PIPO Privacy Policy (the “Policy”)

Last updated: January 5th, 2024

1. Introduction

PIPO (“we”, “our”, “us”) is committed to protecting and respecting the privacy of all individuals who use our services. If you are a TikTok Merchant, a TikTok User or a TikTok Creator or if you represent them as an employee, owner, director or other representative (“you”), then we process personal data relating to you in accordance with this Policy.

Within this Policy we explain how we collect and process personal data relating to you and what we do with it.

This Policy applies to the processing of personal data for PIPO of individuals in the Philippines. The contact details for the relevant PIPO entities are included in Contact Us section below.

2. How does this Policy apply?

This Policy applies to the personal data that PIPO processes in connection with certain TikTok platforms which are supported by PIPO that link or reference this Policy (the “PIPO Platforms”). It governs how we use personal data that we collect directly and where it is made available to us in the course of the performance of our services. It does not apply to non-personal data, for example, data relating to corporations or aggregated or anonymized information that does not identify a living individual which we use to help us manage and develop our services.

Due to the nature of our services, as we explain in detail below, we process personal data as both a “Controller” and a “Processor” depending on our relationship with you. For example, where we collect personal information about you to meet our legal or regulatory obligations or to manage fraud risk on the PIPO Platforms, we act as a Controller, whereas when we provide payment processing services on behalf of merchants (the “Processing Services”) we generally act as a Processor on behalf of the relevant merchant who is the Controller. To understand how merchants process your personal data, please see the relevant merchant’s privacy policy.

3. What types of information do we collect?

This Policy covers personal data we collect directly from you and personal data relating to you which we obtain from third parties or public sources as needed to support our business.

When you use our services, we process the following types of personal data (collectively, “Your Personal Data”).

Information You Provide

● Basic Information: We process basic information relating to you such as your user ID, IP address, country name, mobile number, and email address.

● Identity Information: We collect information such as your name, billing address, device information, such as your device type and your device's network connections, information about your device web browser and internet connection, and technical usage information such as your IP address and emergency contact information. In necessary cases, we collect your identity information such as your local identification card number, passport number, local identification card copy, or passport copy to process the transactions or conduct anti-money laundering and/or fraud prevention checks. We will only do so under necessary scenarios as permitted under applicable law, and you will be notified when such requests happen.

● Payment Information: The payment information we collect depends on the payment method used and on the local requirements in your jurisdiction (see the Jurisdiction-Specific Terms below for more information.) When you make payments using payment cards we process your payment card information such as the name on your card, card type, card number, billing address, and expiration date. When you withdraw or receive any amount, we collect your bank or payment account information such as the beneficiary name, account number or IBAN, SWIFT BIC, beneficiary name and address and any other relevant information related to your chosen account.

Information From Other Sources

● We receive Your Personal Data from third parties such as:

● entities you interact with which use our Processing Services;

● business and identity verification providers, which we use to help prevent and detect fraud;

● your authorized agents or third-party representatives; and

● publicly available sources.

We rely on third-party vendors to source information including title, business email and business phone number of potential merchants. While we do so in a responsible way and in compliance with applicable laws, if you believe your information has been provided to us improperly and would like it deleted, please contact us and we will consider your request.

Technical Information and Information From Your Device

● Technical Information: We collect information from your device such as your device type and your device’s network connections, information about your device web browser and internet connection and technical usage information.

Transaction Information

● Transaction Information: We collect information in respect of the transactions you make or receive while using our services. For example, if you use the TikTok Shop service as a TikTok Merchant, we collect purchase and transaction history associated with your account, information about refunds and complaints, customer reviews of your store in order to calculate your store ratings, logistics information regarding shipment and delivery of your products including by third party logistics providers. We may also collect contract information and deal terms when you provide us with details of your arrangements with third parties (including TikTok Creators).

Other Information

● We collect information from or about you when you communicate with us, such as by contacting our customer support or sales teams.

4. How do we use Your Personal Data?

We act as both a Controller and Processor of Your Personal Data depending on the specific context.

Controller

We process Your Personal Data as a Controller in order to perform our obligations as a regulated payment service provider, to adhere to legal and regulatory requirements to which we are subject, to monitor and develop the performance of our services and the features we offer and to protect users of our services from fraud and other criminal activity. For more specific information relevant to your local region, see the Jurisdiction Specific Terms below.

Processor

We use Your Personal Data for limited business purposes related to the provision of Processing Services including:

● To administer our Processing Services including facilitating payment processing in a secure and reliable manner.

● To verify your identity. We do this to help protect merchants from fraud as part of the Processing Services we provide. It also allows us to comply with laws which require us to assist with identifying illegal activities, such as Anti-Money Laundering and Know-Your-Customer obligations and to meet financial reporting obligations.

● To comply with our legal and regulatory obligations.

● Where it is in our legitimate business interests:

● To ensure our Processing Services are safe and secure; and

● To monitor, analyze and improve our Processing Services.

● To communicate with you about your account and/or our Processing Services, or to respond to your queries that may be sent to us.

For more information on the lawful bases we rely upon to process Your Personal Data, see the Jurisdiction Specific Terms below.

5. Children’s Data

PIPO is not for use by persons aged under 18 and it is not directed at persons under the age of 18. Persons under the age of 18 are not allowed to use PIPO.

6. How do we share Your Personal Data?

We share Your Personal Data with selected recipients. All transfers of Your Personal Data within our corporate group and from us to third parties are covered by appropriate data processing agreements and international transfer mechanisms where appropriate. For more information on the safeguards applied to the transfer of Your Personal Data, please see the Jurisdiction Specific Terms below. These categories of recipients include:

● Third party service providers

We engage third party service providers to assist us in the performance of our services and in achieving the purposes in this Policy. These third parties broadly fall into the following categories:

● Payment Service Providers: who process or facilitate the Processing Services. These payment service providers also process your data for anti-money laundering and fraud prevention purposes.

● Cloud storage providers and providers of IT support services: who assist us in providing our services;

● Analytics and search engine providers: who assist us in improving and optimizing our services; and

● Integrated Platform Providers or third parties that provide us with fraud and risk management services: who check the payment information provided to them to identify fraudulent transactions. Some of these third parties use device fingerprinting technology to collect information about your device for fraud prevention, identity check, or security reasons.

● Our corporate group

We share Your Personal Data within our corporate group, including parent, subsidiary or affiliate companies as needed to provide the services or for the purposes set out in this Policy. Your Personal Data will be protected under our Intra-Group Agreement For Processing and Transfers Of Personal Information where it is shared within our corporate group.

● Law enforcement

We share Your Personal Data with law enforcement agencies, public authorities or other organizations if we are legally required to do so, or based on our legitimate interests if such disclosure is reasonably necessary to:

● comply with a regulatory or legal obligation to which we are subject;

● enforce an agreement we have with you or with a third party, including for the investigation of any potential violation thereof;

● detect, prevent, investigate or otherwise address security, fraud or technical issues;

● protect the rights, property or safety of us, users of our services, merchants, a third party or the public as required or as permitted by law; or

● help us cooperate with industry initiatives to for the purposes of fraud protection and credit risk reduction.

● Corporate reorganization

We disclose Your Personal Data to third parties in the event that we:

● sell, buy, transfer, merge, consolidate or re-organize any part(s) of our business, or merge with, acquire, or are acquired by, or form a joint venture or partner with, any other business, in which case we may disclose Your Personal Data to any prospective buyer, new owner, or other third party involved in such change to our business; or

● sell, buy or transfer any business or assets (whether as a result of liquidation, bankruptcy or otherwise), in which case we will disclose Your Personal Data to the prospective seller or buyer of such business or assets.

7. Where do we store Your Personal Data?

Your information may be stored on servers located outside the country where you live, such as in Singapore, Malaysia or the United States. We maintain major servers around the world to bring you our services globally and continuously.

8. The security of Your Personal Data

We take steps to ensure that Your Personal Data is treated securely and in accordance with data protection laws and this Policy. We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of you and other users of our services. We maintain these technical and organizational measures and will amend them from time to time to improve the overall security of our systems.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect Your Personal Data, for example, by encryption, we cannot guarantee the security of your information transmitted; any transmission is at your own risk.

9. How long do we store Your Personal Data?

We retain Your Personal Data for as long as it is necessary for the purpose for which it was collected. We retain Your Personal Data only for so long as we have a legitimate business purpose or legal, regulatory or contractual obligation to keep such data (including where it is necessary for the establishment, exercise or defense of legal claims).

In general terms, we retain Your Personal Data for the duration of our relationship with you and for up to an additional 6 years to allow us to deal with any queries, complaints, investigations or legal claims that may arise and to comply with our legal and/or regulatory obligations. For more information in relation to how long we retain Your Personal Data, please see the Jurisdiction Specific Terms below.

10. Your Rights

Where we are the Controller of Your Personal Data, you may have certain rights in relation to such personal data. Where applicable, these rights are explained in the Jurisdiction Specific Terms below.

Where we are the Processor, your rights are exercisable against the underlying Controller as set out in that Controller’s privacy policy. For example, where TikTok is the underlying Controller, information on how to exercise any rights you may have can be found in TikTok’s Privacy Policy.

11. Complaints

In the event that you wish to make a complaint about how we process Your Personal Data, please contact us in the first instance at dpo@oneunita.com and we will endeavor to deal with your request as soon as possible. This is without prejudice to your right to lodge a claim with the data protection supervisory authority in the country in which you live or work where you think we have infringed data protection laws. For more information on your appropriate data protection supervisory authority, please see the Jurisdiction Specific Terms below.

12. Changes

We may amend or update this Policy from time to time. We will notify you of any material changes to this Policy. The “Last Updated” date at the top of this Policy reflects the effective date of such Policy changes.

13. Contact Us

If you have questions, comments, complaints or requests regarding this Privacy Policy, please contact us at dpo@oneunita.com. Depending on where you are located, a dedicated local contact channel may be available to you. Please see the Jurisdiction Specific Terms below for more information.

Location	Entity	Contact Point	Registered Address
Philippines	PIPO (PH) INC.	dpo@oneunita.com	12th Floor, The Curve Building, 3rd Avenue corner 32nd Street, Bonifacio Global City, Taguig City 1634, Metro Manila.