FAKT ImPex

LL18894 · Labuan IBFC

Legal · Global Data Protection

🌍 GLOBAL POLICY · APPLIES WORLDWIDE

Privacy Policy

FAKT ImPex Inc. is committed to protecting the personal and financial data of every user, regardless of where in the world you live. This policy applies globally and complies with international data protection frameworks including the EU GDPR, US CCPA, UK GDPR, and equivalent privacy laws across Asia, Africa, the Americas, and the Middle East.

Effective Date: 28 April 2026

Last Updated: 28 April 2026

Version: 2.0 (Global)

Reach: Worldwide

📑 Table of Contents

1. Who we are
2. Global scope
3. Information we collect
4. How we use your data
5. AI Safe-Spend processing
6. OCR & receipt scanning
7. Data sharing & dealers
8. Cross-border transfers
9. Data security
10. Your rights worldwide
11. Cookies & local storage
12. Children's privacy
13. Regional supplements
14. Policy changes
15. Contact us

01 Who we are

The FINC Ecosystem is operated by FAKT ImPex Inc. (Labuan Company Number LL18894), a company incorporated under the laws of Malaysia and licensed under the Labuan International Business and Financial Centre (Labuan IBFC).

For users in any country, FINC ImPex Inc. acts as the Data Controller of your personal information. Where required by local law, we may also appoint a Data Protection Officer (DPO) or local representative.

📍 Registered Office

FINC ImPex Inc., Labuan International Business and Financial Centre, Federal Territory of Labuan, Malaysia.

02 Global scope

This policy applies to all users of the FINC Ecosystem worldwide, including but not limited to users in:

🇪🇺

European Union

GDPR

🇬🇧

United Kingdom

UK GDPR · DPA 2018

🇺🇸

United States

CCPA · CPRA · State laws

🇨🇦

Canada

PIPEDA · Quebec Law 25

🇧🇷

Brazil

LGPD

🇲🇾

Malaysia

PDPA 2010

🇸🇬

Singapore

PDPA 2012

🇮🇳

India

DPDP Act 2023

🇨🇳

China

PIPL

🇯🇵

Japan

APPI

🇰🇷

South Korea

PIPA

🇦🇺

Australia

Privacy Act 1988

🇿🇦

South Africa

POPIA

🇳🇦

Namibia

Data Protection Act

🇳🇬

Nigeria

NDPA 2023

🇰🇪

Kenya

Data Protection Act

🇦🇪

UAE

PDPL

🇸🇦

Saudi Arabia

PDPL

🇮🇩

Indonesia

PDP Law

🇹🇭

Thailand

PDPA

🇵🇭

Philippines

DPA 2012

🇲🇽

Mexico

LFPDPPP

🇦🇷

Argentina

PDPL

🌐

Other Regions

Local laws applied

Where local laws provide stronger protections than this policy, those local protections will apply. Where local laws conflict with this policy, we apply the higher standard of protection.

03 Information we collect

We collect only what is necessary to deliver our services. The exact data collected depends on which features you use.

Category	Examples	Source
Identity	Username, full name, email, phone, password (hashed)	You — at registration
Family	Spouse name, children info (age, school, grade)	Optional — you
Employment & Income	Job status, employer, industry, all income streams	You — Profile Hub
Financial Position	Assets, liabilities, fixed commitments, debt minimums	You — Profile Hub
Transactions	Expense amounts, merchants, categories, dates	Manual entry / AI Scanner
Bank Connection	Account name, balance snapshots, recent transactions	Licensed open-banking partners
Receipt Images	Photos for OCR processing	You — Smart Scanner
Goals & Preferences	Savings goals, currency, language	You
Social & Trade Activity	Posts, comments, tips, deal connections	Generated by usage
Business / Trade Profile	Trade name, region, commodities, revenue range	You — Profile Hub
Technical & Device	IP address, browser type, device type, login times	Automatic

⚠️ What we do NOT collect

We do not collect: government-issued ID numbers (national ID, SSN, passport), bank account numbers, credit card details, biometric data, or precise GPS location data. Bank syncing uses tokenized read-only access through licensed partners — we never see your banking credentials.

04 How we use your data

We process your information for the following lawful purposes:

Service delivery — Creating your Ecosystem ID, displaying your dashboard, calculating your Safe-Spend Balance and Health Score.
AI personalization — Powering ECO AI, your FINC Ecosystem Coach.
Pre-approved offers — Matching your verified Liquidity Passport to relevant B2B deals on FINC Marketplace (only with your explicit consent).
Trade facilitation — Connecting you to verified trade counterparts when you opt in.
Creator monetization — Calculating your share of network earnings, ad revenue, and tips.
Security & fraud prevention — Detecting unauthorized access and suspicious patterns.
Service improvement — Analyzing aggregated, anonymized usage patterns.
Legal compliance — Meeting regulatory obligations in jurisdictions where we operate.

Legal bases for processing (where required, e.g. EU GDPR):

Contract performance — to deliver the FINC services you signed up for
Consent — for optional features like marketing emails or specific dealer connections
Legitimate interests — for security, fraud prevention, and service improvement
Legal obligation — when required to comply with regulators

We will never sell your personal data to third parties. We do not use your financial data for advertising targeting on external networks.

05 The AI Safe-Spend Engine

Your AI Safe-Spend Balance is the cornerstone of the FINC Ecosystem. It is calculated using:

All declared monthly income streams
Fixed monthly commitments (rent, loans, insurance, etc.)
Liability minimum payments
Logged variable expenses
An AI safety buffer (12% of net income held as reserve)

The result — your Safe-Spend Balance and Health Score — powers your Liquidity Passport when you choose to connect with a dealer.

🔒 Important: Dealers never see your full data

When you click "Connect Dealer" in FINC Marketplace, we share only your verified buying capacity and pre-approval status — never your raw income, expense list, or transaction history. The dealer pays FINC a lead fee for receiving this verified summary.

06 OCR & Receipt Scanning

The FINC AI Smart Scanner allows you to capture receipts and invoices for automatic data extraction.

What happens when you scan a receipt:

The image is processed by our OCR engine (or licensed partners such as Google Cloud Vision)
The AI extracts merchant name, amount, date, and suggests a category
You review and confirm the extracted data before it is saved
The original image is deleted from our servers within 24 hours after extraction unless you choose to keep it

Receipt images are encrypted in transit (TLS 1.3) and at rest. Only metadata (merchant, amount, category, date) is retained long-term.

07 Data Sharing & Dealers

We share your information only in these specific circumstances:

With dealers on FINC Marketplace (with your active consent)

When you tap "Connect Dealer" on a deal, you authorize us to share your Liquidity Passport summary with that specific dealer:

Your username
Pre-approved purchasing limit
Monthly installment capacity
Health Score
Verification status

The dealer pays FINC a lead-generation fee for this verified introduction. Your raw financial data, transaction history, family details, and personal contact information are never shared.

With service providers

We use carefully selected third-party providers, each bound by strict data processing agreements:

Hosting: Hostinger International Ltd
OCR processing: Google Cloud Vision API (when enabled)
AI processing: FINC IMPEX INC AI service for ECO AI coach (when enabled)
Bank connectivity: Brankas / Salt Edge / Plaid (licensed open-banking aggregators)
Email delivery: SendGrid / Postmark for transactional notifications

With legal authorities

We will disclose information when required by lawful court orders or regulatory directives in any jurisdiction where we operate.

08 Cross-Border Data Transfers

FINC Ecosystem operates internationally. Your data may be transferred between any country where we, our users, or our service providers operate.

For users in regions with cross-border transfer restrictions (such as the EU, UK, China, Russia, India), we protect international transfers through:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreements for UK users
Adequacy decisions where applicable
Encryption in transit and at rest for all transfers
Local processing options where required by national law

09 Data Security

We protect your information through industry-standard security measures:

Encryption in transit: All connections use HTTPS / TLS 1.3
Encryption at rest: Database encryption with AES-256
Password security: Bcrypt hashing with salt (passwords never stored in plain text)
SQL injection protection: All database queries use prepared statements
Access controls: Strict role-based access; multi-factor authentication for staff
Backup & recovery: Encrypted backups with geographic redundancy
Incident response: Security breaches reported within 72 hours where required by law

Data retention

Active accounts: Indefinitely while account is active
Inactive accounts: Anonymized after 24 months of inactivity
Deleted accounts: Removed within 30 days of your deletion request, except where law requires retention (typically 7 years for financial records)
Receipt images: Deleted within 24 hours of OCR processing

10 Your Rights — Worldwide

Wherever you are in the world, you have the following rights over your personal data:

Right to access — Request a copy of all data we hold about you
Right to rectification — Correct inaccurate or outdated information
Right to erasure / "right to be forgotten" — Request deletion of your account and associated data
Right to portability — Receive your data in machine-readable format (JSON / CSV)
Right to restrict processing — Pause specific uses while keeping your account
Right to object — Opt out of marketing or non-essential processing
Right to withdraw consent — Revoke any consent you previously gave
Right against automated decision-making — Request human review of AI decisions affecting you
Right to lodge a complaint — Contact your local data protection authority

To exercise any of these rights, email privacy@faktimpexinc.com. We respond within 30 days (or sooner where required by your local law).

🇺🇸 California "Do Not Sell" notice

Under the CCPA / CPRA, California residents have the right to opt out of "sale" or "sharing" of personal information. FINC Ecosystem does not sell or share your personal information for cross-context behavioral advertising. This applies to all users globally.

11 Cookies & Local Storage

The FINC Ecosystem uses browser localStorage to cache your data on your device for offline access and faster loading. This is essential for the app to function smoothly.

We may also use:

Essential cookies: For session management and security (always active)
Analytics cookies: To understand aggregate usage (only with your consent in regions requiring it)
Preference cookies: To remember your currency and language settings

You can clear all locally stored data at any time using the "Sign Out" button on the dashboard.

12 Children's Privacy

The FINC Ecosystem is intended for users aged 18 and above. We do not knowingly collect personal data from children under 18 (or the higher age of consent applicable in your jurisdiction, e.g. 16 in some EU member states, 13 in the US under COPPA).

The "Children Information" field during registration is intended for parents to track family savings goals. It stores only age and school grade — never the child's identity or contact information.

If we learn we have collected data from a person under the applicable minimum age without parental consent, we will delete it immediately. Parents may contact privacy@faktimpexinc.com.

13 Regional Supplements

The following regional notices supplement the main policy for users in specific jurisdictions:

🇪🇺 European Economic Area / United Kingdom (GDPR / UK GDPR)

EEA and UK users have additional rights under the GDPR including the right to data portability in machine-readable format, and the right to lodge a complaint with their local Data Protection Authority. Our EU/UK representative will be appointed when processing thresholds require it.

🇺🇸 United States (CCPA / CPRA)

California residents may request disclosure of personal information collected, sold, or disclosed in the past 12 months, and may opt out of "sharing" for cross-context behavioral advertising. FINC does not sell personal information.

🇧🇷 Brazil (LGPD)

Brazilian users have rights under the LGPD including confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing.

🇿🇦 South Africa / 🇳🇦 Namibia (POPIA / DPA)

Users may lodge complaints with the Information Regulator of South Africa or the Office of the Data Protection Commissioner of Namibia respectively.

🇮🇳 India (DPDP Act)

Indian users have rights under the Digital Personal Data Protection Act 2023 including access, correction, erasure, and grievance redressal.

🇨🇳 China (PIPL)

Chinese users' data is processed in accordance with PIPL requirements including separate consent for sensitive personal information and cross-border transfers.

🇲🇾 Malaysia (PDPA)

Malaysian users may lodge complaints with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi) at pdp.gov.my.

🇸🇬 Singapore (PDPA)

Singaporean users have rights under the PDPA 2012 administered by the Personal Data Protection Commission (PDPC).

🇦🇪 UAE / 🇸🇦 Saudi Arabia (PDPL)

Gulf users' data is processed in accordance with the respective Personal Data Protection Laws and any applicable free-zone regulations (DIFC, ADGM).

If your country is not specifically mentioned above, the main policy still applies fully and we honor all rights granted under your local data protection law.

14 Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes:

We update the "Last Updated" date at the top
We notify active users via email or in-app notification at least 30 days before the change takes effect
For significant changes (e.g., new categories of data sharing), we request your renewed consent

Your continued use of the FINC Ecosystem after changes take effect constitutes acceptance of the updated policy.

15 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data:

📧 FINC ImPex Inc. — Data Protection

Privacy: privacy@faktimpexinc.com

General: info@faktimpexinc.com

Support: support@faktimpexinc.com

Website: faktimpexinc.com

Address: Labuan International Business and Financial Centre, Federal Territory of Labuan, Malaysia

Company No: LL18894

🌍 Local Data Protection Authorities

You may also lodge a complaint with the data protection authority in your country if you believe your rights have been violated. A list of authorities worldwide is maintained by the Global Privacy Assembly.