PRIVACY POLICY

Terms and Definitions

Definitions. Undefined capitalised terms in this Policy shall have the meanings set out below.

Act means the Personal Data Protection Act 2012 of Singapore as amended from time to time.

Authorised Representative means the third parties who have been duly authorised by you todisclose your personal data to us.

Documentation means Trace's (a) security and compliance documentation; (b) privacy policy; and (iii) service level agreement, which can be found at trace.io/service-level-agreement and other documents as updated from time to time.

Order Form means an ordering document specifying the Services to be provided hereunder that is
entered into between a customer and Trace, including any statement of work, addenda and
supplements thereto.

Personal Data refers to data about an individual who can be identified from that data; or from that
data and any other information to which the organisation has or is likely to access, including sensitive
personal information.

Platforms means our website and where applicable, our application programming interface
documentation and any other resources made available to you from time to time that are developed or owned by Trace.

Purposes has the meaning ascribed to it in Clause "Use of personal data" (Purpose).

Services means the services that are ordered under an Order Form which, for the avoidance of
doubt, excludes Third Party Applications.

Personal Data We Collect

Collection of Personal Data. Trace generally does not collect personal data unless (a) it is provided to us voluntarily by the data subject directly or via a third party who has been duly authorised by the data subject to disclose such personal data to Trace (your “authorised representative”) after (i) the data subject (or its authorised representative) has been notified of the purposes for which the data is collected, and (ii) the data subject (or its authorised representative) has provided written consent to the collection and usage of such personal data for those purposes, or (b) collection and use of
personal data without consent is permitted or required by the PDPA or other laws. Trace shall seek
consent before collecting any additional personal data and before using any personal data for a
purpose which has not been notified to the data subject (except where permitted or authorised by
law).

Type of Data Collected. We may collect personal data (including sensitive personal data)
including but not limited to:
‍
(a) principal name;
(b) gender;
(c) date of birth;
(d) residential status;
(e) nationality;
(f) email address;
(g) registered address;
(h) financial information;
(i) transaction information;
(j) identification number such as NRIC/FIN; and/or
(k) information about mobile phone numbers, including where available IP address, operating system
and browser type.

Personal Data Of Other Individual

Provision of Personal Data of Other Individuals. To the extent that you have provided, or will
provide, personal data about your family members, spouse, other dependents (if you are an
individual), directors, shareholders, employees, representatives, agents (if you are a corporate, an
entity or an organisation) and/or other individuals, you confirm that you have explained or will explain
to them that their personal data will be provided to, and processed by, us and you represent and
warrant that you have obtained their consent to the processing (including disclosure and transfer) of
their personal data in accordance with this Policy.

Use Of Personal Data

Purpose. We may use personal data held for legitimate purposes associated with our business,
including but not limited to any or all of the following purposes (the "Purposes"):

(a) to manage the relationship between you and Trace;
‍
(b) to enable Trace to perform its obligations under or in connection with the provision of services
and/or products to you;
‍
(c) to maintain legal and regulatory compliance in the jurisdictions in which Trace operates;
‍
(d) to enforce the terms and conditions of any agreement between you and Trace (including this
Policy);
‍
(e) to enable Trace to improve its services and/or products and marketing and customer
relationships;
‍
(f) to send you updates on the services and/or products of Trace, benefits, promotions and other
such promotional material from time to time at the email address and/or contact number provided by
you to Trace;
‍
(g) where required under any applicable laws;
‍
(h) where required under any order of court from a court of competent jurisdiction;
‍
(i) for such purposes to which you have given your consent in writing.

Non-Exhaustive List. You acknowledge, agree and consent to the processing of your personal
data depending on the circumstances at hand for such purpose that may not appear as a Purpose.
However, we will notify you of any such other purpose at the time of obtaining your consent, unless
processing of the applicable data without your consent is permitted by the applicable laws.

Third-Party Use. We may also use your data, or permit selected third parties to use your data, to
provide you with information about goods and services which may be of interest to you and we or they
may contact you about these by email, post or telephone.

Continuation. You acknowledge and agree that Trace may continue to use and disclose
Personal Data for a reasonable period following the termination of the relationship between you and
Trace for any one or more of the following purposes:

(a) to allow Trace to fulfil its outstanding obligations to you under any agreement between you and
Trace, if any;
‍
(b) to allow Trace to enforce its rights under any agreement between you and Trace, if any;
‍
(c) for such purposes to which you have given your consent in writing;
‍
(d) where required under any applicable laws;
‍
(e) where required under any order of court from a court of competent jurisdiction.

Disclosure And Transfer Of Data

Instances of Disclosure. You agree that Trace may disclose Personal Data to:

(a) any governmental agency or regulatory authority of any jurisdiction properly exercising its powers;
‍
(b) professional advisers of Trace;
‍
(c) parties providing services and/or products to Trace (including information technology services,
know-your-client and anti-money laundering compliance services providers);
‍
(d) related corporations of Trace (“related corporation” as defined under the Companies Act (Cap. 50)
of Singapore), if any;
‍
(e) to any third party where we consider that disclosure of your data to such third parties will be
necessary to fulfill legitimate business interests;
‍
(f) entities that Trace is in discussions with for a merger or an acquisition of Trace by such other
entities;
‍
(g) entities that acquire the assets of Trace pursuant to any applicable law, including the laws of
insolvency in Singapore;
‍
(h) entities pursuant to any order of court from a court of competent jurisdiction.

Data Protection in Countries Not Including Singapore. The personal data that we collect from
you may be transferred to, and stored at, a destination outside Singapore. It may also be processed
by staff operating outside Singapore who work for us or one of our suppliers. Such staff may be
engaged in, among others, the fulfilment of your order, the processing of your payment details and the
provision of support services. By submitting your personal data to us, you agree to this transfer,
storing or processing. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with PDPA.

Storage of Personal Data. All information you provide to us is stored on our secure servers. Any
payment transactions will be encrypted using SSL technology. Where we have given you credentials
which enable you to access certain parts of our Platforms and/or Services, it is your responsibility to
ensure that the credentials are kept confidential and that you do not share the credentials with any
third party.

Transmission of Information via Internet. Please note that the transmission of information via
the internet is not completely secure. Although we do our best to protect your personal data, we
cannot guarantee the security of your data transmitted to our Platforms and any transmission is made
at your own risk. Once we have received your information, we will use strict procedures and security
features to try to prevent unauthorised access to your personal data.

Your Rights

Request for Access. To the extent that the prevailing personal data protection and privacy laws
allow, you have the right to request for access to, request for a copy of, request to update or correct,
your personal data held by us. Please note that depending on the request that is being made, Trace
may only need to provide you with access to the Personal Data contained in the documents
requested, and not to the entire documents themselves, in which case it may be appropriate for
Trace to instead provide you with a confirmation of the Personal Data that our organisation has on
record if the record of the Personal Data forms a negligible part of the document.

Response Period. Trace will respond to any request as soon as reasonably possible. Should
Trace not be able to respond to your request within thirty (30) days after receiving such request,
Trace will respond in writing within thirty (30) days of the time by which Trace will be able to respond
to such request. If Trace is unable to provide such personal data or to make the requested correction, Trace shall generally provide the reasons why Trace is unable to do so (except where Trace is not required to do so under the PDPA).

Withdrawal of Consent. You have the right, by notice in writing, to inform us of your withdrawal
(in full or in part) of your consent previously given to use your personal data, subject to any applicable
legal restrictions, contractual conditions and a reasonable duration of time for the withdrawal of
consent to be effected. However, depending on the extent of your withdrawal of consent for us to
process your personal data, you may not be able to access our Services and/or use our Platforms.

Links To Other Platforms. Our Platforms may, from time to time, contain links to and from the platforms of our partner networks, advertisers and affiliates. If you follow a link to any of these
platforms, please note that these platforms have their own privacy policies and that we do not accept
any responsibility or liability for these policies. Please check these policies before you submit any
personal data to these platforms.

Retention Of Personal Data

Duration of Retention. We may retain your personal data for as long as it is necessary to fulfill
the purpose for which it was collected, or as required or permitted by applicable laws. We will cease to retain your personal data or remove the means by which the data can be associated with you as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.

Data Security

Data Security. We will take reasonable steps to keep your personal information safe from loss, unauthorised activity or other misuse.

To safeguard personal data from unauthorised access, collection, use, disclosure, copying,
modification, disposal or similar risks, the Company has introduced appropriate administrative,
physical and technical measures such as up-to-date antivirus protection, encryption and the use of
privacy filters to secure all storage and transmission of personal data by the Company, and disclosing
personal data both internally and to our authorised third party service providers and agents only on a
need-to-know basis. For further details please refer to the policies which can be found at trace.io/service-level-agreement.

Data Breach. In the event of a data breach, the Data Protection Officer will, as soon as
reasonably practicable, notify all affected parties of the breach.

Cookies

Implementation of Cookies. We may from time to time implement "cookies" or other features to
allow us or third parties to collect or share information that will help us improve our Platforms and the
Services we offer or help us offer new services and features.

What are Cookies. Cookies are small files which are placed on your computer when a website
is accessed by you. Cookies help the website user to navigate efficiently between pages and the
website operator to track usage of the site. We may link cookie information to personal data.

What We use Cookies For. Cookies allow us to recognise your computer or device and tell us
how and when the Services or Platforms are used or visited, by how many people and to track activity
within our Platforms. Cookies are also used to deliver content specific to your interest and to monitor
usage of the Platforms and Services.

What Are My Options in Relation to the Use of Cookies. By using our Platforms, you agree to
the use of cookies and other technologies as set out in this Policy. If you do not agree to such use
please either refrain from using the Platforms, or refuse the use of cookies by selecting the
appropriate settings on your browser. However, you may not be able to access the full functionality of
our Platforms or Services if you choose to do so.

Change To Policy

Other Clauses. This Policy applies in conjunction with any other notices, contractual clauses,
and consent clauses that apply in relation to the collection, use and disclosure of Personal Data by
Trace.

Revision of Policy. Trace may revise this Policy from time to time without any prior notice and
you acknowledge and agree that it is your sole responsibility to keep up to date with any revisions to
this Policy.

Acknowledgement. Your continued use of any service and/or product provided by Trace shall
constitute your acknowledgement and acceptance of any revisions to this Policy.

Data Protection Officer

Trace Data Protection Officer. Trace's Data Protection Officer can be contacted if you have
any enquiries or feedback on our personal data protection policies and procedures, or if you wish to
make any request (including for access and correction of personal data) at hello@tracefund.io.