Allinpay Merchants Services (Singapore) Pte Ltd (“AIP”, “we”, “our”, or “us”) is a Major Payment Institution licensed by the Monetary Authority of Singapore (MAS). AIP is committed to protecting the privacy of individuals and their personal data. This policy, which applies to all personal data in our possession or under our control, is aligned with the Singapore Personal Data Protection Act (No. 26 of 2012) (“PDPA”) and the data protection standards adopted worldwide.
Our Commitment
- The personal data AIP collect is not sold, rented, or otherwise transferred to third parties for their independent use.
- Data subjects have the right to manage their consent preferences, including the ability to opt out of the collection, use, and disclosure of their personal data.
1. Scope
- All customers, merchants, and their representatives who use our services
- Beneficiaries and remittance recipients
- Business partners, vendors, and service providers AIP engage with
- Employees, officers, and consultants
2. Collection of Personal Data
AIP may collect personal data directly from you, through our merchants, partners, or regulators, or via technology platforms.
Types of personal data AIP may collect include:
- Identity Data: Name, NRIC/FIN/Passport, nationality, date of birth, gender
- Contact Data: Address, email, phone number
- Financial Data: Bank account, card details, transaction history
- Business Data: UEN, company documents, beneficial ownership information
- Employment Data: Recruitment information, HR records (for employees)
- Technical Data: IP address, device information, geolocation, log-in credentials, cookies
AIP generally collect personal data in the following ways:
- Voluntary Provision: When you provide us with your personal data directly through forms, emails, or during interactions.
- Transactions: When you engage in a transaction, order a product or service, or register for an event.
- Third Parties: From third parties who are authorized to disclose your personal data to us, such as referrals or when AIP receive references.
- Automated Means: When you access our AIP websites or use our applications, through the use of cookies or other technologies.
3. Purpose of Collection, Use, Process and Disclosure
Personal data is collected, used, processed and disclosed for various purposes, including providing services, processing transactions, managing customer relationships, handling applications, marketing with consent, and complying with legal obligations.
AIP is committed to processing data in accordance with its responsibilities under PDPA.
- Data is processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes,
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by PDPA in order to safeguard the rights and freedoms of individuals, and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Disclosure of Personal Data
AIP may disclose personal data to the following parties, on a need-to-know basis and subject to confidentiality safeguards:
- Regulators & Authorities: MAS, Personal Data Protection Commission (PDPC), law enforcement, tax authorities
- Financial Institutions & Payment Networks: Banks, card schemes, remittance partners
- Vendors & Service Providers: IT hosting providers, cybersecurity vendors, customer service providers, auditors, legal and compliance advisors
- Group Companies: Affiliates within the Allinpay Group (where applicable), subject to PDPA-compliant safeguards
AIP will never sell or trade personal data.
5. Consent and Withdrawal of Consent
5.1 Consent
By providing your personal data to us, whether directly or through a third party (e.g. merchants, payment partners, financial institutions), you consent to the collection, use, and disclosure of your personal data in accordance with this Policy
5.2 Withdrawal of consent
You may withdraw your consent for the collection, use, and disclosure of your personal data at any time by submitting a written request to our Data Protection Officer (DPO).
Upon receiving your request:
- AIP will process the withdrawal within a reasonable time.
- AIP will inform you of the likely consequences (e.g. inability to provide or continue services).
- AIP will cease further collection, use, or disclosure of your personal data, unless such processing is required or authorised under applicable laws.
5.3 Exceptions
Certain uses of personal data cannot be withdrawn, as they are mandatory under law or regulation, including but not limited to:
- KYC, AML, and CFT compliance required by MAS and other authorities
- Transaction and remittance record-keeping for at least 5 years
- Regulatory reporting to MAS, law enforcement, or tax authorities
- Fraud monitoring, risk management, and security purposes
6. Protection of Personal Data
AIP adopt MAS-aligned security controls to protect personal data from unauthorised access, disclosure, alteration, or loss. Safeguards include:
- Governance & Policy Controls: Data classification, access restrictions, employee confidentiality agreements
- Technical Controls:
- Encryption of data at rest and in transit
- Multi-factor authentication
- Endpoint and network security monitoring
- Operational Controls:
- Regular penetration tests and vulnerability assessments
- Cyber incident response procedures
- Vendor due diligence and outsourcing risk assessments
- Physical Controls: Restricted access to offices, secure storage for physical records
7. Retention of Personal Data
AIP retain information as long as it is necessary to provide the services requested by parties, subject to any legal obligations to further retain such information. Information associated with party’s account will generally be kept until it is no longer necessary to provide the services or until the party ask us to delete it or party’s account is deleted whichever comes first.
Additionally, AIP may retain information from deleted accounts to comply with the law, prevent fraud, resolve disputes, troubleshoot problems, assist with investigations, enforce the Terms of Use, and take other actions permitted by law. The information AIP retain will be handled in accordance with this Data Protection and Privacy Policy.
8. Access and Correction of Personal Data
Requests to access a copy of personal data or to correct/update data can be submitted in writing to the Data Protection Officer (DPO).
9. Data Breach Notification
In accordance with PDPA breach notification rules and MAS incident reporting requirements, AIP will:
- Investigate suspected or confirmed data breaches immediately
- Contain and remediate risks
- Notify PDPC, MAS, and affected individuals within the required timeframes if significant harm or impact is likely
10. Data Protection Officer
For questions or feedback on this policy, contact the Data Protection Officer at davidboey@allinpayintl.com or +65 9757 3252
11. Updates to This Policy
This Policy may be updated to reflect changes in law, regulations, or business practices. The latest version will be available on our website.
