Privacy Policy
This Privacy Policy describes how Trust IQ Pte. Ltd. ("Trust IQ", "we", "us") collects, uses, shares, and otherwise processes personal data in connection with the Vision Score Portal (the "Portal") and the Vision Score services provided through the Portal (the "Service").
This Privacy Policy supplements, and should be read together with, the general Trust IQ Privacy Policy available at https://trustingsocial.com/privacy-policy. Where there is a conflict between this Privacy Policy and the general Trust IQ Privacy Policy in relation to the Portal, this Privacy Policy prevails. This Privacy Policy is issued to support Trust IQ's compliance with the Singapore Personal Data Protection Act 2012 ("PDPA") in respect of personal data for which Trust IQ acts as an organisation, including Portal account, authentication, KYB, usage, support, security, audit, billing and similar operational data. Where Trust IQ processes Client Personal Data on behalf of a Client under an agreement, Trust IQ acts as the Client's data intermediary under the PDPA and processes such Client Personal Data in accordance with the applicable Data Processing Agreement and the Client's documented instructions.
Audience and scope. This Privacy Policy is directed primarily at Authorized Users, the individuals (typically employees or representatives of Client) who register, log in, and use the Portal. Trust IQ acts as the controller (or its equivalent, including as an independent organisation under the Singapore PDPA) for Authorized Users' personal data and processes such data in accordance with this Privacy Policy. For personal data of borrowers, applicants, or other data subjects that Client uploads to the Portal (as part of Client Inputs), Client is the controller (or organisation under the Singapore PDPA) and is responsible for providing notice and obtaining any required consent from those data subjects. Trust IQ processes such Client Personal Data only as Client's processor (or data intermediary under the Singapore PDPA), as further described in the Data Processing Agreement (the "DPA").
Trust IQ does not usually have a direct relationship with Data Subjects whose Client Personal Data is uploaded by Client. Client is responsible for determining whether and how Client Personal Data is collected from Data Subjects, for ensuring the accuracy and lawfulness of such data, and for handling direct communications, notices, consents, access/correction requests, complaints, adverse-action notices and other obligations owed to Data Subjects, except to the extent Trust IQ is expressly required to assist under the DPA.
1. Who We Are
Trust IQ is part of the wider Trusting Social / Trust IQ group of companies and operates with the support of its affiliates and service providers, including Trusting Social Joint Stock Company and Trust IQ Limited Liability Company (both located in Vietnam), where applicable, as further described in Section 2.3 below.
For data protection enquiries, contact us at data-privacy@trustingsocial.com. For matters reserved for our Data Protection Officer, see Section 13 (Data Protection Officer) below.
2. Scope and Roles
Portal user data — Trust IQ as controller. When you register for a Portal account, log in, browse the Portal, or communicate with us about the Portal, Trust IQ acts as a data controller (or its equivalent under applicable law) and processes your personal data in accordance with this Privacy Policy.
Client Inputs and Client Personal Data — Trust IQ as processor. Data uploaded by the Client to the Portal in connection with the Service is referred to in the Terms and the DPA as "Client Inputs". Personal data contained in Client Inputs is "Client Personal Data" and may include personal data of Client's data subjects in the following categories:
- Image Data, including self-portrait images (selfies) of Data Subjects (which may constitute biometric data under certain applicable laws where they are used to identify, verify or authenticate an individual), together with associated image metadata (such as EXIF data, capture timestamps, device information, and camera parameters);
- Performance Data, including outcome records, performance metrics, application data, payment status records, and related metadata uploaded by Client in structured format;
- Inferred attributes, where generated by the Service from Image Data, which may include technical, contextual, image-based, or other risk-related signals. Some of these inferences may, under applicable law, constitute special-category or sensitive personal data; and
- Subject identifiers that link records together (such as customer or applicant IDs assigned by Client).
Operational processing by Trust IQ Group affiliates. Trust IQ delivers the Service with the support of its affiliates. In particular, Trusting Social Joint Stock Company and Trust IQ Limited Liability Company (companies incorporated under the laws of Vietnam, with principal place of business in Ho Chi Minh City — together, the "Vietnam Affiliates") support Trust IQ in delivering the Service. Where the Vietnam Affiliates process Client Personal Data on behalf of Trust IQ, they act as Trust IQ's sub-processors for that Client Personal Data. Where they process Portal User Data or other operational data for Trust IQ's own purposes, they act as Trust IQ's affiliate service providers. As between Trust IQ and Client, Trust IQ remains responsible for the Vietnam Affiliates' processing of Client Personal Data to the extent required under the DPA. The Vietnam Affiliates perform technical processing activities such as data science operations, model training and fine-tuning, customer support, and incident response. The Vietnam Affiliates process personal data:
- solely on Trust IQ's documented instructions and on the same terms by which Trust IQ is bound to the Client;
- under a written intra-group data processing agreement between Trust IQ and the Vietnam Affiliates that imposes equivalent confidentiality, security, retention, and breach-notification obligations;
- subject to appropriate cross-border transfer safeguards required under Singapore PDPA and applicable foreign law; and
- subject to Trust IQ's audit and oversight rights.
Trust IQ remains responsible under applicable law for personal data processed by the Vietnam Affiliates on its behalf as if Trust IQ had processed the data itself.
3. Personal Data We Process
- Account and KYB data: name, business email, business phone, job title, the Client entity's name, registered address, registration number, beneficial-ownership information, and other information needed to verify the Client's business standing. This Privacy Policy also covers authentication information, login records, IP addresses, device and browser information, usage logs, support communications, security logs, audit records, acceptance timestamps, KYB-related information and other operational data.
- Authentication data: username, password (in hashed form), multi-factor authentication factors, and session tokens.
- Usage data: Portal log files, including IP address, device information, browser type, pages viewed, features used, and timestamps of actions.
- Communications: the contents of any communications you send to us, including support requests and feedback.
- Client Inputs and Client Personal Data, including:
  - Self-Portrait Images (selfies), which may constitute biometric data under certain applicable laws;
  - Image Metadata including EXIF data such as capture timestamps, device information, camera and lens parameters, and (where present) geolocation;
  - Environmental and background visual context visible in Self-Portrait Images;
  - Inferred attributes, including inferred demographic attributes (such as gender) and inferred psychophysical attributes (such as alertness). Some of these inferences may constitute special-category or sensitive personal data;
  - Performance data, including loan terms, payment history, delinquency status, default outcomes, and equivalent metrics;
  - Rejected application data (where uploaded), including reasons for rejection;
  - Performance application data, including product type, application timestamp, and application channel; and
  - Borrower identifiers that link records together (such as customer IDs assigned by Client).
- Service Outputs. Vision Scores, scoring results, performance metrics, lift tables, analytics, reports, and other outputs generated by the Service from Client Inputs. To the extent Service Outputs include personal data or are reasonably linkable to a Data Subject, they are treated as Client Personal Data.
- Aggregated Service Metrics. Statistical, operational, performance, security, benchmarking or analytics information derived from use of the Service that has been anonymised so that it does not identify any individual. Aggregated Service Metrics are not personal data once properly anonymised.
- Technical data. Strictly necessary technical data (such as session identifiers and authentication tokens) collected to operate the Portal. Trust IQ does not use third-party advertising, analytics tracking, or non-essential cookies on the Portal.
- Government identifiers. We do not use NRIC, passport, national identification or similar government identifier numbers as passwords, default credentials or authentication factors. Where such identifiers are collected for KYB, sanctions, legal, compliance or verification purposes, Trust IQ collects and retains them only where reasonably necessary and in accordance with applicable law.
4. How We Use Personal Data; Purposes and Legal Bases
For Singapore PDPA purposes, Trust IQ collects, uses and discloses personal data for the purposes described below. Where another applicable law requires Trust IQ to identify a legal basis for processing, Trust IQ's legal bases may include performance of contract, compliance with legal obligations, consent, legitimate interests, establishment or defence of legal claims, and other lawful bases available under applicable law.
- To provide, operate, administer and support the Portal and the Service for Client and Authorized Users, including account administration, access management, service delivery, support and administrative communications.
- To verify Client's business (KYB), compliance with anti-money-laundering, sanctions, and other legal obligations.
- To operate, secure, and improve the Service, including model improvement using Aggregated Service Metrics only.
- To communicate with you about the Service, account, support, and incident notifications.
- To comply with legal obligations.
- To send marketing communications about Trust IQ products and services, where permitted by applicable law. You may opt out of marketing emails at any time by clicking "unsubscribe" or contacting data-privacy@trustingsocial.com.
Client Personal Data — purpose limitation. Trust IQ processes Client Personal Data solely as instructed by the Client for the purpose of providing the Service. Client Personal Data is not used for any other purpose, except in properly anonymised form (as Aggregated Service Metrics) for Service improvement as permitted under the Terms and the DPA. Trust IQ does not use Client Personal Data, Self-Portrait Images, biometric features, Service Outputs or Client-specific model artefacts in identifiable or re-identifiable form to train general-purpose, multi-customer or foundation models, unless expressly agreed in writing with Client.
5. Biometric Data and Other Sensitive Categories
Client-uploaded Image Data may constitute biometric data under certain applicable laws where used to identify, verify or authenticate an individual. Trust IQ treats Image Data, biometric templates or features derived from them, Performance Data and sensitive inferences as high-risk personal data requiring heightened protection.
We treat biometric data, Self-Portrait Images, performance data and sensitive inferences as high-risk personal data, and as sensitive or special-category personal data where applicable law so provides. We process such data solely as a processor on the Client's behalf, for the limited purpose of generating the Vision Score and (where requested by Client) fine-tuning a customer-specific Vision Score model. We do not use biometric data to identify or re-identify any individual outside the Service. We do not sell biometric data or any other Client Personal Data. We do not use biometric data, Self-Portrait Images or biometric features in identifiable or re-identifiable form to train any general-purpose, multi-customer or foundation model unless expressly agreed in writing with Client.
Client is responsible for ensuring that, before uploading any Self-Portrait Images, biometric data, sensitive inferences, performance data or other Client Personal Data to the Portal, it has provided all notices and obtained all consents, deemed consents, authorisations, approvals or other legal grounds required under applicable law.
Where the Service infers demographic or psychophysical attributes from an image, Trust IQ acts as processor on Client's behalf. Client is responsible for ensuring that the use of such inferred attributes is permitted under applicable law (including fair-lending and anti-discrimination law) and does not result in discrimination against any Data Subject.
6. Automated Decision-Making and Profiling
During the Trial, Service Outputs are provided for internal evaluation, testing and backtesting only and must not be used for live, customer-facing or production decisions affecting any individual. The generation of a Vision Score may involve profiling, automated processing or similar regulated processing under certain applicable laws, because it involves automated analysis of Client Inputs to produce risk-related signals.
The Vision Score is intended to be used by Client as one input among others in Client's own assessment process. It is not designed, authorised or intended to be used as the sole basis for any decision that produces legal, financial, performance, eligibility, onboarding, pricing or similarly significant effects on a Data Subject. Client is responsible for applying meaningful human review and for complying with all laws applicable to its own decision-making.
Where applicable law requires information, explanation, human intervention, contestation, appeal or similar safeguards in relation to a decision based wholly or partly on a Vision Score:
- Client is responsible for providing those safeguards to the Data Subject;
- Client is responsible for complying with any performance, lending, adverse-action, anti-discrimination, fair-treatment, explainability, appeal, contestation and record-keeping requirements applicable to its decision-making; and
- Trust IQ will provide reasonable assistance to Client in accordance with the DPA and the technical capabilities of the Service.
7. Sharing of Personal Data
We share personal data with:
- Trust IQ Group affiliates — within the Trust IQ / Trusting Social group, on a need-to-know basis. In particular, the Vietnam Affiliates perform operational processing on Trust IQ's behalf (see Section 2.3);
- Sub-processors and service providers — Trust IQ uses third-party service providers to support Portal operations, hosting, infrastructure, communications, security, monitoring, KYB, customer support, operational analytics, compliance and business administration. Where a third party processes Client Personal Data on behalf of Trust IQ in connection with the Service, that third party is treated as a sub-processor under the DPA.
- Professional advisors — including auditors, legal counsel, and consultants, under confidentiality obligations;
- Regulatory and law-enforcement authorities — where required by law or to defend our legal rights; and
- In a corporate transaction — to a successor entity in connection with a merger, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality protections.
We do not sell personal data.
8. Cross-Border Transfers
Trust IQ operates globally and may transfer personal data outside the country in which it was collected. The principal destinations for personal data processed in connection with the Service are Singapore (Trust IQ's headquarters) and Vietnam (where the Vietnam Affiliates perform operational processing). Personal data may also be transferred to other jurisdictions in which Trust IQ or its sub-processors operate, consistent with the geographic restrictions set out in Section 2.3 of the Terms (Prohibited Jurisdictions).
Prohibited Jurisdictions. The Terms restrict Client from uploading Client Personal Data of residents of certain prohibited jurisdictions, including the United States, the EEA, the United Kingdom, Switzerland, and sanctioned jurisdictions, unless Trust IQ separately agrees in writing. If any exceptional processing is agreed, applicable transfer terms will be addressed in the DPA or a separate written agreement.
Where required by applicable law, Trust IQ implements appropriate cross-border transfer safeguards, which may include contractual obligations, intra-group data transfer agreements, technical and organisational measures, transfer assessments or other lawful transfer mechanisms.
9. Retention
We retain personal data only as long as needed for the purposes set out in this Privacy Policy or as required by applicable law:
- Account and KYB data: while the account is active, and for up to seven (7) years after closure, to meet legal and audit obligations.
- Authentication and usage logs: typically twelve (12) months from the date of the relevant event.
- Client Personal Data (including Self-Portrait Images, biometric features, image metadata, performance data, application data and applicant identifiers): retained only for the period required to provide the Service and deleted, returned or anonymised in accordance with the DPA, the Terms and Client's documented instructions. Unless otherwise agreed in writing or required by law, Client Personal Data will be deleted or anonymised within thirty (30) days after the end of the Trial or termination of Client's access to the Service.
- Client-specific model weights and artefacts derived from Client Personal Data are handled in accordance with the DPA and the Terms and remain subject to the confidentiality, security, retention, deletion and use restrictions applicable to Client Personal Data.
- Aggregated Service Metrics (anonymised information derived from use of the Service): retained for analytics, benchmarking, security, research, development, and service improvement, provided that Trust IQ does not attempt to re-identify such information.
- Communications: retained for as long as needed to resolve the matter, plus a reasonable archival period.
- Marketing data: until opt-out or as required by applicable law.
Backups. Personal data retained in routine backups will be isolated from active processing and overwritten in the ordinary backup cycle, unless earlier deletion is technically feasible or longer retention is required by law.
10. Security
We maintain reasonable and appropriate technical and organizational security measures, including encryption in transit and at rest, access controls, audit logging, and personnel training. Further detail on security measures applicable to Client Personal Data is set out in the Data Processing Agreement. No system is fully secure, and we cannot guarantee absolute security.
Client remains responsible for securing its own systems, credentials, devices, networks and access to the Portal, and for ensuring that only authorised personnel access the Portal.
If Trust IQ becomes aware of a data breach involving personal data, Trust IQ will assess, contain and respond to the incident in accordance with applicable law. Where the breach involves Client Personal Data, Trust IQ will notify the relevant Client in accordance with the DPA and applicable law. Client is responsible for determining whether any notification to its own end users, regulators, counterparties or other persons is required in respect of Client Personal Data.
11. Your Rights
Depending on your jurisdiction and on whether Trust IQ acts as organisation/controller or processor/data intermediary for the relevant personal data, you may have rights to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your personal data, subject to legal exceptions;
- restrict or object to processing, including profiling;
- portability — receive your data in a structured, commonly used, machine-readable format;
- withdraw consent (where consent is the legal basis);
- obtain human intervention, express your point of view, and contest decisions based solely on automated processing;
- opt out of marketing communications; and
- lodge a complaint with your local data protection authority.
To exercise your rights, contact us at data-privacy@trustingsocial.com. We will respond within the timeframe required by applicable law.
For end-user data uploaded by the Client (Client Personal Data, e.g., selfies, performance data): Trust IQ acts only as processor / data intermediary. If you are an end user whose data has been uploaded by a Client, please direct your request to the Client (which is the data controller / organisation). Trust IQ will provide reasonable assistance to Client in accordance with the DPA and the technical capabilities of the Service.
12. Children's Data
The Portal is intended for business use by adults. We do not knowingly collect personal data from children. Clients warrant they will not upload personal data of children under 18 (or such higher threshold required by applicable law). If you believe a child's data has been uploaded, contact us at data-privacy@trustingsocial.com.
13. Data Protection Officer
Trust IQ Pte. Ltd. has appointed a Data Protection Officer ("DPO") in accordance with Section 11(3) of the Singapore Personal Data Protection Act 2012. The DPO oversees Trust IQ's compliance with applicable data protection laws and serves as a point of contact for data protection enquiries relating to Trust IQ's processing activities.
You may contact the Data Protection Officer at:
Trust IQ Pte. Ltd. — Data Protection Officer
Email: data-privacy@trustingsocial.com
Postal address: Trust IQ Pte. Ltd., Attn: Data Protection Officer, #07-01 Suntec Tower 2, 9 Temasek Boulevard, Singapore 038989
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified through the Portal or by email. The "Last Updated" date at the top reflects the most recent revision.
15. Governing Law
This Privacy Policy is governed by, and shall be construed in accordance with, the laws of Singapore, including the Personal Data Protection Act 2012 and its implementing regulations.
Trust IQ Pte. Ltd. fulfils its obligations under this Privacy Policy in compliance with the Singapore PDPA. Where another data protection law is mandatorily applicable to specific processing, this Privacy Policy may be supplemented by additional disclosures, contractual terms or the DPA, as applicable.
If there is any conflict between this Privacy Policy and the DPA in relation to Trust IQ's processing of Client Personal Data on behalf of Client, the DPA will prevail. If there is any conflict between this Privacy Policy and the Terms in relation to commercial rights, restrictions, liability, dispute resolution or use of the Service, the Terms will prevail, except to the extent the DPA expressly provides otherwise for Client Personal Data.
16. Contact Us
For any general question or to exercise your rights, contact us at:
Trust IQ Pte. Ltd.
Attn: Data Privacy
#07-01 Suntec Tower 2, 9 Temasek Boulevard, Singapore 038989
Email: data-privacy@trustingsocial.com
You may also contact the competent data protection authority for complaints: Singapore — Personal Data Protection Commission (https://www.pdpc.gov.sg)