Privacy

1. INTRODUCTION 

We at CardUp HK Limited (“CardUp”, “we”, “us”, or “our”) take your privacy very seriously and we are committed to protecting your personal data. This Privacy Notice (“Notice”), together with any terms and conditions or terms of service, which you can find on the relevant CardUp website at cardup.co, explains how we manage your personal data. It sets out the basis on which we may collect, use, disclose or otherwise process personal data of our customers in accordance with the Malaysia Personal Data Privacy Ordinance (“PDPO”). If you wish to contact us regarding this Notice, please see the contact details set out below.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purpose of this Notice,
  • a "Customer" means an individual who (a) has contacted us through any means to find out more about any products or services we provide, or (b) may, or has, entered into a contract with us for the supply of any products or services by us; and
  • "Personal Data" means any information of the customer, including but not limited to, information to establish your identity, background (including your images), addresses, contact numbers, email addresses, IP addresses, operating systems, browser types, contact details, employment information, financial data, bank information, creditworthiness information, payment information, financial transactional information, audio recordings and other information and data generated or that you provide when you apply for any of our products and/or services.

Other terms used in this Notice shall have the meanings given to them in the PDPO (where the context so permits).


2. COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

Collection of Personal Data 

We do not collect your Personal Data unless: 

(a) it is provided to us voluntarily by you, directly or via a third party who has been duly authorised by you, to disclose your Personal Data to us (“Authorised Representative”) after (i) you (or your Authorised Representative) have been notified of the purposes for which the data is collected, and (ii) you (or your Authorised Representative) have provided written consent to the collection and usage of your Personal Data for those purposes; or

(b) the collection and use of Personal Data without consent is permitted or required by the PDPO or to fulfil any local legislated Know-Your-Customer (KYC) or Anti-Money Laundering (AML) regulatory requirements or standards set by our payment partners and to comply with any other applicable laws.

We shall seek your consent before collecting any additional Personal Data and before using your Personal Data for a purpose which has not been notified to you (except where permitted or authorised by law).

Usage of Personal Data 

We may collect and use your Personal Data for any or all of the following purposes (“Permitted Purposes”):

(a) to perform obligations in the course of or in connection with our provision of the products and/or services requested by you;

(b) to verify your identity and to assist other affiliate companies or financial institutions to verify your identity;

(c) to verify your occupation, business activities, source of funds and source of wealth;

(d) to respond to, handle, and process queries, requests, applications, complaints, and feedback from you;

(e) to manage your relationship with us including to manage and maintain your accounts with us;

(f) to process payment instructions and payment transactions through the relevant payment channel;

(g) to review our products offering and the related fees and charges;

(h) to utilise the same for strategic alliances, cross-selling, marketing, and promotions;

(i) to detect crime or fraud, and to utilise and disclose the same for investigation, prevention, prosecution and compliance with sanctions, including know your customer (KYC) and regular politically exposed persons (PEP) screening purposes;

(j) to respond to the requirements of a civil or criminal legal process and/or for regulatory compliance purpose and/or as required by law or regulation;

(k) to enforce any fee due or owing to enforce your obligations to us;

(l) to utilise the same for market research, statistical analysis and surveys with the aim of improving our products and services and product development;

(m) to provide you with the information on our and third-party products and services which may be of interest to you;

(n) to compare information/data for accuracy of our record, and to verify the same with third parties;

(o) to utilise the same for research, design, and improvement of our products and services, operational and business processes;

(p) to support our business, financial and risk monitoring, planning and decision-making;

(q) to utilise and disclose the same for audit, compliance and risk management;

(r) to transfer or assign our rights and duties under any governing terms and conditions between us and yourself;

(s) to utilise the same for our outsourcing of business and back room operations;

(t) to utilise and disclose the same for security reasons;

(u) to utilise the same to carry out cross-marketing activities, which includes promoting and advertising products or services to you that are related to or complementary with our products and services; to comply with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

(v) for any other purposes for which you have provided the information;

(w) to transmit to any unaffiliated third parties including our third party service providers and agents, connected entities and relevant governmental and/or regulatory authorities, whether in Hong Kong or abroad, for the aforementioned purposes; and

(x) for any other incidental business purposes related to or in connection with the above.

The Permitted Purposes may continue to apply even in situations where your relationship with us has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).

Disclosure of Personal Data

Your Personal Data shall be kept confidential at all times. However, in order to provide you with effective products and services (subject to any laws, regulations and guidelines) and for the Permitted Purposes, we may need to disclose your Personal Data to the following parties:

(a) CardUp’s agents, holding companies, subsidiaries, affiliates and associates;

(b) Professional advisers, contractors, service providers, and other agents with whom we have contractual agreements for some of our functions and services;

(c) financial services providers and/or payment partners in relation to the products and services that you have with us;

(d) any actual or potential participants or assignee or transferee of our rights and/or obligations under any transaction between us and you;

(e) any guarantor or security provider for the products and/or services granted by us to you;

(f) any authorities or regulators, including foreign regulators for the performance of their functions, or any party as required by any law or any government, quasi-government, administrative, court or tribunal;

(g) strategic/business partners with whom we have a relationship with for specific products and services;

(h) any person connected to the enforcement or preservation of any of our rights under your agreements with us; and/or

(i) any party authorised and/or consented by you.

3. RELIANCE ON THE LEGITIMATE INTERESTS EXCEPTION 

In compliance with the PDPO, we may collect, use or disclose your Personal Data without your consent for the legitimate interests of CardUp or any other person. In relying on the legitimate interests exception of the PDPO, CardUp will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh any adverse effect.

In line with the legitimate interests exception, we will collect, use or disclose your Personal Data for the following purposes:

(a) Fraud detection and prevention;
(b) Detection and prevention of misuse of services;
(c) Network analysis to prevent fraud and financial crime, and perform credit analysis; and
(d) Collection and use of Personal Data on company-issued devices to prevent data loss.

The purposes listed in the above clause may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.


4. WITHDRAWING YOUR CONSENT 

The consent that you provide for the collection, use and disclosure of your Personal Data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your Personal Data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us.

Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our products or services to you. In such circumstances, we shall notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described above. In addition to the aforementioned, we may not be able to remove information which is necessarily retained by us to comply with legal or regulatory requirements, storage purposes, or if there are valid grounds under the law to do so (such as legal claims etc.).

Please note that withdrawing consent does not affect our right to continue to collect, use and disclose Personal Data where such collection, use and disclosure without consent is permitted or required under applicable laws.


5. ACCESS TO AND CORRECTION OF PERSONAL DATA 

If you wish to make (a) an access request for access to a copy of the Personal Data which we hold about you or information about the ways in which we use or disclose your Personal Data, or (b) a correction request to correct or update any of your Personal Data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below. You may also update your Personal Data via Account Settings upon logging into our portal.

Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request. We will respond to your request as soon as reasonably possible. If we are unable to provide you with any Personal Data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPO).

 

6. PROTECTION OF PERSONAL DATA

To safeguard your Personal Data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as authentication and access controls (such as good password practices, need-to-know basis for data disclosure, etc.), encryption of data, data anonymisation, up-to-date antivirus protection, regular patching of operating system and other software, secure erasure of storage media in devices before disposal, web security measures against risks, security review, and regularly performed testing.

However, you should be aware that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

7. ACCURACY OF PERSONAL DATA 

We generally rely on Personal Data provided by you (or your Authorised Representative). From time to time, we may do a verification exercise for you to update us on any changes to the Personal Data we hold about you. In order to ensure that your Personal Data is current, complete and accurate, it is important that you update us if there are changes to your Personal Data we hold about you by informing our Data Protection Officer in writing or via email at the contact details provided below.

 

8. RETENTION OF PERSONAL DATA 

We may retain your Personal Data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. We will cease to retain your Personal Data, or remove the means by which the Personal Data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the Personal Data was collected, and is no longer necessary for legal or business (accounting and reporting) purposes but also to properly resolve disputes or to troubleshoot problems.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In addition, certain information may be stored indefinitely due to technical constraints, and will be blocked from further processing for purposes which are not mandatory by law.

You may delete the Personal Data we hold about you in ‘Account Settings’ at any time. However, we will retain it in our records for our audit and verification purposes (for example, where there is any subsequent dispute about a payment made using the CardUp platform).

 

9. HOW WE STORE AND SECURE YOUR PERSONAL DATA 

We are committed to taking appropriate measures designed to keep your Personal Data secure. Our technical and organizational procedures are designed to protect your Personal Data from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the Internet or any other public network can be guaranteed to be 100% secure. Once we have received your Personal Data, we will use strict procedures and security features to try to prevent unauthorized access or inadvertent disclosure.

The Personal Data that we hold about you will be stored either on cloud servers or using third party data storage providers in the countries where the relevant data controller operates or if elsewhere, in compliance with applicable data protection laws.

 

10. TRANSFER OF PERSONAL DATA OUTSIDE OF HONG KONG 

We are a company with offices and customers in more than one country. Hence, your Personal Data may be processed in other countries, and where data is stored in the Cloud with providers that operate data centres outside of Hong Kong.

When transferring data outside of Hong Kong we only do so:

  • for the Permitted Purposes;
  • to disclose certain Personal Data to organisations outside of Hong Kong that we have engaged, to process it on our behalf in order for us to provide the CardUp service to you and with whom we enter into strict contractual obligations, including confidentiality obligations and (where applicable) verify that they are in compliance with the relevant applicable data protection laws and regulations; and
  • to enable our employees, who are under strict confidentiality obligations, to access Personal Data if they are located in a country outside Hong Kong in which we have operations.

 

11. COOKIES AND OTHER TRACKING 

A “cookie” is a small text file that is placed onto an internet user’s web browser or device and is used to remember and/or obtain information about the user and a “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity, which are also sometimes referred to as pixels and tags.

We use the following cookies on the CardUp website and application:
  • Strictly necessary cookies. These are cookies that are required for the operation of the CardUp website and application. They include, for example, cookies that enable you to log into your CardUp account. 
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the CardUp website and application. They also enable us to see how users use the CardUp website and application and help us improve the website and application.
  • Functional cookies. These are used to recognize you when you return to the CardUp website. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region). They also help us provide a customised experience and enable us to detect certain kinds of fraud.
  • Targeting cookies. These cookies record your visit to the CardUp website, the pages you have visited and the links you have followed. We will use this information to make the website and the advertising displayed on it more relevant to your interests. 

Please note that there may also be third party cookies used on our website, over which we have no control. These named third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third party cookies are likely to be analytical cookies or performance cookies or targeting cookies.

We also use Google analytic tools to measure and understand how you use the CardUp website. More information on the types of cookies used may be found at https://policies.google.com/privacy?hl=en and you may opt out by downloading the Google Analytics opt out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

You can block cookies by activating the setting on your browser that allows you to refuse the acceptance of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of the CardUp website.


12. LINKS TO THIRD PARTY WEBSITES 

The CardUp website and application may contain links to other third party websites and microsites, whose privacy practices may differ from that of CardUp. We will not be responsible for the protection or handling of your Personal Data if you submit your Personal Data to any of those sites.

We encourage you to review the privacy notice of any site you visit. By clicking on or activating such links and leaving the CardUp website, CardUp does not exercise control over any data or any information which you give to any other entity after leaving the CardUp website. Any access to such other sites or pages is entirely at your own risk.


13. QUERIES, COMMENTS, REQUESTS AND COMPLAINTS

If you have any questions, comments, requests or complaints about our collection, use or disclosure of Personal Data, or regarding this privacy notice, please contact us using the details below. Please also contact us if you would like to update or amend any of your Personal Data which you have provided to us or if you believe our records relating to your Personal Data are incorrect.

hellohk@cardup.co

dpo@cardup.co 

When contacting us please provide as much detail as possible in relation to your question, comment, request or complaint. We would like to reassure you that we will take any privacy complaint seriously and such complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need (for example, your name and valid contact details, as well as proof of identity such as a copy of your identification document or details about your transactions with us). If we cannot reasonably satisfy ourselves of your identity, we may not be able to deal with your query, comment, request or complaint.


14. CHANGES TO THE PRIVACY NOTICE 

This Notice is in effect as of the date noted at the end of the Notice. We may change our privacy notice from time to time. Any changes we may make to our Notice in the future will be posted on this page and, where appropriate, notified to you by email.

Please check back frequently to see updates or changes to our privacy notice. By continuing to use CardUp, or continuing to allow us to retain or process your Personal Data following any such changes to our privacy notice, you are deemed to have accepted such changes unless you expressly notify us otherwise in writing (except to the extent we are required to make such changes in accordance with applicable laws).

Where we need to seek updated, additional or different consent from you, we will contact you. 

15. CONTACTING US 

If you have comments, questions or complaints about or requests relating to this Privacy Notice statement, please contact CardUp in writing at the address below referencing ‘Privacy Notice’:


By letter:

Data Protection Officer

3/F, Dorset House, Taikoo Place

979 King’s Road

Quarry Bay, Hong Kong

 

By email:

hellohk@cardup.co

dpo@cardup.co

 

Last updated: 09 June 2023