Swiit Data Privacy Policy
1. Introduction
Welcome to Swiit, a global fintech service provided by the Sweet Intelligence
group of companies. We value your privacy and are committed to protecting your personal
data. This Data Privacy Policy ("Policy") explains how Swiit ("we," "us," or "our")
collects, uses, discloses, and transfers personal data in connection
with our services and mobile applications (the "Services"). It also outlines
how we comply with various data protection laws, including the EU
General Data Protection Regulation (GDPR), the Singapore
Personal Data Protection Act 2012 (PDPA), U.S. laws like the
Gramm-Leach-Bliley Act (GLBA) and Bank Secrecy Act (BSA),
and other applicable regulations. We have structured this Policy to be clear and
user-friendly, with sections addressing who we are, what data we collect, why and how we use
it, how we share and transfer it across borders, your rights regarding your data, how long we
retain data, and how we secure it.
By using Swiit's Services, you acknowledge that you have read and understood this Policy. We
may update this Policy from time to time to reflect changes in our practices or legal
requirements. If we make material changes, we will notify you by appropriate means (e.g. via
our app or website). The current version of this Policy is always available through our
app/website, and your continued use of the Services after an update indicates your acceptance
of the revised Policy.
2. Who We Are
Swiit is a financial technology service application offered through a group of affiliated
legal entities. These entities work together to provide the Swiit apps, website and related
services, and each plays a specific role in handling your data. In this Policy, when we refer
to "Swiit," we mean all entities collectively. Below is who we are and what each entity does:
- Sweet Intelligence Inc. (USA) – Referred to as "SII", this
is our U.S. entity incorporated in Colorado. SII is a licensed money services business (MSB)
and serves as the primary regulated compliance entity. SII is the main contracting party for
our banking partner (Zenus Bank) and is responsible for ensuring compliance with U.S.
financial laws (including the Bank Secrecy Act and FinCEN regulations) in relation to your
account. SII oversees anti-money laundering (AML) compliance and is the party that holds the
MSB license in Colorado.
- Sweet Intelligence Pte. Ltd. (Singapore) – Referred to as
"SIPTE", this entity operates our mobile application and platform. When you
sign up and use the SweetBanks app or website, SIPTE is the operator handling the day-to-day
collection of your information through the app. SIPTE also manages our identity verification
process in partnership with third-party vendors. SIPTE ensures that our operations comply
with Singapore's laws (such as the Personal Data Protection Act, PDPA) and any other
operational regulations.
- Sweet Intelligence Limited (Hong Kong) – Referred to as
"SIL", this entity is based in Hong Kong and integrates anti-money laundering
(AML) and sanctions screening services. SIL facilitates our compliance processes by routing
relevant personal data to third-party screening tools and databases. For example, SIL helps
perform sanctions, fraud, and AML checks (via service providers) to ensure users are not
barred or high-risk individuals.
Unified Privacy Commitment: For purposes of this Privacy Policy,
"Swiit" refers collectively to SII, SIPTE, and SIL. All these entities work
together to provide you with a seamless service. We have internal agreements and controls in
place to ensure that regardless of which entity is handling your information, your data is
protected consistently and lawfully. We present a unified approach under the Swiit brand,
while each entity carries out its respective responsibilities in compliance with local
regulations. (In practice, one entity may delegate certain data processing tasks to another
under inter-company agreements, but your rights and protections remain the same.) This unified
policy applies to all personal data collected by any Swiit entity in connection with our
services.
3. Categories of Personal Data Collected
We collect various categories of Personal Data in order to provide and improve our Services,
to comply with legal requirements, and for other purposes described in this Policy. In this
Policy,
"Personal Data" (or "personal information") means any information relating to
an identified or identifiable individual, as defined under relevant privacy laws. Other
capitalized terms may be defined within this Policy or under applicable law. This Policy
covers all such Personal Data, whether collected from you directly, generated through your use
of our Services, or obtained from third-party sources. The types of Personal Data we may
collect include, but are not limited to, the following:
- Identity Data:
Information that identifies you, such as your full name, date of birth, nationality, and
government-issued identification details (e.g. ID or passport number, issuance and expiry
dates). This also includes images of your identity documents (like a photo or scan of your
passport or ID card) and any personal details shown on those documents. We may also collect
additional biographical details like gender or occupation as required for KYC compliance.
- Selfie and Biometric Data:
A photograph or live "selfie" image of your face for identity verification purposes. We use
facial likeness (and in some cases may use facial recognition technology) to confirm that
you are the same person as in your photo ID. Note: We only use biometric
data for fraud prevention and identity verification in compliance with applicable laws, and
in some jurisdictions we will obtain your explicit consent for this (e.g. if required by
biometric data laws).
- Contact Data:
Your contact information, such as your residential address, email address, phone number, and
mailing address. This allows us to communicate with you and is also needed for verification
(for example, proof of address documentation).
- Address and KYC Documents: Documents you provide to verify your address or
other aspects of your identity. This can include utility bills, bank statements, or other
official documents containing your name and address. We also retain any questionnaires or
forms you fill out as part of Know-Your-Customer (KYC) due diligence (for instance,
information about your source of funds if required).
- Financial and Transaction Data:
Information about the financial transactions you conduct through Swiit or related services.
For example, if our app or partner bank provides you with an account or payment
functionality, we collect details like your bank account number or virtual account ID,
transaction amounts, currency, timestamps, recipient or sender information, and transaction
descriptions or metadata. We also collect details of your linked payment methods or funding
instruments (e.g., if you link an external bank account or card, we may collect that
account/card number and associated account holder name). Note: Actual
banking services are provided by our partner Zenus Bank, and additional
privacy disclosures from Zenus may apply to data they collect directly for account creation
and maintenance.
- Usage and Metadata:
Data generated through your use of the app and our services. This includes logs of your
actions (e.g. login times, features used), preferences you set, and other analytics
information. For instance, we may collect metadata like referral sources, app version,
clickstream data within the app, and cookies or similar tracking technologies if applicable
(for example, if we have a web portal).
- Device and Technical Information:
Information about the device and network you use to access Swiit. This can include device
identifiers, device type, operating system version, mobile app version, browser type (if
using a web interface), IP address, and other technical identifiers. We collect this to
secure your account (e.g., for fraud detection, recognizing trusted devices) and to optimize
our services for your technical environment.
- Cookies and Analytics Data:
We and our third-party partners use cookies, pixels, local storage, and similar tracking
technologies on our websites and apps to collect data about your device and online activity.
This data may include cookie identifiers or session IDs, browsing preferences, and pages or
content viewed. We may receive reports based on the use of such technologies by our
analytics providers (for example, aggregated usage statistics or error logs). This
information helps us carry out website analytics, measure the effectiveness of features or
content, personalize your experience, remember your preferences, and enhance security. You
can control certain cookies through your browser settings or via our provided cookie consent
tools (where required by law). Please note that if you disable cookies, some features of our
Services might not function as intended.
- Preferences and Behavioral Data:
Information about your preferences and settings in relation to our Services. For example,
this includes your preferred language, marketing and communication preferences (e.g. whether
you have opted in or out of receiving promotional communications), and settings or
configurations you choose within the app. We may also infer your interests or
characteristics based on your interactions with the Services (such as features you use
frequently) to personalize your experience. Additionally, we collect any feedback, survey
responses, or opinions you voluntarily provide about our Services.
- Self-Reported and Communication Data:
Any other personal data you choose to provide us when interacting with us. For example, if
you contact Swiit Support or our compliance team, we will collect the
information you give in those communications (such as the content of emails, chat messages,
or call recordings if you call customer service). Likewise, if you respond to surveys,
provide feedback, or participate in promotions, we will collect whatever data you provide in
those contexts.
- Third-Party Compliance and Screening Information:
Information obtained from third-party sources for compliance, fraud prevention, or
verification purposes. For instance, we may receive data about you from our
screening partners that perform sanctions, anti-money-laundering (AML) and
politically exposed person (PEP) checks. This can include confirmation of whether you appear
on government watchlists, sanctions lists, or adverse media databases, as well as due
diligence notes (e.g. a risk score or alerts associated with your profile). We collect and
use such information to fulfill our legal obligations and to protect our platform from
illicit use. These third-party checks may reveal sensitive details (for example, public
records of criminal convictions or regulatory actions, if applicable), which we handle in
accordance with law and solely for compliance purposes.
- Information from Linked Accounts and Third-Party Services:
If you choose to link or integrate external accounts or services with Swiit, we will receive
certain information from those third parties. For example, if you link an external bank
account or financial institution to our platform, we may collect personal and financial data
from that institution with your authorization. This can include both public
and non-public information about your account and transactions, such as your account holder
name, account balance, transaction history, account credentials/tokens, and any associated
metadata necessary to facilitate the integration. Similarly, if our Services connect with
third-party payment processors, e-commerce platforms, accounting systems, or other services
you use, we will receive whatever information you allow to be shared from those sources
(which may include invoices, payroll or HR data, or other commercial information related to
your business or personal finances). We use this linked data to provide our Services to you
and will treat all such externally sourced personal data in line with this Policy.
- Other Data Collected by the App:
There may be additional data we collect to comply with specific regulations or to provide
certain features. For instance, we might ask for your occupation or
employment status (as part of regulatory KYC requirements), or your
tax identification number if needed for reporting. We will always inform
you at the time of collection if any additional personal data is required. In general, we
will not collect any highly sensitive personal data about you unless necessary (for example,
we do not collect information about your race, religion, or health, as
these are not required for our services). If any sensitive data is collected (such as
biometric data for identity verification), it will be done with your consent and handled
with enhanced security.
- Data of Others:
In some cases, you might provide us personal data about others – for example, if you refer a
friend or if a joint account feature is offered. If you do so, you must ensure you have the
other person’s permission. We will treat such data in line with this Policy.
We collect most of this information directly from you (e.g., through our app’s onboarding
process, forms you fill, or documents you upload). In addition, we may also obtain some data
from external sources
with your knowledge: for instance, we might receive identity verification
results or risk scores from third-party services (such as sanctions screening databases) or
receive updated address information from reliable data providers to keep our records
accurate. We ensure that any third-party data sources are lawfully used and that we have a
right to use that data (for example, under an anti-fraud legitimate interest or with your
consent, as required by law).
We will indicate to you when Personal Data is requested whether the provision of the data is
optional or required. Some of the above categories (particularly Identification Data,
Contact Information, and certain Financial Information) are necessary for us to provide our
core Services (for example, we generally cannot provide financial services or open an account
for you without verifying your identity or collecting required details). If you choose not to
provide required information, we may not be able to offer you some or
all of the Services. Where we collect sensitive Personal Data (such as biometric identifiers
or data revealing criminal offences from compliance checks), we will do so in accordance
with applicable law and, where required, with your prior consent.
4. Purposes of Processing Personal Data
We collect and process Personal Data for a variety of purposes in connection with operating
the Swiit Services and our business. Below we describe the key purposes for which we use your
Personal Data, as well as the legal bases that make such processing lawful under applicable
regulations (for example, GDPR, PDPA, and relevant U.S. laws or other relevant statutes).
Depending on the context, more than one legal basis may apply to the same piece of Personal
Data.
- Providing and Maintaining Our Services:
We use your Personal Data to set up your account, authenticate your identity, and provide
you with the features and functionalities of the Swiit app and related services. This
includes using Identification and Contact Data to register your user account, enabling you
to log in securely, and facilitating any transactions or operations you request. For
example, we will use your provided information to help you open and manage a linked bank
account through Zenus Bank, to process payments or transfers you initiate, and to display
your account information and transaction history within the app. This processing is
necessary for performance of our contract with you (i.e. the User Agreement or Terms of
Service governing the app). In some cases, it is also in our legitimate interests to ensure
the proper functioning of our platform and to serve you as a customer. Additionally, certain
uses of your data for this purpose (such as verifying identity to open an account) are done
to comply with legal obligations in financial regulations.
- Communication and Customer Support:
We use contact information (like your email and phone number) to communicate with you about
your account and the Services. This includes sending administrative or service messages such
as account confirmations, transaction alerts, security notifications (e.g. OTP codes or
fraud warnings), and updates about changes to our terms or this Policy. We also use your
name and contact details, along with any relevant account info, to respond when you reach
out with questions, requests, or support issues. If we record customer service calls or save
chat transcripts (where permitted by law), we do so to train our staff and to ensure we
accurately resolve your issues. Communicating and assisting you is part of our contractual
obligations to provide the Service and is also within our legitimate interests to maintain
good customer relations and service quality.
- Identity Verification and Fraud Prevention:
Personal Data (especially Identification Data and Biometric Identifiers) is used to verify
your identity and protect against fraud, money laundering, or other unauthorized activity.
For instance, we utilize your government ID information and biometric facial data to confirm
that you are who you claim to be when signing up (this may involve automated matching of
your selfie to your ID photo via a secure third-party verification service). We also use
Compliance and Screening Information, as well as data from your device and usage patterns,
to detect and prevent suspicious or prohibited activities on our platform. This includes
running sanction/PEP checks, checking for inconsistencies or risk indicators in your
transactions, and using automated systems to flag potential fraud or security issues (such
as multiple failed login attempts or logins from a new location/device). Much of this
processing is required for us to comply with legal obligations – for
example, anti-money laundering (AML), countering the financing of terrorism (CFT), "know
your customer" regulations, and sanctions laws mandate that we authenticate identities and
screen users against certain databases. In addition, protecting our Service from fraud and
abuse is in our legitimate interests (as well as in the interest of all our
users), and in some cases, we are processing this data
in the public interest of preventing crime. Where biometric data is used,
we rely on your consent (collected in-app at the time of verification, as
required by laws governing biometric privacy or sensitive data).
- Providing Financial Services (with Partner Institutions):
We share relevant Personal Data with our downstream financial partner (Zenus Bank) and use
it internally to facilitate the financial products you access through Swiit. For example, to
help you open a bank account or utilize banking services, we use your Identification,
Contact, and Financial Information to fill in account application forms, conduct required
screenings, and then securely transmit that information to
Zenus Bank which will finalize the account onboarding and regulatory
checks. We also assist Zenus in ongoing account maintenance by relaying any updated
information you provide. As another example, if you initiate a funds transfer or payment
through the app, we will use and share necessary details (such as your account number, the
recipient's details, and payment amount) with payment networks or service providers to
execute the transaction. These activities are a core part of our
contractual service to you (enabling you to use the requested financial
service), and they are also performed to comply with legal requirements
in the banking/financial industry (since both we and our partners must follow regulations
related to payments, KYC, record-keeping, etc.).
- Improving and Developing Our Services:
We analyze usage data, device information, and feedback to understand how our Services are
performing and where improvements are needed. For instance, we may use analytics data (from
cookies and app logs) to identify usability issues in the app interface, to diagnose crashes
or bugs, and to assess which features are most popular or useful to users. We may also
aggregate and anonymize Personal Data to generate insights that help us develop new features
or products (for example, analyzing general user trends or financial product usage without
identifying any individual user). It is in our legitimate interests to
continually improve our offerings, enhance user experience, and innovate our financial
technology solutions. When required by law (for example, if analytics cookies require
consent), we will obtain your consent before collecting data for these
purposes. We ensure that any analytics or research use of data is done in a
privacy-protective manner (using de-identified data wherever feasible).
- Marketing and Personalization:
With your permission, we may use certain Personal Data to send you promotional
communications about new products, features, or special offers from Swiit that might
interest you. This may include using your email address to send newsletters or referral
program invitations, or using your usage patterns to tailor the marketing content you see
(for example, showing you features in the app that you haven't tried yet but may find
useful). We may also utilize cookies or third-party advertising partners to present you with
relevant ads on our or others' websites about Swiit services. We rely on
consent for sending marketing emails or texts where required by law (and
you can withdraw that consent at any time). In other contexts, marketing to our existing
users about similar services may be considered within our
legitimate interests, but we will always honor opt-out requests. We do not
sell your Personal Data to third-party advertisers, and any targeted
advertising uses cookies or similar identifiers without sharing your identifiable
information externally. Where law requires an opt-in (for example, for third-party ad
cookies), we will obtain it first.
- Legal Compliance and Risk Management:
We process Personal Data as needed to comply with our legal and regulatory obligations, and
to manage legal or regulatory risks. This includes using and retaining records of your
identity and transactions to meet financial regulatory requirements (such as record-keeping
rules, responding to lawful requests from government authorities, filing mandatory reports
like suspicious activity reports, or satisfying audits by regulators). We may also process
data to enforce our terms of service or other agreements, to investigate or take action
against fraudulent or illegal activities (e.g. account takeovers or money laundering
attempts), and to resolve disputes or defend our legal rights. If necessary, we will use
Personal Data to cooperate with law enforcement, courts, or regulators in accordance with
applicable law (for example, providing information in response to a valid subpoena). These
activities are primarily driven by legal obligations to which we are
subject. In situations where no specific legal obligation applies, we may rely on our
legitimate interests in protecting our rights, preventing harm, and
ensuring regulatory compliance across our operations.
- Other Purposes (with Notice to You):
If we intend to use your Personal Data for any purpose that is materially different from the
purposes listed in this Policy, we will provide you with additional notice and, if required,
request your consent. We will not use your Personal Data for any wholly new, unrelated
purposes without informing you and obtaining a lawful basis to do so.
Lawful Bases Summary:
Depending on your jurisdiction, the concept of "lawful basis" for processing may or may not
apply in the same way. We have outlined above the common bases such as Consent,
Contractual necessity, Legal Obligation, Legitimate Interests, and Public Interest. In all
cases, we ensure that we have a permissible
ground under relevant law to handle your Personal Data. If at any time you have questions
about the legal basis for a particular processing activity, you may contact us for more
information (see the "Contact Us" section below).
5. Disclosure of Personal Data to Third Parties
We treat your personal data with care and confidentiality. We will
never sell or rent your personal information to third parties. However, in
order to run the Swiit service and comply with our legal and contractual obligations, we do
need to share your data with certain trusted parties. We disclose personal
data only to the extent necessary and with safeguards in place. The key categories of parties
with whom we share data are:
- Affiliate and Subsidiary Companies:
If Swiit is part of a corporate group or has affiliates/subsidiaries, we may share Personal
Data within our controlled group of companies. This would be done for internal
administrative purposes, to support provisioning of the Services, or for centralized
functions such as data storage, IT support, or analytics. All Swiit group entities receiving
your data will comply with this Policy and are bound by appropriate confidentiality and data
protection obligations.
- Service Providers and Vendors:
We employ third-party companies and individuals to perform functions on our behalf that
involve processing personal data. These
service providers act under our instructions and include, for example:
  - Cloud Infrastructure and Storage Providers:
We host our platforms and store data on secure cloud servers provided by reputable
third-party infrastructure companies. Your Personal Data may thus be stored and processed
on systems maintained by these providers (for example, in data centers located in the
United States or other regions). Our cloud providers are contractually obligated to
protect your information with robust security measures and to process it only for our
purposes.
  - Identity Verification Services:
We use external biometric verification providers and document validation services to help
confirm your identity during onboarding. This means your identification documents and
facial biometric data may be securely transmitted to such a provider for analysis and
verification. The provider returns an identity confirmation or fraud detection result to
us. These partners are given only the data necessary for the verification process and are
prohibited from using it for any other purpose.
  - Compliance and Screening Partners:
As part of our legal compliance, we share your details (like name, date of birth, and
other identifiers) with third-party compliance databases or screening services that check
against sanction lists, PEP lists, criminal records, or other watchlists. The information
exchanged is used to obtain risk and compliance results (e.g., confirming you are not on a
prohibited list). Our screening partners process your data solely to provide us with
compliance reports and are bound by confidentiality.
  - Payment and Transaction Processors:
If we facilitate payments, transfers, or card transactions, we will share necessary
information with banks, payment networks, card issuers, and payment processing companies
to complete those transactions. For example, if you transfer funds, we send the receiving
bank your name, account number, and transfer amount. These third parties are typically
directly regulated (e.g., banks) or are service providers under contract with us.
  - Analytics and Technical Tools:
We may share certain online identifiers or device data with analytics platforms or error
tracking services to help us debug and improve our app. For instance, we might use a
service that collects crash reports or usage metrics. These providers may set their own
cookies or similar technologies on our site (with your consent where applicable) to
collect information on our behalf. Data shared is usually pseudonymized or aggregated. We
ensure no personally identifying details are sold or shared for independent use by these
vendors.
  - Communications Providers:
To send you SMS messages, emails, or app notifications (for login verification, alerts, or
support communications), we use third-party communication platforms. We share your contact
details and the content of the message as needed to utilize their service. These providers
are authorized to use your info only to send out our communications to you.
  - Other Business Support Vendors:
We may also use vendors for services such as cloud backups, cybersecurity monitoring,
marketing email distribution, document management, or customer relationship management. In
all cases, these vendors will have access to Personal Data
only as needed to perform their functions for us, and they are bound by
data protection agreements.
- Banking and Financial Partners:
As noted, we partner with Zenus Bank (and potentially other financial
institutions) to offer certain financial services through our platform. We will share your
Personal Data with Zenus Bank to the extent necessary for them to provide you with banking
products (for example, to create and service your bank account, perform compliance checks,
monitor transactions for fraud, etc.). Zenus Bank, as an independent regulated financial
institution, will process your data in accordance with its own privacy obligations and the
law. We have agreements in place with Zenus to ensure appropriate protection of your data
and to restrict its use to the intended purposes. Similarly, if we collaborate with other
financial partners or fintech firms (for instance, to offer co-branded services or
facilitate cross-border payments), we will share data with them under strict requirements of
confidentiality and only as needed for the joint service.
- Third-Party Integrations at Your Request:
If you choose to integrate or share data from your Swiit account with third-party services,
we will transfer information as directed by you. For example, if you use a feature to export
data to an accounting software or if you initiate a connection to another financial app, we
will send the relevant information to that third party with your consent. Likewise, if you
participate in a referral program that involves sending some of your information (like your
referral code or name) to a person you refer, we will do so at your direction. Any data you
explicitly instruct us to share with a third party falls under this category. Please note
that once data is transferred at your request, the third party's handling of your data will
be governed by their own privacy policy.
- Business Transfers:
In the event that Swiit undergoes a business transaction such as a merger, acquisition by
another company, reorganization, or sale of all or part of its assets, Personal Data may be
transferred to the successor or acquiring entity as part of the transaction. We will ensure
that any such entity is bound to respect your Personal Data in a manner consistent with this
Policy. If a transfer would result in a materially different use of your Personal Data not
covered by this Policy, you will be notified and, if required by law, given an opportunity
to consent or opt-out.
- Legal and Regulatory Disclosures:
We may disclose Personal Data to third parties when required or permitted by law, such as:
  - Government Authorities and Law Enforcement:
If we receive a legally binding request (such as a subpoena, court order, or law
enforcement demand) for disclosure of data, or if we are required to report certain
activities (like suspicious transactions) to regulators, we will comply to the extent the
law compels or allows us. We will only provide the information specifically required and
will object to overly broad requests when appropriate. In some cases, law enforcement or
regulators may request information without informing you, due to legal restrictions.
-
Exercise of Legal Rights:
We may share data as needed to establish, exercise, or defend against legal claims. For
example, if we are involved in litigation or a regulatory investigation, relevant data may
be disclosed to our attorneys, advisors, courts, or opposing parties under legal
processes.
-
Protection of Rights and Safety:
If we believe disclosure is necessary or appropriate to prevent physical harm or financial
loss, or in connection with an investigation of suspected or actual illegal activity, we
may share Personal Data with the appropriate authorities or organizations. This can
include exchanging information with other companies and organizations for fraud protection
and credit risk reduction, in accordance with applicable data protection laws.
In all cases of third-party disclosure, we strive to share
only the minimum necessary information to fulfill the purpose. We also ensure
that any third parties handling Personal Data on our behalf (i.e., our processors) are
contractually obligated to implement adequate privacy and security measures to safeguard your
data. Aside from the scenarios above, we will not disclose your Personal Data to any
unauthorized third party without your consent.
6. Data Subject Rights and Choices
You have certain rights and choices regarding your Personal Data under applicable privacy
laws. Swiit is committed to respecting and facilitating your rights. The availability of
specific rights may vary depending on your jurisdiction. In general, subject to legal
conditions and exceptions, you have the following rights:
-
Right to Access:
You have the right to request a copy of the personal data we hold about you and to obtain
information about how it is processed. This is sometimes called a "Data Subject Access
Request." Upon verification of your identity, we will provide you with a summary of your
personal data in our systems, typically within 30 days or the timeframe required by law.
This will include the categories of data, purposes of processing, and any parties with whom
it's shared. (Note: For security, we will not provide data that contains sensitive
information about others or proprietary business information, but we will provide as much of
your data as possible.) There is no fee for the first request, but a reasonable fee may be
charged for repetitive or excessive requests as permitted by law.
-
Right to Correction (Rectification):
If any of your Personal Data that we maintain is inaccurate or incomplete, you have the
right to request that we correct or update it. This ensures that we are using accurate
information about you. For example, if you change your phone number or notice an error in
your profile data, you can ask us to rectify it. Where feasible, we will also inform any
third parties who received the incorrect data so they can update their records. In some
cases, you can directly make edits to certain profile fields via our app; otherwise, you can
contact us to make the correction.
-
Right to Deletion:
You have the right to request that we delete your Personal Data that we have collected from
you. If you request deletion, we will erase or anonymize your Personal Data from our
records, and instruct our service providers to do the same, to the extent required by law.
Important: This right is not absolute – we may retain personal information if an exception
applies. For instance, we may keep certain data to comply with legal obligations (such as
record-keeping regulations for financial transactions or KYC information that must be
retained for a minimum period), to resolve disputes, or to exercise or defend legal claims.
If we must retain some data for these reasons, we will inform you of that in response to
your request.
-
Right to Withdraw Consent:
In situations where we rely on your consent to process your Personal Data (such as for
marketing emails or processing sensitive biometric data), you have the right to withdraw
that consent at any time. Withdrawal of consent will not affect the lawfulness of any
processing done prior to such withdrawal, but it will stop the relevant processing going
forward. For example, you can opt out of marketing communications by clicking the
"unsubscribe" link in our emails or adjusting your app settings – once opted out, we will
stop sending you promotional messages. For biometric data, if you withdraw consent, we will
cease any future collection or use of that data for identity verification, though we may
still need to retain existing biometric records for compliance audits if required by law (we
will securely protect and eventually delete them according to legal retention rules).
-
Right to Object or Opt-Out:
You have the right to object to certain types of processing or to opt out of certain data
uses.
-
Direct Marketing Opt-Out:
You can always opt out of our direct marketing communications as described above. Once you
do, we will no longer use your contact information for non-essential emails or texts.
-
Targeted Advertising and Sale of Data:
Swiit does not sell personal data for monetary consideration. We also do not engage in
targeted advertising using your data in a manner that qualifies as a "sale" or "sharing"
under applicable laws. If in the future we ever considered doing so, we would provide a clear opt-out
mechanism. As of the effective date of this Policy, there is nothing you need to opt out
of in terms of sale or sharing – we simply do not do it. If you have any concerns, you may
contact us to confirm.
-
Right to Object to Legitimate Interests Processing:
If you are in a jurisdiction (such as the EU, under GDPR) that provides a right to object
to processing based on legitimate interests, you may object to our processing of your data
for those purposes. Although GDPR may not directly apply to our operations, we will honor
reasonable objections for residents of jurisdictions with similar rights. For example, if
you object to us processing your data for analytics under a legitimate interest basis, we
will review your request, and unless we have a compelling legitimate ground to continue,
we will cease the processing or offer you an opt-out.
-
Right to Restrict Processing:
In certain situations (for instance, if you contest the accuracy of your data or have
objected to processing pending verification), you can request that we restrict processing
of your data (meaning we only store it and do not actively use it) until the issue is
resolved. This right may be available under GDPR-like regimes. We will accommodate
restriction requests as required.
-
Right to Data Portability:
You have the right to obtain a copy of certain Personal Data in a portable and, if
technically feasible, readily usable format that allows you to transmit the data to another
entity. Specifically, for data that you provided to us and that we process by automated
means on the basis of your consent or to perform a contract (e.g. your account information,
transaction history), you can request an electronic copy. Where applicable, we can transmit
this data directly to another service provider at your direction, if it is technically
feasible. This right is intended to give you greater control over your information across
different services.
-
Right to Non-Discrimination / No Retaliation:
We will not discriminate against you or refuse to provide our Services to you just because
you exercised any of your privacy rights. For instance, unless permitted by law, we won't
deny you service, charge you a different price, or provide a lesser quality of service as a
consequence of you making a data rights request. (Do note that deletion of certain data may
affect our ability to provide certain features if that data was necessary for them, but we
will inform you if that is the case so you can make an informed decision.)
How to Exercise Your Rights:
Most rights can be exercised by sending us a request at our contact point (see the Contact Us
section). To protect your security, we will need to verify your identity (for example, by
confirming ownership of your email or phone, or asking for certain identifying info) before
fulfilling a request. We will respond as soon as possible, generally within 30 days or the
timeframe required by law. If we need more time or cannot comply with a request, we will
explain the reasons. For instance, if you request extensive data under the access right, we might
ask for a bit more time; if you request deletion of data we must keep, we will explain the
legal obligation. We do not discriminate against users for exercising their privacy rights –
the services and pricing you receive will remain the same.
Keep in mind that some of your information might be controlled by you directly – for example,
you may delete or modify content you posted within the app, or change your settings – without
needing to contact us. We encourage you to make use of those options as well.
7. International Transfers of Personal Data
Swiit is a global service and, as such, your Personal Data may be transferred to and stored in
multiple countries. We understand that cross-border data transfers must be done in compliance
with applicable data export and privacy regulations. This section outlines how we handle
international transfers and the safeguards we implement to protect your Personal Data when it
moves outside of its country of origin.
Global Operations & Data Locations:
The personal data we collect from you may be processed outside of your home jurisdiction,
including in countries that may not provide the same level of data protection as the laws in
your country. In particular, Swiit's primary operations (including servers and support
infrastructure) may be located in the United States and other locations. For example, if you
are in Singapore or another country, your data will likely be transferred to our cloud servers
in the U.S. (or other regions where our service providers maintain facilities) for processing.
Additionally, as part of providing financial services, your data will be shared with Zenus
Bank in the United States. This means Personal Data initially collected in your country will
cross international borders in order to be used and stored by Zenus and by our systems.
Equivalent Protection:
Regardless of where we process data, we apply consistent privacy safeguards. If Personal Data
is transferred to a country with data protection standards different from those in your
jurisdiction, we will take appropriate measures to ensure an equivalent level of protection
for that data. For instance, we treat all Personal Data in line with the principles of this
Policy and applicable law, no matter where it resides. Our employees and contractors across
all locations are trained on confidentiality and data protection requirements.
Safeguards for EU/UK Personal Data:
If we ever collect personal data directly from individuals in the European Economic Area
("EEA"), United Kingdom, or other regions with cross-border transfer restrictions, we will
ensure that such data is transferred in compliance with those jurisdictions' requirements.
Typically, this means that if we send EEA or UK personal data to a country not deemed
"adequate" by the European Commission (such as the U.S.), we will rely on approved transfer
mechanisms. The most common mechanism we use is the Standard Contractual Clauses (SCCs)
adopted by the European Commission (and the UK International Data Transfer Addendum, as
needed). These are contractual commitments between data transferors and transferees that
obligate us and the recipient to protect the personal data to EU GDPR standards. We may also
rely on other safeguards or derogations where appropriate, such as the necessity of transfer
for performance of a contract with you, or obtaining your explicit consent for the transfer,
in each case in accordance with EU/UK law. If you have questions about cross-border data
transfers pertaining to the EU/UK, you can contact us for more information.
Transfers from Singapore:
For personal data collected in Singapore, we will abide by the PDPA's requirements for
overseas transfers. This means that before transferring Singapore data out of Singapore, we
will take reasonable steps to ensure the receiving organization is bound by legally
enforceable obligations (such as contract terms or binding corporate rules) to provide a
standard of protection to the data that is comparable to the protection under the PDPA. In
practice, this often involves incorporating contractual clauses with foreign recipients that
stipulate PDPA-level protections or ensuring the recipient country has an appropriate adequacy
recognition (if applicable). By engaging with our Services, you understand that your data may
be transferred overseas, but we will protect it as described.
Enhanced Regulatory Requirements in Certain Jurisdictions:
We acknowledge that certain jurisdictions have enhanced regulatory requirements regarding
international personal data transfer. In some countries, local laws or regulations may mandate
specific procedures, certifications, or government approvals before personal data can be sent
abroad. For example, some jurisdictions require a form of transfer risk assessment,
registration with authorities, or even obtaining special export permits for personal data.
Swiit is committed to complying with all such local rules requiring heightened export
safeguards. If your personal data is subject to a jurisdiction that imposes additional
controls on cross-border transfers, we will ensure those conditions are met prior to
transferring your data. This could involve conducting and documenting a transfer impact
assessment, implementing additional encryption or de-identification measures for data in
transit, or processing certain data within a restricted environment when legally required to
do so. We will do what is necessary to lawfully transfer data while preserving its privacy and
security.
Your Consent to International Transfer:
By using our Services and providing us with your information, you acknowledge and consent that
your Personal Data may be transferred across international borders, including to countries
outside your country of residence. We will only do so in accordance with this Policy and for
the purposes outlined. If applicable laws require your explicit consent for a particular
cross-border transfer, we will obtain that consent at the appropriate time (for instance,
during account registration or when you initiate a transaction that involves overseas data
processing).
Note on Partner Bank Transfers:
When you instruct us to facilitate an account or transaction with Zenus Bank (or another
financial partner in a different country), that action inherently involves transferring your
data to that jurisdiction to fulfill your request. Such transfers are a necessary part of the
service you have chosen, and we ensure that any partner receiving your data has committed to
protecting it. Zenus Bank, for example, is subject to U.S. federal and state banking privacy
laws which provide safeguards for your information. Additionally, our agreement with Zenus
contractually obligates them to treat your personal data in line with strict confidentiality
and security standards.
In summary, we take the security and legality of international data transfers seriously. We
have implemented measures like contractual safeguards, internal policies, and technical
protections (encryption, access controls, etc.) to secure your data when it travels abroad. If
you have questions about the countries to which your data has been transferred or the
safeguards in place, you may contact us as described in the Contact section. We will do our
best to provide you with additional information, taking into account both transparency and our
own security obligations.
8. Data Security and Retention
Data Security
Swiit employs a comprehensive information security program to safeguard your Personal Data
against loss, misuse, unauthorized access, disclosure, alteration, or destruction. We
implement industry-standard technical and organizational measures appropriate to the
sensitivity of the data. These measures include, but are not limited to:
-
Encryption:
All communications between your app (or browser) and our servers are encrypted using modern
TLS (HTTPS) protocols. This protects your data in transit from eavesdropping or tampering.
Additionally, we encrypt personal data at rest in our databases and storage systems. We use
strong encryption algorithms (such as AES-256) to ensure that if someone were to obtain the
raw storage, they still could not read your data without the decryption keys. Sensitive
fields (like passwords and secret keys) are further hashed or encrypted at the application
level for extra protection.
-
Access Controls and Authentication:
Swiit implements strict access control mechanisms to limit who can access personal data. Under
the principle of least privilege, our employees and contractors are only given the minimum
access necessary for their role. For example, our support team can see your account info to
assist you, but they cannot view sensitive identity documents unless absolutely required and
approved by management. We maintain detailed logs of who accesses what data and regularly
review these logs for any anomalies. Access to production systems requires multi-factor
authentication and is restricted to authorized personnel. Where feasible, data is
pseudonymized so that even internally we minimize use of direct identifiers.
-
Network and Application Security:
We protect our systems with multiple layers of security. Our cloud environment is secured by
firewalls that block unauthorized connections. We employ an intrusion detection and
prevention system to monitor for suspicious activities or attacks on our network. Security
patches and updates are applied promptly to our servers and software to address
vulnerabilities. We also use secure coding practices in development: our engineering team
undergoes security training, and all code changes are peer-reviewed and tested. We guard
against common web and mobile app threats (such as SQL injection, XSS, CSRF) through
rigorous QA and automated scanning.
-
Vulnerability Management:
We conduct regular vulnerability scans and penetration tests on our infrastructure and
applications. This means we or third-party security experts proactively attempt to find
weaknesses so we can fix them before any bad actors exploit them. We also operate a bug
bounty or responsible disclosure program inviting security researchers to report any flaws
they discover, which we then rapidly address. Our systems are also periodically audited for
security compliance (for instance, by partners or regulators).
-
Monitoring and Logging:
Our systems produce logs of various activities (logins, data access, configuration changes,
etc.). We actively monitor these logs for unusual patterns that could indicate a security
incident. For example, if there were multiple failed login attempts on an admin account or
data being accessed in bulk unexpectedly, our security alarms would trigger. We also utilize
automated tools to detect and block malicious traffic (like DDoS attacks or bot abuse).
-
Disaster Recovery and Business Continuity:
We maintain regular backups of critical data (with sensitive data encrypted, as noted). Our
backups are stored in geographically separate secure locations to ensure redundancy. We
periodically test restoration procedures so that we can recover data in the event of data
loss or corruption. In case of a significant outage or disaster, we have a business
continuity plan that outlines how to restore operations quickly while protecting data. Our
infrastructure is built with high availability in mind – for instance, using multiple
servers and availability zones to avoid single points of failure.
-
Physical Security:
Although we are a cloud-based service (no customer data is stored on paper or in on-premise
servers that you need to worry about), our cloud providers like AWS have robust physical
security at their data centers (24/7 guard patrols, biometric access, CCTV, etc.). On our
side, any physical devices that might contain personal data (like an employee's laptop) are
encrypted and locked down. We do not print sensitive personal data, and any paper records
(if we ever create them) are stored securely and shredded when no longer needed.
-
Continuous Improvement:
Security threats evolve, and so do our defenses. We review and update our security measures
regularly in light of new risks and technologies. We may also obtain security certifications
or attestation reports (such as SOC 2, ISO 27001) to demonstrate our commitment to security
– if we do, we can provide those details on request or in our documentation. Internally, our
leadership and board (if applicable) place high importance on cybersecurity, ensuring it
gets appropriate resources and attention.
-
Data Breach Response:
Despite all precautions, no system is 100% immune to incidents. Swiit has a detailed
incident response plan to handle any data breaches or security incidents swiftly and
effectively. If we detect a data breach that affects personal data, we will contain and
investigate it immediately. We will also notify affected users and the relevant authorities
without undue delay, and within any legally required timeframes. For example, under GDPR we
would notify the supervisory authority within 72 hours if a breach is likely to result in a
risk to individuals, and we would also inform individuals directly if there's a high risk to
their rights (unless measures like encryption make the risk low). Our notifications would
include information about the breach and guidance on steps you may need to take to protect
yourself. We hope this never occurs, but we are prepared nonetheless.
While we strive to protect your Personal Data, it's important to note that no method of
transmission over the Internet or method of electronic storage is 100% secure. Therefore, we
cannot guarantee absolute security. You also play a role in keeping your data safe: we urge
you to maintain the confidentiality of your account credentials, use unique and strong
passwords, and notify us immediately if you suspect any unauthorized access to your account.
Data Retention:
We retain personal data only for as long as necessary to fulfill the purposes for which it was
collected, or to comply with legal or business requirements. Because Swiit is a financial
service subject to strict regulations, our retention periods may be influenced by laws such as
anti-money laundering regulations, tax laws, and other compliance rules. Below are some key
points about retention:
-
General Retention Period:
If you are an active customer, we will keep your personal data for the duration of your
usage of the Swiit services. This allows us to provide the service to you continuously. If
you decide to close your account or if your account becomes inactive, we will initiate the
data deletion process for data that is no longer needed, subject to the specific exceptions
below.
-
AML/KYC Data:
Many financial regulations mandate that we retain customer identification and transaction
records for a minimum period even after the end of the customer relationship. For example,
under U.S. BSA and international AML standards, we must keep identifying information and
transaction history for at least 5 years after an account is closed or after a transaction
is conducted. Likewise, the EU's 5th Anti-Money Laundering Directive and Singapore's MAS
Notice on Prevention of Money Laundering set 5-year minimum retention for KYC records.
Therefore, even if you delete the app or close your Swiit account, we will archive your
identity verification details and transaction logs for five (5) years (or longer if required
by local law) from the date of closure. This data will be securely stored and isolated, used
only if needed for compliance (e.g., if requested by regulators or for audit purposes).
After the mandatory period, we will securely erase or anonymize that data.
-
Transaction Records:
Apart from legal minimums, we may retain certain financial transaction records for our own
accounting and dispute resolution purposes. For instance, if you made a transaction that
could later be disputed (say a transfer or payment), we might keep those logs for a time in
case of chargebacks, complaints, or reconciliation needs. Typically, this aligns with the
5-year rule, but some specific data (like audit logs) might be kept slightly longer if
necessary to demonstrate compliance or to resolve issues.
-
Communications:
If you've corresponded with us (customer support inquiries, emails), we may retain those
communications for a period to ensure we have a history of your service requests and how we
handled them. This can be useful for improving service and for any future queries. These are
generally kept for a shorter period (maybe 1-2 years) unless they contain information
pertinent to compliance (e.g., if you sent documents via support, those might fall under KYC
retention rules).
-
Analytics Data:
Aggregated or anonymized analytics data (which no longer identifies you) may be retained
longer for statistical purposes, since it doesn't impact your privacy anymore. If analytics
data is tied to your profile, we either delete it or de-identify it when it's no longer
needed.
-
Pending Requests or Disputes:
If you have an unresolved issue with Swiit (for example, an open support ticket, a dispute,
or a legal claim), we will retain the data relevant to that issue until it is resolved, even
if that extends beyond the normal retention period. We do this to ensure we have the
necessary information to address the problem. Similarly, if required by a government order
or litigation hold, we may retain data until we are cleared to delete it.
-
Account Deletion:
When you request account deletion (or we terminate your account), we will remove or
anonymize personal data that is not subject to a specific retention requirement. This
typically means your profile information, device tokens, etc., are deleted from our live
systems. However, as explained, certain records will be archived for the required period. We
also maintain backups of our database for disaster recovery – those backups are securely
stored and rotated. It's possible that your data could linger in encrypted backups for a
short time even after deletion from live systems, but our backup retention is time-limited
and old backups are purged, so eventually that data will also be rendered unrecoverable. We
do not use backup data for any active purpose and access to it is highly restricted.
In plain terms, we aim not to keep personal data longer than we absolutely need to. When data
is no longer needed, we dispose of it in a secure manner. "Secure" means that if in physical
form (paper), it's shredded/incinerated, and if electronic, it's permanently erased (or
thoroughly anonymized such that it cannot be linked back to an individual). We also
periodically review the data we hold and delete or anonymize records that are no longer
necessary.
If you have specific questions about how long a certain type of data is retained, or if you
want us to delete something sooner (and believe there's no legal need for us to keep it),
please contact us – we will address requests on a case-by-case basis.
9. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect
personal information from children. Users must be at least 18 years old (or the age of
majority in your jurisdiction) to create an account with Swiit and use our financial services.
If you are a parent or guardian and believe that your child under 18 may have provided
personal data to us, please contact us immediately. We will take steps to promptly delete the
information and terminate the child's account if we discover personal data from a minor. We
also do not knowingly "sell" or "share" the personal information of minors under any
definitions in applicable law.
In jurisdictions where a higher age threshold applies (for example, under 21 for certain
financial activities), we will abide by those requirements. We reserve the right to ask for
proof of age if we suspect a user is underage.
10. Governing Law
This Privacy Policy, and any disputes or claims arising out of or in connection with it
(including non-contractual disputes or claims), are governed by the laws of the State of
Colorado, USA, as the primary jurisdiction of Sweet Intelligence Inc. By using our services,
you agree that any issues regarding personal data or privacy will be resolved under Colorado
law.
However, if you are located in a jurisdiction with mandatory data protection laws, those laws
(such as GDPR in the EU, PDPA in Singapore, PIPL in China, etc.) will still apply to our
handling of your personal data regardless of Colorado law for other aspects. Governing law in
this context mainly affects interpretation of this Policy and any legal proceedings. We chose
Colorado law for consistency, but we also comply with applicable local privacy laws as
described throughout this Policy.
In the event of a dispute, we hope to resolve it amicably. But if it proceeds to formal
resolution, unless prohibited by law, the courts of Colorado would have jurisdiction. (If you
are an EU resident, you retain the right to seek action in your home country under GDPR;
nothing in this section is meant to limit rights granted under local law.)
11. Contact Us
We welcome any questions, concerns, or requests you may have about this Policy or about how we
handle your Personal Data. Our Compliance Officer (CO) is responsible for overseeing Swiit's
data protection strategy and compliance. You may reach out to our CO as follows:
-
By Email:
You can email zoe@swiit.ai for any privacy or data protection inquiries. Please include
"Privacy Inquiry" in the subject line and provide detail on your question or request, along
with your contact information. This email can be used for exercising your data subject
rights (as described in Section 5) or for asking any questions about your Personal Data in
our custody.
-
By Mail:
If you prefer to contact us by postal mail, you may send correspondence to:
Attn: Compliance Officer – Sweet Intelligence Inc.
1312 17th St, Unit #2955
Denver, Colorado 80202, USA
We will endeavor to respond to your inquiries promptly – generally within a few business days
for simple queries, and within the applicable statutory timeframe for formal requests. If you
are contacting us to exercise a specific legal right, please clearly state the right you wish
to exercise and the scope of the request (for example, "I am requesting access to my personal
data."). This will help us process your request more efficiently.
Language:
This Policy is provided in English. If we provide translations in other languages, the English
version will control in case of any discrepancies, as this is our official version.
12. Changes to this Policy
We may update this Data Privacy Policy from time to time to reflect changes in law, changes in
our business or Services, or for other operational reasons. When we make changes, we will
revise the "Last Updated" date at the top of the Policy and post the updated Policy through
our app and website. If the changes are significant, we will provide a more prominent notice
(such as an email notification or in-app alert) to inform you of the update.
We encourage you to review this Policy periodically to stay informed about how we are
protecting your Personal Data. Your continued use of the Swiit Services after any changes to
this Policy will be deemed acceptance of those changes, unless applicable law requires
explicit consent. If required by law, we will seek your affirmative consent to material
changes that impact how we handle previously collected Personal Data.
Last Updated: December 18, 2025.
By using Swiit's Services, you agree to this Policy. Thank you for entrusting Swiit with your
personal data – we are committed to keeping that trust through our robust privacy and security
practices. If you have any questions or feedback regarding this Policy, please do not hesitate
to contact us. Your privacy is important to us, and we will do our utmost to address any
concerns you have.