1. About this Privacy Policy
1.1 Who we are
This Privacy Policy is published by Fizen Limited, a company incorporated in Hong Kong with company number [77059696] and registered office at Unit 1411, 14/F, Cosco Tower, 183 Queen’s Road Central, Sheung Wan, Hong Kong (together with its Affiliates, “Fizen”, “we”, “us” or “our”). Fizen is the controller of personal data processed in connection with the Fizen Platform, except in the limited circumstances described in clause 9.4 (where Fizen acts as a processor on behalf of a Fizen Pay merchant).
1.2 What this Policy covers
This Privacy Policy describes how Fizen collects, uses, discloses, retains, transfers and protects personal data when you use the Fizen website at fizen.io, the Fizen mobile application, the Fizen browser extension (if and when made available), and any other Fizen-operated interface or service through which the Fizen Services are made available (together, the “Platform”). The Platform is operated under the Fizen Master Terms of Use and the product-specific schedules for the Fizen Wallet, Fizen Card, Fizen Pay, Fizen QR Pay, Fizen Marketplace, Fizen Swap & Conversion, Fizen Rewards Program and any other Service Fizen makes available.
1.3 Other documents
This Privacy Policy is supplemented by:
- the Fizen Cookie Policy, which describes the cookies and similar technologies we use;
- any product-specific privacy notice we publish for a particular Service;
- the privacy notices of our partners (including the Card Issuer, Transak, Ondo, the Conversion Service Provider, Marketplace Suppliers and Local Payment Partners), which apply to the data those partners receive from us and the data they collect directly from you; and
- any Data Processing Addendum we have entered into with a Fizen Pay merchant for whom we act as a processor.
2. Definitions
In this Privacy Policy:
- “Affiliate” means an entity that controls, is controlled by, or is under common control with Fizen.
- “Applicable Privacy Law” means any law, regulation, regulatory guidance or binding decision that applies to our processing of your personal data, including (without limitation) the EU and UK General Data Protection Regulation, the California Consumer Privacy Act as amended by the California Privacy Rights Act, comparable US state privacy laws, the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the Vietnamese Personal Data Protection Decree (Decree 13/2023/ND-CP), the Philippines Data Privacy Act 2012 (RA 10173) and the Singapore Personal Data Protection Act.
- “Personal Data” means any information relating to an identified or identifiable natural person. Where Applicable Privacy Law uses a different term (such as “personal information” under CCPA/CPRA or “personal data” under Decree 13), that term has the equivalent meaning in this Policy.
- “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, transfer, retention and erasure.
- “Sensitive Personal Data” means special categories of personal data under GDPR Article 9, sensitive personal information under CCPA/CPRA, sensitive personal data under Decree 13, and equivalent categories under other Applicable Privacy Law.
- “Services” has the meaning given in the Fizen Master Terms of Use.
- “you” means the natural person whose Personal Data is being processed, or the user of the Platform, as the context requires.
3. Personal Data We Collect
We collect the following categories of Personal Data. The table identifies, for each category, the types of data included and the sources from which we collect them.

| Category | Examples | Sources |
|---|---|---|
| Identifiers | Name, date of birth, nationality, postal address, email, phone number, account name and username, IP address, device identifiers, advertising identifiers. | You; your device; Affiliates; KYC providers; social networks if you connect them. |
| Government identifiers (sensitive) | Passport number, national identity card number, driver’s licence number, tax identification number; image of your government ID document. | You; KYC providers. |
| Biometric and image data (sensitive) | Selfie used for face matching against your government ID; liveness-detection metrics during onboarding. | You; KYC providers. |
| Financial identifiers | Payment card number, Card balance, wallet addresses (Fizen-managed and external), transaction history with Fizen. | You; the Card Issuer; the Conversion Service Provider; Transak (where you have completed Transak KYC); public blockchain. |
| Transaction information | Date, amount, currency, counterparty, Merchant identifier, Marketplace Item details, Swap quote and execution data, ramp transaction data. | You; the Platform; the Card Issuer; the Conversion Service Provider; the Local Payment Partner; the Marketplace Suppliers; public blockchain. |
| Behavioural and inferred data | Products and Services you view, engage with or show interest in; Marketplace browsing history; in-app search history; risk scores; product preferences; KYC tier; eligibility flags; cohort assignments. | Automatically collected from your use of the Platform. |
| Technical and device data | Device type, operating system, OS version, browser type, browser version, app version, screen resolution, time zone, language, mobile carrier, network type, web and app logs, crash reports, performance metrics. | Automatically collected from your device. |
| Location data | Approximate location derived from IP address (always); precise location derived from device GPS (only with your consent). | You; your device; IP-geolocation providers. |
| KYC, AML and sanctions data | PEP status, sanctions screening hits and dismissals, source-of-funds information, source-of-wealth information, occupation, beneficial-ownership information. | You; KYC providers; sanctions screening providers; public databases; law-enforcement requests. |
| Customer-support and feedback data | Communications with our support team, feedback and survey responses, in-app messages, call recordings (where notified), chat transcripts. | You; your communications with us. |
| Marketing engagement data | Email opens, link clicks, push-notification interactions, app campaign engagement, ad attribution data. | Automatically collected from your interactions with our marketing. |
| Third-party social account data | Username, public profile, friend list (only where you connect a social account and only to the extent permitted by that network). | Connected social networks (e.g. Google, Apple, Facebook, X), if you connect them. |
| Public blockchain data | On-chain wallet addresses, transaction hashes, balances and counterparty addresses associated with your use of the Platform. | Public blockchains. |
4. How We Use Your Personal Data and Our Legal Bases
We use your Personal Data only for the purposes described below. For each purpose, we identify the categories of data used and the legal basis on which we rely under GDPR / UK GDPR. Where you are located in another jurisdiction, the legal basis under Applicable Privacy Law in that jurisdiction is generally equivalent and is described in the jurisdiction-specific sections of this Policy.

| Purpose | Categories of data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the Platform and Services (account creation, authentication, transaction processing, balance display, settlement, support). | Identifiers; financial identifiers; transaction information; technical data. | Performance of contract (Art. 6(1)(b)). |
| KYC, customer due diligence, sanctions, PEP and AML screening, ongoing monitoring. | Identifiers; government identifiers; biometric and image data; KYC, AML and sanctions data; transaction information; public blockchain data. | Legal obligation (Art. 6(1)(c)); for sensitive data, Art. 9(2)(g) — substantial public interest. |
| Fraud detection and prevention, security, abuse prevention. | Identifiers; technical data; behavioural data; transaction information. | Legitimate interests (Art. 6(1)(f)) — securing the Platform and preventing fraud. |
| Compliance with legal obligations (tax, financial-services, sanctions, regulatory reporting, court orders). | Most categories, on a need-to-disclose basis. | Legal obligation (Art. 6(1)(c)). |
| Operate the Fizen Rewards Program; track Qualifying Activities; deliver Rewards. | Identifiers; transaction information; behavioural data. | Performance of contract (Art. 6(1)(b)). |
| Personalise and improve the Platform (recommendations, preferences, feature flags, language and currency selection). | Behavioural data; technical data; location data (approximate). | Legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) where required for cookies or precise location. |
| Analytics, aggregated reporting and product development. | Technical data; behavioural data; transaction information (aggregated and de-identified where practicable). | Legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) for non-essential analytics cookies. |
| Direct marketing of the Services to existing customers, including transactional and promotional emails, push notifications and in-app messages. | Identifiers; behavioural data; marketing engagement data. | Legitimate interests (Art. 6(1)(f)) for soft opt-in to existing customers where permitted; consent (Art. 6(1)(a)) where required (including for cross-context behavioural advertising). |
| Behavioural advertising and personalised marketing on third-party platforms (Meta, Google, TikTok, X, etc.). | Identifiers; behavioural data; marketing engagement data; cookie data. | Consent (Art. 6(1)(a)). |
| Communications with you about your account, the Services and important notices. | Identifiers; transaction information. | Performance of contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)). |
| Defend, establish and exercise legal claims; respond to disputes. | Most categories, on a need-to-defend basis. | Legitimate interests (Art. 6(1)(f)). |
| Corporate transactions (sale, merger, restructuring, financing). | Most categories, on a need-to-disclose basis, subject to confidentiality protections. | Legitimate interests (Art. 6(1)(f)). |
5. Sensitive Personal Data
We process the following categories of Sensitive Personal Data:
- Biometric and image data — collected during KYC for identity verification (face image, document image, liveness detection). We process this data on the basis of substantial public interest (Article 9(2)(g) GDPR, supported by national-law derogations for AML/CFT compliance) and, where Applicable Privacy Law requires, your explicit consent.
- Financial identifiers — collected to provide the Services. Processing is necessary for the performance of our contract with you and, where applicable, for compliance with a legal obligation.
- Government identifiers — collected for KYC and AML. Processing is necessary for compliance with a legal obligation.
- Precise location data — only where you consent.
- Racial, ethnic or similar inferences — only where incidentally recognised by our document-recognition tools and only used for KYC matching. We do not use these inferences for any other purpose.
6. Automated Decision-Making and Profiling
We use automated processes to make certain decisions that may have legal or similarly significant effects on you. These include:
- Identity verification (KYC) — automated facial-recognition, document-recognition and liveness-detection tools operated by our KYC providers verify the identity documents and selfies you submit during onboarding;
- Sanctions, PEP and adverse-media screening — automated screening of your name, identifying details, country, IP location, wallet addresses and transaction counterparties against sanctions lists (UN, OFAC, EU, UK OFSI, HK, MAS), PEP databases and adverse-media sources;
- Fraud and abuse detection — automated scoring of transactions, sessions, devices and behavioural signals; transactions that exceed risk thresholds may be blocked, delayed or require additional verification;
- Transaction and on-chain monitoring — automated monitoring of your transactions and on-chain activity for AML risk patterns (structuring, mixing, sanctioned-counterparty exposure, peeling chains, layering);
- Eligibility and limits — automated rules determine your KYC tier, transaction limits, and eligibility for specific products (Fizen Card, Fizen QR Pay, Fizen Tokenized Securities, Fizen Marketplace categories);
- Marketing segmentation and targeting — automated profiling determines which marketing communications you receive.
7. How We Share Your Personal Data
We share Personal Data with the following categories of recipients, in each case on a need-to-know basis and subject to written agreements that require appropriate confidentiality and security protections.
7.1 Within Fizen
Our employees, contractors and contingent workers, on a need-to-know basis, to operate the Platform and the Services and to administer our business. Our Affiliates, for the same purposes and for group-wide security, fraud prevention and internal reporting.
7.2 Service providers (processors)
Independent service providers who process Personal Data on our behalf under contractual obligations, including:
- KYC and identity verification providers (for example, Sumsub, Onfido, Jumio — list to be confirmed in the published version);
- Sanctions, PEP and AML screening providers;
- On-chain analytics and transaction monitoring providers (for example, Chainalysis, Elliptic, TRM Labs — list to be confirmed);
- Cloud infrastructure providers (for example, Amazon Web Services, Google Cloud Platform — list to be confirmed);
- Customer-support tooling providers (ticketing, live chat, CRM);
- Communications providers (email, push notification, SMS);
- Analytics providers (for example, Amplitude, Mixpanel, Google Analytics 4 — list to be confirmed);
- Marketing and advertising providers (for example, Meta, Google, TikTok, X, attribution providers — only with your consent for non-essential cookies / marketing);
- Fraud prevention providers.
7.3 Partners (independent controllers / joint controllers)
Independent partners through whom we deliver specific Services, who process Personal Data they receive from us as independent controllers or, where applicable, as joint controllers:
- Card Issuer — for the Fizen Card. The Card Issuer is the regulated financial institution that issues the Card and is identified in the Issuer Cardholder Agreement;
- Conversion Service Provider — for the conversion between Digital Assets and fiat currency in the Fizen Card and Fizen QR Pay products;
- Transak — for the on-ramp and off-ramp services. When you use the ramp, you complete KYC and contract directly with Transak; Transak processes the data you provide to it as an independent controller;
- Ondo Finance — for the tokenized securities products. Ondo processes the data necessary to issue and redeem tokenized securities as an independent controller, subject to Ondo’s own privacy policy;
- Marketplace Suppliers — gift-card aggregators, eSIM providers, mobile-top-up aggregators, hotel and flight aggregators. Each Marketplace Supplier processes the limited data necessary to fulfil your Marketplace Order as an independent controller;
- Local Payment Partners — for Fizen QR Pay in each market, including [VN LOCAL PAYMENT PARTNER] (Vietnam) and [PH LOCAL PAYMENT PARTNER] (Philippines);
- Swap aggregators — KyberSwap and 1inch. Swap transactions are executed on public blockchains; we do not transfer personal data to these aggregators beyond what is necessarily contained in the on-chain transaction you sign with your own private key.
7.4 Authorities, regulators and law enforcement
We disclose Personal Data to regulators, supervisory authorities, financial intelligence units, tax authorities, courts and law-enforcement agencies where required by Applicable Privacy Law, by other Applicable Law (including AML, sanctions and tax law), or in response to valid legal process. We assess each request for legality and proportionality and, where appropriate and lawful, we narrow over-broad requests, challenge unlawful requests, and notify you of a request unless prohibited from doing so.
7.5 Corporate transactions
In the event of a sale, merger, acquisition, reorganisation, financing, bankruptcy or sale of all or substantially all of our assets, your Personal Data may be transferred to the relevant counterparty or successor entity, subject to appropriate confidentiality protections. We will notify you where required by Applicable Privacy Law.
7.6 With your consent or at your direction
We share Personal Data with other recipients where you have asked us to (for example, when you connect a social account, when you authorise a third-party application via API, or when you share a transaction receipt).
8. International Transfers of Personal Data
8.1 Where Personal Data is stored and processed
Fizen is established in Hong Kong. To provide the Services we transfer Personal Data to, and store and process Personal Data in, jurisdictions other than the one in which you are located, including Hong Kong, Singapore, the United Kingdom, the European Union (in particular Ireland and Germany), the United States, Vietnam, the Philippines, India, and any other jurisdiction in which Fizen, our Affiliates, our service providers or our partners are established or operate.
8.2 Transfers from the EEA, the UK and Switzerland
Where we transfer Personal Data from the European Economic Area, the United Kingdom or Switzerland to a jurisdiction that has not been the subject of an adequacy decision by the European Commission (or the equivalent for the UK or Switzerland), we put in place appropriate safeguards under Article 46 GDPR / UK GDPR, including:
- the European Commission’s Standard Contractual Clauses (SCCs) of 4 June 2021, supplemented where the recipient is in the United Kingdom by the UK International Data Transfer Addendum or, where appropriate, the UK International Data Transfer Agreement;
- for transfers from Switzerland, the SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner; and
- where required by our transfer impact assessment, additional technical, contractual and organisational measures (for example, encryption in transit and at rest, pseudonymisation, contractual restrictions on government access requests).
8.3 Transfers from Vietnam
Where we transfer Personal Data of individuals located in Vietnam to a jurisdiction outside Vietnam, we comply with the requirements of Decree 13/2023/ND-CP, including completing a transfer impact assessment, obtaining consent from the data subject where required, and notifying the Ministry of Public Security through the prescribed form.
8.4 Other jurisdictions
Where we transfer Personal Data from any other jurisdiction with a cross-border-transfer regime (including the Philippines, Singapore, India, China, the UAE, Brazil and others), we comply with the applicable local-law requirements.
9. Cookies and Similar Technologies
We use cookies, pixels, SDKs, local storage and similar technologies (collectively, “cookies”) on the Fizen website and in the Fizen app. Cookies fall into four categories:
- Strictly necessary cookies — required for the Platform to function (authentication, security, session management, recording your acceptance of our terms). These cookies do not require your consent.
- Functional cookies — remember your preferences (language, currency, dark mode). Set only with your consent where required by Applicable Privacy Law.
- Analytics cookies — help us understand how the Platform is used so we can improve it. Set only with your consent where required.
- Marketing and advertising cookies — let us and our partners deliver advertising relevant to you and measure the effectiveness of marketing campaigns. Set only with your consent.
10. Blockchain Data and the Right to Erasure
When you use the Fizen Wallet, send or receive Digital Assets through the Platform, or use any Service that involves an on-chain transaction (including the Card, QR Pay, Marketplace where on-chain settlement is used, Swap and On/Off-Ramp), the relevant blockchain network records your wallet address, the counterparty wallet address, the asset and amount transferred, and the timestamp. These records are public, are replicated across many independent validators worldwide, are not under our control, and cannot be erased by us, by any participant or by any individual operator. We treat publicly accessible blockchain data linked to you as Personal Data. When you exercise your right to erasure of Personal Data we hold, we will:
- delete the Personal Data we hold about you in our internal systems (including the mapping between your Fizen account and your wallet addresses), to the extent permitted by our retention obligations described in clause 12;
- cease to use the on-chain data linked to you for our own purposes; and
- explain to you that the on-chain data itself remains on the underlying blockchain and is accessible to any person who queries that blockchain. This is a technical property of public blockchain networks, not a choice we have made.
11. Security
We implement technical and organisational measures designed to protect Personal Data against unauthorised access, accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access, including:
- Encryption of Personal Data in transit using TLS 1.2 or higher;
- Encryption of Personal Data at rest using industry-standard algorithms;
- Strict access controls based on least-privilege, with multi-factor authentication for administrative access, role-based authorisation, and audit logging of access events;
- Network segmentation and monitoring;
- Regular vulnerability scanning, penetration testing and security reviews;
- A documented incident response and breach notification process;
- Vendor security due diligence and contractual security obligations;
- Privacy and security training for our staff.
12. Data Retention
We retain Personal Data for as long as necessary to provide the Services and to meet our legal, regulatory, tax, accounting and dispute-resolution obligations. The retention period for each category of Personal Data is determined by the criteria below.

| Category of data | Retention period | Why |
|---|---|---|
| KYC documents and verification results | Account lifetime + 7 years after closure | AML/CFT recordkeeping (HK AMLO; EU AMLD6; FATF Recommendation 11; local equivalents) |
| Transaction records (Card, QR Pay, Marketplace, Swap, Ramp) | Account lifetime + 7 years after closure | AML, tax and financial-services recordkeeping |
| Wallet addresses associated with your Fizen account | Account lifetime + 7 years after closure | AML / transaction-monitoring records; on-chain data itself is publicly retained independently |
| Account profile and preferences | Account lifetime + 30 days after closure | Account administration and short tail for reactivation |
| Customer-support communications | 5 years from last interaction | Service-quality records; defence of claims |
| Marketing engagement data and analytics | Up to 26 months from collection | Industry-standard analytics retention |
| Cookie-based data | As stated in the Cookie Policy (typically up to 13 months for analytics, shorter for session, longer for consent records) | ePrivacy / CNIL guidance and PECR |
| Sanctions and PEP screening records | 10 years from screening | Sanctions defence and supervisory recordkeeping |
| Fraud and suspicious-activity reports (SARs) | 10 years from report or filing | Defence; supervisory access; FATF/local FIU recordkeeping |
| Backups and disaster-recovery snapshots | Rolling 90 days | Business continuity |
| Anonymised statistical aggregates | Indefinite | No longer Personal Data once anonymised |
13. Your Rights
Depending on the Applicable Privacy Law in your jurisdiction, you have the following rights in relation to your Personal Data:
- Right of access — to obtain confirmation that we process your Personal Data and to obtain a copy of it.
- Right to rectification — to have inaccurate Personal Data corrected and incomplete Personal Data completed.
- Right to erasure — to have your Personal Data deleted, subject to the exceptions in Applicable Privacy Law (including retention required by AML/CFT, tax, accounting and contract obligations, and to defend legal claims), and subject to the blockchain immutability described in clause 10.
- Right to restriction of processing — to limit how we process your Personal Data in certain circumstances.
- Right to data portability — to receive a copy of your Personal Data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller.
- Right to object — to processing based on legitimate interests, including profiling for marketing purposes. You may object to direct marketing at any time and unconditionally.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint — with the supervisory authority of your habitual residence, your place of work or the place of the alleged infringement (see clause 22).
- Right not to be subject to automated decision-making — see clause 6.
13.1 How to exercise your rights
Submit a request through legal@fizen.io, or the in-app live chat. We will verify your identity using the email address associated with your Fizen account and, where required by Applicable Privacy Law, additional information. We will respond within the time required by Applicable Privacy Law (in most cases within one month under GDPR / UK GDPR, with one further extension of up to two months where reasonably necessary; in most US states within 45 days, extendable by 45 days where reasonably necessary; in Vietnam within the timelines under Decree 13). You may authorise an agent to make a request on your behalf. We will verify the agent’s authority and your identity before responding. If we deny your request and you are a resident of a jurisdiction that grants an appeal right (for example, Virginia, Colorado, Connecticut and other US states), you may appeal by replying to our denial.
13.2 Exceptions and limits
Some rights are subject to exceptions under Applicable Privacy Law, including:
- Erasure does not apply where we are required to retain the data for AML, sanctions, tax, financial-services or other regulatory purposes, or to establish, exercise or defend legal claims.
- Erasure does not extend to data permanently recorded on a public blockchain (see clause 10).
- Portability applies only to Personal Data we hold on the basis of consent or contract.
- We may charge a reasonable fee for excessive or manifestly unfounded requests, or refuse to act on them, where permitted by Applicable Privacy Law.
14. Personal Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach where required by GDPR Article 33 or UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34 / UK GDPR Article 34, including the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take. In jurisdictions with different breach-notification timelines (including Vietnam, the Philippines, Singapore and various US states), we will notify in accordance with the applicable local timelines.
15. Children and Minors
The Platform is not intended for, and is not directed to, individuals under the age of 18, and we require all users to be at least 18 years old or the age of majority in their jurisdiction, whichever is higher. We do not knowingly collect Personal Data from individuals below this age. If you believe we have collected Personal Data of an individual below the applicable age threshold, please contact our legal team at legal@fizen.io and we will delete the data as soon as reasonably practicable. Where Applicable Privacy Law sets a lower age for valid consent in the context of information society services (for example, GDPR Article 8 sets ages between 13 and 16 depending on the member state; UK GDPR sets 13; COPPA sets 13; Vietnam Decree 13 sets 16), and you reach out to us indicating that an account exists in respect of a person between that lower age and 18, we will apply the protections required by that law.
16. US State Privacy Notice
This section provides information required by US state privacy laws (including the CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana CDPA and similar laws). It applies in addition to the rest of this Privacy Policy if you are a resident of a US state with a comprehensive privacy law.
16.1 Categories of Personal Information we collect and disclose
In the past 12 months we have collected the following categories of Personal Information about US residents: (a) Identifiers; (b) Customer records; (c) Characteristics of protected classifications (age, where collected for AML and Card eligibility); (d) Commercial information; (e) Internet or other electronic network activity; (f) Geolocation data; (g) Professional or employment-related information (where you provide it); (h) Inferences drawn from the above. We have disclosed each of these categories to the categories of recipients described in clause 7.
16.2 Sensitive Personal Information
We collect the following Sensitive Personal Information: government identifiers; biometric and image data; financial account information; precise geolocation (only with your consent). We use Sensitive Personal Information only for the limited purposes permitted by CPRA, including providing the Services you request, security and compliance with law. You have the right to limit our use of Sensitive Personal Information by contacting us through the in-app live chat support.
16.3 “Sale” and “share” of Personal Information
We do not sell Personal Information for monetary consideration. However, our use of analytics and advertising cookies and similar technologies may constitute a “sale” or “share” under the CCPA/CPRA and analogous US state laws. You can opt out at any time using the link “Do Not Sell or Share My Personal Information” in the footer of the Platform and by configuring your cookie preferences. We also respect the Global Privacy Control (GPC) signal as a valid opt-out where required by Applicable Privacy Law.
16.4 Your rights as a US resident
Subject to the conditions and exceptions in your state’s law, you have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit use of Sensitive Personal Information, the right to data portability, and the right not to be discriminated against for exercising your privacy rights. Submit a request through legal@fizen.io, or the in-app live chat.
16.5 California Shine the Light
California residents may request information about the disclosure of Personal Information to third parties for direct marketing purposes by contacting legal@fizen.io.
16.6 No financial incentive
We do not currently offer any financial incentive in exchange for the collection, sale or retention of Personal Information.
17. Vietnam — Additional Information
If you are located in the Socialist Republic of Vietnam, the following additional information applies in addition to the rest of this Privacy Policy.
- Legal basis. Our processing of your Personal Data is based on (a) the performance of our contract with you, (b) compliance with legal obligations applicable to Fizen and to our Vietnamese Local Payment Partner (including KYC and AML obligations), and (c) your consent, where consent is required.
- Sensitive Personal Data. We process the categories of Sensitive Personal Data described in clause 5 in accordance with Article 13 of Decree 13/2023/ND-CP.
- Cross-border transfer. Before commencing or materially changing a cross-border transfer of Personal Data of Vietnamese data subjects, we complete a Transfer Impact Assessment and submit the prescribed notification to the Ministry of Public Security in accordance with Article 25 of Decree 13/2023.
- Your rights. You have the rights described in clause 13, exercised in accordance with the response timings required by Decree 13/2023. You may lodge a complaint with the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention — A05).
18. Other Jurisdictions
If you are located in another jurisdiction with a comprehensive privacy regime (including the Philippines, Singapore, Hong Kong, Brazil, the UAE and others), we process your Personal Data in accordance with the applicable local law. Specific notices and contact details for those jurisdictions are available at fizen.io/privacy/regions.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
- Non-material changes (clarifications, typographical corrections, updates to contact details, descriptions of new internal tools that do not change the nature of processing) take effect on posting of the revised Policy on the Platform.
- Material changes (changes to the categories of Personal Data we collect, the purposes for which we process, the legal bases we rely on, the categories of recipients with whom we share, the international transfer mechanisms or your rights) take effect no earlier than thirty (30) days after we have notified you by email to the address associated with your account, by prominent in-app notification, and by updating the “Last Updated” date at the top of this Policy.
- Changes requiring new consent. Where a change introduces a new processing purpose for which consent is the legal basis, we will request fresh consent before that processing begins in respect of you.

