Data Retention and Security
Data Retention: We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. For example:
Personal data collected for transactions may be kept as long as needed to complete the transaction, provide any services related to it, and maintain appropriate records afterward, often for a minimum of 5 years due to anti-money laundering laws.
If you have created an account or provided KYC information, we will retain that information while your account is active and for a certain period after account closure to comply with law or in case of disputes.
If you contact support, we may keep communications for a few years, as they may be relevant to future support issues or legal matters.
Aggregated data which cannot identify you may be kept indefinitely.
When we no longer have a legitimate business need or legal obligation to retain your personal data, we will either delete it or anonymize it. If deletion or anonymization is not immediately feasible (for example, because the data is stored in backup archives), then we will securely store and isolate the data from any further use until deletion is possible.
Data Security: We implement a variety of technical and organizational security measures to protect the personal data we hold against unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. These measures are designed to provide a level of security appropriate to the risk of processing your personal data. They include, but are not limited to:
Encryption: We use encryption protocols (e.g., TLS/SSL) to secure data in transit between your device and our servers. Sensitive data (like personal identifiers or private communications) may also be encrypted at rest.
Access Controls: We restrict access to personal data to authorized personnel who have a legitimate need to know in order to perform their job duties. These persons are subject to confidentiality obligations. We also employ role-based access control and two-factor authentication for our own accounts to minimize unauthorized access.
Security Testing and Maintenance: We regularly review our information collection, storage, and processing practices to prevent unauthorized access. Our systems undergo periodic penetration tests and security audits by internal and external experts. We keep our software and infrastructure updated with the latest security patches.
Physical Security: Where applicable, personal data stored in physical form (e.g., paper documents) are kept in secure facilities. For cloud or data center storage, we rely on providers with robust physical security controls (guarded premises, surveillance, etc.).
Incident Response: We have an incident response plan for handling potential data breaches or security incidents, which includes steps for remediation, mitigation, and communication to affected parties and authorities as needed.
Training: We train our staff on privacy and security best practices, ensuring they are aware of the importance of protecting personal data and know how to handle it properly.
Despite all our efforts, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. Any transmission of your data to us is at your own risk, and we expect that you will also take appropriate steps to secure your personal data (such as maintaining the secrecy of your account credentials, if any, and practicing general cyber hygiene).
In the unfortunate event that we suffer a personal data breach (for example, a security intrusion that compromises our systems and potentially exposes personal data), we will act promptly to identify the cause and mitigate any consequences. If a data breach occurs that is likely to result in significant harm to you, we will notify you and relevant authorities (such as the Personal Data Protection Commission in Singapore) as required by law. We may notify you via email, in-service notification, or any other means permitted by law.