Privacy Policy

Effective Date: [DATE — TODO: set before launch]

This Privacy Policy ("Policy") describes how Smiley Pay Limited ("Smiley Pay," "Company," "we," "our," or "us") collects, uses, stores, discloses, protects, and deletes personal information when you use our websites, mobile applications, biometric authentication platform, payment authorization services, merchant integrations, kiosks, APIs, point-of-sale systems, and related technologies (collectively, the "Service").

By creating an account, enrolling your biometric information, or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We may collect information that identifies, relates to, describes, or can reasonably be associated with an individual.

A. Personal Information

• Full legal name
• Email address
• Phone number
• Mailing address
• Billing address
• Date of birth
• Government-issued identification (where required)
• Account credentials
• Profile information

B. Biometric Information

To provide biometric authentication, we may collect:

• Facial photographs
• Live facial scans
• Facial geometry measurements
• Facial recognition templates
• Facial embeddings
• Mathematical representations derived from facial images
• Authentication logs
• Verification records

Biometric information is collected only with your consent and is used solely for authentication, fraud prevention, security, and operation of the Service.

Smiley Pay does not sell, rent, lease, or trade biometric information.

C. Transaction Information

When you authorize purchases using Smiley Pay, we may receive information including:

• Merchant name, location, and category
• Transaction amount, timestamp, and status
• Payment confirmation
• Authentication result

Smiley Pay does not receive or store full payment card numbers or payment security codes.

D. Device Information

• Device identifiers
• Browser information
• Operating system
• IP address
• Session identifiers
• Network information
• Crash reports and diagnostic information

E. Usage Information

• Authentication attempts and login history
• Merchant interactions and Service usage
• Session duration
• Security and fraud detection events
• Feature usage and system performance metrics

2. How We Collect Information

Information may be collected:

• Directly from you
• During account registration, biometric enrollment, authentication events, and payment authorization
• Through merchant integrations and participating kiosks
• Through cameras used for authentication
• Through cookies and similar technologies
• From payment processors, identity verification providers, and fraud prevention partners

3. How We Use Information

We may use collected information to:

• Verify your identity and authenticate your account
• Authorize payments
• Prevent fraud and detect suspicious activity
• Secure user accounts and maintain transaction history
• Improve authentication accuracy and operate the Service
• Provide customer support
• Comply with legal obligations, resolve disputes, and enforce agreements
• Improve our products, analyze Service performance, detect abuse, and maintain platform integrity

We do not use biometric information for advertising or marketing purposes.

4. Biometric Information

Biometric information is processed solely for identity verification, user authentication, payment authorization, fraud prevention, account recovery, and security monitoring.

Facial images may be converted into encrypted mathematical templates or embeddings that are used for authentication.

Biometric information is encrypted during transmission and while stored.

Smiley Pay does not sell biometric information, share biometric information for advertising purposes, or use biometric information to create advertising profiles.

5. Payment Processing

Smiley Pay provides biometric authentication and payment authorization technology.

Smiley Pay does not directly process, settle, transmit, or hold customer funds.

Payment transactions are processed by authorized third-party payment processors, together with your selected financial institution or payment method. Those providers are responsible for payment processing and payment credential storage in accordance with their own terms and privacy policies.

Smiley Pay may receive limited transaction information, including merchant identifiers, transaction amounts, timestamps, authentication status, and payment confirmation data solely for operating the Service, maintaining transaction history, fraud prevention, customer support, security monitoring, and platform improvement.

6. Location and Merchant Activity

When you authenticate using Smiley Pay at participating merchants, we may collect information regarding merchant location, merchant identifier, merchant category, authentication timestamp, transaction amount, and authentication outcome.

This information helps us display transaction history, detect fraud, improve platform performance, maintain security, generate aggregated analytics, and improve user experience.

We do not sell individual merchant activity or location history.

7. Cookies and Similar Technologies

We may use cookies, local storage, session tokens, device fingerprinting, analytics technologies, and similar tracking technologies. These technologies help us authenticate users, prevent fraud, improve performance, analyze usage, and maintain security.

Users may disable cookies through browser settings, although some features may not function properly.

8. Sharing of Information

We may disclose information to:

• Payment processors
• Identity verification providers
• Fraud prevention providers
• Cloud infrastructure providers
• Analytics providers
• Customer support vendors
• Merchants participating in the Service
• Law enforcement where legally required
• Courts and regulators
• Successors in mergers, acquisitions, or corporate reorganizations

We disclose only information reasonably necessary for these purposes. We do not sell personal information to data brokers.

9. Data Retention

We retain information only as long as reasonably necessary to operate the Service, maintain security, detect fraud, comply with legal obligations, resolve disputes, and enforce agreements.

Upon account deletion, biometric information may be deleted, anonymized, or retained where reasonably necessary to investigate fraud, comply with applicable law, resolve disputes, or protect platform security.

10. Data Security

We implement reasonable administrative, organizational, physical, and technical safeguards designed to protect information. Safeguards may include encryption, secure storage, access controls, authentication controls, logging, monitoring, security testing, penetration testing, and infrastructure monitoring.

No security system can guarantee complete protection against unauthorized access.

11. Your Privacy Rights

Depending upon applicable law, you may have the right to:

• Access your information
• Correct inaccurate information
• Delete personal information
• Request portability
• Restrict certain processing
• Withdraw biometric consent
• Close your account
• Obtain information regarding biometric retention

Certain requests may be denied where legally permitted.

12. California Privacy Rights

California residents may have rights including: right to know, right to access, right to delete, right to correct, right to limit certain uses of sensitive personal information, right to opt out of certain sharing, and the right against discrimination for exercising privacy rights.

Requests may be submitted using the contact information below.

13. Biometric Privacy Rights

Where applicable law provides additional protections, users may request deletion of biometric information, information regarding biometric retention, withdrawal of biometric consent, and confirmation regarding biometric storage.

Withdrawal of biometric consent may disable biometric authentication features.

14. Children's Privacy

The Service is intended only for individuals who are at least eighteen (18) years old or the age of majority in their jurisdiction. We do not knowingly collect information from children. If we discover that information from a minor has been collected, we will take reasonable steps to delete such information.

15. International Data Transfers

Information may be stored or processed outside your country of residence where permitted by applicable law. By using the Service, you consent to such transfers.

16. Changes to This Policy

We may modify this Privacy Policy from time to time. Updated versions become effective upon posting on our website or otherwise providing notice. Continued use of the Service constitutes acceptance of the revised Policy.

17. Contact Information

Smiley Pay Limited
Address: [ADDRESS — TODO: set before launch]
Email: privacy@smileylimited.com
Website: smileylimited.com

For privacy requests, biometric information requests, deletion requests, or questions regarding this Policy, please contact us using the information above.