Sliq Digital Pte. Ltd. and its affiliates (hereinafter "Sliq.app", "we", "us" or "our") operate the technology platform accessible through various subdomains of sliq.app (the "Platform"). This Privacy Policy sets forth our policies regarding the collection, use and disclosure of personal data when you utilise our Platform.

This Privacy Policy is provided in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection legislation.

3.1 Data Provided Directly by Data Subjects:

• Identification data (first name, last name, email address)
• Authentication credentials
• Profile information
• Transaction data as determined by the Data Controller
• Payment data (where applicable)
• Communications data

3.2 Data Collected Automatically:

• Technical data (IP address, browser type, device information)
• Usage data (access times, pages viewed, features used)
• Location data (derived from IP address)
• Cookie data and similar tracking technologies

We process personal data strictly in accordance with the documented instructions of the Data Controller for the following purposes:

• Provision of the Platform services
• User authentication and access management
• Processing of transactions as configured by the Data Controller
• Technical support provision
• Platform security and fraud prevention
• Service improvement and maintenance
• Compliance with legal obligations

5.1 Data Controller:

All personal data is accessible to the Data Controller in accordance with the master SaaS agreement.

5.2 Sub-processors:

We engage carefully vetted sub-processors to assist in providing our services. A current list of sub-processors, including their location and processing activities, is available at sub-processors.

5.3 Other Recipients:

Personal data may be disclosed to competent authorities where required by applicable law.

Personal data may be transferred to and processed in countries outside the European Economic Area. Where such transfers occur, we ensure appropriate safeguards are implemented in accordance with Chapter V of the GDPR, including:

• Standard Contractual Clauses adopted by the European Commission
• Adequacy decisions pursuant to Article 45 GDPR
• Other appropriate safeguards as provided for in Article 46 GDPR

Personal data is retained in accordance with the retention periods specified by the Data Controller and applicable legal requirements. Upon termination of services, personal data shall be deleted or returned to the Data Controller within ninety (30) days, unless retention is required by applicable law.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Pseudonymisation and encryption of personal data
• Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems
• Ability to restore availability and access to personal data in a timely manner following incidents
• Regular testing, assessment and evaluation of security measures
• Adherence to approved codes of conduct pursuant to Article 40 GDPR

In accordance with Chapter III of the GDPR, data subjects have the following rights:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure ('right to be forgotten') (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object (Article 21 GDPR)
• Rights related to automated decision-making (Article 22 GDPR)

Exercise of Rights: Data subjects should direct requests to exercise these rights to the Data Controller. We will assist the Data Controller in fulfilling such requests in accordance with our obligations under Article 28 GDPR.

Right to Lodge a Complaint: Data subjects have the right to lodge a complaint with their local data protection supervisory authority.

We utilise strictly necessary cookies required for the operation of the Platform. These cookies are exempt from consent requirements under Article 5(3) of Directive 2002/58/EC. The Data Controller may implement additional tracking technologies subject to their own policies and applicable consent requirements.

Our services are not directed at persons below the age of 16. We do not knowingly process personal data relating to children without appropriate parental consent as required under Article 8 GDPR.

We reserve the right to amend this Privacy Policy. Material amendments will be communicated through appropriate channels. The Data Controller is responsible for ensuring data subjects are informed of relevant changes.

For inquiries regarding this Privacy Policy or our data processing activities: