Privacy Policy - PA Alliance

To use the Aurora Card and PA
Alliance App, you have given your consent to the Privacy
Policy Statement and Personal Information Collection Statement pursuant to
Personal Data (Privacy) Ordinance in relation to the Aurora Card and PA
Alliance Mobile App.

PA Alliance Limited

Privacy Policy Statement

June 2023 Version

PA Alliance Limited (the “PAA”, “we”,
“us” and/or “our”) is committed to protecting the privacy of
personal data and this Privacy Policy Statement (“Policy”) sets out our
personal data privacy policies and practices in accordance with the provisions
of the Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong) (“PDPO”).

The content of this Policy is meant
to provide a general overview. For further details, please refer to our Personal Information Collection
Statement (“PICS”).
For the avoidance of doubt, should there be any inconsistencies between this
Policy and the PICS, the PICS shall prevail. This Policy sets out the policy
and practices in connection with your access to and use of the Aurora Card (“Aurora
Card”) and the Hong Kong PAA mobile application on iOS and Android (the “App”).

Kinds of personal data held

We may
collect personal data from you in connection with the matters and purposes set
out in the PICS and this Policy. This may include Device Information,
Registration Information, Account Information, KYC Information and Identity
Verification Information as defined in the PICS. For details on the kinds of
personal data held, please refer to the PICS.

Main purposes of collecting and
keeping personal data

We may
collect your personal data from time to time in the ordinary course of your
relationship with us for any of the following purposes:

1.
Verifying your
identity, including during account creation, password reset and authorisation
of transaction processes, as well as the process of changing your mobile phone
number in our records.

2.
Verifying your
eligibility to download the App or to use any of the features and functions of
the App. Verifying your eligibility to register as a user of the Aurora Card
(including detection and verification of any anti-money laundering,
counter-terrorist financing or other unlawful activities) or to use any of the
features and functions of the Aurora Card.

3.
Handling your
service requests after processing your registration with PAA as a user of the
Aurora Card and supporting PAA in relation to maintaining and managing your
registration.

4.
Processing your
registration with us as a user of the Aurora Card, providing you with a log-in
ID and maintaining and managing your registration.

5.
Providing you
with Aurora Card services and related customer services, including facilitating
the settlement of purchase price for goods and services, cash advance,
charge-backs, sending notices about your transactions, and responding to your
queries, feedback, claims or disputes. Allowing you to access and/or enjoy
particular functions provided within the App and services provided by financial
institutions including banks and/or financial service companies (“Third
Party Financial Institutions”) with whom you have selected to register.

6.
Allowing you to
access and/or enjoy particular features and functions provided within the App,
and services (including apps and mini programs) operated by third parties (“Third
Party Operators”) which are accessible through links provided on the App.

7.
Improving and
expanding our offerings by way of research and development of new functions of Aurora
Card and the App or other new products and services that we may offer from time
to time.

8.
Performing
research, statistical analysis or surveys, whether orally or in writing, in
order to manage and protect our business operation including our information
technology infrastructure, to measure the performance of Aurora Card, the App
and other services we offer and to ensure your satisfaction with our services.

9.
Analysing
trends, usages and other behaviours
(whether on an individualised or aggregated basis), which helps us better
understand how you and our collective user base access and use Aurora Card and
the App and the underlying commercial activities conducted, including for
purposes of improving our services and responding to customer queries and
preferences.

10. Subject to having obtained your
consent in accordance with applicable law and as contemplated in Part D of the
PICS, we may provide direct marketing information to you relating to goods and services
(defined in the PICS) offered by us, Our Group Companies and affiliates, our
business partners and selected third parties using your personal data to
contact you, including but not limited to by telephone, text (SMS), email,
post, fax, push notification and any other electronic means.

11. Managing risk, performing
creditworthiness and solvency checks, or assessing, detecting, investigating,
preventing and/or remediating fraud or other potentially prohibited or illegal
activities and otherwise protecting the reputation of our payment platform (the
Aurora Card) and information technology platform (the App).

12. Detecting, investigating,
preventing or remediating violations of the Aurora Card T&C and App
Agreement (defined in the PICS), any applicable internal PAA policies, relevant
industry standards, guidelines, laws or regulations.

13. Making such disclosures as may be
required by any law or regulation of any country applicable to us or Our Group
Companies, government official or other third party that PAA has contractual or
regulatory obligations to, including any card association or other payment
network. Disclosures may also be made pursuant to any subpoena, court
order, decision or other legal process or requirement in any country applicable
to us or Our Group Companies (including anti-money laundering and
counter-terrorist financing reporting requirements).

14. Making any disclosure to prevent
any harm or financial loss, to report any suspected illegal activity or to deal
with any claim or potential claim brought against us or Our Group Companies.

15. Enabling any due diligence and
other appraisals or evaluations for actual or proposed merger, acquisition,
financing transactions or joint ventures.

16. Any other legitimate business
purposes, such as protecting you and other users of Aurora Card or the App from
losses, protecting lives, maintaining the security of our systems and products,
and protecting any of our other rights and/or properties; meeting or complying
with any obligations, requirements, policies, procedures, measures or
arrangements for sharing data and information within Our Group Companies and/or
any other use of data and information pursuant to any of Our Group Companies’ group-wide
programs for compliance with sanctions or prevention or detection of money
laundering, terrorist financing, fraudulent activities or other unlawful
activities.

17. Any other purposes directly
relating to the purposes listed above.

We also may
use your personal data in other ways for which we provide specific notice at
the time of collection or for which you have subsequently consented.

Retention of personal data

Personal
data collected from you will not be kept longer than necessary for the carrying
out of the purposes for which such data were initially collected, unless
otherwise required or permitted by applicable laws or regulations.

We will
retain and procure our service providers to retain your personal data only for
so long as is necessary for the purposes set out in the PICS and in accordance
with the PDPO and all applicable regulatory requirements.

Security of personal data

We take all
reasonable steps, including technical, administrative and physical safeguards
to help protect your personal data that we process from loss, misuse and
unauthorized access, disclosure, alteration and destruction.

For
registered users of the Aurora Card, your Registration Information (as defined
in the PICS) can be viewed and edited in the App through your account with us,
which is protected by a password. We recommend that you do not divulge your
password to anyone. Our staff will never ask you for your password in an
unsolicited phone call or in an unsolicited email. If you share a computer with
others, you should not choose to save your log-in information for the Aurora
Card (e.g., user ID and password) on that shared computer.

Disclosure of data

We will
comply with the applicable requirements and restrictions under the PDPO in
disclosing personal data to any other person. We may, when appropriate and
necessary, provide, transfer or disclose your personal data to Our Group
Companies and any third party (whether within or outside Hong Kong) set out in
the PICS for the purposes set out above and/or in the PICS.

For details
on the disclosure of personal data to third parties, please refer to the PICS.

Outsourcing arrangement

We may
appoint suppliers, agents, contractors, service providers and other contractual
counterparties within or outside Hong Kong to process data collected by us, in
order to provide administrative, telecommunication, computing, remittance or
other services to us, such as in connection with the operation or maintenance
of the Aurora Card or App or the provision of services and products, including
for fraud prevention, payment settlement and transaction processing, insurance,
bill collection, data entry, database management, promotion, marketing,
customer service, technology service, product and service alerts and payment
extension services.

All
suppliers, agents, contractors, service providers and other contractual
counterparties are required to comply with the applicable requirements and
restrictions under the PDPO and personal data access will be restricted to
authorised personnel on a need-to-know basis.

Direct Marketing

We may wish
to use your personal data in direct marketing activities for the purposes set
out above and/or in the PICS. We will comply with the applicable requirements
and restrictions under the PDPO and the PICS in direct marketing activities.

We will not
use your personal data unless we have received your consent. If you at any time
you do not wish for us to continue to use or provide to other persons your
personal data for direct marketing purposes as described herein, you may
exercise your “opt-out” right by notifying us at admin@paa.global.

Use of cookies, spotlight tags and
web beacons, etc.

Cookies are
text files placed in a user’s computer or mobile device Internet browser to
collect and store information about the users of our websites and mobile
applications. When you use or browse our websites, mobile applications, or the Aurora
Card, information will be collected from you by cookies and other similar
technologies including but not limited to super position model (SPM)
technologies, web beacons and spotlight tags. The information collected by
using such technologies may include but is not limited to information about
your electronic device, mobile device, browser details, IP address, and your
preferences and habits on language, webpage layout and other matters. We will
analyse and use the information collected to maintain, manage and enhance our websites,
mobile applications, products, services and user experience.

Use of information gathered from
cookies, etc.

We may share
the information gathered through the use of cookies, SPM and other technologies
referenced in the previous section of this Policy with third party research
agencies for analysis and research purposes which will enable us to adopt a
more focused marketing strategy and customer experience for our services and
products. No personally identifiable information about you will be collected or
shared with any of these third party research agencies as a result of this
analysis and research.

We do not
use spyware or hidden identifiers or other similar technologies to gain access
to your personal data or store hidden information when you visit our mobile
applications or websites.

Managing cookies, etc.

— Our
websites

You will not
be able to disable the spotlight tags and web beacons functions when browsing
our websites.

While most
browsers are initially set to accept cookies, you may alter your browser
settings to restrict or disable certain types of cookies. For more information
on how to disable cookies on a wide variety of browsers and more information
about cookies more generally, you may visit www.aboutcookies.org or use the
“Help” function in your browser. If you restrict or disable cookies, you may
find that certain features and functions on our website may be disrupted. If
you accept cookies, you agree to the collection and use of your information as
set out above.

— Our
mobile applications

Our mobile
application uses cookies, SPM and similar technologies to help us improve our
services to you. You will not be able to restrict or disable the use of such
cookies and technologies in our mobile application. If you do not agree to our
use of the such cookies and technologies, please refrain from using or
accessing our services or products via the mobile application. By continuing
browsing, you agree to the collection and use of your information as set out
above.

Accessing your personal data

You have the
right to access and update your information and contact us. For example, you
may:

(a) check whether we hold data about you and/or access such data;

(b) require us to correct any
data relating to you which is inaccurate;

(c) to the extent required in
accordance with applicable laws and regulations, require us to correct
inaccurate, or unlawfully collected or unlawfully processed data;

(d) ascertain our policies
and procedures in relation to data and to be informed of the kind of personal
data held by us; and

(e) request us not to use
your personal data for direct marketing purposes, in which case we will cease
to do so at no cost to you.

If you would
like to make a request for access to data, please submit the “Data Access
Request Form” (the prescribed form (form:OPS003) can be downloaded from
the following link http://www.pcpd.org.hk/english/publications/files/Dforme.pdf), along with appropriate proof of
identity (a copy of the applicant’s Hong Kong Identity Card or Passport) to our
Data Protection Officer at the address below. We may charge you a fee at a
level permitted by the PDPO for this service.

If you have
any question about this Policy, or would like to request for access to data or
correction of data, or for information regarding our policies and practices and
kinds of data held, please write to us at:

The Data Protection Officer

PA Alliance Limited

Address: Flat/Rm. A, Dolford
Mansion, 1-3 Chatham Court, Tsim Sha Tsui, Kowloon, Hong Kong

Email: admin@paa.global

In this
Policy, unless inconsistent with the context or otherwise specified, the words
below shall have the following meanings:

“Hong Kong” means the
Hong Kong Special Administrative Region of the People’s Republic of
China.

Personal
Information Collection Statement pursuant to Personal Data (Privacy) Ordinance
(Cap.486) (“Ordinance”) in relation to Aurora Card and the App

Updated
in June 2023

This
Statement sets out how PA Alliance Limited (“PAA”, “we” or “us”)
may collect, use and disclose your “personal data”, “personally identifiable
information” or other personal information as ascribed under the Ordinance
(collectively, “Personal Data”) in connection with your access to and
use of Aurora Card (“Aurora Card”) and/or the Hong Kong PA Alliance iOS
and Android mobile applications (the “App”).

From time to
time, it is necessary for you to provide us with Personal Data in connection
with your registration and use of the Aurora Card and the App, to accept the
services of PAA (these services are based on the PA Alliance Aurora Card Terms
and Conditions (“Aurora Card T&C“) and the PA Alliance Mobile
App Terms and Conditions (“App Agreement”)) and other service agreements
that you consent to as part of your registration for and use of the Aurora Card
at the time of registration, or for compliance with any laws, guidelines or
requests issued by regulatory or other authorities.

If you do
not supply such Personal Data to us, it may result in us being unable to
complete your registration for the Aurora Card / the App or provide you with
the services in the Aurora Card / the App under the Aurora Card T&C and the
App Agreement respectively.

The App in
combination with Aurora Card that is also provided by PAA provides a gateway
for Hong Kong registered users of Aurora Card to participate in a variety of
activities, including making payments and cash advance globally.

Registered users of the App can
also sign up for an Aurora Card virtual account with PAA, a co-brander of Key
Solution Ventures Limited (“Issuer KSV”), which is a principal
MasterCard credit card issuing licensee with the license to issue MasterCard
credit cards to co-branded card members in Hong Kong.

The word
“including” shall not be limiting.

A. COLLECTION
OF PERSONAL DATA

We may
obtain your Personal Data (directly or indirectly), including:

1.
Information
obtained about your computer, mobile device or other item of hardware through
which you access and use the App through the use of cookies, super position
model (SPM) technologies and other similar technologies (including your IP
address, geographical location, device identification codes, device Installed
Packages and other features/data that can be used to identify a device,
browser/platform type and version, internet service provider, operating system,
referral source/exit pages, length of visit/usage, page views and device
operations) (“Device Information”).

2.
Information
obtained by us or provided by you while you register as a user of the Aurora
Card or App, including your telephone number and/or email address (“Registration
Information”).

3.
Information
obtained by us or provided by you during your use of the App, including your
name, date of birth, address (“Account Information”).

4.
As required by Issuer
KSV, and in order to complete the “Know-Your-Client” (“KYC”) process
necessary for the security of our system and that of our customers, we will
also collect your identity document (including Hong Kong Identity Card) and
your occupation, source of funding, and/or other information from bank
statements (“Necessary KYC Information”). We may also collect your facial
images and identification document images to complete the KYC (together with
the Necessary KYC Information, are collectively referred to as the “KYC
Information”).

5.
When we are
dealing with your request of changing password or changing the mobile phone
number that is associated with your Aurora Card or the App, or when we detect
potential risks to the assets stored in a particular Aurora Card or the App
account, we may need to verify your identity by requesting data from you or a
third party. Those data may include, but without limit, proof of your top-up
records or otherwise funding the Aurora Card User Account (collectively, “Identity
Verification Information”).

6.
Any
combination, derivation or updated version of the above Device Information,
Registration Information, Account Information, KYC Information, Identity
Verification Information or such other information may be provided by you or
collected by us (automatically or manually) at the time of your downloading the
App, during your registration as a user of the Aurora Card and/or during the
course of your use of the Aurora Card or the App.

The above
information may constitute your Personal Data. We have taken steps to
ensure that we do not collect more information (whether or not such information
constitutes Personal Data) from you than is necessary for us to provide you
with our services, to perform the purposes set out in Part B of this notice, to
protect your Aurora Card, to comply with our legal obligations, to protect our
legal rights, and to operate our business.

B. USE OF PERSONAL DATA

We may use
the Personal Data that we obtained about you for the following purposes:

1.
Verifying your
identity, including during account creation, password reset and authorization
of transaction processes, as well as the process of changing your mobile phone
number in our records.

2.
Verifying your
eligibility to download the App or to use any of the features the functions of
the App. Verifying your eligibility to register as a user of the Aurora Card
(including detection and verification of any anti-money laundering,
counter-terrorist financing or other unlawful activities) or to use any of the
features and functions of the Aurora Card.

3.
Processing your
registration with us as a user of the Aurora Card, providing you with a log-in
ID and maintaining and managing your registration.

4.
Handling your
service requests after processing your registration with PAA as a user of the Aurora
Card and supporting PAA in relation to maintaining and managing your
registration.

5.
Providing you
with Aurora Card services and related customer services, including facilitating
the payment of goods and services, cash advance, charge-backs, sending notices
about your transactions, and responding to your queries, feedback, claims or
disputes. Allowing you to access and/or enjoy particular functions and services
provided by credit card issuers, banks and/or financial service companies (“Third
Party Financial Institutions”) with whom you have selected to register.

7.
Improving and
expanding our offerings by way of research and development of new functions of Aurora
Card and the App or other new products and services that we may offer from time
to time.

8.
Performing
research, statistical analysis or surveys, whether orally or in writing, in
order to manage and protect our business operation including our information
technology infrastructure, to measure the performance of Aurora Card and the
App and other services we offer and to ensure your satisfaction with our
services.

9.
Analyzing
trends, usages and other behaviors (whether on an individualized or aggregated
basis), which helps us better understand how you and our collective user base
access and use Aurora Card and the App and the underlying commercial activities
conducted, including for purposes of improving our services and responding to
customer queries and preferences.

10. Subject to having obtained your
consent in accordance with applicable law and as contemplated in Part D below,
we may provide direct marketing information to you relating to goods and services
offered by us, Our Group Companies and affiliates, our business partners
and selected third parties using your Personal Data to contact you,
including but not limited to by telephone, text (SMS), email, post, fax,
push notification and any other electronic means.

12. Detecting, investigating,
preventing or remediating violations of the Aurora Card T&C and/or App
Agreement, any applicable internal PAA policies, relevant industry standards,
guidelines, laws or regulations.

13. Making such disclosures as may be
required by Issuer KSV, any law or regulation of any country applicable to us
or any of Our Group Companies, government official or other third party that PAA
has contractual or regulatory obligations to, including any card association or
other payment network. Disclosures may also be made pursuant to any
subpoena, court order, decision or other legal process or requirement in any
country applicable to us or any of Our Group Companies (including anti-money
laundering and counter-terrorist financing reporting requirements).

14. Making any disclosure to prevent
any harm or financial loss, to report any suspected illegal activity or to deal
with any claim or potential claim brought against us or any of Our Group
Companies.

15. Enabling any due diligence and
other appraisals or evaluations for actual or proposed merger, acquisition,
financing transactions or joint ventures.

16. Any other legitimate business
purposes, such as protecting you and other users of Aurora Card or the App from
losses, protecting lives, maintaining the security of our systems and products,
and protecting any of our other rights and/or properties; meeting or complying
with any obligations, requirements, policies, procedures, measures or
arrangements for sharing data and information within Our Group Companies and/or
any other use of data and information pursuant to any Our Group Companies’ group-wide
programs for compliance with sanctions or prevention or detection of money
laundering, terrorist financing, fraudulent activities or other unlawful
activities.

17. Any other purposes directly
relating to the purposes listed above.

We also may
use your Personal Data in other ways for which we provide specific notice at
the time of collection or for which you have subsequently consented.

C. DISCLOSURE OF PERSONAL DATA

Your
Personal Data held by us will be kept confidential but we may provide such
information to the following parties (whether within or outside Hong Kong) for
the purposes set out in B.1 to B.17 above:

1.
Our Group
Companies and affiliates.

2.
Our agents,
contractors, professional advisers or third party service providers that we
engage (including their employees, directors and officers) who are under a duty
of confidentiality to us and who provide administrative, telecommunication,
computing, remittance or other services to us in connection with the operation
or maintenance of the Aurora Card, the App or the provision of services and
products, including but not limited for fraud prevention, payment settlement
and transaction processing, insurance, bill collection, data entry, database
management, promotion, marketing, customer service, technology service, product
and service alerts and payment extension services.

3.
Merchants to
whom payments are made using the Aurora Card or the App.

4.
Marketing
service providers under a duty of confidentiality to us who provide
administrative, data processing, research and marketing, distribution,
professional or other similar services to us.

5.
Law enforcement
agencies, government and regulatory authorities or any other organizations to
which PAA is under an obligation or expected to make disclosures under the
requirements of any applicable law, regulation or commercial arrangement,
including arrangements with Issuer KSV, any card association or payment
network.

6.
Actual or
proposed entities involved in any merger, acquisition, financing transaction or
joint venture with us. We may disclose and transfer to any of our actual
or proposed assignees or transferees of our rights with respect to your
Personal Data in connection with a company re-structuring, and/or merger (as
between us and a third party), sale, or transfer (whether of assets or shares,
in whole or in part), to use, hold, process or retain such Personal Data for
the purposes mentioned in Parts B and D of this Statement.

D. DIRECT MARKETING

For the
purpose specified at B.10, PAA may wish to use your Personal Data in direct
marketing activities. Please note that:

1.
We will solicit
your consent by way of explicit indication of no objection and will use your
Personal Data for direct marketing purposes after receipt of your
consent.

2.
PAA may use your
name, contact information, products and service portfolio, transaction pattern
and history, financial background, demographic data and geographical location
in order to send to you marketing communications on the goods and services.

3.
PAA may market
to you the goods and services. This may include goods and services that are
offered by us, any of Our Group Companies and affiliates and our business
partners or any other selected third parties.

4.
We may provide
your Personal Data to certain third parties with which we maintain business
referral or other similar commercial arrangements, including (i) Our Group
Companies and affiliates, and (ii) business partners, for use by them in
marketing their own goods and services.

5.
If at any time
you do not wish for us to continue to use or provide to other persons your
Personal Data for direct marketing purposes as described herein, then you may
exercise your “opt-out” right by notifying us at Email: admin@paa.global.

E. PUSH NOTIFICATIONS

We may send
you push notifications from time to time in order to update you about your
account activities and service related information. If you no longer wish to
receive these types of communications, you may turn them off at the device
level.

F. SECURITY MEASURES AND RETENTION

We take all
reasonable steps, including technical, administrative and physical safeguards
to help protect your Personal Data that we process from loss, misuse and
unauthorized access, disclosure, alteration and destruction.

We will
retain and procure our service providers to retain your Personal Data only for
so long as is necessary for the purposes set out in this Statement and in
accordance with the Ordinance and all applicable regulatory requirements.

For
registered users of the Aurora Card, your Registration Information and Account
Information (if any) can be viewed and edited in the App through your account
with us, which is protected by a password. We recommend that you do not divulge
your password to anyone. Our staff will never ask you for your password in an
unsolicited phone call or in an unsolicited email. If you share a computer with
others, you should not choose to save your log-in information for the Aurora
Card (e.g., user ID and password) on that shared computer.

G. THIRD PARTY SERVICES AND
WEBSITES

The Aurora
Card and the App may provide links to other websites and services (including
apps and mini programs operated by third parties) for your convenience and
information. These services and websites may operate independently from
us and may have their own privacy notices or policies, which we strongly
suggest you review before you use any of their services or conduct any activities
on those websites. To the extent that any linked websites and services
you visit are not owned or controlled by us, we are not responsible for their
contents, their privacy practices and the quality of their services.

H. CHANGES TO THIS NOTICE

From time to
time we may update this Statement to reflect changes to our data practices. If
we make any material changes, we will notify you by means of a notice within
the App or we may notify you by email (sent to the e-mail address specified in
your account). Please review this page periodically for the latest information
on our privacy practices. After we have issued a notice to you either
through the App or by email, if you continue to use the App, you will
be deemed to have agreed to and been notified of any updated version of this
Statement concerning the collection, use, storage, transfer and disclosure of
your Personal Data as set out in this Statement.

I. FURTHER INFORMATION

Under the
Ordinance, you have the right to access or correct your Personal Data or
exercise any “opt-out” right. If you wish to exercise any of these rights,
please do so by logging into your account in the App or by contacting
us through the following means:

PA Alliance limited

Address: Flat/Rm. A, Dolford
Mansion, 1-3 Chatham Court, Tsim Sha Tsui, Kowloon, Hong Kong

Email: admin@paa.global

PAA may
charge a reasonable fee for processing any data access request.