Salmon App Privacy Notice 

(for Super-App Users))

SALMON GROUP LTD. (the “COMPANY”) complies with the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (“IRR”), and such other rules and regulations issued by the National Privacy Commission and other relevant regulators (collectively, the “Applicable Privacy Laws”) and other relevant issuances of the Philippines. The COMPANY is committed to respecting its customers’ privacy rights and protecting their Personal Data from misuse or unauthorized disclosure. Thus, the COMPANY is providing this application privacy notice (this “Privacy Notice”) in accordance with the Applicable Privacy Laws.

I. IDENTITY AND CONTACT DETAILS OF THE PERSONAL INFORMATION CONTROLLER

Controller: SALMON GROUP LTD. (the “COMPANY”)

Address: Cloud Bubble B01, Level 14, Al Sarab Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates

Data Protection Officer (“DPO”): [email protected]
 

II. DEFINITIONS

For purposes of this Privacy Notice, all of the definitions in the Applicable Privacy Laws are adopted verbatim unless otherwise provided:

a. “Applicable Privacy Laws” refers to the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (“IRR”), and such other rules and regulations issued by the National Privacy Commission and other relevant regulators;

b. “Ambassadors” refers to brand ambassadors who have signed a contract with the Salmon Groupfor 
the promotion of the Salmon Group's products and/or services;

c. “Clients” refers to natural persons who register and use the Super-App;

d. “Controller” or “Personal Information Controller” refers to a natural or juridical person, or any other body who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. The term excludes: (i) A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or (ii) A natural person who Processes Personal Data in connection with his or her personal, family, or household affairs. Control is present if the natural or juridical person or any other body decides on what Personal Data is collected, or the purpose or extent of its Processing;

e. “Covered Persons” means all entities defined as covered persons under the Anti-Money Laundering Act of 2001, the Terrorist Financing Prevention and Suppression Act, the Anti- Terrorism Act of 2020, and all other related issuances;

f. “Data Subject” means refers to an individual whose Personal, Sensitive Personal, or Privileged Information is Processed;

g. “Merchants” refers to partners/merchants which signed retailer agreements with the Salmon Group;

h. “Personal Data” refers to all types of Personal Information, including Sensitive Personal Information and Privileged Information;

i. “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

j. “Potential Clients” means a natural persons who submitted or desire to submit an application for a 
product and/or service with the COMPANY;

k. “Privileged Information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

l. “Processing” or “Process” or “Processes” refers to any operation or any set of operations performed upon Personal Data, including, but no limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of Personal Data. Processing may be performed through automated means or manual Processing if the Personal Data are contained or are intended to be contained in a filing system;

m. “Processor” or “Personal information processor” refers to any natural or juridical person or any other body to whom a Controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject;

n. “Salmon Application” or the “Super-App” refers to the mobile application “Salmon” that is owned  and managed by the COMPANY;

o. “Salmon Group” refers to (i) Salmon Group Ltd. (formerly Fintech Holdings Ltd.) (ii) its affiliates  and subsidiaries, including, but not limited to, FHL Financing Company, Inc., Salmon Services Inc., Sunprime Finance Inc; and (iii) their respective shareholders, directors, officers, employees, agents,  representatives, assigns, and anyone acting under their direction or in their behalf;

p. “Sensitive Personal Information”, refers to Personal Information (1) about an individual’s race,  ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (2) about  an individual’s health , education, genetic, or sexual life, or to any proceeding for any offense  committed or alleged to have been committed by such individual, the disposal of such proceedings,  or the sentence of any court in such proceedings; or (3) issued by government agencies peculiar to an  individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, or revocation, and tax returns;

q. “Super-App Users” refers to all users of the Super-App including Clients, Ambassadors, and Merchants.

III. SALMON GROUP

“SALMON” is a trademark owned by the holding company, Salmon Group Ltd. (formerly FINTECH HOLDINGS LTD."SALMON” or the “COMPANY”) and is used across its group of companies. SALMON owns and operates the platform “Salmon Application” (the “Super-App”):

The COMPANY is the 100% owner of SUNPRIME FINANCE, INC., which  provides both online &  offline lending through its Online Lending Platform License, as well as FHL FINANCING COMPANY, INC. which only services offline point-of-sale (“POS”) loans. The COMPANY is a platform provider which provides the “Super-App” to serve as an intermediary between the Clients and financial institutions such as FHL FINANCING COMPANY, INC. and SUNPRIME FINANCE, INC.
 

IV. SCOPE AND APPLICATION

The Super-App is accessible to the following users (collectively, the “Super-App User”):

a. Salmon Application Clients (“Super-App User - Clients”);
b. Salmon Application Ambassadors (“Super-App User - Ambassadors”); and
c. Salmon Application Merchants (“Super-App User - Merchants”).

This Privacy Notice specifically applies to Personal Data provided to or collected by the COMPANY from the Super-App User.

V. SOURCES OF THE CATEGORIES OF PERSONAL DATA

The COMPANY may acquire your Personal Data from the following sources:

a. Directly from you via: 

• The Super-App when you register and log-in;
• Interaction with the Super-App;
• Your offline application for products and/or services of the COMPANY;
• Your gadget;
• Your e-mails; and

b. Third-party service providers such as, but not limited to, credit scoring bureaus and companies in the 
course of the provision of their services.

VI. CATEGORIES OF PERSONAL DATA 

The COMPANY may Process the following categories of Personal Data (the “Categories of Personal Data”). Note that the enumerations per Categories of Personal Data are not exclusive but serve merely as examples:
 

a.   Identity data

• Full name (First, Middle, Last)
• Mobile Number 

b.  Contact details data

• Email address
• Mobile number 
• Address
•Push notifications

c.   Security & Fraud prevention data

• Biometric
• Location & Time zone difference 
• Device type 
• Device model
• Date and time 
• Content of the query (specific page)
• Access Status/HTTP Status Code
• Website or application from which the request originates
• Browser
• Operating system and its user interface
• Language and version of the browser software
• Cookies
• Other internet and computer-related behavior
• Contact lists

d.  Customer Due Diligence data

• Name
• Birthday
• Address
• Place of birth
• Date of Birth
• Sex
• Nationality/Citizenship
• Contact details
• Biometric/specimen signature
• Employers
• Sources of funds
• Nature of work
• Salary
• Name of employer, or nature of self-employment or business
• Supporting information on the intended nature of the business relationship
• Source of funds
• Source of wealth
• Nature of occupation and/or business
• Reasons for the intended or performed transactions
• List of companies where Data Subject is a director, officer or stockholder
• List of banks where the Data Subject has maintained or is maintaining an account
• Other relevant information available through public databases or internet or available elsewhere
• Other Customer due diligence information

e.   Government-issued data
• Government-issued ID or numbers
• Philsys-related numbers (e.g., PSN, etc.)

f.   Bank Account/e-Wallet data
• Bank account/e-wallet number
• Bank account branch

g.  Reference Person data
• Reference name
• Reference contact details
• Reference relationship

h.  Referrals data
• Referral name
• Referral contact details
• Referral relationship

i.   Service requests data
• Personal Data provided when raising service requests or queries
• Emails 
• Tickets

j.   Optional location data
• GPS location

k.  Loan Application data
• Customer due diligence information
• Name
• Birthday
• Address
• Place of birth
• Date of Birth
• Sex
• Nationality/Citizenship
• Contact details
• Biometric/specimen signature
• Employers
• Sources of funds
• Nature of work
• Salary

l.   Analytics data
• Cookies
• Combination of VI(a) to VI(l)

VII. PURPOSES AND LEGAL BASIS FOR PROCESSING 

The COMPANY may Process the Categories of Personal Data for the purposes and based on the legal bases  enumerated below:

a. The identity data are Processed (i) identify you in relation to your interactions and contract with the COMPANY, (ii) for sharing with the Salmon Group or other Third-Party Service Providers that you choose to avail products and/or services from; and (iii) for market analysis. The legal basis for Processing the Personal Data under (i) and (ii) are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY/Salmon Group/Third-Party Service Providers’ legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA). The legal basis for Processing the Personal Data under (iii) is the COMPANY’s legitimate interests to improve the Super-App (Section 
12(f), DPA).

b.  The contact details data are Processed to (i) communicate with you about your request prior to entering into a contract with the COMPANY or with respect to the contract you entered with the COMPANY (e.g., collection, etc.), (ii) to deliver the necessary notifications, communications, and notices to you; (iii) for sharing with the Salmon Group or other Third-Party Service Providers that you choose to avail products and/or services from; and (iv) for marketing purposes. The legal basis for Processing the Personal Data under (i), (ii) and (iii) is that the Processing is necessary and related to take steps at your request before entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers under the said contract (Section 12(b), DPA). The legal basis for Processing the Personal Data under (iv) is the COMPANY/Salmon Group/Third-Party Service Providers legitimate interests to inform you about important updates and improve collection (Section 12(f), DPA) or your consent (Section 13(a), DPA) if used for the purpose of promoting the COMPANY/Salmon Group/Third-Party Service Providers’ products and/or services.

c. The security & fraud prevention data are Processed for purposes of (i) customer verification and fraud prevention, and (ii) security purposes. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY’s legal obligations under anti- money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as the COMPANY’s legitimate interests to prevent hacking, security breaches, data breaches, fraud, and other misuse of the Super-App (Section 12(f), DPA).
 

d. The Customer Due Diligence data are Processed for purposes of (i) customer due diligence, (ii) credit assessment, and (iii)for sharing with the Salmon Group or other Third-Party Service Providers that you choose to avail products and/or services from. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third- Party Service Providers under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY/Salmon Group/Third-Party Service Providers legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as the COMPANY/Salmon Group/Third-Party Service Providers’ legitimate interests to prevent losses due to bad debt (Section 12(f), DPA).

e. The government-issued data are Processed for purposes of (i) customer verification and fraud prevention, , (ii) security purposes, (iii) for sharing with the Salmon Group or other Third-Party Service Providers that you choose to avail products and/or services from. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers’ under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY/Salmon Group/Third-Party Service Providers’ legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as the COMPANY/Salmon Group/Third-Party Service Providers’ legitimate interests to prevent fraud and identity theft. The bank account/e-wallet data are Processed for loan or other monetary disbursement. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers’ under the said contract (Section 12(b), DPA) and your consent (Section 12(a), DPA).

f. The reference person data are Processed for credit assessment and background checking for availment of products and services. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers’ under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY/Salmon Group/Third-Party Service Providers’ legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as the COMPANY/Salmon Group/Third-Party Service Providers’ legitimate interests to prevent fraud or bad debts (Section 12(f), DPA). The referrals data are Processed for generating new leads of potential Clients. The legal basis for Processing the Personal Data is the COMPANY/Salmon Group/Third-Party Service Providers’ legitimate interests to grow its userbase. (Section 12(f), DPA).

g. The service requests data are Processed for purposes of (i) customer verification, and (ii) to address your service requests and queries. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of the COMPANY/Salmon Group/Third-Party Service Providers’ under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY/Salmon Group/Third-Party Service Providers’ legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA).

h. The optional location data are Processed for purposes of providing the Clients with personalized experience such as when the Clients wish to locate the closest merchants to their location. The legal basis for Processing the Personal Data is consent (Section 12(b), DPA) through the settings of the Clients.

i. The loan application data are Processed for purposes of (i) customer due diligence, and (ii) credit assessment of the financial institutions to which the COMPANY provides Platform-as-a-Service and/or part of the Salmon Group. The legal basis for Processing the Personal Data are that the Processing is necessary and related to fulfil the obligations of the COMPANY under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with the COMPANY’s legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as the COMPANY’s legitimate interests to prevent losses within the Salmon Group due to bad debt (Section 12(f), DPA).

j. The analytics data are Processed for purposes of analytics, developing data products (including training machine learning models), creating personal recommendations for our current or potential clients, and to improve the COMPANY/Salmon Group/Third-Party Service Providers’ products and/or services. The legal basis for Processing the Personal Data is the COMPANY/Salmon Group/Third-Party Service Providers’ legitimate interests to gather and use analytics to improve its  products and services (Section 12(f), DPA).

VIII. THIRD-PARTY CONTROLLERS

The Super-App provides Platform-as-a-Service to the following separate and independent Personal Information Controllers which are part of the Salmon Group:

a. SUNPRIME FINANCE INC.
b. FHL FINANCING COMPANY, INC.

Further, the Super-App offers Clients the option to be redirected to third-party webpages or platforms for the Client’s convenience such as, but not limited to, the following (collectively referred to as, “Third-Party Service Providers”):

a. Xendit Philippines Inc.;
b. Paynamics Technologies Inc.;
c. Paymongo Philippines Inc.;

When the Clients clicks the relevant links in the Super-App, the Clients will be redirected to the Third-Party Service Providers’ platform or page where the Clients have to read and accept the Third-Party Service Providers’ terms & conditions, privacy notice, etc. The Third-Party Service Providers’ platform or page is totally under the control of the Third-Party Service Providers as separate and independent Personal Information Controllers so any questions or complaint in relation to how they Process Personal Data using the Third-Party Service Providers’ platform or page should be directed to the relevant Third-Party Service Provider.

IX. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Within the scope of the COMPANY’s activities and services, it may become necessary for the COMPANY to share, disclose, or transfer your Personal Data within or outside the Philippines to the COMPANY’s affiliates and subsidiaries in the Salmon Group, Third-Party Service Providers, and government institutions, which assist the COMPANY/Salmon Group/Third-Party Service Providers in carrying out its business activities in relation to the purposes indicated in Section VII.

When your Personal Data is shared, disclosed, or transferred outside of the Philippines, the COMPANY will ensure that your Personal Data is transferred to countries that provide a level of confidentiality, and protection similar to the levels required by Applicable Privacy Law or that there are acceptable contractual guarantees in place to ensure that the Processing of your Personal Data is in accordance with the Applicable Privacy Laws’ data protection level.

Recipients of your Personal Data generally fall into the following categories of recipients:

a. The COMPANY and its subsidiaries and affiliates (the “Salmon Group”);
b. Payment Service Providers, Banks and other Covered Persons;
c. Information technology (IT) service provider for IT infrastructures;
d. Telecommunications providers;
e. Cloud providers;
f. Other third-party service providers for outsourced Processes (e.g., consultants, contractors, 
collectors, lawyers, etc.);
g. Government institutions (e.g., Bureau of Internal Revenue, Anti-Money Laundering Council, 
Securities and Exchange Commission, Bangko Sentral ng Pilipinas, etc.);
h. Credit scoring bureaus (e.g., Credit Information Corporation, etc.);
i. Alternative/Non-traditional credit scoring providers;
j. Transferee or assignee in case of merger or acquisition;
k. Investors.

X. Security and Protection of Your Personal Data

Your Personal Data Processed internally are generally managed using the COMPANY’s Systems and are stored in a private cloud hosted in servers, data centers, and/or computers located in the Philippines, or Singapore, or the European Union. Only authorized employees are given access to your Personal Data in accordance with established structure of permissions or defined security roles on a need-to-know basis and with the obligation to keep your Personal Data confidential. The COMPANY implements reasonable and appropriate technical, organizational, and physical security (“TOPS”) measures for the protection of your Personal Data against any accidental or unlawful Processing, accidental loss or destruction, and unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. The COMPANY has a Privacy Manual (the “Manual”) that documents all of the TOPS Measures that the COMPANY has in place to protect your Personal Data.
 

XI. Cookies

Salmon (“We” and “Our”) uses cookies on our website (https://salmon.ph/). This Cookie Provision explains what cookies are, how we use them, the types of cookies we use, and how you can control your cookie preferences.

Cookies are small text or data files stored on your device. These cookies are essential for enhancing your browsing experience by remembering your preferences, tracking your activities, and improving our services. We primarily employ cookies for analytics, enabling us to optimize website performance, and for security and fraud prevention, ensuring a secure website environment. While our cookies do not gather personal information that directly identifies you, they do assist in delivering a more personalized experience. By continuing to use our website, you consent to the use of cookies outlined in this policy. You may choose to disable cookies through your browser settings; however, this could impact the website's overall functionality.

Salmon may update this Cookie Provision occasionally to reflect changes in our practices or legal obligations. Thus, we encourage you to review this policy periodically for any updates or changes. We utilize these cookies to help you browse our website in a more personalized manner for your better convenience and experience:

I. Transient Cookies - Transient Cookies are automatically deleted when the Data Subject closes the browser. These are mostly session Cookies, which save a so-called “session-ID”, which allows for the assigning of different queries within the Data Subject’s browser during a particular session. This can be used to identify the Data Subject’s device when they repeatedly visit a website during a session. These Cookies shall be deleted once the Data Subject logs out or closes the browser window. 
 

II. Persistent Cookies - Persistent Cookies enable the Website to remember the Data Subject’s information and settings on the Data Subject’s next visit. This gives the Data Subject faster and more convenient access to the Website since the Data Subject does not have to change its language settings again, for example. How long the Persistent Cookies remain on the Data Subject’s device depends on the duration or expiration date of the respective cookie and the Data Subject’s browser settings. The Persistent Cookies are automatically deleted after a set period which can differ from Cookie to Cookie. Persistent Cookies shall be capable of deletion via the security settings of the Data Subject’s browser at any time.
 

XII. Retention Period

Your Personal Data will be retained for as long as is necessary for the Purposes set out above, or in accordance with the retention period provided by law and/or the COMPANY’s policies, whichever is applicable. In general, your Personal Data will be retained up to ten (10) years from end of your business relationship with the COMPANY in accordance to the COMPANY’s internal retention policy unless Philippines laws require a longer period. Rest assured that the COMPANY’s use of your Personal Data will be limited to what is necessary to achieve the Purposes, and/or only to the exceptions permitted by Applicable Privacy Laws. After the retention periods have lapsed, the COMPANY will delete or anonymize your Personal Data securely using generally-accepted industry standards.

XIII. Your rights as a Data Subject (“DSR”)

a. You have the following DSR with respect to your Personal Data as provided in the Applicable 
Privacy Laws:

• Right to be informed (Section 16(a) & 16(b), DPA)
• Right of access (Section 16(c), DPA): 
• Right to rectification (Section 16(d), DPA):
• Right to erasure or blocking (Section 16(e), DPA):
• Right to damages (Section 16(f), DPA):
• Right to data portability (Section 18, DPA):
• Right to object (Section 34(b), IRR):

More information about your DSRs are available at the COMPANY’s Privacy Portal or at NPC Advisory 2021-01.

b. Inquiries and requests regarding your DSR, including any objections to or complaints regarding the COMPANY’s Processing of your Personal Data, can be sent to the DPO by raising the proper ticket using the COMPANY’s Privacy Portal

c. If you feel that the COMPANY has not responded in an appropriate manner to your requests or 
complaints regarding our Processing of your Personal Data, you have the right to complain to the 
National Privacy Commission through their website or email ([email protected]).

XIV. Changing the Privacy Notice

The COMPANY reserves the right to modify or amend this Privacy Notice from time to time to keep up with any changes in relevant Applicable Privacy Laws or with how the COMPANY Processes your Personal Data. Any changes or updates will be notified to you via the Super-App and/or other official communication channels.