Credezo Finance | Fast Business Loans Singapore

1. Introduction and Scope

1.1 About This Policy

This Privacy Policy describes how Credezo Finance Pte Ltd (UEN: 202557582H) ("Credezo", "we", "us", or "our") collects, uses, discloses, and protects your personal data in accordance with the Personal Data Protection Act 2012 ("PDPA") of Singapore.

1.2 Scope of This Policy

This Policy applies to:

(a) visitors to our website (www.credezo.com);
(b) loan applicants and borrowers;
(c) directors, shareholders, and guarantors of borrowing entities;
(d) accredited investors applying for loans;
(e) business contacts, referral partners, and introducers;
(f) job applicants and employees.

1.3 Data Controller

Credezo Finance Pte Ltd is the data controller responsible for your personal data. Our Data Protection Officer ("DPO") can be contacted at dpo@credezo.com.

1.4 Acceptance of This Policy

By using our website, submitting a loan application, or otherwise providing your personal data to us, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein.

2. Personal Data We Collect

2.1 Information You Provide Directly

We collect the following categories of personal data that you provide to us:

Identity Data: Full legal name, NRIC/FIN number (or last 4 digits), passport details, date of birth, nationality, residency status, gender, photograph
Contact Data: Email address, mobile telephone number, residential address, business address
Company Data: Company name, Unique Entity Number (UEN), registered address, operational address, nature of business, SSIC codes, director and shareholder information
Financial Data: Bank statements (6 months or more), audited and unaudited financial statements, management accounts, tax assessments (Notice of Assessment), GST returns, existing loan and credit information
Guarantor Data: NRIC/passport copies, Notices of Assessment, income and employment information, residential address, credit bureau consent forms
Accredited Investor Data: Net asset declarations, income evidence, bank statements, and other documentation supporting accredited investor status
Employment Data: Employer name, occupation, employment duration, income details
Property Data: Property ownership details, housing type, estimated property value

2.2 Information from Third Parties

We may collect personal data about you from third-party sources, including:

Credit Bureau Information: Credit reports and scores from Singapore Commercial Credit Bureau (SCCB) and other credit bureaus where we have direct access. We may also request that you provide credit reports from Credit Bureau Singapore (CBS).
Corporate Registry Information: Company profiles, BizFile extracts, and corporate information from ACRA (Accounting and Corporate Regulatory Authority of Singapore)
Referral Partner Information: Basic application information provided by brokers, introducers, or business partners who referred you to us
Government Sources: Information retrieved via MyInfo or Singpass with your consent (when implemented)

2.3 Information Collected Automatically

When you visit our website, we automatically collect:

Technical Data: IP address, browser type and version, operating system, device type and identifier
Usage Data: Pages visited, time spent on pages, navigation paths, referral source, click patterns
Cookie Data: Information collected via cookies and similar tracking technologies (see Section 14)

3. Purposes for Collection, Use, and Disclosure

3.1 Primary Purposes (Contractual Necessity)

We collect and use your personal data for the following primary purposes, which are necessary for the performance of your contract with us or to take steps at your request before entering into a contract:

(a) Processing and evaluating your loan application
(b) Conducting credit assessments and risk evaluation
(c) Verifying your identity, eligibility, and accredited investor status (where applicable)
(d) Performing Know Your Customer (KYC) and anti-money laundering (AML) checks
(e) Administering and servicing your loan account
(f) Processing payments and managing repayments
(g) Communicating with you about your application, account status, payment reminders, and queries
(h) Enforcing our legal rights under loan agreements and personal guarantees
(i) Recovering outstanding amounts and managing defaults

3.2 Legal and Regulatory Compliance

We may use and disclose your personal data to comply with legal and regulatory obligations:

(a) Complying with regulatory requirements and government directives
(b) Filing Suspicious Transaction Reports (STRs) with the Suspicious Transaction Reporting Office (STRO) under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act
(c) Responding to court orders, subpoenas, and regulatory requests
(d) Reporting to credit bureaus as required under our membership agreements
(e) Complying with tax reporting requirements to IRAS

3.3 Legitimate Business Interests

We may use your personal data for the following legitimate business interests:

(a) Improving our services, products, and website functionality
(b) Conducting research, data analysis, and statistical analysis (using aggregated or anonymised data where possible)
(c) Training our staff on loan processing and customer service
(d) Preventing and detecting fraud, money laundering, and other illegal activities
(e) Protecting our legal rights and managing business risks
(f) Maintaining security of our systems and premises

3.4 Marketing Purposes (With Separate Consent)

With your explicit opt-in consent, we may use your personal data for marketing purposes, including:

(a) Sending promotional materials about our products and services via email or SMS
(b) Notifying you of special offers, events, or partnerships
(c) Conducting customer satisfaction surveys

4. Consent

4.1 Express Consent

We obtain your express consent for the following:

(a) Marketing communications (separate opt-in checkbox required)
(b) Disclosure of your personal data to third parties not necessary for the primary service
(c) Collection of sensitive personal data, including NRIC numbers and credit information
(d) Retrieval of data via MyInfo/Singpass (when implemented)

4.2 Deemed Consent

Under Section 15 of the PDPA, consent may be deemed given when:

(a) You voluntarily provide personal data for a purpose that would be considered appropriate by a reasonable person in the circumstances
(b) You submit a loan application, thereby agreeing to credit checks and related processing necessary to evaluate your application
(c) You provide guarantor information as part of the loan application, implying consent for guarantee-related processing

4.3 Deemed Consent by Notification

For certain purposes, we may notify you of our intent to collect, use, or disclose your personal data and provide you with a reasonable opportunity to opt out. If you do not opt out within the specified period, you are deemed to have consented to such collection, use, or disclosure.

4.4 Withdrawal of Consent

You may withdraw your consent to the collection, use, or disclosure of your personal data at any time by contacting our DPO at dpo@credezo.com. Please note:

(a) Withdrawal of consent may affect our ability to provide services to you or process your loan application
(b) Withdrawal does not affect the lawfulness of processing before withdrawal
(c) Certain personal data must be retained for legal, regulatory, or contractual reasons even after consent is withdrawn
(d) We will process withdrawal requests within 10 business days and inform you of the consequences

5. Disclosure to Third Parties

5.1 Service Providers

We may disclose your personal data to the following service providers who assist us in operating our business:

Credit Bureaus: Credit Bureau Singapore (CBS), Singapore Commercial Credit Bureau (SCCB) - for credit checks, credit reporting, and ongoing account monitoring
Cloud Service Providers: Hosting and data storage providers (including providers with infrastructure outside Singapore)
Payment Processors: Banks and payment service providers for processing loan disbursements and repayments
Professional Advisers: Lawyers, accountants, auditors - for professional advice and legal proceedings
Debt Collection Agencies: In case of default, for recovery of outstanding amounts
Email and Communication Providers: For sending transactional and account-related communications

5.2 Regulatory and Legal Authorities

We may disclose your personal data to regulatory and legal authorities when required:

(a) Suspicious Transaction Reporting Office (STRO) - under AML/CFT requirements
(b) Ministry of Law - as required by law
(c) Courts and tribunals - in legal proceedings
(d) Law enforcement agencies - when required by law or court order
(e) Inland Revenue Authority of Singapore (IRAS) - for tax compliance
(f) Personal Data Protection Commission (PDPC) - in response to investigations or complaints

5.3 Other Parties

We may also disclose your personal data to:

(a) Guarantors and co-borrowers - information relevant to the guarantee or loan
(b) Referral partners and brokers - limited information necessary for referral management, with your consent
(c) Potential business transferees - in the event of a merger, acquisition, or restructuring (subject to confidentiality obligations)

5.4 No Sale of Personal Data

We do NOT sell your personal data to third parties for their marketing purposes.

6. Overseas Transfers

6.1 Cross-Border Transfers

Your personal data may be transferred to, stored, or processed in jurisdictions outside Singapore in connection with our operations. This includes:

(a) Cloud infrastructure providers with servers located outside Singapore
(b) Third-party service providers located outside Singapore

6.2 Transfer Safeguards

In accordance with Section 26 of the PDPA, when transferring your personal data overseas, we ensure that:

(a) The recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA; or
(b) You have provided consent to the transfer after being informed that the overseas recipient may not provide equivalent protection; or
(c) The transfer is necessary for the performance of your contract with us; or
(d) The transfer is necessary for the conclusion or performance of a contract in your interest.

6.3 Current Transfer Destinations

As of the date of this Policy, personal data may be transferred to:

(a) United States (cloud infrastructure and analytics providers)
(b) Other jurisdictions where our service providers operate

6.4 Your Consent

By using our services and providing your personal data, you consent to the transfer of your personal data overseas as described above. You acknowledge that overseas jurisdictions may not provide data protection equivalent to Singapore law.

7. Data Retention

7.1 Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by applicable laws and regulations:

Data Category	Retention Period
Loan application data (declined applications)	7 years from application date
Active loan account data	Duration of loan + 7 years
Completed/closed loan records	7 years after loan closure
Credit bureau reports	7 years from date of report
Financial statements and tax documents	7 years from submission
Guarantor information	Duration of guarantee + 7 years
Identity documents (NRIC copies)	7 years after last interaction or loan closure
Website usage data and analytics	24 months
Marketing consent records	Duration of consent + 2 years
Enquiry and correspondence records	7 years

7.2 Basis for Retention Periods

Our retention periods are based on:

(a) Limitation Act 1959 (6-year limitation period for contract and tort claims)
(b) Income Tax Act requirements for record keeping
(c) Anti-Money Laundering and Counter-Terrorism Financing requirements
(d) Guidance from the Personal Data Protection Commission

7.3 Disposal of Personal Data

When personal data is no longer required, we will:

(a) Securely delete electronic records using industry-standard methods;
(b) Securely shred or destroy physical documents; or
(c) Anonymise data such that individuals can no longer be identified.

8. Data Breach Notification

8.1 Our Obligations

In accordance with Sections 26A to 26E of the PDPA, in the event of a data breach that:

(a) is likely to result in significant harm to affected individuals; or
(b) is of a significant scale (affecting 500 or more individuals),

we will:

(a) Notify the Personal Data Protection Commission (PDPC) within 3 calendar days of our assessment that the breach is notifiable
(b) Notify affected individuals as soon as practicable if the breach is likely to result in significant harm to them

8.2 Notification Content

Our notification to affected individuals will include:

(a) A description of the data breach
(b) The types of personal data affected
(c) Steps we are taking in response to the breach
(d) Actions individuals can take to protect themselves
(e) Contact information for our Data Protection Officer

8.3 Your Obligations

You agree to:

(a) Promptly notify us of any suspected unauthorised access to your account
(b) Keep your login credentials secure and confidential
(c) Report any suspicious communications purporting to be from Credezo

9. Access and Correction

9.1 Right of Access

Under Section 21 of the PDPA, you have the right to request access to your personal data that is in our possession or under our control, and to be informed of how such data has been or may have been used or disclosed within the past year.

9.2 Access Request Process

To request access to your personal data:

(a) Submit a written request to our DPO at dpo@credezo.com
(b) Provide sufficient information to identify yourself and locate the data requested
(c) We will acknowledge your request within 5 business days
(d) We will respond to your request within 30 days of receiving a valid request
(e) If we require additional time, we will notify you within 30 days

9.3 Access Request Fee

We may charge a reasonable fee to cover administrative costs of processing access requests:

(a) Standard request: S$20
(b) Complex or voluminous requests: To be advised based on the scope of the request

9.4 Right of Correction

Under Section 22 of the PDPA, you have the right to request correction of any personal data that is inaccurate, incomplete, or out of date.

9.5 Correction Request Process

(a) Submit a written request to our DPO with details of the correction required
(b) Provide supporting documentation where necessary
(c) We will process the correction within 30 days
(d) If we cannot make the correction, we will inform you of the reasons

9.6 Exceptions

We may refuse access or correction requests if:

(a) The request is frivolous or vexatious
(b) Providing access would reveal confidential commercial information
(c) The data relates to legal proceedings or investigations
(d) Access would threaten the safety or physical/mental health of another individual
(e) The data was collected for evaluative purposes (e.g., credit assessment)
(f) Required or permitted by law

10. Do Not Call (DNC) Registry

10.1 Compliance

We comply with the Do Not Call (DNC) provisions under Part IX of the PDPA.

10.2 Marketing Communications

We will not send marketing messages via voice calls, SMS/MMS, or fax to Singapore telephone numbers unless:

(a) You have provided clear and unambiguous consent to receive such messages; or
(b) You have an ongoing relationship with us (as a borrower, applicant, or enquirer within the past 12 months) and have not opted out.

10.3 Ongoing Relationship Exception

If you are an existing borrower or have made an enquiry within the last 12 months, we may contact you regarding our services unless you opt out.

10.4 Opt-Out

You may opt out of marketing communications at any time by:

(a) Clicking the unsubscribe link in our marketing emails
(b) Replying "STOP" to our SMS marketing messages
(c) Emailing our DPO at dpo@credezo.com
(d) Registering your number with the national DNC Registry

11. Data Protection Officer

11.1 Appointment

We have appointed a Data Protection Officer (DPO) who is responsible for:

(a) Ensuring compliance with the PDPA and this Privacy Policy
(b) Handling access and correction requests
(c) Responding to complaints and enquiries about our data protection practices
(d) Managing data breach incidents and notifications
(e) Liaising with the PDPC on data protection matters

11.2 Contact Details

Data Protection Officer
Credezo Finance Pte Ltd
Email: dpo@credezo.com
Address: 101 Cecil Street, Tong Eng Building, Singapore 069533

12. Security Measures

12.1 Technical Measures

We implement appropriate technical measures to protect your personal data, including:

(a) Encryption of data in transit (TLS/SSL) and at rest
(b) Secure cloud infrastructure with reputable providers
(c) Access controls and multi-factor authentication for staff
(d) Regular security assessments and vulnerability testing
(e) Intrusion detection and monitoring systems
(f) Secure backup and disaster recovery procedures

12.2 Organisational Measures

We also implement organisational measures, including:

(a) Staff training on data protection and security
(b) Access to personal data on a need-to-know basis
(c) Confidentiality agreements with staff and contractors
(d) Incident response procedures
(e) Regular policy reviews and updates
(f) Due diligence on third-party service providers

12.3 No Guarantee

While we implement reasonable security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal data.

13. Third-Party Links

Our website may contain links to third-party websites that are not operated by us. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal data. A link to a third-party website does not constitute an endorsement by us.

14. Cookies and Tracking Technologies

14.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies (such as web beacons and pixels) to enhance your browsing experience and understand website usage.

14.2 Types of Cookies We Use

Cookie Type	Purpose	Duration	Third Party?
Essential/Strictly Necessary	Site functionality, security, authentication	Session	No
Authentication	Maintain login state and session	Session/Persistent	No
Analytics	Usage statistics, site improvement	Up to 2 years	Yes (Vercel Analytics)
Preference	Remember your settings and preferences	1 year	No

14.3 Third-Party Analytics

We use Vercel Analytics to understand how visitors use our website. Vercel Analytics may collect:

(a) Page views and navigation paths
(b) Geographic location (country/region level)
(c) Device and browser information
(d) Referral sources

For more information, please review Vercel's Privacy Policy at: https://vercel.com/legal/privacy-policy

14.4 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

(a) Block all cookies
(b) Block only third-party cookies
(c) Delete cookies when you close your browser
(d) Receive notification before cookies are placed

Note: Blocking certain cookies (especially essential cookies) may affect website functionality and your ability to use our services.

14.5 Do Not Track

We do not currently respond to "Do Not Track" (DNT) browser signals as there is no industry standard for interpreting such signals.

15. MyInfo and Singpass Integration

15.1 MyInfo Integration

We may offer MyInfo integration to streamline your loan application process. If you choose to use MyInfo:

(a) You will be redirected to the Singpass portal to authenticate your identity
(b) You will see and approve the specific data fields to be shared with us
(c) Government-verified data will be retrieved directly from MyInfo
(d) This reduces manual data entry and document submission requirements

15.2 Singpass Login

We may offer Singpass login for account authentication. This provides:

(a) Secure government-verified authentication
(b) Two-factor authentication via the Singpass app

15.3 Your Control

(a) Use of MyInfo/Singpass is voluntary - you may choose to submit information manually
(b) You control which data fields are shared through the MyInfo consent screen
(c) You may revoke MyInfo access at any time via the Singpass portal

15.4 Data Source Indication

When data is retrieved via MyInfo, we will indicate this in your records to distinguish government-verified data from manually-entered information.

16. Children's Data

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact our DPO.

17. Changes to This Policy

17.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Updates will be posted on our website with a new "Last Updated" date.

17.2 Material Changes

For material changes to this Policy, we will:

(a) Post a prominent notice on our website
(b) Send notification to your registered email address (for existing borrowers and registered users)
(c) Provide at least 7 days' notice before material changes take effect

17.3 Continued Use

Your continued use of our services after changes to this Policy take effect constitutes your acceptance of the updated Policy. If you do not agree with any changes, you should discontinue use of our services.

18. Contact Us and Complaints

18.1 General Enquiries

For general enquiries about our services:
Email: hello@credezo.com
Phone: +65 8495 5611

18.2 Data Protection Enquiries

For enquiries about this Privacy Policy or our data protection practices:
Data Protection Officer
Email: dpo@credezo.com
Address: 101 Cecil Street, Tong Eng Building, Singapore 069533

18.3 Complaints

If you are dissatisfied with how we handle your personal data, please contact our DPO at dpo@credezo.com. We will acknowledge your complaint within 5 business days and investigate and respond within 30 days.