Privacy Policy
Cashmallow Hong Kong Limited (the “Company”) complies with all regulations on the protection of personal information specified in laws and regulations applicable to information and communication service providers, including the Personal Data (Privacy) Ordinance, and does its best to protect the rights and interests of the users with the personal information policy defined in accordance with applicable laws. This Privacy Policy applies to the service in connection with the Local Business Partners’ ATM or business branch Exchange Withdrawal & Conversion service and Remittance Transactions via the Cashmallow mobile application or website (the “Service”).
This Privacy Policy may be revised in accordance with changes of laws and notifications, the Terms of Service and other internal policies of the Company. If the Company revises this Privacy Policy, the Company will post the change on the service screen or notify the users of the change. Users may refuse to consent to the following terms on collection, use, provision and entrustment of the personal information. However, if the user refuses such consent, the user may not be able to use all or part of the Service.
Article 1 Purpose of Collection and Use of Personal Information
The Company processes personal information for the following purposes. The processed personal information will not be used for any purpose other than the following purposes, and if the purpose of use is changed, the Company shall obtain prior consent from the users.
- For management of members: The Company processes the personal information for confirmation of user’s intention to sign up for a membership, sanction and prevention of activities that interfere with the smooth operation of the Service and illegal use of the Service, restriction of duplicate subscriptions, complaint handling, various notifications, confirmation of user’s intention of membership withdrawal, and record keeping for dispute resolution.
- For withdrawal of foreign currency, refund, payment of Re-Exchange Refund, deposit of the amount of remittance and related commission, etc.: The Company processes the personal information for withdrawal of foreign currency, refund.
- For development of new services and utilization in marketing and advertising: The Company processes the personal information for developing new services, providing customized services, providing event and advertisement information, providing opportunities to participate in such events, and statistics on users’ Service usage.
- For financial audit: The Company processes the personal information for financial audit procedure pursuant to the Company’s internal regulation and laws and regulations of two countries (country of residence for exchange, and country to travel for withdrawal) related to the Service.
- For obligation of customer due diligence and report: Customer due diligence means the regulations that require the Company to confirm the real name and contact information of the user to perform Anti-Money Laundering (AML) and counterterrorism financing (CTF) with reasonable care. The Company processes the personal information for confirmation of the customer under the duty of customer confirmation and to acquire reliable documents. The Company may also collect additional personal information to perform enhanced due diligence, upon consent of the customer, if a suspicious transaction in relation to AML and CTF occurs.
- For report to the authority: The Company is obligated to report the details of transaction regularly to the authority under two countries (country of residence for exchange, and country to travel for withdrawal) related to the Service and processes the personal information for such report.
Article 2 Collection of Personal Information
- The Company processes the following items of personal information.
  - Name, ID, password, mobile phone number, email address, birthday, bank account number (for signing up)
  - Service usage records and device information (for sanction and prevention of misuse)
  - (For domestic) Name, HKID number, copy of identification card, contact information, bank account information (for identification to financial transactions)
  - (For foreigner) Name, copy of passport, nationality, number of passport, expiry date of passport, birthday, bank account information (for identification to financial transactions)
  - Service usage record (the type and number of transactions served, etc.), access log, cookie, access IP information (for identification to financial transactions)
  - Service usage records and device information (for new service development, marketing and advertising)
- In the process of using the Service, IP information, cookies, service usage records, mobile device information, etc. may be automatically generated and collected.
Article 3 Methods of Collecting Personal Information
- The Company collects personal information in the following methods:
  - sign up for a membership through the mobile app;
  - provision by the user directly upon the identity verification;
  - collection through tool to collect automatically generated information; or
  - provision directly by the user when requesting currency exchange or remittance, or when acquiring the remitted amount.
- The Company collects the minimum personal information necessary for the establishment and implementation of the service agreement in a lawful and fair way and provides the contents for consent to the collection and use of personal information before collecting the information that can identify users personally.
- The Company shall accept membership registration or collect personal information only when the user is 18 years of age or older.
Article 4 Period of Retention of Personal Information
- In principle, personal information of users is destroyed without delay when the purpose of collecting and processing personal information is achieved. However, when a user withdraws the membership or the Company disqualifies the membership of the user, the Company may retain personal information for 5 years from the date of termination of the service agreement in accordance with the Company’s internal policy for the purpose of prevention of abuse of right and misuse, or preparation for various disputes and requests for cooperation in criminal investigation.
- Despite Paragraph A, if the Company needs to retain user information based on the relevant laws, the Company may keep the user information during the period provided by relevant laws. In this case, the Company will store the information separately and use it only for that purpose. The retention period is as follows:
  - Preservation of personal information (login record) related to service use
    Retention period: 5 years
  - Preservation of records in relation to display and advertising record
    Retention period: 5 years
  - Preservation of records in relation to agreements and cancellation of orders
    Retention period: 5 years
  - Preservation of records in relation to payment and supply of goods
    Retention period: 5 years
  - Preservation of records in relation to consumer complaints or dispute resolution
    Retention period: 5 years
  - Preservation of electronic financial transaction records
    Retention period: 5 years
Article 5 Sharing and Provision of Personal Information
- The Company shall use the personal information of users within the scope as stated in Article 1 and shall not disclose or use the personal information of users beyond the range of purpose described in Article 1 without prior consent of the user. Provided, in the following cases, the Company may use and provide personal information with caution.
  - when the user consents in advance;
  - when it is necessary for the settlement of charges related to service provision;
  - when it is prescribed by law;
  - when requested by the investigating agency for investigation purposes in accordance with the procedures and methods prescribed by law; or
  - when it is provided to advertisers, subcontractors, or research groups in a form that cannot be identified as a specific individual for statistical preparation, academic research, or market research.
- The Company provides personal information to third parties as follows.
  - Recipient: N/A
  - Purpose of Provision: N/A
  - Personal Information to be provided: N/A
  - Retention Period: N/A
Article 6 Entrustment of Personal Information
- When executing an entrustment agreement, the Company specifies the prohibition of processing personal information for purposes other than the entrusted business, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of consignees, and other liability matters in accordance with the Personal Data (Privacy) Ordinance, and supervises whether the consignees process personal information safely.
- Details of the consignees and entrustment business are as follows.
  - Consignee: N/A
  - Consignment work: N/A
  - Period for Consignment: N/A
- In case of a change in consignee or consignment work, the Company will immediately disclose such change through the Privacy Policy. The Company will obtain the user’s consent if such change requires the user’s consent.
Article 7 Transfer Abroad of Personal Information
- The name of the person to whom personal information is to be transferred: N/A
- Items of personal information transferred: N/A
- A nation to which personal information is to be transferred, the date and time, and methods of transfer: N/A
- The purposes of the use of the person to whom the personal information is to be transferred, and the period of retention of personal information: N/A
The Company consigns processing of personal information to third parties abroad as follows:
- The name of the consignee: KT Cloud
- Items of personal information consigned: Members personal information
- A nation to which personal information is to be transferred: Korea
- The purposes of the consignment: Data Storage
- The period of retention of personal information: When withdrawing from membership and ending the entrusted relationship
- The name of the consignee: Cashmallow Co., Ltd.
- Items of personal information consigned: Name, Phone Number, Date of Birth, Email, Address, Bank Account Number
- A nation to which personal information is to be transferred: Korea
- The purposes of the consignment: Data Storage, KYC, Watchlist and AML screening
- The period of retention of personal information: When withdrawing from membership and ending the entrusted relationship
- The name of the consignee: Queen Bee Capital.
- Items of personal information consigned: Name, E-mail
- A nation to which personal information is to be transferred: Japan
- The purposes of the consignment: To provide cash withdrawal
- The period of retention of personal information: 1 year from the service request
- The name of the consignee: IVXS Technology SG PTE. LTD
- Items of personal information consigned: Name, Birthday
- A nation to which personal information is to be transferred: Singapore
- The purposes of the consignment: authentication to prevent money laundering and terrorism financing
- The period of retention of personal information: 1 year from sign-in
- The name of the consignee: Sentbe Pte Ltd.
- Items of personal information consigned: Name, ID Number, Nationality/Region, Phone Number, Date of Birth, Address.
- A nation to which personal information is to be transferred: Singapore
- The purposes of the consignment: KYC, Watchlist and AML screening
- The period of retention of personal information: 5 years
- The name of the consignee: SCB Tech X Company Limited (“SCB Tech X”)
- Items of personal information consigned: First Name, Last Name, Address and National ID number
- A nation to which personal information is to be transferred: Thailand
- The purposes of the consignment: To provide cash withdrawal and anti-money laundering reporting
- The period of retention of personal information: 7 years or as required by relevant regulations
- Learn how SCB Tech X collects, uses, and discloses your personal data and understand your rights by checking out at Privacy notice
- The name of the consignee: PT. Bank Negara Indonesia (Persero) Tbk.
- Items of personal information consigned: Name, Date of Birth, Place of Birth, Remittance Purpose
- A nation to which personal information is to be transferred: Indonesia
- The purposes of the consignment: Verification, KYC, Sanction & AML Screening.
- The period of retention of personal information: 5 years
- The name of the consignee: Rizal Commercial Banking Corporation
- Items of personal information consigned: First Name, Last Name, Country
- A nation to which personal information is to be transferred: Philippines
- The purposes of the consignment: To provide cash withdrawal via QR.
- The period of retention of personal information: 5 years
- The name of the consignee: Authme Co., Ltd.
- Items of personal information consigned: Personal Information, Identification Documents, Supporting Documentation.
- A nation to which personal information is to be transferred: Google Cloud Platform (GCP) infrastructure, specifically on premises located in Taiwan.
- The purposes of the consignment: Identity Verification, Regulatory Compliance, Customer Due Diligence, Fraud Prevention, Record Keeping.
- The period of retention of personal information: Up to 30 days after the completion of the KYC process or as required by applicable laws.
- The name of the consignee: World Family Inc
- Items of personal information consigned: Name, Address, Phone number.
- A nation to which personal information is to be transferred: Japan
- The purposes of the consignment: Remittance funds.
- The period of retention of personal information: 7 years
Article 8 Right of Users and Guardians
The Company protects the rights of users as follows.
- The user at any time can view and edit personal information of such user, and request the Company to revise or delete the personal information if such personal information is untrue or unconformable. Provided that, if the Company is obligated to collect such personal information pursuant to related laws and regulations, the user may not request the deletion.
- The user can withdraw consent of provision of personal information or cancel the membership at any time.
- If the user requests to view, verify or correct the personal information, the Company will not use or provide the personal information until the correction or deletion is completed. The Company will take action without delay if it is deemed necessary to correct or delete the personal information, such as when an error is found in the personal information or the retention period has expired.
Article 9 Method of Destruction of Personal Information
- The Company will destroy personal information of users immediately when purpose of its collection and use has been fulfilled. Provided, the items to be retained in accordance with relevant law or internal regulation of the Company will be retained based on such laws and regulations.
- If the personal information must be kept according to the laws or regulations even if the retention period agreed by the user has expired or the purpose of processing has been achieved, the personal information shall be transferred to a separate database or place.
- If the user requests for the correction or deletion of information or requests for cancellation of the membership in accordance with the procedure and method mentioned in Article 8, the Company shall destroy personal information in accordance with this Article.
- Personal information received by the Company for temporary purposes (surveys, events, identity verification, etc.) will be destroyed in the same way after the purpose is achieved.
- The Company handles users’ personal information safely and destroys personal information through the following methods to prevent leakage.
  - Personal information printed on paper is shredded or incinerated for disposal.
  - Personal information saved in a digital format is deleted by using technology that prevents the recovery of records.
Article 10 Adaptation of Expiration System of Personal Information
- The Company will separately store and manage the personal information of its users who have not used the Services for 1 year (the “Expiration period of Personal Information”) or longer in accordance with relevant laws after the prior notice to the users.
- In the case of the preceding paragraph, the Company shall notify in advance through the contact method entered by the user such as e-mail, text message and mobile phone 30 days before the Expiration period of Personal Information. However, if the user who has reached the Expiration period of Personal Information requests for renewal of the retention period, his or her E-money remains, or the retention period of personal information is determined separately by other laws, Expiration System of Personal Information will be adapted after the expiration of such period.
- Even if the personal information of the user has been separated by the Expiration System of Personal Information, the user can reuse the service upon request through the identity verification process.
Article 11 Technical and Administrative Measures for the Protection of Personal Information
The Company takes the following technical, managerial and physical measures necessary for safety.
- Encryption of personal information: Personal information of the user is stored and managed in encrypted form, and only that user may access it. For important data, additional security measures, including encryption of files and transferred data and file locking, are applied.
- Technical measures against hacking: The Company installs security programs and updates and verifies the programs regularly to prevent leakage and damage of personal information by hacking, computer virus, etc. The Company also installs the system in a controlled area not accessible from outside and observes and prevents the system.
- The Company takes necessary measures for access control to the personal information by granting, altering, and dropping access authorities to the database system of personal information and controlling unauthorized access from outside.
- Minimizing the employees to access personal information and training: The Company manages personal information by designating the employees in charge of personal information and by limiting the number of such employees.
Article 12 Installation, Operation and Refusals of Automatic Personal Information Collection Systems
- The Company uses ‘cookies’ to identify the user accessing the homepage.
- ‘Cookies’ are pieces of information that a website transmits to the browser of the user to store basic setting information for websites. The option to use ‘cookies’ rests with the user. The user can select options including allowing all cookies storage, asking confirmation whenever cookies are stored, or disallowing all cookies storage in the user’s web browser.
- Provided that, it may be inconvenient for the user to select disallowing all cookies storage.
Article 13 Opinions and Complaints regarding Collection of Personal Information
The Company accepts any inquiries, complaints, feedback or other matters related to personal information protection and prepares all procedures and methods to deal with complaints. Users can report complaints through the telephone or e-mail of the person in charge of personal information protection and the Privacy Protection Officer described in Article 13, and the Company will give a prompt and sufficient response to the user’s report.
Article 14 Privacy Protection Officer
- The Company is committed to ensuring that you can access safely to good information. The Privacy Protection Officer is responsible for any incidents that may violate your notice in protecting your personal information.
- The user is responsible for the security of his or her ID and password. The Company never asks the user directly about the password in any way, so please be careful not to leak the password to others. Be particularly careful when you are online in public places.
- The Company appoints a personal Privacy Protection Officer who is responsible for collecting opinions and handling complaints about personal information. The contact of Privacy Protection Officer is as follows:
[Privacy Protection Officer]
E-Mail: contact@cashmallow.com
Address: RM 1423,14/F, Radio City, 505-511, Hennessy Road, Causeway Bay, Hong Kong
Phone number: +852-4614-9439
Article 15 Exception of Application of Privacy Policy
The Company may provide users with links to other companies’ websites or materials through the website. In this case, the Company has no control over external sites and materials, and the Company’s Privacy Policy does not apply to the collection of personal information of those sites. Therefore, when you visit external sites by clicking the link, please check the privacy policy of the newly visited site.
Article 16 Remedy for Damage
Users can contact the following organizations for damage relief, consultation, etc.
The following organizations are separate organizations from the Company. If you are not satisfied with the Company’s handling of complaints and damage relief, or need further assistance, please contact the following organizations.
- Consumer Council
  Responsibilities: Forestalling and Mediating Consumer Disputes
  Homepage: https://www.consumer.org.hk
  Phone: 2929 2222
- The Office of the Privacy Commissioner for Personal Data
  Responsibilities: To secure the protection of privacy of individuals with respect to personal data
  Homepage: https://www.pcpd.org.hk
  Phone: 2827 2827
  Address: Room 1303, 13/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
- Money Service Supervision Bureau, Customs and Excise Department
  Homepage: https://eservices.customs.gov.hk/MSOS/index
  Phone: 2707 7837
- Hong Kong Police Force: Anti-Deception Coordination Centre
  Phone: 2866 3366
Article 17 Obligation to Notify before Amendment
We reserve the right to update, revise, modify or amend this Policy in the following manner at any time as we deem necessary, and you are strongly recommended to review this Policy frequently. When this Privacy Policy is updated, revised, modified or amended, the Company will notify users in advance through the ‘Notice’ in the homepage or mobile app of the Service.
Additional Clause
This Privacy Policy takes effect on 2nd October 2024.