Privacy Policy

Version: 1.0.0

Effective Date: April 14, 2024

Last Updated: April 14, 2024

1. Introduction

BESPOKE TECHNICAL LEADERSHIP LTD ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our LocalPay mobile application and related services (collectively, the "Service").

This Privacy Policy applies to information we collect through our Service, in email, text, and other electronic communications sent through or in connection with our Service.

Important Note About Our Service: The LocalPay Service is provided by BESPOKE TECHNICAL LEADERSHIP LTD, a company registered in the United Kingdom, which acts as the data controller for your personal information. LocalPay is currently in private beta. Access is limited while we onboard verified users and ensure full regulatory compliance.

Please read this Privacy Policy carefully before using our Service. If you do not agree with our policies and practices, please do not use our Service. By using our Service, you acknowledge that you have read and understood this Privacy Policy. Your use of the Service does not constitute consent to the processing of your personal data. We rely primarily on legitimate interest and legal obligations as explained in Section 4. Where consent is required, such as for marketing communications, we will ask for it explicitly.

2. Definitions

To help you better understand this Privacy Policy, we use the following terms:

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
Data Subject: A natural person whose personal data is processed.
Data Controller: The entity that determines the purposes and means of processing personal data (in this case, BESPOKE TECHNICAL LEADERSHIP LTD).
Data Processor: An entity that processes personal data on behalf of the data controller.
User: Any individual who uses our Service.
Verification Tiers: Different levels of user verification that determine transaction limits and available features.
Payment Service Provider (PSP): Third-party entities that facilitate payment processing.
VietQR: A QR code standard used in Vietnam for payment processing.
Automated Decision-Making: Any process that evaluates personal aspects by automated means without human intervention.
Special Category Data: Sensitive personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc.
Suspicious Activity: Transactions or behaviors that may indicate unauthorized access or fraudulent activity.
Beneficial Owner: The natural person(s) who ultimately owns or controls a customer or the person on whose behalf a transaction is being conducted.

3. Information We Collect

We adhere to the principle of data minimization and collect only the information necessary to provide our Service. The specific types of information we might collect include:

3.1 Account Information

Email address (necessary for account creation and communications)
Username or display name (necessary for account identification)
Password (stored in encrypted form using industry-standard encryption)
Profile information (such as profile picture, optional)
Communication preferences (necessary to respect your contact preferences)

3.2 Verification Information

Depending on your verification tier, we may collect:

Basic Verification Tier:

Full name (necessary for account identification)
Date of birth (necessary for age verification)
Nationality (necessary for service eligibility)
Country of residence (necessary for service eligibility)
Government-issued identification document (necessary for identity verification)
Selfie or photograph (necessary for identity verification)

Enhanced Verification Tier:

Proof of address (necessary for enhanced verification)
Source of funds declaration
Occupation and employer information
Additional identification information as required for enhanced verification
Beneficial ownership information (for accounts that may be used on behalf of others)

3.3 Transaction Information

Transaction history (date, time, amount, recipient)
Payment method information
Bank account information for transfers
QR code data from scanned VietQR codes
Transaction notes or descriptions
Exchange rates applied
Service fees

3.4 Device and Technical Information

Device type, model, and operating system
IP address
Browser type and version
Mobile device identifiers
Geolocation data (collected only with your explicit permission)
Log data (such as access times, app features used)
Diagnostic data (crash reports, performance data)
VPN or proxy detection information

3.5 Communications

Customer support inquiries and correspondence
Responses to surveys or feedback requests
Marketing communications preferences

We do not collect any Special Category Data unless required by law for specific purposes.

3A. Know Your Customer (KYC) Requirements

To comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, we require users to complete a Know Your Customer (KYC) process. This involves providing a valid government-issued ID, a selfie, and, in some cases, proof of address. KYC verification is carried out by a trusted third-party provider that complies with GDPR and international data protection standards. All personal information is processed securely and only for the purpose of verifying identity and meeting legal obligations.

4. How We Use Your Information

We use the information we collect for specific, explicit, and legitimate purposes, including:

4.1 Service Provision and Account Management

Creating and managing your account
Processing your transactions
Providing customer support
Sending service-related notifications
Maintaining and improving our Service

Legal basis: Contract performance (necessary to provide the Service you have requested), legitimate interests (to improve our Service)

4.2 Verification Processes

Verifying your identity
Determining appropriate transaction limits
Preventing fraud and unauthorized access
Verifying beneficial ownership where applicable

Legal basis: Contract performance, legitimate interests (to protect our Service and users)

4.3 Security and Fraud Prevention

Detecting and preventing fraudulent transactions
Protecting against unauthorized access
Ensuring the security of our Service
Monitoring for suspicious activities
Enforcing transaction limits
Detecting and preventing structured transactions

Legal basis: Legitimate interests (to protect our Service and users)

4.4 Communications

Responding to your inquiries
Providing important updates about our Service
Sending marketing communications (only with your explicit consent)
Conducting surveys to improve our Service

Legal basis: Legitimate interests (to respond to your inquiries and improve our Service), consent (for marketing communications)

4.5 Legal Compliance

Complying with applicable laws and regulations
Responding to legal requests and preventing harm
Enforcing our Terms of Service
Establishing, exercising, or defending legal claims

Legal basis: Legal obligation, legitimate interests (to enforce our terms and protect our rights)

4.6 Automated Decision-Making

We use automated decision-making in the following circumstances:

Transaction monitoring: Automated systems analyze transaction patterns to detect potentially fraudulent activity using risk-based algorithms that consider factors such as transaction size, frequency, geographic location, and counterparty risk.
Verification tier assignment: Based on the information you provide and your transaction patterns, our system automatically determines your verification tier and associated transaction limits.
Suspicious activity detection: Automated systems flag unusual patterns that may indicate unauthorized access or fraudulent activity.

These processes are subject to human review by our security team, and you have the right to:

Obtain human intervention
Express your point of view
Contest the decision

To exercise these rights, please contact us using the details in Section 13.

5. Information Sharing and Disclosure

We share your personal information only in the specific circumstances described below:

5.1 Service Providers

We work with third-party service providers who perform services on our behalf, such as:

Identity verification services
Cloud storage providers
Analytics providers
Customer support services
Email and communication services
Security and transaction monitoring services

These service providers are contractually obligated to use your information only with appropriate confidentiality and security measures.

We might anonymize parts of information such as IP before sharing it with third-party service providers.

5.2 Payment Processors

To process transactions, we share necessary information with:

Payment Service Providers (PSPs)
Banking partners for transfers

The specific information shared includes only what is necessary to complete your transactions, such as recipient details, transaction amounts, and payment instructions.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We will only disclose the specific information requested and required by law.

5.4 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service at least 30 days before any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

5.5 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so. You can withdraw this consent at any time.

We do not sell your personal information to third parties.

6. International Data Transfers

LocalPay operates globally, which means your information may be transferred to, stored, and processed in countries other than the one in which you reside. These countries may have data protection laws that are different from those in your country.

6.1 Transfers to Service Providers

When we transfer your data to service providers in countries without adequate data protection laws (as determined by the European Commission or UK authorities), we implement appropriate safeguards, including:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules, where applicable
Supplementary measures as recommended by the European Data Protection Board, such as encryption, pseudonymization, and access controls

6.2 Your Rights Regarding International Transfers

You have the right to obtain a copy of the safeguards we use for international transfers. To exercise this right, please contact us using the details in Section 13.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

Encryption: We use TLS 1.2+ for data in transit and AES-256 encryption for sensitive data at rest
Access controls: Multi-factor authentication and role-based access controls for all systems containing personal data
Regular security assessments: Quarterly vulnerability assessments and annual penetration testing by independent security firms
Employee training: Mandatory data protection and security training for all staff
Incident response: Documented procedures for detecting, reporting, and investigating security incidents

7.1 Data Breach Notification

In the event of a data breach that affects your personal information:

We will notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where feasible
We will notify affected users without undue delay, typically within 7 days
Our notification will include the nature of the breach, likely consequences, measures taken, and contact information for our Data Protection Officer

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The specific retention periods include:

Account information: 5 years after account closure to comply with anti-money laundering regulations.
Transaction information: 7 years to comply with tax and accounting laws.
Verification information: 5 years after account closure as per anti-money laundering requirements.
Communications: 3 years for customer service and legal purposes.

These retention periods may be extended if:

The data is subject to a legal hold
The data is needed for the establishment, exercise, or defense of legal claims
Retention is required by applicable laws or regulations

Upon expiration of the retention period, we will either delete it or anonymize it so that it can no longer be associated with you.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

9.1 Access

You have the right to request access to the personal information we hold about you. We will provide this information within 30 days of your request.

9.2 Rectification

You have the right to request that we correct inaccurate or incomplete information about you. We will process such requests within 30 days.

9.3 Erasure

You have the right to request the deletion of your personal information in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. We will process such requests within 30 days.

Limitations: We may not be able to delete certain information if retention is required by law. In such cases, we will clearly explain why the data cannot be deleted and, where possible, restrict its further processing.

9.4 Restriction

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data. We will process such requests within 30 days.

9.5 Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. We will provide this information within 30 days of your request.

9.6 Objection

You have the right to object to our processing of your personal information in certain circumstances, such as for direct marketing or when processing is based on legitimate interests. We will process such requests within 30 days.

9.7 Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you. You can request human intervention, express your point of view, and contest automated decisions.

9.8 How to Exercise Your Rights

To exercise these rights, please contact us at privacy@localpay.asia or through the contact details provided in Section 13. We will respond to your request within 30 days. We may need to verify your identity before fulfilling your request.

If we decline to take action on your request, you have the right to lodge a complaint with a supervisory authority and to seek a judicial remedy. We will provide reasons for any refusal to act on your request.

10. Cookies and Tracking Technologies

Our Service uses cookies and similar tracking technologies to collect information about your browsing activities and to distinguish you from other users. This helps us provide you with a good experience when you use our Service and allows us to improve our Service.

10.1 Types of Cookies We Use

Essential cookies: Required for the operation of our Service (e.g., authentication, security)
Analytical/performance cookies: Allow us to recognize and count visitors and analyze how users navigate our Service (e.g., Google Analytics with IP anonymization)
Functionality cookies: Used to recognize you when you return to our Service (e.g., remember your preferences)
Targeting cookies: Record your visit to our Service, the pages you visit, and the links you follow (used only with your explicit consent)

10.2 Your Choices

You can control cookies through your browser settings. Most web browsers allow you to:

Block all cookies
Block third-party cookies
Delete cookies when you close your browser
Be notified when you receive a cookie

If you disable certain cookies, you may not be able to use all features of our Service.

10.3 Do Not Track

We currently do not respond to "Do Not Track" signals from web browsers.

11. Children's Privacy

Our Service is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18.

Our age verification process includes analyzing government-issued identification documents to confirm the user's age. We use trusted third-party services to verify the authenticity of these documents.

11.1 Age Verification

We implement age verification measures during the registration process, including:

Requiring users to confirm they are 18 or older
Verification of identity documents
Monitoring for indicators of underage use
Age verification through identity document analysis

11.2 Deletion of Children's Data

If we learn that we have collected personal information from a child under 18, we will:

Immediately suspend the account
Delete all personal information associated with the account within 30 days
Take reasonable measures to ensure the data is not retained in our systems
Report to relevant authorities if required by law

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@localpay.asia.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Version" and "Last Updated" date at the top of this policy.

12.1 Material Changes

For material changes that significantly affect your rights or how we use your data:

We will provide at least 30 days' notice before the changes take effect
We will notify you via email and/or a prominent notice on our Service
We will obtain your consent if required by applicable law

Material changes include:

Changes to the purposes for which we process your data
New categories of data collected
New third parties with whom data is shared
Reductions in your rights or our obligations

12.2 Non-Material Changes

For non-material changes (such as clarifications or minor updates):

We will update the "Last Updated" date
We may not provide additional notice

12.3 Review of Changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes acknowledgment of the updated Privacy Policy, but does not constitute consent where explicit consent is required by law.

12.4 Version History

A complete version history of this Privacy Policy is available at https://localpay.asia/privacy-policy/history.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Data Controller:
BESPOKE TECHNICAL LEADERSHIP LTD
124 City Road, London, England, EC1V 2NX.
Email: privacy@localpay.asia

Supervisory Authority:
If you are located in the European Economic Area or the UK, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): https://ico.org.uk/.

We aim to respond to all inquiries within 5 business days and to resolve any concerns as quickly as possible.

14. Jurisdiction-Specific Provisions

14.1 European Economic Area (EEA) and United Kingdom

If you are located in the EEA or UK:

The legal basis for collecting and using your personal information depends on the personal information concerned and the specific context in which we collect it, as described in Section 4.
You have the right to lodge a complaint with your local data protection authority.
We act as the data controller for all processing activities described in this policy.

14.2 California Residents

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

The right to know what personal information we collect about you
The right to request deletion of your personal information
The right to opt-out of the sale or sharing of your personal information
The right to non-discrimination for exercising your rights

We do not sell your personal information as defined by the CCPA/CPRA. We also do not share your personal information for cross-context behavioral advertising. If we use your sensitive personal information, such as geolocation data, it is only for purposes necessary to provide the Service, and you have the right to limit such use. To exercise your CCPA/CPRA rights, please contact us using the details in Section 13.

14.3 Service Restrictions

Our Service is available only to invited members of our internal circle. We reserve the right to:

Verify the identity of all users
Restrict access to the Service
Terminate accounts that violate our terms
Modify access privileges as needed

14.3.1 Enforcement of Restrictions

We enforce these restrictions through:

Invitation-only registration
Identity verification
Ongoing monitoring for unauthorized access
VPN and proxy detection technology
Transaction pattern analysis
Periodic re-verification of user information

14.3.2 Handling of Unauthorized Access

If we identify unauthorized access to our Service:

We will immediately suspend the account
We will provide notice to the user explaining the restriction
We will securely retain the data as required by law
We will restrict further processing of the data except as required by law
We will process any funds in the account according to our Terms of Service

15. Security and Risk Management

15.1 Transaction Monitoring

We employ a risk-based approach to transaction monitoring:

All transactions are screened against risk indicators
Automated systems flag unusual patterns for review
Our security team reviews flagged transactions
Enhanced verification is applied to high-risk transactions

Risk indicators include:

Transaction size and frequency
Geographic risk factors
Counterparty risk assessment
Unusual patterns or deviations from expected behavior
Structured transactions that may attempt to circumvent limits

15.2 Verification Tier Transitions

When users transition between verification tiers:

Additional verification information is collected as required
Previous transaction history is reviewed
Risk assessment is updated
New transaction limits are applied

If a user fails to meet enhanced verification requirements:

The account remains at the current verification tier
Higher-value transactions are not permitted
The user is notified of the verification status
The user may resubmit verification information

15.3 Transaction Limits Enforcement

Transaction limits are enforced through:

Automated systems that prevent transactions exceeding limits
Monitoring for structured transactions designed to circumvent limits
Regular review of transaction patterns
Periodic reassessment of appropriate limits

If a transaction exceeds the applicable limit:

The transaction is automatically declined
The user is notified of the reason for decline
The user is informed about verification options to increase limits
The attempted transaction is logged for security purposes

15.4 Security Program

Our security program includes:

Designated Security Officer with relevant expertise
Regular staff training on security requirements
Internal audits of security procedures
Independent external reviews
Documented policies and procedures
Regular reporting to management
Ongoing monitoring of security developments

15.5 Suspicious Activity Reporting

We monitor for suspicious activities:

Staff are trained to identify suspicious activities
Clear escalation procedures are established
Our security team reviews potential suspicious activities
Records of reports and supporting information are maintained

When suspicious activity is detected:

The transaction may be delayed or declined
Additional information may be requested from the user
The account may be temporarily restricted

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting, or reporting requirements. When data is no longer required, we securely delete or anonymize it.

Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller where technically feasible.

Withdrawal of Consent

Where we rely on your consent for processing, you may withdraw it at any time by contacting us at privacy@localpay.asia. This does not affect the lawfulness of any processing carried out before you withdraw your consent.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.