This Privacy Policy (the “Privacy Policy”) describes how Score Financial Pte. Ltd. (“Score”) collects, uses, discloses, and safeguards Personal Data in connection with access to and use of its suite of business and technology solutions (“Services”). Score is committed to managing Personal Data in compliance with the Personal Data Protection Act 2012 (“PDPA”) of Singapore and other applicable data protection laws. Users acknowledge that they have read and understood this Privacy Policy and consent to the collection, use, and disclosure of their Personal Data as described herein.

1. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below: “Services” means the suite of business and technology solutions provided by Score, including all related functionalities, platforms, systems, applications, and tools. “Score” means Score Financial Pte. Ltd., a company incorporated in Singapore, including its subsidiaries, affiliates, and related entities, where applicable. “User” means any individual who accesses or uses the Services, whether on their own behalf or on behalf of a Client. “Client” means any business entity or organization that has entered into a Service Agreement with Score and uses the Services for commercial or internal business purposes. “Service Agreement” means the legally binding agreement entered into between Score and the Client, governing the Client’s and its Users’ access to and use of the Services. “Consent” means any voluntary, specific, informed, and unambiguous indication of the User’s agreement to the collection, use, and disclosure of Personal Data, provided through a statement or affirmative action. “Personal Data” means data, whether true or not, about a User who can be identified from that data or from that data and other information to which Score has or is likely to have access. This includes, but is not limited to, names, identification numbers, job titles, contact information, account credentials, and other identifiers. “Applicable Law” means all applicable statutes, regulations, rules, directives, and codes of practice or guidance issued by governmental or regulatory authorities, including but not limited to the Personal Data Protection Act 2012 (PDPA), the Electronic Transactions Act 2010 (ETA), and any other data protection laws relevant to Score’s operations or the User’s jurisdiction. “Data Protection Officer (DPO)” means the individual appointed by Score to oversee its compliance with the PDPA and this Privacy Policy, and to act as the point of contact for data protection-related enquiries. “Personal Data Protection Commission (PDPC)” means the regulatory authority responsible for administering and enforcing the PDPA. “Cookies” means small text files stored on a User’s device by a website or application to collect standard Internet log information and visitor behavior information. “Tracking Technologies” means technologies that may collect and store information when Users access or interact with the Services, including web beacons, tags, scripts, pixels, and similar tools. “Notifiable Data Breach” means a data breach that results in, or is likely to result in, significant harm to affected Users or affects not fewer than 500 Users, as defined under the PDPA.

2. Personal Data Collection

2.1 Information Provided by Users

Score may collect Personal Data directly from Users or Clients when they: a. Register for or access the Services; b. Submit enquiries, support tickets, or feedback; c. Enter into a Service Agreement; d. Participate in surveys, events, or promotions; e. Submit information through forms, websites, applications, or digital platforms operated by Score.

2.2 Information Collected Automatically

Score may also automatically collect certain data through the use of its Services, such as: a. Internet Protocol (IP) address; b. Browser type and version; c. Device information; d. Date and time of access; e. Pages visited and user interaction patterns; f. Cookies and similar tracking technologies (further addressed in Section 13).

2.3 Third-Party Sources

Where permitted by law, Score may collect Personal Data from third-party sources, such as: a. Public databases or directories; b. Third-party service providers (e.g., identity verification services); c. Business partners or affiliates.

3. Personal Data Types

The types of Personal Data collected may include, but are not limited to: a. Full name; b. Contact information (e.g., email address, phone number); c. Personal identification details (e.g., NRIC/FIN); d. Job title or business role; e. Login credentials or user account details; f. System and device information; g. IP address and usage activity within the Services.

4. Personal Data Purpose and Use

Score collects, uses, and processes Personal Data for purposes that are lawful, reasonable, and necessary to support its business operations and the provision of Services. These purposes include, but are not limited to:

4.1 Service Delivery and Administration

a. To provide, operate, and maintain the Services; b. To register, authenticate, and manage User accounts; c. To facilitate access control and usage rights within the Services; d. To fulfil obligations under the Service Agreement.

4.2 Client Relationship Management

a. To communicate with Clients and Users regarding their accounts, transactions, or Service updates; b. To manage Client and User enquiries, support requests, or complaints; c. To administer events, feedback collection, and customer engagement.

4.3 Service Improvement and Analytics

a. To analyse usage patterns and user behaviour within the Services; b. To conduct internal audits, quality assessments, and performance monitoring; c. To develop and enhance features, interfaces, and security measures. a. To comply with applicable laws, regulations, and legal processes; b. To respond to requests from public or government authorities; c. To detect, investigate, and prevent fraud, abuse, or other security threats.

4.5 Other Purposes

Personal Data may also be used for other purposes for which the User has provided consent, or which are reasonably related to the above purposes and permitted under Applicable Law.

5. Personal Data Disclosure

Score may disclose Personal Data to third parties where such disclosure is reasonably necessary to provide the Services, support business operations, comply with legal obligations, or for other purposes set out in this Privacy Policy.

5.1 Categories of Recipients

Personal Data may be disclosed to the following categories of third parties: a. Service Providers – Vendors engaged to support Score’s operations, including cloud infrastructure providers, IT and cybersecurity vendors, customer support platforms, payment processors, and data analytics services; b. Business Partners and Affiliates – Entities that collaborate with Score in providing or improving Services, where such sharing is relevant and appropriate; c. Clients – Where the User is acting on behalf of or is affiliated with a Client, relevant Personal Data may be shared with the Client for Service administration and account management; d. Regulatory and Government Authorities – Agencies, regulators, or law enforcement bodies to comply with legal obligations, respond to lawful requests, or enforce Score’s rights; e. Professional Advisors – External legal counsel, auditors, accountants, or consultants engaged by Score under appropriate confidentiality obligations; f. Affiliates and Successors – To Score’s affiliates or any successor entity in the event of a merger, acquisition, corporate restructuring, or sale of assets, where such transfer is necessary for the continuity of business operations and subject to appropriate safeguards.

5.2 Safeguards for Disclosure

Where Personal Data is disclosed to third parties, Score shall take reasonable steps to ensure that: a. Such disclosure is limited to the minimum data necessary for the stated purpose; b. The recipients are contractually or legally bound to protect the Personal Data in a manner consistent with Applicable Law; c. Data handling by such recipients is subject to appropriate confidentiality, security, and use restrictions.

6. Personal Data Transfer

Score may transfer Personal Data to jurisdictions outside of Singapore in the course of providing the Services, including for purposes such as hosting, data processing, or collaboration with service providers and affiliates.

6.1 Cross-Border Transfers

Personal Data may be transferred to, stored in, or processed by third parties located in countries or territories outside of Singapore. These transfers will occur only where reasonably necessary for: a. Delivering or supporting the Services; b. Operating Score’s business and systems infrastructure; c. Engaging third-party service providers or affiliates; d. Complying with legal or regulatory obligations.

6.2 Safeguards for Overseas Transfers

Where Personal Data is transferred outside Singapore, Score will take appropriate steps to ensure that the data continues to receive a standard of protection that is at least comparable to the protection provided under the PDPA. These measures may include: a. Contractual agreements with recipients to ensure data protection obligations; b. Requiring recipients to implement appropriate technical and organisational security measures; c. Conducting due diligence or risk assessments on the jurisdiction and recipient; d. Relying on exceptions under the PDPA, including those set out in the Fourth Schedule (e.g., legitimate interests, contractual necessity), where applicable.

7. Personal Data Security

Score takes the security of Personal Data seriously and implements reasonable administrative, technical, and physical safeguards to protect Personal Data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

7.1 Security Measures

Security measures implemented by Score include, but are not limited to: a. Encryption of data in transit and at rest where appropriate; b. Firewalls, intrusion detection systems, and other network protection tools; c. Role-based access controls and authentication mechanisms; d. Secure development practices and regular vulnerability assessments; e. Logging and monitoring of system access and activity.

7.2 Security Limitations

While Score implements industry-standard safeguards, no method of transmission over the Internet or method of electronic storage is completely secure. As such, Score cannot guarantee absolute security and Users provide Personal Data at their own risk.

8. Personal Data Deletion and Retention

Score retains Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by Applicable Law, including for contractual, legal, regulatory, or operational needs.

8.1 Retention Criteria

Notwithstanding a deletion or consent withdrawal request, Score may retain certain Personal Data where such retention is: a. Necessary to fulfil obligations under a Service Agreement or other contract; b. Required to comply with applicable laws or regulations; c. Needed to protect the rights, property, or safety of Score, its Clients, Users, or others; d. Permitted under the PDPA or other Applicable Law.

8.2 Secure Disposal

When Personal Data is no longer required for any business or legal purpose, Score will take reasonable steps to: a. Permanently delete or anonymise the data such that the User is no longer identifiable; b. Ensure secure disposal or destruction in a manner that prevents unauthorised access, collection, use, disclosure, or modification.

9. Personal Data Accuracy

Score takes reasonable steps to ensure that Personal Data in its possession or control is accurate, complete, and up to date, particularly where such data is used to make decisions that affect Users, or is disclosed to third parties. Users and Clients are responsible for providing accurate and complete information at the time of submission and for informing Score promptly of any changes to their Personal Data. Failure to do so may affect the accuracy of Score’s records and the ability to deliver Services effectively. Score may, from time to time, request Users or Clients to verify or update their Personal Data to ensure its continued accuracy, in line with applicable legal, regulatory, and operational requirements.

10. Personal Data Breach Notification

Score implements safeguards to prevent data breaches, but recognises that in certain situations, a breach may occur. In such events, Score will respond promptly and in accordance with Applicable Law.

10.1 Breach Response and Containment

Upon becoming aware of a suspected or actual data breach, Score will: a. Immediately assess the scope and nature of the breach; b. Contain the breach to prevent further unauthorised access or damage; c. Conduct an internal investigation to determine the root cause.

10.2 Notification to the PDPC

Where required under the PDPA, Score will notify the PDPC of a notifiable data breach that: a. Results in, or is likely to result in, significant harm to affected Users; b. Affects a significant number (≥500) of Users. Score will provide such notification as soon as practicable, and in any case no later than three (3) calendar days.

10.3 Notification to Affected Users

Where required, and where the breach poses or is likely to pose a risk of significant harm, Score will also notify affected Users directly. The notification will include: a. A description of the nature of the breach; b. The types of Personal Data affected; c. Recommended steps that affected Users can take; d. Contact details for further enquiries or assistance.

10.4 Continuous Improvement

Following any breach, Score will review and enhance its security measures, policies, and procedures to mitigate future risks and prevent recurrence. Score collects, uses, and discloses Personal Data based on the User’s consent, except where such processing is required or permitted under Applicable Law without consent (e.g., legal obligations, legitimate interests, contractual necessity). Consent may be obtained explicitly (e.g., via checkbox, signed agreement, or digital form) or implicitly (e.g., through continued use of the Services after being informed of the Privacy Policy). By accessing or using the Services, Users acknowledge that they have read and understood this Privacy Policy and consent to the collection, use, and disclosure of their Personal Data as described herein. Users may withdraw their Consent at any time by submitting a written request to Score’s Data Protection Officer. Upon receiving a valid request, Score will: a. Cease to collect, use, or disclose the User’s Personal Data, unless processing without consent is permitted or required under Applicable Law; b. Inform the User of any consequences of withdrawing consent, including how it may affect access to or functionality of the Services. Score may be required or permitted to retain certain data for legal or business purposes.

11.3 Limitations on Withdrawal

Withdrawal of consent does not affect: a. The lawfulness of any data processing carried out before the withdrawal; b. Score’s right to retain certain Personal Data where necessary to fulfil legal, regulatory, or contractual obligations, or where permitted under Applicable Law. Score maintains records of User consent, including timestamps, methods of consent, and consent language versions, to demonstrate compliance with the PDPA and applicable regulations.

12. User Rights and Requests

Score recognises the rights of Users under the Personal Data Protection Act (PDPA) and provides mechanisms for Users to exercise control over their Personal Data.

12.1 Access to Personal Data

Users may request access to the Personal Data that Score holds about them. Upon verification of identity, Score will provide: a. Information on the types of Personal Data held; b. The purposes for which it is being used or disclosed. Score may impose a reasonable administrative fee for processing such access requests, where permitted by law.

12.2 Correction of Personal Data

Users may request the correction of inaccurate or incomplete Personal Data. Upon verification and validation, Score will make the necessary corrections and, where applicable, inform any third parties to whom the data has been disclosed (unless exempted).

13. Use of Cookies

Score uses cookies and similar technologies to enhance User experience, improve system performance, and analyse usage of the Services.

13.1 Types of Cookies Used

a. Essential Cookies – Necessary for the basic functionality of the Services (e.g., user authentication, session management); b. Performance and Analytics Cookies – Help Score understand how Users interact with the Services to improve functionality and user experience; c. Functionality Cookies – Remember User preferences (e.g., language or display settings); d. Third-Party Cookies – Set by third-party services (e.g., analytics, customer support, social media integrations).

13.2 User Controls

Users may manage or disable Cookies through their browser settings. In addition, Users may be presented with cookie consent banners or preference tools to customise their cookie settings. Disabling certain cookies may impact the availability or functionality of some parts of the Services.

14. Privacy Policy Modification

Score may amend this Privacy Policy from time to time to reflect changes in legal, regulatory, technical, or operational requirements.

14.1 Notification of Changes

Any material changes to this Privacy Policy will be communicated to Users through appropriate electronic means, such as email notifications or in-platform alerts. Users are encouraged to review this Privacy Policy periodically to stay informed about how their Personal Data is collected, used, and protected. Amendments shall become effective as of the date indicated in the revised Privacy Policy. Where required by law or where changes materially affect User rights, Users will be required to re-consent to the updated Privacy Policy prior to continued access or use of the Services.

15. Governing Law

This Privacy Policy shall be governed by, and construed in accordance with, the laws of the Republic of Singapore. Any disputes arising out of or in connection with this Privacy Policy, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Singapore.

16. Electronic Transactions

By accessing or using the Services, Users consent to receive communications, notices, and documents from Score in electronic form, including via email, phone, and system notifications. These communications shall have the same legal effect as if provided in hardcopy.

16.2 Use of Electronic Records and Signatures

Where permitted by Applicable Law, electronic records and electronic signatures used in connection with the Services shall be valid and enforceable, and shall carry the same legal effect as physical signatures and documents. This Privacy Policy is intended to be consistent with the requirements of the Electronic Transactions Act 2010 of Singapore and any applicable cross-border electronic commerce standards.

17. Contact

For any questions, concerns, or communications regarding this Privacy Policy or the handling of Personal Data, please contact DPO using the following details:

17.1 Data Protection Officer

Email: support@scorefintech.com All correspondence should include the User’s registered entity name and relevant contact information to facilitate a timely response.