Data Privacy Notice

WHO IS RED DOT PAYMENT PTE. LTD. AND HOW DOES THIS PRIVACY NOTICE WORK?

The purpose of this Privacy Notice (“Notice”) is to give you information on how Red Dot Payment Pte. Ltd (“RDP”) collects, uses, processes and discloses your Personal Information when you use our website (“Website”), software applications (“Apps”), payment processing platform (“Platform”), or financial technology products or services we may offer you.

RDP and its subsidiaries are part of the PayU Group of companies. PayU is part of a group made up of several local businesses in a number of markets across the world. PayU belongs to Prosus Group i.e., Prosus N.V, a company registered with the Trade Registry for Amsterdam under 34099856 and its affiliates.

In this Notice, “RDP”, “us” or “our” refers to RDP, which is responsible for processing your personal information. While this Notice applies to RDP and its subsidiaries, you can also view the PayU Global Privacy Statement here. In the event of any conflict between this Notice and the Global Privacy Statement, this Notice shall prevail.

By accessing our Website, submitting your Personal Data, or by engaging or using our Apps, tools, and services or Platforms, you accept and consent to the practices describes described within this Notice, including the purposes for which your Personal Data will be collected, used, and disclosed as set out in this Privacy Notice. We have taken steps to ensure that we do not collect more information from you than is necessary for us to provide you with our services as well as the purposes listed in Part 5 of this Notice.

WHAT IS PERSONAL INFORMATION AND WHAT TYPES OF PERSONAL INFORMATION DO WE COLLECT ABOUT YOU?

“Personal Data” as defined in the Personal Data Protection Act 2012 (“PDPA”), means data from which any individual can be identified, whether through the data alone or in conjunction with other information that we have or are likely to have access to. This would include personal information as defined in this Notice.

Depending on who you are (e.g., a merchant, customer, cardholder, consumer, supplier or business partner) and how you interact with us (e.g., telephone, online or offline), we may collect, use, receive, store, analyze, combine, transfer or otherwise process different categories of personal information.

Below is a table reflecting the categories of personal information we may collect about you:

Categories of Personal Information	Which includes such information as
Identity and account log-in information	Full name(s), title, identity number, and your date of birth.
Contact information	Telephone number(s), physical address, country, email, and chosen billing address.
Financial information	Bank account data, credit or debit card information.
Payments information (transactional information)	Personal account numbers, name on credit card, a merchant’s name and identifiers, the date and amount of the transaction and other information provided by you directly or by banks or merchants.
Usage and technical information	IP addresses, browser type and versions, operating systems, time zone setting, geolocation information, content and pages that you access on our Website(s), Apps or Platform, and the dates and times that you visit the Website, App or Platform, paths taken.
Credit and lending information	Financial information (e.g., credit score) and income information (e.g., employment contract).
Marketing and communications information	Communication with customer service support, behavioral data (for example, collected using cookies), information about promotions, surveys, promotional campaigns and records of your decision to subscribe or to withdraw from receiving marketing materials.

We may also collect, use and/or share non-personal information or anonymized data such as statistical or demographic information.

As a principle, we do not collect any special categories of personal information about you (such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information, or genetic and biometric data.)

If our Website or Apps include links to third-party websites, plug-ins, or applications (including cookies, tracking technologies, or widgets from third-party advertisers), please note that by clicking these links or enabling these connections, you may allow third parties to collect or share information about you. RDP does not control or have oversight of these third-party websites and is not responsible for how they process your personal information.

HOW DO WE COLLECT YOUR PERSONAL INFORMATION?

How we collect personal information will depend on the following situations:

I. If we receive or collect it directly from you

We may collect personal information directly from you through our Websites, Apps, Platforms, or when you use our products or services. For example, you may provide your personal information when you:

give us your contact information so we can reach you about our services and products;
conclude a contract or verify your identity with us (via email, phone, or electronic verification);
apply for our products or services, either directly or through our appointed suppliers (such as marketplaces or credit providers), or initiate an account-based relationship with us;
scan a QR code that requests your personal information to process a payment on behalf of a merchant, or when using one of our own payment products;
provide your contact or payment information on our web checkout/payment pages or via similar channels;
enter a competition, promotion, or survey, or request to receive marketing materials from us;
access and browse our Websites, Apps, and Platforms. (For more information, see Part 8 of this Privacy Statement: Cookies and Similar Techniques.

II. If we collect personal information from third parties, or from publicly available sources

We obtain personal information through third parties or, if publicly available, where permitted under applicable law, including:

From our merchants, payment partners and financial institutions. For example, a merchant can offer you various ways to pay for their goods or services—such as by credit or debit card, hybrid card, electronic funds transfer (EFT), wallet, mobile money, or loyalty credits—and the payment would be settled into the merchant bank account held by an authorized financial institution. In such situations, the merchants, payment partners and financial institutions are responsible for your personal information, however we may collect certain personal information to complete the payment transactio We encourage you to review the privacy statements of these third parties to understand how they handle your personal information;
From social platforms and networks—when you give us permission. For example, depending on your social media settings, if you connect your social media account to an RDP product, certain profile information may be shared with us;
From financial institutions and fraud prevention agencies—for fraud prevention, risk assessments, and identity verification. For example, before providing services, goods, or financing, we may conduct checks to prevent fraud and money laundering, which requires collecting information about you;
From third-party service providers—who have entered into contracts with us to support our business operations;
From publicly available sources—in accordance with applicable laws;
From credit reference agencies, credit bureau, or banks—as required by law. For example, if RDP offers credit or lending products, we may receive information from credit agencies or bureau to perform a credit check or assessment;
From third parties within our corporate group—including Prosus N.V. and its subsidiaries and affiliates, subject to applicable laws.

WHAT ARE THE LAWFUL GROUNDS THAT WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

We process personal information only when we have a valid legal ground to do so. Most commonly, we use your personal information where:

it is necessary to process your personal information in connection with the performance of a contract that we have with you directly or indirectly;
it is necessary for our legitimate interests (or the legitimate interests of a third party). We make sure that your fundamental rights are not overridden by our legitimate interests;
we use your personal information to comply with our legal obligations—for example, ensuring that we use your personal information to comply with anti-bribery and anti-money laundering requirements.

There can be additional legal grounds for processing personal information in some countries. This depends on applicable law and the products and services offered to you.

PURPOSES FOR WHICH RDP MAY PROCESS YOUR PERSONAL INFORMATION

I. To verify your identity, authenticate your details, and authorize your use of our products or services

We conduct Know Your Customer (KYC) checks and risk assessments to verify your identity and authorize your use of our products or services. The process may differ depending on whether you are a merchant, consumer, or customer, and based on the specific product or service you choose.

The personal information we typically require includes your identity details, contact information, and financial information. This is necessary in order for RDP to assess your application under contract and necessary for our legal obligations under certain laws.

II. To process payment transactions made through our Platforms

The type of personal information we are required to collect to provide a product or service and the legal basis for such collection depend on specific payment methods made available by us.

RDP offers a variety of international and local payment methods, which are subject to product specific service terms (contracts) and legal obligations.

For example, when RDP offers card payment processing as a payment aggregator on our Platform, we process personal information received from merchants. This may include transaction details and, in the case of card payments, cardholder details (such as the name on the card) to complete the payment you make to the merchant for a product or service. In these situations, RDP typically processes personal information on behalf of the merchant, who is acting as a responsible party for your data.

In other cases, certain payment transactions may require you to provide personal information directly to us via our Platform. In such instances, RDP processes your information to complete the payment transaction for you.

III. To protect our business and to ensure compliance with the law

We process personal information to meet the requirements of applicable laws, regulations, standards, rules, codes and the requirements of financial institutions with which RDP must comply. This includes:

authenticating and validating payments to mitigate and protect against identity theft or fraud. To do this, some of your personal and non-personal information may be collected by RDP directly or delivered to RDP by merchants. RDP will use this personal information to enter into the RDP fraud systems available for this validation and will remain there for future reference and cross-reference of information required to validate the payments;
Sharing and reporting your personal information and financial behavior related to monetary obligations to legitimately constituted credit, financial, commercial, or service risk centers, or with other financial institutions, as permitted or required under applicable law;
verifying your identity and comparing your information to ensure accuracy in compliance with reporting obligations under applicable law or payment scheme rules;
processing transactions where you exercise your right of refusal on purchases, or where a transaction is subject to dispute or chargeback with a financial institution; and
processing your personal information to ensure business continuity of our businesses and implementing appropriate disaster recovery measures for our Websites, Apps, Platforms, services and products.

IV. To manage our relationship with you

If you contact us or provide your contact information—for example, by registering, completing an enquiry form on our Website, subscribing to receive support or service status updates, or receiving security or fraud alerts—we may process your personal information to:

inform you about your products or services with us and any changes to these products or services and any associated legal documents;
notify you if there is any interruption or disruption of services or products;
ask you to provide information on how we may improve or develop services or products and to otherwise effectively communicate with you;
provide you with service assistance and problem solutions or to contact or send you notifications related to the services or products we offer you;
use your personal information for transaction and fraud monitoring reports as part of the performance of our contract. You have the option to unsubscribe from such reports in accordance with the terms of our contract.

V. To market our products and services and related services to you

We may use personal information to market our products and services and to notify you about events, offers, sponsorships, marketing programmes and similar marketing campaigns. For more information please see Part 7 on Marketing.

VI. To conduct research and to develop and improve our products and services

We may use personal information that we collect to:

research and understand market trends and customer needs, and to develop or innovate our technologies, products, and services to meet such market trends and needs. We may use machine learning and artificial intelligence techniques to conduct this research and gain insights;
analyze visitor use of our Websites, Apps, products or services in line with this Notice;
improve and personalize our merchant and customer relationships;
provide merchants with statistical insights and reports based on data we receive from them.

WHOM DO WE DISCLOSE YOUR PERSONAL INFORMATION TO OR SHARE IT WITH?

We may share personal information with internal third parties, namely entities within the group of companies to which RDP belongs (the Prosus Group). Such disclosures may be made in order to:

provide support services and technical services to these internal third parties and to receive some of these services from them;
contribute to the research, data analytics and studies in order to improve the products and services that RDP and other internal third parties respectively provide.

We may share your personal information with external third parties such as:

merchants in accordance with our service agreements (also referred to as our terms and conditions or contracts). For example, to process a card payment, we may need to share a customer’s credit card details to the merchant that the payment relates to. If you are buying goods or services through RDP services, we may also provide the merchant with your credit card billing address to help complete an individual’s payment transaction.
authorized financial institutions and banking partners with whom we partner to jointly create and offer products and services. Depending on the type of payment chosen by the customer, payer or buyer, RDP will share the necessary information with the financial institutions that validate, approve, and process each payment, and handle the corresponding settlement. This means that your personal information may be collected and used for those purposes issuing financial institutions, acquiring financial institutions, payment processing networks, and franchises such as Visa, MasterCard, and American Express.
credit bureaus and credit providers to report financial information and to conduct mandated credit scoring to determine affordability, as strictly permitted by law.
service providers or vendors under contract who assist us with our business operations.
companies that we plan to merge with or entities that we may be acquired by, in which situation we will require that the new combined entity or the acquiring entity follow this full privacy statement with respect to your personal information.
when required by law enforcement, government officials, fraud detection agencies or other third parties and when we are compelled to do so by law (such as via a subpoena, court order or similar legal procedure).
international entities we partner with for the offer and/or development of products and services subject to the requirements under this Statement and applicable laws.

RDP takes all reasonable measures to ensure that every third party involved in processing your personal information has the necessary organizational and technical protections in place, including data processing and transfer agreements where this is necessary. When required under applicable law, we may provide you with a list of our sub-processors or suppliers upon request, by contacting us at dpo@reddotpay.com.

MARKETING

You may receive marketing communications from RDP, for example, if you have:

requested more information from us;
provided your contact information to us in order to retrieve content or communications from us, including any research papers, insights or studies conducted by us;
subscribed for services or products from RDP; or
entered into a promotional campaign, offer or survey or loyalty programme and provided your contact details to participate in such activity. RDP may run these marketing activities directly or with or through promoters.

The provision of such marketing activities is subject to the applicable laws of the country that the marketing and communication activity occurs. We keep a register of Marketing and Communications personal information that is used by us. You are entitled to opt out from receiving such marketing by clicking on the opt out or unsubscribe link(s) provided in such RDP marketing communications.

You may also be required to opt- in before receiving any marketing communications from RDP and you have the right to opt-out at any time.

RDP may also use your marketing and communications information to improve and customize the content of our ads, promotions, and other communications to better match your interests.

COOKIES AND SIMILAR TECHNIQUES

RDP uses cookies, web beacons and similar techniques when you access our Website, App or Platform. We explain how we use cookies and the choices you have when it comes to our use of cookies below.

What is a cookie?

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by RDP and are called first-party cookies. We also use third-party cookies, which come from a domain different from the website you are visiting, to support our advertising and marketing efforts.

More specifically, we use cookies and other tracking technologies for the following purposes:

Targeting Cookies

These cookies may be set on our website by our advertising partners. They are used to build a profile of your interests and display relevant advertisements on other websites. They do not store personal data directly but work by uniquely identifying your browser and device. If you disable these cookies, you will receive less targeted advertising.

Performance Cookies

These cookies help us count visits and track traffic sources, allowing us to measure and improve the performance of our Website. They show us which pages are most and least popular and how visitors navigate the site. All information collected by these cookies is aggregated and anonymous.

If you choose not to allow these cookies, we will not know when you visit our Website and will be unable to monitor or improve its performance.

Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be turned off in our systems. They are usually set only in response to your actions amount to a request for services, such as setting privacy preferences, logging in, or filling out forms. You can configure your browser to block or alert you about these cookies, but some parts of the site may not work properly. These cookies do not store any personally identifiable information.

To learn more about how to disable or delete cookies on your browser, click on the relevant link below for your browser.

If you want to learn even more about how to disable and delete cookies on your browser, click on any of the links below depending on your choice of browser.

allaboutcookies.org.
Mozilla Firefox®
Microsoft® Internet Explorer
Google Chrome™
Safari®
Opera(R) [https://help.opera.com/en/latest/web-preferences/]
LinkedIn (https://www.linkedin.com/legal/cookie-policy)

INTERNATIONAL DATA TRANSFERS

We are part of a global company with an international footprint. Your personal information may be processed locally in Singapore—where you work or reside—or in any other country where we or our approved third-party service providers operate, in accordance with applicable law.

Where personal information is transferred outside the European Economic Area (EEA) or another jurisdiction that restricts transfer of personal information, we implement appropriate safeguards to ensure that your information remains protected. These safeguards may include the use of the EU Commission’s Standard Contractual Clauses (SCCs) or other locally-compliant transfer mechanisms, such as consent, to ensure that an adequate or same level of protection is applied to your personal information as that afforded in the country of origin.

DATA RETENTION

RDP may retain your personal information for as long as necessary to fulfill the purposes for which it was collected. The retention period is determined by factors such as legal, contractual, or statutory obligations, as well as accounting and compliance reporting requirements. For example, personal information may be retained to prevent fraud, combat money laundering, corruption, or the financing of terrorism.

RDP also considers temporary limits set by the commercial, data privacy, and other relevant laws when determining how long to keep your personal information.

WHAT ARE YOUR INDIVIDUAL RIGHTS?

We ensure that you may exercise your individual privacy rights under the PDPA. However, we are generally not required to provide any customer—or any individual acting on behalf of the customer, connected to the customer, or a beneficial owner of the customer (collectively, a “Requesting Individual”)—with:

Access to Personal Data that is in our possession or under our control;
Information about how such PersonalData has been, or may have been, used or disclosed by us; or
The right to correct any errors or omissions in the Personal Data we hold or control.

Where we are satisfied that reasonable grounds exist , we may grant such Requesting Individual with the right to:

access the following types of Personal Data in our possession or control:
1.1. full name, including any alias
1.2. unique identification number;
1.3. residential address;
1.4. date of birth;
1.5. nationality; and
1.6. subject to sections 21(2) and (3) read with the Fifth Schedule to the PDPA, any other Personal Data provided by that Requesting Individual to us; and
correct an error or omission in relation to your Personal Data listed in a(i) to (iv) above but it is subject to section 22(7) read with the Sixth Schedule to the PDPA which specifies five activities which are exceptions from correction requirements under the PDPA – such as – opinion data kept solely for evaluative purposes, examinations conducted by an education institution, examination scripts and before the release of examination results or Personal Data related to arbitration or documents related to prosecution proceedings.
withdraw any consent provided (or deemed to have been provided) under the PDPA for the collection, use, or disclosure of your Personal Data, where no other legal basis exists for us to process it.
file a complaint with the Personal Data Protection Commission (PDPC).

If you would like to make a request regarding any of your individual rights, please feel free to contact us at dpo@reddotpay.com

SECURITY: HOW WE PROTECT & STORE PERSONAL INFORMATION

The security of your personal information is important to RDP. RDP takes legal, technical and organizational measures that it considers necessary in order to maintain the confidentiality and security of your personal information, with due regard to the applicable obligations and exceptions under the legislation in force.

In addition, RDP adheres to the payments industry standards regarding the protection of payment card information. RDP is regularly audited to maintain the highest level of security certification with the Payments Card Information Security Standard Council (PCI) in respect of protecting card data.

RDP regularly reviews its policies regarding the collection, storage and processing of personal information, including physical security measures, to prevent alteration, loss , query, use or fraudulent or unauthorized access of your personal information.

RDP has established procedures to address personal information breaches and will notify you and relevant regulators or authorities when legally required.

MINORS

RDP does not knowingly, voluntarily or actively collect, use, or disclose personal information of minors (individuals less than 21 years of age) without the prior consent of their parents or guardians. Our services are not intended or designed to attract minors.

If we discover that personal information has been collected from a minor without verifiable parental consent, we will take prompt steps to delete the information as soon as possible.

If we learn that we collected the personal information of a minor, without first receiving verifiable parental consent, we will take steps to delete the information as soon as possible.

ARTIFICIAL INTELLIGENCE AND DATA POLICY

We have adopted the Responsible AI Policy here, which outlines the guiding principles that inform the work of the AI and data science teams in developing ethical and responsible AI. As part of the Prosus Group, we are committed to integrating social and ethical efforts to ensure that social and ethical considerations of AI are seamlessly included within the product or feature development process.

Our Responsible AI principles are used as a starting point for us to develop and deploy AI as effectively and responsibly as possible to support business growth, to innovate, and to improve our competitive advantage. Responsible AI has also been identified as one of the material domains for our Group’s ESG strategy and reporting.

CHANGES TO THE PRIVACY STATEMENT AND YOUR DUTY TO INFORM US OF CHANGES

This Notice may change over time and only the recent version of this Notice shall be published on this Website.

We will notify you of any changes to this Notice by publishing this on our Website. You can print or store this Privacy Statement by downloading a copy from your browser. It is very important that any personal information we hold about you is up to date and correct. Please inform us of any changes to your personal information.

This version was issued on 8 October 2025.

HOW TO CONTACT US

The Controller of this Website is RDP. Should you have any questions or concerns regarding the content of this Notice or would like to make a request, you may contact us at dpo@reddotpay.com.

Ready to talk?