PIPO Privacy Policy
Last updated: 18 December 2025
PIPO and its group companies (“PIPO”, “we”, “our”, “us”) provide payments, financial and technology solutions to businesses and individuals (“Services”). These Services include accepting and processing payments for ecommerce transactions, and facilitating transactions with social media creators, advertisers, e-commerce sellers and their respective service providers (“Partners”) as well as providing Services to members of the ByteDance group (“Corporate Partners”) which are supported by PIPO. In addition, PIPO provides identity verification, fraud detection and chargeback services for some of our Corporate Partners.
The specific PIPO data controller responsible for processing your personal information will be the PIPO company with whom you contract for our Services. Further information on the data controller responsible for the provision of our Services in your location may also be available in the Jurisdiction-Specific Terms section of this Policy.
This Privacy Policy (“Policy”) explains how we collect, use, share, and otherwise process personal information relating to individuals (“you” or “your”) in connection with our Services.
This version of our Policy applies where we process personal information relating to individuals outside of the European Union, European Economic Area, Switzerland or the United Kingdom, and North America. It governs how we collect, use, disclose or otherwise process personal information that we collect or is made available to us in the course of the performance of our Services.
We collect personal information from you, third parties or public sources. In particular, when you use our Services, we collect the following types of personal information.
We may collect information such as your full name, date of birth, residential address, billing address, email address, phone number, nationality, citizenship, occupation, country of residence, gender, family status, job and education information. When necessary and where permitted by applicable law, we may collect your identity information such as proof of address and government-issued identification such as your identification card number, passport number, and copies of your identification card, driving license or passport. We may also collect a photograph or image for facial verification and liveness checks.
When you make a payment transaction using our Services, we collect payment information. The payment information we collect depends on the payment method used and on the local requirements within the payor’s country of residence:
· When you make payments using payment cards, we collect your payment card information such as the name on your card, primary account number (“PAN”), card verification value (“CVV”) and expiration date (collectively, “cardholder data”).
· When you use bank transfers to withdraw or receive any funds, we may collect your bank and accountholder data such as PAN or IBAN, SWIFT BIC, bank code, beneficiary name and address, and any other relevant information relating to your chosen account.
· If you make payments through a third-party payment service provider or e-wallet, we may collect information about your account with that service provider or details relating to your e-wallet, and other relevant information.
Where relevant, we may also process your Value-Added Tax or Goods & Services Tax number.
To ensure the safety and security of your payments, we collect (but not retain) payment verification information such as CVV.
We may collect information to determine your income, financial status and creditworthiness where we offer or provide loan or credit-related products and services, or where we work with licensed financial institutions to provide such services to you. We may also collect these types of information to manage our financial and compliance risks. This information may include your transaction and repayment history, credit score and credit usage, and information relating to your profession and employment, income, location and other demographic data. We may also request documents such as utility bills, bank statements, credit card statements and tax-related documents. We may draw inferences relating to your credit risk or to monitor for fraud or other risks based on this information and other information which we collect in accordance with this Policy.
We may collect information in respect of the transactions you make or receive while using our Services, such as information about the underlying purchase or transaction, payment method, card type, payment authentication token, buyer billing information, order ID, logistics information regarding shipment and delivery of your products including by third party logistics providers, tax-related information and information about refunds and complaints. We also process PIPO account information, such as sellers and advertisers account ID, buyer account ID, and account history.
We may collect technical information such as IP address, information about your device (including your device ID, device type and model, device language) and apps, technical usage information, web browser and internet connection, time zone settings, operating system and screen resolution.
We collect information about your approximate location, including location information based on your SIM card and/or IP address. With your permission, we may also collect precise location data (such as GPS location).
We may collect information about you when you communicate with us, such as when you contact our customer support or sales teams. This may include the content of messages you send to us. We may record phone calls and video conferences (where permitted by applicable law) and retain transcripts of dialogue for training, quality assurance, product development and administration purposes. We may also collect contract information when you provide us with details of your contractual arrangements with third parties. We may collect information about you, such as survey or market research responses, where you choose to participate in such research studies or surveys conducted by us or on our behalf.
We may receive your personal information from third parties such as:
(a) Our Corporate Partners;
(b) Businesses and individuals with whom you interact that use our Services such as social media creators, advertisers, merchants and their respective service providers;
(c) Business partners and service providers such as identity verification providers, and providers of governance, risk and compliance solutions;
(d) Credit bureau, alternative credit scoring, or other credit reporting organisations;
(e) Payment service providers and other financial institutions; and
(f) Your authorised agents or third-party representatives.
We only use your information when we have a “legal basis” to do so in accordance with applicable laws. We rely on different legal bases depending on why we use your information (in other words, the “purpose” of our processing) and the laws of the jurisdiction in which you are located.
We process your personal information:
· To provide and administer our Services, or to facilitate the provision of services of our Corporate Partners and payments and financial services providers with whom we partner to provide such services to you. This includes enabling you and others to perform and manage payment and financial transactions, and for us to fulfill requests in relation to our Services.
· To communicate and provide support to you and parties with whom you transact, including to perform troubleshooting, provide information about changes to our Services and other service-related notifications.
· To investigate and resolve complaints, claims or disputes between you, us and other individuals or businesses with whom you transact.
· To process, manage and verify your eligibility for our Services or for products and services offered by our Corporate Partners and business partners. This may include performing credit checks, screening, and risk profiling.
· To check and verify your identity and information, and to carry out due diligence, Anti-Money Laundering and Know-Your-Customer checks, sanctions screening, security and background checks, and other transaction monitoring activities in accordance with legal and regulatory obligations, industry practice and risk management policies and procedures of PIPO and our Corporate Partners.
· To monitor, analyze, improve and develop our Services, systems and processes, and conduct research and product development.
· For our internal operations, including for accounting, transaction reconciliation, troubleshooting, data analysis, testing, statistical, and survey purposes, recordkeeping and to solicit your feedback.
· To maintain and enhance the safety, security, and stability of our Services, systems and infrastructure, such as by identifying and addressing technical or security issues or problems, detecting and preventing abuse, harmful activity, fraud, spam, and other illegal activities, and to detect and address any actual or suspected violations of our terms and conditions of the Services.
· To review, improve, promote, and develop our Services, including by monitoring user interactions and transactions, conducting surveys.
· To train and improve our technology such as our machine learning, AI models and algorithms.
· To comply with our legal and regulatory obligations, including under applicable tax, payments and financial services laws, and to meet our accounting, audit and financial reporting obligations.
· To comply with obligations and requirements imposed by us by any credit bureau or credit information sharing services of which we are a member or subscriber.
· To enforce obligations owed to us, or obligations owed to our Corporate Partners and business partners.
· To facilitate and fulfil discount and marketing programmes relating to payment methods.
· For any other purposes disclosed to you at the time we collect your information or pursuant to your consent.
We share your personal information with selected recipients. These categories of recipients include:
We share information about you with service providers to assist us in the performance of our Services and achieving the purposes of this Policy. We may also engage with business partners including where we work with such partners to offer certain financial services to you.
We share your personal information within our corporate group, including parent, subsidiary or affiliate companies (“Corporate Partners”) to provide the Services or for the purposes set out in this Policy.
Where you use the services of our Corporate Partners, we may share information about you with them to facilitate customer onboarding and Anti-Money Laundering and Know-Your-Customer checks performed by these group companies. We may also share your personal information within our Corporate Partners for the purpose of assessing your credit risk and determining your eligibility for their services.
We may share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if such use is reasonably necessary to:
· Comply with a legal obligation, process or request;
· Enforce our terms of service and other agreements, policies, and standards, including investigation of any potential violation thereof;
· Detect, prevent or otherwise address security, fraud or technical issues; or
· Protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law.
We may also disclose your information to third parties in connection with a corporate transaction, such as a merger, purchase or sale of assets or shares, reorganization, financing, change of control, or acquisition of all or a portion of our business.
Your information may be stored on servers located outside the country where you live, such as in Singapore, Malaysia, Ireland and the United States. We maintain major servers around the world to bring you our services globally and continuously. If applicable laws require us to store information in the country in which you are located, we may also store your information on servers within your country.
Where we are the data controller of your personal information, you may exercise your data protection rights by contacting us. Some of these rights apply generally, while others will only apply in certain circumstances. Depending on the scenario, these rights may be subject to some limitations. PIPO will be responsible for responding to your request within the relevant periods provided by law.
The rights which you are afforded under applicable laws may include the right to access, delete, update, or rectify your data, to be informed of the processing of your data, to file complaints with authorities, and potentially other rights. Further information on the rights afforded to you under the laws of your jurisdiction may be provided in the Jurisdiction-Specific Terms section below.
To submit a request to exercise your rights under applicable laws, please contact us at https://www.pipopay.com/legal/data-subject-rights. Please also see the Jurisdiction-Specific Terms section below on whether a local representative or local contact is available for your country.
We may process your information on behalf of other individuals or businesses such as sellers. Where we process your information on behalf of another party, the individual or business with whom you work or transact will be responsible for responding to your requests to exercise your rights and this individual or business will be the appropriate party to whom your requests should be submitted.
We take steps to ensure that your information is processed securely and in accordance with this Privacy Policy and applicable laws. These steps include for example, the use of encryption for information transmitted via the internet. The transmission of information via the internet is inherently not fully secure. You should note that there are risks where you transact online. If you believe that the security of your accounts or any payment transaction has been compromised, please contact us immediately. Subject to applicable law, transmission of information to us via the internet is at your own risk.
We have implemented appropriate measures, including technical, physical and organizational measures, to ensure a level of security appropriate to the risks to you and other users of our Services. We maintain these measures and will amend them from time to time to improve the overall security of our systems.
You also share responsibility for keeping your personal information safe. You are responsible for keeping your account details (if any) confidential. For security and privacy reasons, we request that you refrain from disclosing personal information, including passwords, credit card numbers, or other confidential data. We are committed to safeguarding your privacy, but the security of your personal information also requires that you exercise safe user practices.
We retain your information for as long as it is necessary for the purposes for which it was collected. We also retain your information (which may include true copies of identification documents) when necessary to comply with contractual, legal or regulatory obligations, or when we have a legitimate business purpose to keep such data (including where it is necessary for the establishment, exercise or defence of legal claims).
The retention periods which we apply may differ depending on criteria such as the type of information and the purposes for which we use the information. Please also see the Jurisdiction-Specific Terms section below for further information on retention requirements specific to your jurisdiction (where applicable).
We may update this Privacy Policy from time to time. When we update this Privacy Policy, we will notify you by updating the “Last Updated” date at the top of this policy and posting the new Privacy Policy or providing any other notice required by applicable law. Your continued access to or use of our Services after the date of the updated policy constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop accessing or using the Services.
If you have questions, comments, complaints or requests regarding this Privacy Policy, please contact us by submitting a request at https://www.pipopay.com/legal/data-subject-rights. This is without prejudice to your right to make a complaint with a relevant data protection authority, where applicable. Please also see the supplemental terms below on whether a local representative or local contact is available for your country.
We will endeavor to deal with your request as soon as possible.
Some jurisdiction-specific laws contain additional terms, which are set out in this section. If you are a user to which the laws of the jurisdictions set out below apply, the terms set out below apply to you in addition to the terms set out above and, in the event of a conflict, the terms set out below prevail.
Exercise of Data Protection Rights. Brazilian law provides certain rights to individuals with regards to their personal information. Thus, we seek to ensure transparency and access controls to allow users to benefit from the mentioned rights.
We will respond and/or fulfill your requests for the exercise of your rights below, according to the applicable law and when applicable, to the Brazilian General Data Protection Law - LGPD:
Verifying your Identity: For your safety and to allow us to make sure that we do not disclose any of your personal information to unauthorized third parties to verify your identity and guarantee the adequate exercise of your rights, we may request specific information and/or documents from you before we can properly respond to a request received concerning your data. All data and documents received from you in the process of responding to your requests will be used for the strict purposes of analyzing your request, authenticating your identity, and finally responding to your request.
Limitations to your Rights: In certain situations, we may have legitimate reasons not to comply with some of your requests. For instance, we may choose not to disclose certain information to you when a disclosure could adversely impact our business whenever there is a risk of violation to our trade secrets or intellectual property rights. In addition, we may refrain from complying with a request for erasure when the maintenance of your data is required for complying with legal or regulatory obligations or when such maintenance is required to protect our rights and interests in case a dispute arises. Whenever this is the case and we are unable to comply with a request you make, we will let you know the reasons why we cannot fulfill your request.
International Transfer of Data. We share your personal information globally with companies of our business group to carry out the activities specified in this Policy. We may also subcontract the processing of data involved in the Services or share your personal data with third parties located in other countries. Your personal information may therefore be subject to privacy laws other than those applicable in your country.
Whenever we transfer your personal information to third parties located in other countries, we will ensure that these companies comply with applicable data protection laws, and we will take all reasonably necessary measures to ensure the existence of adequate safeguards to protect your personal information and to ensure that it is processed safely.
Language. The Policy may have been prepared in the English language and in the Portuguese language. If you are a user located in Brazil, you shall refer to the Portuguese version, which shall prevail.
Contact: In case of doubt about your privacy, your rights or how to exercise them, please contact us through the form "Contact". If you have any questions about the processing of your personal information, we would like to clarify them.
DPO. If you wish to reach the PIPO's Data Protection Officer, please submit a request at https://www.pipopay.com/legal/data-subject-rights.
Data Subject Rights. When the processing of your personal information relies on consent, you may withdraw your consent to our processing of your personal information. Please note that by withdrawing your consent, we may not be able to fulfill your requests and you may not be able to use some PIPO features and functionality.
You may request that we (i) disclose the history of personal information that we have collected; and/or (ii) erase and dispose of your personal information that we have collected. Please note that by requesting us to erase and dispose of your personal information, you may not be able to use our Services, or some PIPO features and functionality.
Subject to the Indonesian Personal Data Protection Law or other applicable laws of Indonesia, you may have rights in addition to the rights set out in section on Your Rights and Choices. These include the right to (i) obtain information on the clarity of identity, the legal interests, the purpose of collecting and processing your personal information, and accountability of parties who can access your personal information (including related third parties); (ii) terminate the processing of, delete and/or destroy your personal information; (iii) object to any automatic processing of your personal information (including profiling activities); (iv) delay or restrict the processing of your personal information; (v) sue and receive compensation for violations affecting your personal information; and (vi) to port your personal information to another data controller.
Legal Basis for Processing. We will process your personal information by relying on a legal basis prescribed by the laws of Indonesia, that is (i) when you provide your explicit consent to us; (ii) when it is necessary for us to fulfill our contractual obligations to you; (iii) when we are legally obliged to process your information; or (iv) when we have a legitimate interest to process your information, provided that it is not outweighed by your rights and interests.
Language. This Privacy Policy is available in English and in Indonesian. The English version prevails if there are inconsistencies or different interpretations between the English and the Indonesian versions of the Privacy Policy.
Contact. Questions, comments and requests regarding this Privacy Policy or to exercise any of your rights under the applicable law, please submit a request at https://www.pipopay.com/legal/data-subject-rights.
Notification. In the event of any breach of your personal information, we will, in accordance with applicable law, notify you and provide you with information regarding such breach of your personal information.
Requirements for sharing and collecting your information for individuals in Japan:
Supervision. PIPO will conduct necessary and appropriate supervision of our employees, such as educating or training employees who process your personal information. Where a data breach has occurred or where PIPO has determined that it is likely that such a breach has occurred by us or our service providers, PIPO will report the relevant facts to you promptly, investigate and report thereon, and implement recurrence prevention measures.
Sharing your Personal Information. When outsourcing or subcontracting the processing of your information, PIPO will enter into a contract imposing the same level of data protection obligations as set forth in the terms with the outsourcee/subcontractor who has been retained by us for the processing of all or part of your personal information, and shall perform appropriate supervision and be responsible for the performance of the contract by the outsourcee/subcontractor.
Overseas Transfer of Personal Information. If PIPO transfers your personal information or audiences you create to third parties or PIPO affiliates that are located outside Japan, PIPO will impose on such third parties and PIPO affiliates the same level of data protection obligations as our obligations under this Privacy Policy by way of a written contract or legally binding rules, except as otherwise permitted under the applicable laws, regulations, and applicable industry guidelines.
Your Rights. PIPO is responsible for the accuracy, or deletion of any, of your personal information, as well as the authority to respond to any claims of rights under applicable laws and regulations. PIPO will provide disclosure regarding the processing of your personal information, and PIPO will be responsible for responding to the exercise of data subject rights and complaints from users.
Data Controller. The PIPO company responsible for the provision of our Services may vary depending on the specific Service that you use. Where you use payments and e-wallet services in Malaysia, the data controller responsible for processing your personal information is PIPO (MY) Sdn. Bhd. Where you use conventional or Syariah financing-related products and BNPL services, the data controller responsible for processing your personal information is PIPO Fintech (MY) Sdn. Bhd. Both companies are incorporated in Malaysia with their registered address at 12 (First Floor), Jalan Lembah Permai 1, Taman Lembah Permai, 14000 Bukit Mertajam, Pulau Pinang Malaysia.
Obligation to Provide Personal Data. Your personal information is required for the purposes set out in this Privacy Policy, including for performing our obligations under a contract with you. If you do not provide the required personal information, we may not be able to proceed with your request and/or to perform our obligations under the contract with you, either in whole or in part.
Consent for Processing of your Biometric Information. We may collect or rely on service providers to collect, personal information that is considered biometric data under Malaysian law. We collect this information via facial recognition or similar technologies, from an image such as a selfie photograph or a photograph of you from an identification document that you provide. We use such biometric data to verify your identity and for account authentication checks. If you use a service for which such checks are required, you consent to us processing your biometric data for these purposes.
Consent for Processing of Credit Information. We may collect and process credit information and reports relating to you, including from credit reporting agencies. We process this information to offer, provide or facilitate the provision of, financing-related services and BNPL services, including to assess your eligibility for such services, to evaluate, review and monitor your credit status, and for debt recovery purposes. Credit information we process may include Basic Information, Identification Information, Payment Information, Transaction Information, information on your existing credit facilities, credit repayment information and credit enquiry information. The credit reporting agencies we engage may also obtain such information and reports from the Central Credit Reference Information System (“CCRIS”) system operated by Bank Negara Malaysia.
By using our platform and services, you consent to the credit reporting agencies we engage, accessing, collecting and processing your credit information, including from CCRIS and other content and information providers, and for these credit reporting agencies to disclose this information to us. You also consent to us processing this information for the purposes stated above and in accordance with this Privacy Policy.
The credit reporting agencies we engage are regulated under the Credit Reporting Agencies Act 2010. We are not responsible for the privacy practices of these agencies. Please refer to the CTOS Privacy Policy and Experian Privacy Policy for information on how these credit reporting agencies process your personal information.
Language. In the event of any discrepancy or inconsistency between the English version and Bahasa Malaysia language version of this Privacy Policy, the English version shall prevail.
Data Controller. The data controller for the provision of our Services related to BNPL in Mexico is PIPO Soluciones Digitales, S.A. de C.V., with address at Corporativo Neuchatel. Av. Río San Joaquín No. 498 Piso 6, Col. Ampliación Granada, Mexico City, 11529, Mexico.
Personal Data Collected. The categories of personal data collected are those described in Section 3. “What types of information do we collect?”.
Additionally, for the provision of our Services, we may collect, in addition to the personal data disclosed in the general terms of this Notice (Section 3), any other information necessary for identity verification, credit evaluation, compliance with anti-money laundering obligations, and other required under applicable laws. If sensitive personal data is collected, it will be expressly identified and processed only with your express consent.
Processing Purposes. Your personal data will be processed for the purposes described in Section 4. “How do we process your Personal Information?”. In Mexico, we distinguish between primary purposes, which are required for the existence and maintenance of our legal relationship, such as identity verification, credit evaluation, loan management, compliance with legal obligations, and secondary purposes, such as marketing or profiling.
Secondary Purposes. You may object to the processing of your data for secondary purposes at the time your data is collected or at any time by contacting us at https://www.pipopay.com/legal/data-subject-rights.
Limitation of Use. You may limit the use or disclosure of your personal data by registering in exclusion lists managed by PIPO, sectoral exclusion lists, or public registries such as the Public Consumer Registry (REPEP) of PROFECO or the Public User Registry (REUS), or by opting out of communications through the mechanisms provided by us. See also Section 7. “Your rights and choices”.
ARCO Rights. You have the right to access, rectify, cancel, or oppose the processing of your personal data (“ARCO rights”). To exercise these rights, please submit your request at https://www.pipopay.com/legal/data-subject-rights, following the procedure described in Section 7. “Your rights and choices”.
Requests must include your name, contact details, proof of identity (or legal representation), a clear description of the data and rights to be exercised, and any information needed to locate your data. If incomplete, we may request missing information within 5 business days; you then have 10 business days to respond or your request will be considered withdrawn. Once complete, we will respond within 20 days and, if applicable, fulfil your request within 15 days of response. Each period may be extended once for an equal term if justified. Responses will be provided by the same means as the request, unless you specify otherwise. You may also revoke your consent at any time using this process.
Data Transfers. Your personal data may be transferred within the PIPO group and to third parties (e.g., service providers, payment processors, authorities) as described in 5. “How we share your personal information?”. Transfers will occur only as permitted by law and your consent, except where legally allowed without consent (e.g., compliance, intra-group, contract performance). Where required, we will request your express consent or objection.
Your personal data may be transferred to third parties such as credit bureaus, authorities, collection agencies, and technology providers, for purposes related to the provision of our Services, compliance with legal obligations, or as described in this Privacy Notice.
Changes to the Privacy Notice. Any changes to this document will be communicated through the means set in Section 10. “Privacy Policy update”. If the changes involve new purposes or transfers that require your consent under Mexican law, you will be provided with a new privacy notice and, where applicable, your express consent will be retrieved.
Retention Periods. Your personal data will be retained only for as long as necessary to fulfil the purposes described above, or as required by applicable Mexican law. Once this period expires, your data will be blocked and then deleted pursuant to applicable law.
Your personal data will be processed in accordance with this Privacy Notice and applicable laws in Mexico, including the Ley Federal de Protección de Datos Personales en Posesión de los Particulares and its regulations.
Data Controller. In the Philippines, the PIPO group of companies includes PIPO (PH) Inc. and/or PIPO Financing (PH) Inc. The data controller applicable to the specific service provided to you will be the company with whom you contract based on the applicable terms of service.
Sensitive Personal Information. We will process sensitive personal information (including your biometric data, such as your selfie photo and images about your ID document that may contain your face) only where we are permitted to do so under applicable data protection law, such as where we have obtained your consent, where the processing of the same is provided for by existing laws and regulations, where it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when it is provided to government or public authority.
Data Subject Rights. You have the right to lodge a complaint relating to the processing of your personal information with the Philippines’ National Privacy Commission.
Data Protection Officer. If you have questions, comments, complaints or requests regarding this Privacy Policy or the PIPO’s processing of your personal information, you may contact PIPO’s Data Protection Officer at https://www.pipopay.com/legal/data-subject-rights.
Data Controller. The PIPO company responsible for the provision of our Services in Singapore is PIPO (SG) Pte. Ltd., with its registered address at 1 Raffles Quay, #26-10, South Tower, Singapore 048583.
Data Controller. The PIPO company responsible for the provision of our Services in South Africa is PIPO (SG) Pte. Ltd., with its registered address at 1 Raffles Quay, #26-10, South Tower, Singapore 048583.
Applicable Law. Your personal information will be processed in accordance with this Privacy Policy and applicable laws in South Africa, including The Protection of Personal Information Act no. 4 of 2013 (“POPIA”).
Overseas Transfer of Personal Information. We will not transfer your personal information to a third party in a foreign country unless one of the following conditions is met: (i) the recipient is subject to adequate data protection laws, binding corporate rules, or a binding agreement; (ii) you consent to the transfer; (iii) the transfer is necessary for the conclusion or performance of an agreement involving you; (iv) the transfer is in your interest through an agreement with a third party; or (v) the transfer benefits you and it is impracticable to obtain your consent, which would likely be given if practicable.
Processing of your Biometric Information. To the extent that your biometric information is processed (including facial recognition technology and fingerprinting technology), you specifically consent to us processing this information.
Processing of your Criminal Behavior in Order to Adequately Identify Risks. We may draw inferences relating to your credit risk or to monitor for fraud or other risks based on your Transaction Information, Technical Information and Information from Third-Party Sources or Corporate Group Entities. While we do not collect and process information pertaining to users’ criminal records, we may rely on publicly available sources, such as international or governmental sanctions lists, or commercial providers to make any risk assessment.
Complaints. You are entitled to lodge a complaint with the Information Regulator, being the independent body established in terms of section 39 of POPIA responsible for monitoring and ensuring compliance with POPIA. Should you feel that any of your personal information has been violated, a complaint to the Information Regulator must be made in writing. To lodge a complaint to the Information Regulator, complete the prescribed POPIA Form 5 downloadable from www.inforegulator.org.za and send it to POPIAComplaints@inforegulator.org.za.
Data Controller. The PIPO company responsible for the provision of our Services in South Korea is PIPO (SG) Pte. Ltd., with its registered address at 1 Raffles Quay, #26-10, South Tower, Singapore 048583.
Data Retention. We retain your personal information for as long as necessary to achieve the purposes for which it was collected and to which you have consented, or until the achievement of any other purposes or expiry of any other retention periods notified to you and to which you have consented; provided, however, we will continue to retain your personal information for the following statutorily-prescribed periods, where applicable, including, but not limited to:
Destruction of Personal Information. We destroy your personal information in a manner that renders it unrestorable by the relevant department.
Data Rights. You have the right to access personal information we hold about you, to rectify any personal information held about you that is inaccurate, to request the deletion of personal information held about you, and the right to request the suspension of the processing of your personal information. You can exercise your rights by contacting us at https://www.pipopay.com/legal/data-subject-rights.
Entrustment and/or Overseas Transfer of Personal Information. To provide you with our Services, we directly collect and process your personal data overseas in Singapore, Ireland and the United States. We entrust your information to our affiliates, cloud storage providers, IT service providers, and data centers, some of whom are located abroad, subject to your consents or notifications to you, if applicable. The entities receiving and processing your data are committed to using and storing personal information in compliance with domestic and international regulations and to taking all available physical and technical measures to protect personal information. You may opt-out of such transfer so long as the transfer is not necessary to provide you with our Services, by contacting us at https://www.pipopay.com/legal/data-subject-rights. Please note that you may be restricted from the use of certain Services if you refuse such transfers.
Data Controller. The PIPO company responsible for the provision of our payment services in Thailand is PIPO (HK) Limited, a company incorporated in Hong Kong with registered number 2764536 and having its registered office at Suite 3707-09 37/F, Tower Two Times Square, 1 Matheson Street Causeway Bay, Hong Kong.
Sensitive Personal Information. PIPO may collect, use and/or disclose personal information which is considered sensitive under applicable data protection laws of Thailand, including those listed in Section 26 of the Personal Data Protection Act B.E. 2562 (2019) (“Thai PDPA”). We will process sensitive personal information where we are permitted to do so under applicable data protection law, such as where we have obtained your consent, or where this is necessary to comply with a legal obligation. For example, with your consent, we may collect or use third-party service providers to collect your biometric data in order to verify your identity, such as your selfie photo and images about your ID document that may contain your face.
Legal Bases for Processing Your Personal Information. We will only process your personal information where there is a legal basis as prescribed by the Thai PDPA, including (i) with your consent; (ii) when it is necessary for us to proceed with your request to enter into an agreement with us; (iii) when it is necessary for us to perform our obligations under the agreement with you; (iv) when it is necessary for us to comply with applicable laws; (v) when the processing is necessary for our or third party’s legitimate interest.
In certain circumstances, your personal information may be required for the purposes of performing our obligation under a contract with you (e.g. process your payment and provide Services to you) in which case if you do not provide the required personal information, we may not be able to proceed with your request, or we may not be able to perform our obligations under the contract with you, either in whole or in part. Where your personal information is required for the purposes of compliance with applicable laws, if you do not provide the required personal information, PIPO and/or you may be found in breach of such applicable laws.
Data Subject Rights. Subject to the conditions and limitations under the Thai PDPA or other applicable laws of Thailand, you are entitled to the (i) right to access or obtain a copy of your personal information, as well as to request the disclosure of how your personal information has been acquired without your consent; (ii) right to request to have your personal information in a format which is generally readable and usable by automatic tools or devices and which can generally be used or disclosed via automatic means, or to have personal information in said format transmitted to another organization; (iii) right to object to the processing of your personal information; (iv) right to request the deletion, destruction or de-identification of your personal information; (v) the right to request the restriction of the use of your personal information; (vi) right to request to have your personal information rectified, updated or completed; and (vii) right to withdraw your consent at any time, if PIPO processes your personal information based on your consent. However, the withdrawal of consent would not affect the lawfulness of the processing of your personal information which has been carried out by us prior to such withdrawal; and (viii) right to file complaints with Thai authorities.
You may submit a request to exercise your rights under applicable laws at https://www.pipopay.com/legal/data-subject-rights.
Security and Confidentiality. We take steps to ensure that your information is protected, and securely stored and processed. PIPO will treat your personal information as confidential in accordance with applicable laws. PIPO will only disclose your personal information to third parties with your written consent or where permitted by applicable laws of your country.
Vulnerable
Individuals. We do not
intentionally collect, use, and/or disclose personal information of minors,
individuals who lack legal competence, or individuals deemed as
quasi-incapacitated, unless permitted by applicable law.
Data Retention. For users in Thailand, we may retain certain information
about you for periods of between 5 to 10 years in accordance with applicable
laws in your country, such as the Anti-Money Laundering Act 1999.
Contact. You may contact us at https://www.pipopay.com/legal/data-subject-rights.
Data Controller. The PIPO company responsible for the provision of our Services may vary depending on the specific Service that you use. Where you use our payments services in Vietnam, the data controller responsible for processing your personal information is PIPO (HK) Limited, a company incorporated in Hong Kong with registered number 2764536 and having its registered office at Suite 3707-09 37/F, Tower Two Times Square, 1 Matheson Street Causeway Bay, Hong Kong. Where you use the TikTok Pay e-wallet, the data controller responsible for processing your personal information is IO Media Joint Stock Company, a company incorporated in Vietnam with its registered address at Floor 7, Vinaconex Building, 47 Dien Bien Phu Street, Da Kao Ward, District 1, Ho Chi Minh City, Vietnam.
Methods of Processing Personal Information. We may process your personal information by manual or automated methods.
Applicable Law. Your personal information will be processed in accordance with this Privacy Notice and applicable laws in Vietnam, including Decree No. 13/2023/ND-CP dated 17 April 2023 on Personal Data Protection (“Vietnam PDPD”), and this Privacy Policy serves as our processing notice under these laws.
Sensitive Personal Information. We may collect, use and/or disclose personal information which is considered sensitive under the Vietnam PDPD, namely: (i) information about your payment methods and transaction history; (ii) information about your repayment history and credit usage; (iii) your location information; and (iv) biometric information.
Data Rights. Subject to the Vietnam PDPD or other applicable laws of Vietnam, you have certain rights in addition to your rights in the section on Your Rights and Choices. These include the right to (i) give, to object and to withdraw consent to our processing of your personal information; (ii) to restrict our processing of your personal information; (iii) to seek compensation under Vietnamese law if our processing of your personal information violates Vietnamese data protection laws; and (iv) to defend yourself or request competent state agencies to safeguard your rights as stipulated by Vietnamese law.
Unwanted Consequences and Damage That May Occur. We take steps to ensure that your information is processed securely and in accordance with this Privacy Policy and applicable laws. However, you should note that the processing of personal information, including through the internet, carries potential risks, including the risk of unauthorized access, loss, theft, alteration, destruction, or disclosure of such personal information which could lead to undesirable outcomes for you (e.g., financial loss, reputational damage, and identity theft).