Privacy Policy

Introduction & Scope

The Herring Global group of entities (“Herring Global”, “we”, “our” or “us”) is committed to protecting the Personal Data of our clients, partners, Customers, and other individuals we interact with. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and otherwise process your Personal Data when you:

• visit our website at www.herringglobal.com;
• trade or engage in business with us through any means, including email or messaging platforms; or
• otherwise interact with us (collectively, the “Services” )

in accordance with Singapore’s Personal Data Protection Act (“PDPA”) . By accessing or using our Services, or otherwise providing us with your Personal Data, you confirm that you have read, understood, and voluntarily consent to the practices described herein. This Policy applies to all Personal Data in our possession or under our control, including that handled by third-party service providers we engage.

Definitions

• “Customer” means an individual who:
  1. has contacted us through any means to find out more about any Services we provide; or
  2. may, or has, entered into a contract with us for the supply of any Services.
• “Personal Data” means data, whether true or not, about an individual who can be identified from that data, or from that data plus other information to which we have (or are likely to have) access. This includes data you provide directly, data collected automatically when you interact with our Services, and data received from third parties.
• Other terms used in this Policy shall have the meanings given to them in the PDPA (where the context so permits).

Personal Data We Collect & Why

Depending on the nature of your interaction with us, we may collect the following categories of Personal Data:

• Identity & contact data: name, alias, date of birth, gender, nationality, residential address, email, telephone number, photograph
• Employment & financial data: employer, job title, transaction history, payment details
• Electronic interaction data: IP address, browser type, device identifiers, cookies, session logs
• Other data: as provided by you, your authorised representative, or third parties

We generally do not collect your Personal Data unless:

1. it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your Personal Data to us (your “authorised representative”) after:
   1. you (or your authorised representative) have been notified of the purposes for which the data is collected, and
   2. you (or your authorised representative) have provided consent (whether express or deemed) to the collection and usage of your Personal Data for those purposes, or
2. collection and use of Personal Data without consent is permitted or required by the PDPA or other laws.

We shall seek your consent before collecting any additional Personal Data and before using your Personal Data for a purpose which has not been notified to you (except where permitted or authorised by law).

We may use your Personal Data for any or all of the following purposes:

1. performing obligations in the course of or in connection with our provision of the Services requested by you;
2. verifying your identity;
3. responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;
4. managing your relationship with us;
5. processing payment or credit transactions;
6. complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;
7. any other purposes for which you have provided the information;
8. transmitting to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes; and
9. any other incidental business purposes related to or in connection with the above.

How We Share Your Personal Data

We may disclose your Personal Data:

1. where such disclosure is required for performing obligations in the course of or in connection with our provision of Services requested by you; or
2. to third-party service providers, agents, and other organisations engaged by us to carry out any of the purposes described in this Policy. These third parties (which may include cloud service providers, compliance consultants, and professional advisors) are contractually bound to protect your Personal Data and process it only in accordance with our instructions and applicable data protection laws.

The purposes described above may continue to apply even after your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter. This includes any period required for us to enforce our rights, comply with legal obligations, or retain records in accordance with our internal policies and regulatory requirements.

We do not sell your Personal Data or use it for unsolicited marketing or promotional purposes. We only use and disclose your Personal Data for purposes that you have been notified of, and in compliance with the Purpose Limitation obligation under Singapore’s PDPA and the guidelines issued by the Personal Data Protection Commission (“PDPC”).

Reliance on the Legitimate Interests Exception

In compliance with the PDPA, we may collect, use, or disclose your Personal Data without your consent where such collection, use, or disclosure is necessary for the legitimate interests of Herring Global or a third party. Before relying on this exception, Herring Global will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh those effects.

In line with the legitimate interests’ exception, we will collect, use or disclose your Personal Data for the following purposes:

1. Fraud detection and prevention;
2. Detection and prevention of misuse of Services;
3. Network analysis to prevent fraud and financial crime, and perform credit analysis;
4. Collection and use of Personal Data on company-issued devices to prevent data loss; and
5. Internal audit and compliance monitoring.

The purposes listed in the above clause may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.

Other Legal Grounds for Processing under the PDPA

We may also process your Personal Data without your consent when permitted by law, including:

• Public interest: Where necessary to protect the public interest, including matters relating to public health or safety.
• Legal proceedings: Where necessary to initiate, respond to, or participate in legal proceedings, including investigations, judicial processes, or security matters.
• Vital interests: Where necessary to protect your vital interests, such as in emergency situations where your life or safety is at risk.
• Performance of a contract: Where necessary to perform a contract to which you are a party, or to take steps at your request prior to entering into such a contract (e.g., account setup or onboarding for Services).
• Legal obligation: Where we are required to comply with a legal obligation that we are subject to (e.g., under financial crime, tax, or regulatory laws).

Withdrawing Consent

The consent that you provide for the collection, use and disclosure of your Personal Data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your Personal Data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we aim to process such requests within ten (10) business days.

Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may no longer be able to continue providing you with certain Services. We will notify you if this is the case before completing the withdrawal process.

If you subsequently wish to cancel your withdrawal of consent, you may do so in writing or via email to our Data Protection Officer.

Please note that withdrawing consent does not affect our right to continue to collect, use and disclose Personal Data where such collection, use and disclose without consent is permitted or required under applicable laws.

Access and Correction of Personal Data

You have the right to request access to your Personal Data in our possession or under our control, as well as information about how it has been used or disclosed in the past year. You also have the right to request correction or updating of your Personal Data if you believe it is inaccurate or incomplete. We generally rely on Personal Data provided by you (or your authorised representative) to ensure its accuracy and completeness.

If you wish to make:

1. an access request for access to a copy of the Personal Data which we hold about you or information about the ways in which we use or disclose your Personal Data, or
2. a correction request to correct or update any of your Personal Data which we hold about you,

you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.

Please note that a reasonable fee may be charged for processing an access request. If applicable, we will inform you of the fee before proceeding.

We will respond to your request as soon as reasonably possible. In general, you can expect a response within ten (10) business days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request.

If we are unable to provide access to the requested Personal Data or make a correction as requested, we will generally inform you of the reason, unless we are not required to do so under the PDPA.

Personal Data Processed by Affiliates

Certain Services offered through Herring Global may be supported by its Singapore-based affiliate, Herring Technology Services Pte. Ltd (“HTSPL”) which has been granted an exemption from holding a licence under the Payment Services Act 2019 ("PS Act") for the payment services that fall under the expanded scope of regulated activities.

As an exempt payment service provider, HTSPL remains subject to the anti-money laundering and countering the financing of terrorism (“AML/CFT”) requirements under MAS Notice PSN02, which governs the conduct of all entities carrying on a business of providing payment services under the PS Act, including those operating under an exemption.

Where Personal Data is collected and processed by HTSPL for the purposes of complying with its regulatory obligations under MAS Notice PSN02, the following applies:

1. HTSPL may collect, use, or disclose your Personal Data without your consent, strictly for the purposes of complying with its AML/CFT obligations.
2. Pursuant to paragraph 15 of MAS Notice PSN02:
   1. You may not have the right to access or correct certain Personal Data held by HTSPL;
   2. However, upon request, and where applicable, you may access or request correction of identity-related information (such as your full name, identification number, residential address, nationality, etc.), as permitted under the Notice and PDPA.

If you have questions about how your Personal Data is processed in connection with MAS-regulated services, please contact our Data Protection Officer.

Cookies & Tracking

Our website may use cookies to improve your browsing experience. Cookies are small data files stored on your device by your web browser for record-keeping purposes and, in some cases, to track usage information. You may configure your browser settings to refuse cookies or to alert you when cookies are being sent. However, please note that disabling cookies may affect the functionality or performance of certain features on our website.

Retention of Personal Data

We retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable laws.

We will cease retention of your Personal Data, or anonymise it, as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served, and retention is no longer necessary for legal or business purposes. For example, Know-Your-Customer (KYC) and Customer Due Diligence (CDD) records are retained for at least five (5) years following the termination of the business relationship, in accordance with applicable AML/CFT obligations.

Transfer of Personal Data outside of Singapore

Your Personal Data may be stored or processed on servers located outside of Singapore (e.g., via infrastructure provided by Google Cloud Platform, Amazon Web Services, or similar service providers). In such cases, we will ensure that any transfer of Personal Data complies with the requirements under the PDPA, and that the data remains protected by a standard of protection that is comparable to that under the PDPA.

Data Breach Notification

If we have credible grounds to believe that a data breach has occurred, we will promptly assess whether the breach is notifiable under the PDPA. If the breach is assessed to be a notifiable data breach, we will notify the PDPC and affected individuals as soon as is practicable.

If we share your Personal Data with third-party service providers, we require them to process it strictly in accordance with our instructions and applicable legal requirements, including those under the PDPA.

Protection of Personal Data

To safeguard your Personal Data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, we implement appropriate administrative, physical, and technical measures. These include:

1. Data minimisation principles
2. Authentication and access controls (e.g., strong password policies, need-to-know access)
3. Data encryption and anonymisation
4. Up-to-date antivirus software and regular system patching
5. Secure erasure of storage media before disposal
6. Web security tools and firewall protections
7. Use of One-Time Passwords (OTP), Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA)
8. Regular security reviews and penetration testing
9. Access to Personal Data is restricted to authorised employees and service providers who require it to perform their duties.

While we strive to maintain a high standard of data security, please note that no method of transmission over the Internet or method of electronic storage is entirely secure. Nonetheless, we are committed to continuously reviewing and enhancing our security measures to protect your Personal Data.

Contact Our Data Protection Officer

In accordance with the Accountability Obligation under Singapore’s PDPA, we have appointed a Data Protection Officer (DPO) and made their contact information publicly available. If you have any questions about this Privacy Policy or wish to exercise your rights under the PDPA (such as access, correction, or withdrawal of consent), you may contact our DPO at: dpo@herringglobal.com.

Governing Law

This Privacy Policy is governed by the laws of Singapore. Any dispute arising from or in connection with this Policy or our handling of your Personal Data shall be subject to the exclusive jurisdiction of the Singapore courts.

Effect of Policy and Changes to Policy

This Policy applies in conjunction with any other notices, contractual terms, or consent clauses that apply in relation to our collection, use, or disclosure of your Personal Data.

We may update this Policy from time to time without prior notice. You can determine if any revision has occurred by referring to the “Last Updated” date below. We encourage you to check this page regularly to stay informed of any changes. Your continued use of our Services constitutes your acknowledgment and acceptance of the revised Policy.