Privacy Policy & Data Protection Notice

This Privacy Policy was last updated on 16 April 2026

This Data Protection Notice (“Notice”) sets out the basis which Circular Now Pte. Ltd. (UEN 202108518R) (and its wholly owned subsidiaries, including Circular Now (SG) Financial Pte. Ltd. (UEN 202437838N)) may collect, use, disclose or otherwise process personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”).

Any reference to:

  1. we”, “us”, “our” or “Circular” should be understood as a reference to Circular Now Pte. Ltd. or the other subsidiaries within the group; and
  2. you” or “your” should be understood as a reference to an individual whose personal information we control or process for the purposes described in this privacy policy.

This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations that we have engaged to collect, use, disclose or process personal data for our purposes.

1. Who this Notice applies to

This Notice applies to individuals whose personal data we handle in connection with our business, including individuals who:

  1. contact us to find out more about our products and services;
  2. apply for, use or have used our products or services;
  3. enter into or may enter into a contract with us;
  4. are authorised representatives, guarantors, beneficial owners, directors, officers or personnel of our customers or counterparties; or
  5. otherwise interact with us in a personal capacity.

2. Meaning of personal data

In this Notice, “personal data” means data, whether true or not, about an individual who can be identified:

  1. from that data; or
  2. from that data and other information to which we have or likely to have access.

Other terms used in this Notice shall, where the context permits, have the meanings given to them in the PDPA.

3. Personal data we may collect

Depending on the nature of your interaction with us, we may collect various types of personal data. Examples of the types of personal data we may collect include, but are not limited to, the following:

  1. name and identification details;
  2. contact details, such as address, email address and telephone number;
  3. nationality, date of birth, gender and other profile information;
  4. photographs, recordings and other audio-visual information;
  5. employment and business information;
  6. payment and transaction information, including billing details, payment card details and bank account information;
  7. account, login and usage information relating to our products or services;
  8. information required for identity verification, fraud prevention, risk assessment, collections or regulatory compliance; and
  9. any other personal data that you or your authorised representative provide to us, or that we otherwise collect in connection with your relationship with us in accordance with applicable law.

4. How we collect personal data

We generally collect personal data:

  1. when you provide it to us directly;
  2. when your authorised representative provides it to us on your behalf;
  3. when you use our website, applications, platforms, products or services;
  4. when you communicate with us by email, telephone, messaging services, social media or other channels;
  5. from third parties such as business partners, service providers, credit bureaus, payment providers, identity-verification providers, fraud-prevention providers and publicly available sources, where permitted by law; and
  6. in other situations where collection, use or disclosure without consent is permitted or required under the PDPA or other applicable laws.

5. Purposes for which we may collect, use or disclose personal data

We may collect, use and disclose your personal data for one or more of the following purposes:

  1. providing, operating, maintaining and supporting our products and services;
  2. processing applications, orders, transactions and payments;
  3. verifying your identity and carrying out customer due diligence, screening and know-your-customer checks;
  4. responding to your enquiries, requests, feedback and complaints;
  5. managing our relationship with you;
  6. administering accounts, subscriptions, rewards, promotions or events;
  7. monitoring, improving and developing our products, services, systems and business operations;
  8. detecting, preventing and investigating fraud, abuse, security incidents and other unlawful or improper activity;
  9. conducting risk assessments, credit assessments, account reviews, collections and recoveries;
  10. complying with legal, regulatory, audit, risk management and internal governance requirements;
  11. disclosing to our professional advisers, auditors, insurers, service providers, business partners and relevant regulators or authorities where reasonably necessary;
  12. sending you marketing and promotional communications in accordance with applicable law; and
  13. any other purpose that is reasonably related to the above or that you have otherwise been notified of.

6. Legal basis under the PDPA

Where required, we will collect, use or disclose your personal data with your consent.

Depending on the circumstances, we may also collect, use or disclose personal data without consent where this is permitted or required by the PDPA or other applicable laws, including where:

  1. the collection, use or disclosure is necessary to perform a contract with you or to provide a product or service requested by you;
  2. the collection, use or disclosure is reasonably necessary for legitimate interests that outweigh any likely adverse effect on you, and the conditions under the PDPA are satisfied;
  3. the collection, use or disclosure is necessary to comply with legal or regulatory requirements;
  4. the personal data is publicly available; or
  5. another exception under the PDPA applies.

7. Credit reports and third-party checks

Where relevant to your application for, or use of, our products or services, we may obtain and use your personal credit report and other credit-related information from Singapore credit bureaus and other permitted sources for purposes such as:

  1. assessing applications;
  2. conducting credit, affordability, fraud and risk assessments;
  3. managing your account, including setting and reviewing limits;
  4. monitoring repayment behaviour;
  5. carrying out collections and recoveries; and
  6. complying with legal and regulatory obligations.

For these purposes, we may disclose relevant personal data to:

  1. Singapore credit bureaus;
  2. payment, billing, collections and debt recovery service providers;
  3. identity-verification and fraud-prevention providers; and
  4. professional advisers and other service providers supporting credit, fraud, risk and recovery processes.

8. To whom we may disclose personal data

We may disclose your personal data to:

  1. our related corporations and affiliates;
  2. third-party service providers who process personal data on our behalf, including providers of cloud hosting, data storage, analytics, communications, customer support, logistics, payments, identity verification, fraud prevention, marketing and security services;
  3. banks, payment networks and financial institutions;
  4. credit bureaus and collections or recovery agencies;
  5. professional advisers such as lawyers, auditors, consultants and insurers;
  6. regulators, law enforcement agencies, government authorities, courts or tribunals; and
  7. other third parties where disclosure is reasonably necessary for the purposes described in this Notice or otherwise permitted or required by law.

9. Marketing communications data

Where permitted by applicable law, we may use your personal data to send you information about our products, services, offers, campaigns, events or promotions.

You may opt out of receiving marketing communications from us at any time by following the unsubscribe instructions in the relevant communication or by contacting us using the details below.

Where we send telemarketing messages to Singapore telephone numbers, we will do so in accordance with the PDPA’s Do Not Call provisions and other applicable requirements.

10. Withdrawal of consent

Where we rely on your consent, you may withdraw that consent by contacting us in writing using the details below.

Upon receiving your request, we may require reasonable time to process it and to inform you of the consequences of withdrawal, including any legal or service-related consequences. Once consent is withdrawn, we will stop collecting, using or disclosing your personal data for the relevant purpose unless we are permitted or required by law to continue doing so.

Withdrawal of consent does not affect the lawfulness of any collection, use or disclosure carried out before the withdrawal, and does not affect our right to continue processing personal data where permitted or required under applicable law.

11. Access and correction

Subject to the PDPA, you may request:

  1. access to personal data about you that is in our possession or under our control; and
  2. information about the ways in which we have used or disclosed your personal data within a year before the date of your request; and
  3. correction of personal data about you that is in our possession or under our control.

We may require your request to be made in writing and may ask for information to verify your identity and clarify the scope of your request.

A reasonable fee may be charged for an access request where permitted by law. If so, we will tell you the fee before processing the request.

We will respond to your request as soon as reasonably possible. Where we are unable to respond within 30 days, we will inform you in writing of the time by which we expect to respond.

12. Accuracy

We generally rely on personal data provided by you or your authorised representative. To help us keep your personal data accurate, complete and up to date, please let us know if your personal data changes.

13. Protection of personal data

We implement reasonable administrative, physical and technical security arrangements to protect personal data in our possession or under our control from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

These arrangements may include access controls, authentication measures, encryption, logging and monitoring, secure disposal processes, staff training, contractual safeguards with service providers and other measures appropriate to the sensitivity of the personal data and the nature of the processing. The PDPA requires reasonable security arrangements, rather than absolute security.

However, no method of transmission over the Internet and no method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

14. Retention

We retain personal data only for as long as it is reasonably necessary to fulfil the purposes for which it was collected, or as otherwise required or permitted by applicable law.

When personal data is no longer necessary for legal or business purposes, we will cease to retain it, or remove the means by which the data can be associated with particular individuals.

Retention periods may vary depending on the nature of the data and the purpose of processing, including legal, regulatory, accounting, dispute-resolution, fraud-prevention and operational requirements.

15. Transfers of personal data outside Singapore

Our service providers, affiliates, business partners and systems may be located outside Singapore. As a result, your personal data may be transferred to, stored in, or accessed from countries or territories outside Singapore.

Where we transfer personal data outside Singapore, we will do so in accordance with the PDPA and take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection to the personal data that is at least comparable to the protection under the PDPA, unless a relevant exception under the PDPA applies. That matches the PDPA’s transfer-limitation framework.

These steps may include contractual commitments, binding corporate rules, reliance on recognised certifications, or other appropriate safeguards.

16. Personal data breach management

We maintain processes for identifying, assessing, containing and responding to personal data breaches.

Where required by the PDPA, we will notify the Personal Data Protection Commission and affected individuals of an eligible data breach within the time required by law. The current PDPA framework includes a Data Breach Notification Obligation.

17. Business contact information

To the extent permitted under the PDPA, this Notice does not apply to business contact information when handled solely in that capacity.

18. Contacting us

If you have any questions, feedback or requests relating to this Notice or our handling of personal data, please contact our Data Protection Officer:

Email: [email protected]

19. Changes to this Notice

We may update this Notice from time to time. The updated version will be published on our website or otherwise made available by us, and the revised version will take effect from the date stated in the updated Notice.