Privacy Policy
How Summer collects, uses, shares and protects personal data. This is a substantive draft pending review by Singapore-qualified counsel and is not legal advice.
Draft — placeholder
Final policy will be supplied by legal counsel before production. The sections below outline the document structure; specific clauses are intentionally omitted until reviewed.
1. Introduction & scope
This Privacy Policy describes how Digital Flow Pte. Ltd. (UEN 202350828Z), a private company incorporated in Singapore with registered office at 68 Circular Road, #02-01, 049422, Singapore, operating the Summer product (“Summer”, “we”, “us”), collects, uses, discloses and otherwise processes personal data.
This Policy applies to the Summer marketing website at smrfnc.com, the Summer application at app.smrfnc.com, and any related services we provide (together, the “Service”). The Service is provided B2B; the natural persons whose personal data we process are typically employees and contractors of our business customers (“Users”) and the counterparties they transact with (“Payees”).
This document is a draft pending review by Singapore-qualified counsel and is not legal advice. The “Draft” notice above remains in place until that review is complete.
2. Information we collect
We collect personal data in the following categories:
Account & profile data (from Users). Name, work email address, company name, role, time zone, and authentication identifiers such as hashed credentials and session tokens.
Service usage data. Actions taken inside the product (creating invoices, initiating payouts, configuring wallets, approving transactions), audit log entries (who did what, when, from which device), and feature usage telemetry.
Counterparty & transaction data. Submitted by Users about their Payees and inflows: display names, wallet addresses, chain, asset, transaction hashes, payout amounts, invoice line items, and AML/KYT risk scores returned by our screening provider for those addresses and transactions.
Technical & device data. IP address, browser type and version, operating system, device identifiers, language, referrer, and crash and performance telemetry.
Communications. Demo bookings, support tickets, e-mails sent to support@vaultnow.co, and the content of messages submitted via the contact form on the website.
We do not knowingly collect special categories of personal data (e.g., health or biometric data). We do not collect government-issued identifiers from Users for the operation of the Service. [CONFIRM: confirm against the live data model; remove any category we do not in fact collect]
3. How we use personal data
- To provide, operate, secure and improve the Service.
- To authenticate Users, authorise actions, and enforce approval policies and access controls.
- To run AML/KYT screening on incoming and outgoing wallets and transactions, in support of the customer’s own compliance program.
- To reconcile transactions against invoices and to produce reports (Cash Flow, P&L, budget vs. actual) for the customer.
- To provide customer support and send service notifications.
- To detect, investigate and prevent fraud, abuse and breaches of our terms.
- To comply with legal obligations, court orders and lawful requests from competent authorities.
- To send relevant marketing communications where you have opted in, with an unsubscribe option in every message.
We do not sell personal data and we do not use personal data to train third-party generative-AI models. We use aggregated, de-identified data to operate and improve the Service.
4. Legal basis for processing
Singapore PDPA. Where the Personal Data Protection Act 2012 applies, we process personal data with consent (which may be deemed under PDPA where notification has been provided and the purposes are within those notified), and under recognised PDPA bases including processing reasonably necessary for the conclusion or performance of a contract, and legitimate interests (with the required balancing).
EU / UK GDPR (where applicable). For Users and visitors located in the EEA, the UK or other GDPR-equivalent jurisdictions, our lawful bases are: performance of a contract (Art. 6(1)(b)), our legitimate interests (Art. 6(1)(f)) subject to the balancing test, compliance with legal obligations (Art. 6(1)(c)), and your consent (Art. 6(1)(a)) for non-essential cookies and marketing.
California (CCPA / CPRA). For California residents we provide a “notice at collection” in this Policy. We do not sell personal information and we do not share it for cross-context behavioral advertising.
5. Sharing & disclosure
We share personal data with the following categories of recipients, under contracts that require them to protect the data and to use it only for the purposes we instruct:
- Cloud infrastructure and hosting providers. [CONFIRM: name vendors]
- Authentication, identity and access management providers. [CONFIRM: name vendors]
- AML / KYT analytics and risk-scoring providers. [CONFIRM: name vendors]
- Custody and wallet infrastructure providers (e.g., Fireblocks where managed wallets are used by the customer).
- E-mail delivery, customer support and helpdesk tools. [CONFIRM: name vendors]
- Product and website analytics (privacy-preserving / aggregated). [CONFIRM: name vendors]
- Booking and scheduling tools (e.g., Calendly for demo bookings).
- Payments, accounting and corporate-finance tools used for our own internal operations.
- Professional advisors (legal, accounting, audit, insurance).
- Successors or acquirers in connection with a merger, acquisition, financing or sale of all or substantially all of our assets.
We disclose personal data when required by law, court order or valid request from a competent authority, and where we believe in good faith that disclosure is necessary to protect the rights, property or safety of Summer, our customers or the public.
A current list of sub-processors is available on request to support@vaultnow.co. [CONFIRM: decide whether to publish the sub-processor list at /sub-processors and link from here]
6. International transfers
We are established in Singapore. Personal data may be processed by us and our service providers in jurisdictions outside Singapore, including (without limitation) the United States and the European Economic Area. [CONFIRM: actual processing regions for hosting, AML provider, Fireblocks and analytics]
For transfers from the EEA, the UK or Switzerland we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum / the Swiss equivalent) with appropriate supplementary technical, contractual and organisational measures where required.
For PDPA cross-border transfer obligations, we take reasonable steps to ensure recipients are bound by a standard of protection comparable to PDPA.
7. Retention
We retain personal data only for as long as we need it for the purposes set out in this Policy, plus a reasonable additional period to meet legal, accounting, audit and dispute-resolution obligations.
Indicative retention windows (subject to confirmation):
- Account and profile data — for the life of the customer relationship and for [CONFIRM: e.g. 6 years] thereafter.
- Transaction records, audit logs and AML/KYT records — for the period required by applicable financial and AML rules, typically [CONFIRM: 5–7 years under SG AML].
- Support correspondence — [CONFIRM: e.g. 3 years].
- Marketing-consent records — until you withdraw consent and for a short audit period thereafter.
- Encrypted backups — retained for a limited additional period before they roll off.
8. Security
We apply technical and organisational measures appropriate to the risk, which currently include: encryption in transit (TLS), encryption at rest for data stores, strong authentication and role-based authorization, audit logging, network segregation, least-privilege staff access, vendor due-diligence, and periodic security review of our systems and providers.
For managed wallets, key material is held by the customer’s chosen institutional custody provider (e.g., Fireblocks) under their security controls; Summer does not have direct access to private keys. For bring-your-own self-custody wallets, keys remain entirely with the User.
No system is perfectly secure. We will notify affected customers of security incidents in accordance with applicable law and our contractual commitments. [CONFIRM: note any certifications in progress (e.g., SOC 2, ISO 27001) — do not list certifications we do not in fact hold]
9. Your rights
PDPA (Singapore). You have the right to request access to and correction of personal data we hold about you, and to withdraw consent for our processing. Withdrawal may affect our ability to continue providing the Service to you.
GDPR / UK GDPR. If located in the EEA or UK, you also have rights of rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with your local supervisory authority.
CCPA / CPRA (California). California residents have rights to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising these rights. As stated above, we do not sell personal information and do not share it for cross-context behavioral advertising.
To exercise these rights, e-mail support@vaultnow.co with sufficient detail to verify your identity. We will respond within the time required by applicable law.
If you are a User employed or engaged by a Summer customer, the customer is typically the controller / organisation responsible for your personal data in the Service. Please direct rights requests to your employer or customer first; we will support them in fulfilling your request.
10. Cookies
We use cookies and similar technologies on the website and application. See our Cookie Policy for the categories of cookies used and how to manage them.
11. Children's privacy
The Service is provided B2B and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact support@vaultnow.co and we will delete it.
12. Changes to this policy
We may update this Policy from time to time. Material changes will be communicated by reasonable means, such as an in-product notice or e-mail to your account address. The “Last updated” date below indicates the most recent change.
13. Contact
Controller. Digital Flow Pte. Ltd. (UEN 202350828Z).
Registered address. 68 Circular Road, #02-01, 049422, Singapore.
Privacy enquiries. support@vaultnow.co. You may also reach us via the contact page.
Last updated: 26 May 2026 (draft)