Rays Card

Privacy Policy

Effective date: April 25, 2026

This Privacy Policy explains how RAYS CAPITAL PTE. LTD. (UEN [insert UEN], registered in Singapore; "we", "our", "us") collects, uses, discloses, and protects personal data when you use the RAYS CARD mobile application, websites, and related services (collectively, the "Services").

We process personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA). By using the Services, you consent to the practices described in this Policy.

1. Information We Collect

1.1 Information you provide

  • Account information: name, email address, mobile number, password.
  • KYC / identity verification: government-issued ID, date of birth, nationality, residential and billing address, photographs / selfies, proof of address.
  • Payment information: card details (processed securely by our payment processors; we do not store full card numbers), transaction amounts and history, wallet balance, recipient information.
  • Customer support information: messages, attachments, and other content you share when contacting support.

1.2 Information collected automatically

  • Device data: device model, operating system, language, time zone, unique device identifiers, IP address, mobile network information.
  • Usage data: pages and features accessed, in-app actions, session duration, crash and performance logs.
  • Push notification tokens: required to deliver transaction alerts and security notifications.
  • Cookies and similar technologies on our websites for authentication, security, and analytics.

2. How We Use Personal Data

  • To create and manage your account and verify your identity (KYC/AML).
  • To process card issuance, payments, deposits, withdrawals, and other transactions you authorize.
  • To prevent fraud, money laundering, and other unlawful or prohibited activity.
  • To send transactional notifications, security alerts, and important service updates.
  • To provide customer support and respond to enquiries.
  • To improve, debug, and secure the Services (including crash reporting and performance analytics).
  • To comply with legal, regulatory, and tax obligations.

3. How We Share Personal Data

We share personal data only when necessary, and only with the recipients below.

3.1 Service providers

We engage third-party processors who handle personal data on our behalf under contractual obligations of confidentiality and data protection. Key processors include:

  • MatchMove Pay Pte. Ltd. — our card-issuing and wallet infrastructure partner. Account, KYC, and transaction data are shared with MatchMove for the purpose of providing the underlying wallet and card services.
  • Stripe, Inc. — credit and debit card processing for card purchases and top-ups. Card details are submitted directly to Stripe and are not stored on our servers.
  • BoomFi — cryptocurrency payment processing for crypto-funded card purchases (USDT, USDC, ETH, Polygon, BSC). You will be redirected to BoomFi's hosted checkout, which is governed by BoomFi's privacy policy.
  • Freshworks Inc. (Freshchat) — in-app customer support chat. The content of your support conversations is stored by Freshworks.
  • Functional Software, Inc. (Sentry) — crash reporting and error monitoring. Receives device, user identifier, and stack-trace data when errors occur.
  • Expo (650 Industries, Inc.) — push notification delivery via the Expo Push Notification Service. Receives push tokens and the contents of notifications we send to you.
  • Apple, Inc. and Google LLC — Apple Push Notification service / Firebase Cloud Messaging for delivery of push notifications to your device.
  • Identity verification and credit-bureau partners — to perform KYC and sanctions screening.
  • Cloud infrastructure providers — Amazon Web Services and Vercel Inc., for hosting and content delivery.

3.2 Legal and regulatory disclosure

We may disclose personal data when required by law, valid court order, or request from a competent authority (including the Monetary Authority of Singapore and tax authorities), or when necessary to investigate fraud, protect our rights, or protect the safety of users.

3.3 Business transfers

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to the protections of this Policy.

3.4 With your consent

We may share personal data with other parties if you give us explicit consent.

4. International Data Transfers

Personal data may be processed and stored outside of Singapore, including in jurisdictions where our service providers operate (such as the United States and the European Union). When transferring personal data outside Singapore, we take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA, in line with PDPA Section 26.

5. Data Retention

We retain personal data for as long as your account is active and for the period required to comply with our legal, regulatory, accounting, tax, and audit obligations. Where retention is required by law (for example, anti-money-laundering record-keeping), we retain the relevant records for the legally required period (typically up to seven years after the end of the customer relationship). After this period, personal data is deleted or irreversibly anonymized.

6. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or outdated personal data;
  • Withdraw consent for the processing of your personal data, where consent is the basis for processing;
  • Request deletion of your account and associated personal data, subject to legal retention requirements;
  • Lodge a complaint with the Personal Data Protection Commission (Singapore) if you believe your rights have been infringed.

You can exercise most of these rights directly inside the app (under Settings → Profile and Settings → Close Account) or by contacting us (see Section 11).

7. Security

We implement industry-standard administrative, technical, and physical safeguards to protect personal data, including encryption in transit (TLS) and at rest, secure credential storage on device (Keychain on iOS, Keystore on Android), strong access controls, and regular security reviews. No method of transmission or storage is 100% secure; you are responsible for keeping your account credentials confidential.

8. App Tracking Transparency

The RAYS CARD iOS app does not request permission to track you across apps and websites owned by other companies, and we do not use the iOS Identifier for Advertisers (IDFA). The data we collect is used solely for the purposes described in this Policy and is not shared for cross-app advertising.

9. Children's Privacy

The Services are intended for users 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from a person under 18, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available at https://rayscard.com/en/privacy. If the changes are material, we will notify you in advance through the app, by email, or by another reasonable means.

11. Contact Us

For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal data, please contact us: