Device-related information

To provide you with basic payment services, optimize the payment screen, and control payment risks, we will collect information relating to your device, including its identifier (GAID or GPID), model, operating system version, language setting, country/region setting, and information displayed on its screen.

1.1.4 App usage data

To provide you with basic payment services and optimize your payment experience, we will collect information about the apps you use, such as the version of the App, information about apps installed on your device and their developers, IAP, and the days when you are active.

1.2 Information obtained from third parties

Depending on the services and features provided by the App and where permissible by law, we may obtain data about you from public or commercial sources and combine that information with other information that we have received or that relates to you. For example, to provide you with basic and quick payment services, we will collect data about your HeyTap Account activity on the products provided by our affiliates or third parties that are accessible with your HeyTap Account (the sign-in address and time, the duration, etc.) and other data that you have authorized to be shared, as well as the number of the bank card you use to pay, the validity period of that bank card, and your payment account ID.

We will use your personal information solely for the purposes stated in this Privacy Notice. Your personal information will only be used for the purposes identified, described, and authorized by you at the time of collection. We will obtain your prior consent if we intend to use your personal information for any purpose not stated in this Privacy Notice or when personal information collected for a specific purpose is used for other purposes. Without your consent, we will not provide your personal information or behavioral data to any third party.

2. How We Use Cookies and Other Similar Technologies

Currently, Secure Payment does not use cookies or any other similar technologies to collect or store user preferences or any information about you.

3. How We Retain Your Personal Information

The personal information we collect will be retained for the minimum period needed to fulfill the purposes for which it is collected as described in this Privacy Notice, unless otherwise specified by applicable laws and regulations. Pursuant to relevant laws, we will delete or anonymize your personal information upon the expiration of the retention period.

If we discontinue some or all of our products or services for any particular reason, we will promptly inform you and stop the collection and processing of your personal information in connection with such products or services. We will also delete or anonymize any such information in our possession unless otherwise specified by laws and regulations.

4. How We Share, Transfer, or Publicly Disclose Your Personal Information

Upon your request or for the purpose of providing you with the products or services you request, we may, from time to time, share, transfer, or disclose your personal information with or to our affiliates and strategic partners, including our payment service providers. In addition, we will require such third parties to take appropriate confidentiality and security measures during their processing of your personal information by means of agreements or other appropriate measures.

• Our affiliates. For the purpose of providing services to you, we may share your personal information with our affiliates. We will only share the necessary personal information. If we or our affiliates intend to change the purpose for which your personal information is used and processed, we will obtain your authorization or consent again.
• Our authorized partners. Some of our services will be provided by our authorized partners only for the purposes stated in this Privacy Notice. We may share some of your personal information with such partners to provide services to you and improve your user experience. For example, we may rely on service providers to send you SMS messages or verification codes and to identify and provide mailing services.
• Any organization involved in a merger, acquisition, or bankruptcy liquidation. When we are in the process of a merger, acquisition, or bankruptcy liquidation, and if such process requires the transfer of your personal information, we will request the new company or organization that holds your personal information to continue to be bound by this Privacy Notice; otherwise, we will require this company or organization to obtain your authorization or consent again. If the process does not involve the transfer of personal information, we will adequately inform you and delete or anonymize all your personal information under our control.
• Any entity to which you authorize us to disclose your personal information.
• Any entity to which we are legally required to disclose your personal information. For example, when we are required to comply with subpoenas or other legal procedures, litigations, or mandatory requirements of government authorities, we may disclose your personal information if we sincerely believe that disclosure is necessary to protect our rights, ensure your safety or the safety of others, investigate fraud, or respond to government requests.

5. How We Protect Your Personal Information

5.1 Our Data Protection Measures

We adopt technical and organizational measures that are reasonable and actionable to protect the information we collect in connection with our services. We use safeguards that meet industry standards to protect the personal information you provide from unauthorized access, disclosure, use, or alteration, or from damage or loss. We take all reasonable and actionable measures to protect your personal information. For example:

• We use mainstream security safeguards such as SSL or TLS to encrypt many of our services or to secure the transmission channels. We regularly review our practices regarding information collection, storage, and processing (including physical security measures) to protect our systems from unauthorized access or alteration.
• We strictly control access to personal information and only allow our employees and the personnel of authorized service providers to access such personal information on a need-to-know basis to help us process such information. Such employees and personnel are subject to strict contractual confidentiality obligations. If they fail to perform these obligations, they may be held legally liable, or their relationship with us may be terminated. Personal information access logs will be kept and audited periodically.
• The security of your information is very important to us. Therefore, we will continue our efforts to protect the security of your personal information and implement safeguards such as encrypting stored data and using end-to-end encryption during transmission to protect your information from unauthorized access, use, or disclosure. In addition, certain encrypted data is inaccessible to anyone other than the user.
• When transmitting and storing sensitive personal information or special categories of personal information about you, we will use security measures such as encryption.
• We conduct security and privacy protection training, tests, and publicity activities to raise our employees' awareness of the importance of personal information protection.
• We use international and industry-recognized standards to protect your personal information and actively acquire security and privacy protection certifications.

5.2 Notification and response to personal information security events

Please note that although we take reasonable measures to protect your information, no websites, internet transfers, computer systems, or Wi-Fi connections are absolutely secure. In the event of any security breach of your personal information, we will take timely measures in accordance with applicable laws and regulations. When required, we will inform you of the event by means we deem appropriate. When it is difficult to inform each individual in regard to their personal information, we will give notice in a commercially reasonable and effective manner.

6. Your Rights to Your Personal Information

We respect your rights to your personal information. The following describes your rights under the law and explains how we will protect your rights. We provide you with a variety of ways to make privacy settings and personal information management more secure and convenient for you to ensure the security of your personal information.

Please note that the settings may vary according to the device model, operating system, and the App version. In addition, we may adjust the settings from time to time to improve your user experience.

You can exercise the rights to your personal information using the ways described below. If you are unable to exercise the rights on your own or if you have any problem in exercising the rights, you can contact us in the manner disclosed in this Privacy Notice to request the exercise of the rights. We respect your rights to your personal information. The following describes your rights under the law and explains how we will protect your rights.

6.1 Right to be informed

We inform you of how we process your personal information by publishing this Privacy Notice and, where required by laws and regulations, by posting a notice or contacting you by SMS or email. We are committed to staying transparent about how we use your personal information. You can regularly check this Privacy Notice, receive emails and SMS messages that contain a description of updates to this Privacy Notice, and contact us in the manner disclosed in this Privacy Notice to learn about our collection and use of your personal information.

6.2 Right of access

You can go to the relevant product or service pages to directly query or access your personal information, such as going to Settings at any time to sign in to your HeyTap Account or OnePlus Account.

If you are unable to query or access your personal information on your own, or if you encounter any problems when exercising the right to access your data, you can request access by contacting us in the manner disclosed in this Privacy Notice.

6.3 Right to rectify

If you find that any of your personal information processed by us is inaccurate or incomplete, you have the right to request that we correct or complete it. You can contact us in the manner disclosed in this Privacy Notice to have such personal information corrected or completed.

6.4 Right to delete your account

You can delete your account in the following ways:

• If you use a HeyTap Account, you can go to Settings and follow the prompts to submit an account deletion request. Deleting a OnePlus Account through Settings is not supported for the time being.
• If you use a HeyTap Account, you can also go to https://id.heytap.com. After signing in to your HeyTap Account, you can select "Personal Data Management", tap "Delete Account", and then follow the prompts to submit an account deletion request. If you use a OnePlus Account, you can go to https://id.oneplus.com to submit an account deletion request. For a HeyTap Account, related services are provided by HEYTAP PTE. LTD. For a OnePlus Account, related services are provided by OnePlus Technology (Shenzhen) Co., Ltd. and its affiliates. (To view the privacy notice governing the use of a OnePlus Account, please go to https://www.oneplus.com/legal/privacy-policy.)

After you submit an account deletion request, the account-related service provider may need to manually review your request to make sure that you satisfy the conditions for deleting your account. They will assist you with the deletion of your account after confirming that you satisfy the conditions.

After your request is approved, they will delete or anonymize all your personal information associated with your account, unless otherwise specified by laws and regulations. After your account is deleted, we will no longer be able to provide you with services that are only accessible with a HeyTap Account or OnePlus Account. In this situation, you can continue to use the App as a guest.

6.5 Right to erase

You can contact us in the manner disclosed in this Privacy Notice to request the deletion of your personal information.

6.6 Right to change the scope of authorization or withdraw consent

The performance of each service function requires certain basic personal information (see the "How We Collect and Use Your Personal Information" section above). You can change relevant settings in Settings to change the scope of the personal information you authorize us to continue to collect or revoke your consent. Specifically:

• App permission settings: You can go to the Settings app to withdraw your consent to our use of related app permissions.

If you withdraw your consent, we will no longer be able to provide you with the related services. We will also no longer process related personal information, but the withdrawal of your consent will not affect the lawfulness of data processing based on consent before its withdrawal.

6.7 Right to get a copy of your personal information

You have the right to request that we provide a copy of the personal information you provided to us or transfer the copy to a third party you designated.

6.8 Right to complain

You have the right to file a complaint by contacting us in the manner disclosed in this Privacy Notice. You have the right to lodge a complaint with the competent supervisory authority regarding our personal information protection practices or file a lawsuit in a court with jurisdiction.

However, we would appreciate the chance to resolve your concerns before you approach the relevant regulator, so please contact us directly in the first instance.

Please note that for security reasons, we may verify your identity before handling your request.

In general, we do not charge a fee for handling your reasonable requests. However, for repeated requests exceeding reasonable limits, we may charge a fee to cover the costs of handling such requests, depending on the actual situation. We may reject unreasonably repeated requests, requests that pose excessive technical requirements (such as developing a new system or fundamentally changing existing practices), requests that present risks to the legitimate rights and interests of others, or very unrealistic requests. Should we choose to reject your request, we will state the reason in our reply.

In addition, we may not respond to your request if laws or administrative rules specify that the data mentioned in your request must be kept confidential or there is no need to keep you informed, or if your request would hinder government departments from performing their statutory duties, directly involves any issues that directly concern public interests such as national security, national defense, public health, and criminal investigations, or may result in serious damage to your legitimate rights and interests or those of any other individual or organization.

7. How We Process Children's Personal Information

We greatly value our obligation and responsibility for protecting the personal information of children. We strive to create a healthy cyber environment for them and make extra efforts to protect them. We treat anyone under the age of 18 (or a similar minimum age of full legal capacity defined in the jurisdiction concerned) as a child. Most of the features and services provided by the App are intended for adults, not for children. We do not provide services directly to children. Please note that, due to technical limitations and other objective factors, the App may not be able to actively identify your age.

According to applicable laws and regulations, if you are a child, you must obtain the consent of your parent or another guardian before using the App, and be sure to carefully read this Privacy Notice together with them. If you are the guardian of a child, before assisting the child in using the App, you must carefully read both the Children's Privacy Statement (if any) and this Privacy Notice. Please note that children are not allowed to use the App without the consent of their parents or guardians.

We do not actively collect, store, use, transfer, or disclose children's personal information, let alone use their personal information for marketing purposes. If you are a child, or if you are a parent or guardian of a child, or if you otherwise find that any information we processed may contain the personal information of a child, please contact us in the manner disclosed in this Privacy Notice. We will try to delete the relevant data as soon as possible.

8. Third-Party Service Providers and Their Services

Our websites, products, apps, and services may contain links to third-party websites, products, or services. You can choose whether to access or use any website, product, or service provided by a third party.

We have no control over third-party privacy or personal information protection policies, as such third parties are not bound by this Privacy Notice. Before submitting personal information to third parties, please refer to their personal information protection policies.

9. How Your Personal Information Is Transferred Globally

As a company operating globally, we provide products and services through our resources and servers around the world. For the purpose of ensuring the high quality of our services (such as a high processing speed) and subject to local data protection laws, we will store your personal data based on the area where your phone is purchased or the region set for your phone. We have built data centers in Singapore and India. This means that your personal information may be transferred to or accessed from a jurisdiction outside the country or region where you use the relevant products or services.

You understand that there are different risks under different data protection laws. We will take measures to ensure that the data collected by us is processed in accordance with this Privacy Notice and applicable laws, and that, when your personal information moves across borders, it is as well protected as it is in the country or region where you use the relevant products or services. For example, we will obtain your consent to the cross-border transfer of your personal information or take security measures such as encryption, de-identification, or entering into a necessary data transfer/sharing agreement with the recipient of your data before transferring your data across borders.

10. How This Privacy Notice Is Updated

We reserve the right to update or modify this Privacy Notice. We will notify you of any material changes to this Privacy Notice in a manner we deem appropriate, and we will indicate the "Last updated" date at the top of this Privacy Notice.

This Privacy Notice is subject to adjustments. If you continue to use the App after this Privacy Notice is updated, you will be deemed to have accepted the new Privacy Notice.

The latest version of this Privacy Notice applies to our processing of your personal information. This Privacy Notice enters into force as of the date it is updated.

11. Contact Us

If you have any questions, suggestions, or complaints regarding this Privacy Notice or our privacy practices, you can contact us or our data protection officer as set forth below. We will verify your identity and respond within the stipulated time limit in accordance with local laws and regulations. This time limit may be extended when necessary due to the complexity and large number of individual requests and technical feasibility.

Data Subject Rights Platform: https://brand.heytap.com/en/privacy-feedback.html

Name of data protection officer: Kenneth Kwek

Address of data protection officer: 7500A Beach Road, The Plaza, #09-324, Singapore 199591

B. Appendix: India-Specific Privacy Notice (DPDPA-based Terms)

• Applicable Scope and Supplementary Note

This appendix applies only to users located in India. Under this appendix, "personal information" is dubbed "personal data" and refers to any data that identifies or relates to a person.

• Relationship Between This Appendix and the General Terms

For users located in India, the General Terms and this appendix together constitute a notice (this "Notice") of the processing of their personal data and govern the data processing. For matters not covered in this appendix, the General Terms prevail. In the event of any conflict between this appendix and the General Terms, this appendix prevails.

• Roles in Data Processing

You understand that this appendix has been prepared in accordance with the DPDPA of India and relevant personal data protection laws. DPDPA defines two roles for data processing: data fiduciary and data processor. "Data fiduciary" refers to any entity that, alone or together with others, determines the purposes and means of processing personal data. "Data processor" refers to any entity that processes personal data on behalf of the data fiduciary.

In general, we act as a data fiduciary to process your personal data. However, in the course of providing Secure Payment services, there might be third parties involved. You understand that in some cases, such third parties may have separate purposes and means of processing your personal data and that they will constitute independent data controllers and process your personal data independently.

1. Personal Data We Collect and the Purposes of Data Processing

We collect your personal data only for the purposes of providing Secure Payment services and performing relevant functions. For details, please refer to Section 1 "How We Collect and Use Your Personal Information" in Part A "General Terms".

Please note that processing of your personal data is permitted without your consent in the following circumstances:

(1) Where you voluntarily provide the data to us for a specific purpose without giving an express representation that you object to our processing of such data;

(2) As necessary for the country and its agencies to provide or issue prescribed subsidies, benefits, services, certificates, and licenses to you;

(3) As necessary for the country or its agencies to perform their functions under the laws currently in force in India, or in the interests of safeguarding the sovereignty, integrity, and national security of India;

(4) As necessary for any person to fulfill any obligation under the laws currently in force in India to disclose any information to the country or its agencies;

(5) As necessary to comply with any judgment, ruling, or order issued under the law currently in force in India, or judgments, rulings, or orders in relation to contracts or civil claims under the law currently in force outside India;

(6) As necessary to take measures to provide medical treatment or health services to any individual in the event of an epidemic, disease outbreak, or any other threat to public health;

(7) As necessary to take measures to protect the safety of any individual or to provide assistance or services in the event of any disaster or public disorder.

2. Sharing of Personal Data

This section helps you understand what personal data we share and who the recipients are. For details, refer to Section 4 "How We Share, Transfer, or Publicly Disclose Your Personal Information" in Part A "General Terms".

3. Data Subject Rights

Under the DPDPA, you have the following rights as a data subject. You can exercise such rights in the ways described below. You can also directly submit a data subject rights request in the manner disclosed in the "Contact Us" section.

3.1 Right to access

You have the right to know about:

(1) The scope of personal data we are processing and the data processing activities we are carrying out. For details, please refer to Section 1 "How We Collect and Use Your Personal Information" in Part A "General Terms";

(2) All the data fiduciaries and processors that process your personal data and the categories of personal data we share. For details, refer to Section 4 "How We Share, Transfer, or Publicly Disclose Your Personal Information" in Part A "General Terms";

(3) Information required to be disclosed by relevant laws and regulations.

3.2 Right to rectification and erasure

You have the right to (1) correct, complete, and update your personal data and (2) delete your personal data. For details, refer to Section 6.3 "Right to rectification" and Section 6.5 "Right to erasure" in Part A "General Terms".

3.3 Right to redress for grievances

If you believe that we have deficiencies or omissions in fulfilling our obligations regarding the processing of personal data, you may contact us for redress and remediation. For details, refer to Section 6.3 "Right to rectification" and Section 6.8 "Right to complain" in Part A "General Terms". In general, we will respond to your data subject rights request within 30 working days of the date we receive it. If you believe that we are unable to respond to your request, you may file a complaint with the Personal Data Protection Commission of India.

3.4 Right to withdraw consent

You have the right to withdraw your consent to our processing of your personal data. For details, refer to Section 6.6 "Right to change the scope of authorization or withdraw consent" in Part A "General Terms".

After you withdraw your consent, we will cease to process your personal data accordingly. You understand that the withdrawal of consent does not affect the lawfulness of our processing of your personal data based on consent before its withdrawal.

3.5 Right to designate an authorized agent

If you are a child or disabled person, you have the right to designate an authorized agent to act on your behalf to exercise your rights as a data subject. When you use an authorized agent, we will take the necessary action to verify the identity of the agent for a qualification review.

4. Processing of Personal Data of Children

In principle, we do not provide our products and services to children. For details, please refer to Section 7 "How We Process Children's Personal Information" in Part A "General Terms".

Please note that in India, children refer to natural persons under the age of 18.