Privacy Policy
Zhahab Pte Ltd · Effective: 27 April 2026 · Last Updated: 12 May 2026 · Version 1.3
This Privacy Policy explains how Zhahab Pte Ltd collects, uses, and protects personal data submitted through our waitlist and platform. It is written in plain English, in compliance with Singapore's Personal Data Protection Act 2012 (PDPA).
Who We Are
Zhahab Pte Ltd is a Singapore-incorporated fintech company building a precious metal micro-rewards payment platform. Our designated Data Protection Officer (DPO) can be reached at dpo@zhahab.com or support@zhahab.com.
NRIC/FIN numbers collected during KYC are used solely for identity verification and AML compliance. They are not used as authentication credentials, in accordance with the PDPC advisory of February 2026.
What Data We Collect
Waitlist registration (current phase):
- Email address — submitted voluntarily through our sign-up form
- Timestamp of submission
- Country/region (inferred from browser locale, not stored individually)
Upon platform launch (future):
- Full name, NRIC/FIN, date of birth — via SingPass MyInfo v5 or Stripe Identity for KYC
- Phone number — for OTP verification
- Transaction data — payment amounts, merchant details, gold gram allocations
- Device information and IP address — for fraud prevention and AML compliance
- Source of funds declaration — required under MAS AML/CFT guidelines
How We Use Your Data
- To add you to the Zhahab waitlist and send launch updates
- To notify you of your Early Adopter status (if eligible)
- To comply with PDPA, MAS AML/CFT requirements, and STRO reporting obligations
- To process transactions and calculate gold gram allocations (upon launch)
- To screen against OFAC and MAS sanctions watchlists via ComplyAdvantage
- To prevent fraud, money laundering, and account farming
We will never sell your data to third parties. We will never use your data for unrelated marketing without explicit consent.
Who We Share Data With
- Stripe Inc. — payment processing, identity verification (KYC via Stripe Identity), virtual card issuance, and PayNow processing (via Stripe Issuing)
- ComplyAdvantage — sanctions screening against OFAC, UN, MAS, and other watchlists
- NDI / MyInfo v5 — government identity verification via SingPass
- Alibaba Cloud (Singapore region) — cloud infrastructure; all data stored in Singapore
- Regulatory authorities — MAS, STRO, and law enforcement where required by Singapore law
How Long We Keep It
- Waitlist emails: Until you unsubscribe or complete platform registration
- KYC records: 5 years after your last transaction (MAS AML/CFT Notice)
- Transaction records: 5 years (MAS and IRAS guidelines)
- Audit logs: 5 years for regulatory compliance
Your Rights Under PDPA
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Withdrawal of consent: Withdraw consent at any time
- Deletion: Request deletion, subject to legal retention requirements
- Data portability: Request your data in a machine-readable format
- Opt-out of marketing: Unsubscribe at any time
To exercise any of these rights, email dpo@zhahab.com or support@zhahab.com. We will acknowledge your request within 3 business days and respond within 30 days in accordance with the PDPA. No fee applies. Please note that withdrawal of consent may affect our ability to continue providing certain services.
Security
- All data encrypted in transit (TLS 1.2+) and at rest
- JWT-based authentication with bcrypt password hashing
- Admin access protected by TOTP two-factor authentication (2FA)
- Device fingerprinting to detect account farming and suspicious access
- Independent CREST/CSRO-certified penetration testing (scheduled 2027)
- Hosted on Alibaba Cloud Singapore with WAF protection
In the event of a data breach, we will notify you and the PDPC within the timeframes required by the PDPA Notification of Data Breaches Obligation.
Cookies & Analytics
- No advertising cookies. We do not run ad networks or sell data to advertisers.
- Google Fonts: Fonts loaded from Google CDN — Google may log your IP. See Google's Privacy Policy.
- Form submissions: Email submissions go to our form processor and are stored securely. No tracking cookies are set.
Do Not Call (DNC) Registry
- Zhahab complies with the Do Not Call Registry provisions of the PDPA for all marketing communications sent to Singapore phone numbers.
- We will only send marketing SMS or voice communications to numbers not listed on the DNC Registry, or where you have provided clear, explicit consent.
- You may opt out of marketing communications at any time via your account settings or by emailing dpo@zhahab.com.
Children
Zhahab is not directed at persons under 18. We do not knowingly collect data from minors. Email support@zhahab.com if you believe a minor has submitted data and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy as our platform develops or as legal requirements change. We will update the "Last Updated" date above and notify you by email for material changes.
Unsatisfied with our response? Lodge a complaint with the PDPC at pdpc.gov.sg.