Privacy policy

555GROUP PTE. LTD.(UEN: 202006462D), registered at 68 Kaki Bukit Avenue 6, #01-09, Singapore 417896 (“555”, “we”, “us”, or “our”), is the data controller for personal data collected through the 555 wallet app, the 555 merchant POS, this website, and any related services in Singapore.

We process personal data in line with the Personal Data Protection Act 2012 (PDPA) and the supervisory expectations of the Monetary Authority of Singapore (MAS) and the Personal Data Protection Commission (PDPC). Our Data Protection Officer can be reached at [email protected].

We collect only what we need to operate the service. The categories and sources are:

• Identity and contact data — name, date of birth, nationality, government-issued ID number and image, selfie for liveness, email, mobile number, and residential address (collected at wallet onboarding to satisfy KYC obligations).
• Account and authentication data — username, hashed password, device IDs, push tokens, two-factor codes, and login timestamps.
• Wallet and transaction data — top-ups, payments, refunds, loyalty point movements, the merchant counterparty, amount, currency, and timestamp of each transaction.
• Merchant data — for merchant accounts: business name, UEN/SSM number, beneficial-owner identification, settlement bank account, outlet addresses, menu and inventory data, and POS device telemetry.
• Device and technical data — IP address, device model and OS, app version, NFC capability, language, time zone, and crash logs.
• Communications — support messages, contact-form submissions, recorded voice notes when you call us, and your feedback.
• Location data — only if you enable it in the app, used to surface nearby merchants. Off by default; never used for ad targeting.

What we do not collect. We do not collect biometric templates beyond the one-time liveness selfie used for ID matching (which is deleted after KYC is completed). We do not buy personal data from third parties. We do not fingerprint diners across merchants for advertising.

We rely on the following grounds to process your personal data:

• Performance of a contract — to provide the wallet, POS, loyalty, settlement, and customer support you signed up for.
• Legal obligation — to comply with payment-services, anti-money-laundering, counter-terrorism-financing, tax, and consumer- protection law in Singapore.
• Legitimate interests — to detect and prevent fraud, secure our systems, debug, and improve the product. We balance these against your rights and you can object at any time.
• Consent — for optional things: marketing emails, non-essential cookies (see our Cookie Policy), and using your location. You can withdraw consent at any time without affecting prior processing.

We retain personal data only for as long as we have a lawful reason to, then we delete or anonymise it.

• KYC records and transaction logs — at least 5 years after account closure or transaction date, as required by AML law in Singapore.
• Tax-relevant records — typically 5–7 years from the end of the relevant financial year.
• Account profile data — for the life of the account; on closure we delete it within 30 days unless retention is legally required.
• Support communications — 24 months from the last contact.
• Server and access logs — 90 days, unless we are investigating an incident.
• Marketing preferences — until you unsubscribe, plus a suppression entry afterward so we do not contact you again.

We share personal data only where it is necessary to deliver the service or required by law. We do not sell or rent personal data. The recipients fall into these categories:

• Payment partners — card networks, acquirers, top-up processors, PayNow/DuitNow rails, and our safeguarding bank, to settle transactions.
• KYC and fraud vendors — identity-verification, sanctions- screening, and device-risk providers, under written data-processing agreements.
• Cloud and infrastructure — our hosting provider, monitoring, error tracking, and email delivery (e.g. Resend), processing data on our instructions only.
• Merchants you transact with — receive only the minimum needed: amount, timestamp, masked wallet handle, and (if you redeem loyalty) your loyalty tier. They do not receive your email or address unless you explicitly share it (e.g. delivery orders).
• Regulators, law enforcement, and courts — where we are compelled to by valid legal process or where reporting is mandatory (e.g. Suspicious Transaction Reports).
• Professional advisors — auditors, lawyers, and insurers, under confidentiality.

A current vendor list is available on request from [email protected].

Some of our processors operate outside Singapore. Where personal data leaves Singapore, we rely on contractual safeguards equivalent to those in the originating jurisdiction (Standard Contractual Clauses, the ASEAN Model Contractual Clauses, or jurisdictional adequacy), and we transfer only the minimum needed for the named purpose.

Subject to local law, you have the right to:

• Access the personal data we hold about you.
• Correct data that is inaccurate or incomplete.
• Withdraw consent for any processing that relies on it.
• Port data you provided to us in a machine-readable format.
• Delete your account and the personal data we are not legally required to retain.
• Object to processing based on legitimate interests, including direct marketing.
• Complain to the Monetary Authority of Singapore (MAS) and the Personal Data Protection Commission (PDPC) if you believe we have mishandled your data.

Exercise any of these rights from in-app settings or by emailing [email protected]. We respond within one business day and complete most requests within 30 days. Verifying your identity is the first step — we will never act on a deletion or data request without it.

All traffic to and from 555 is encrypted (TLS 1.3). Personal and payment data at rest is encrypted with AES-256. Card numbers are tokenised by our PCI-DSS certified processors — we never see or store full PAN. Production access is multi-factor, audited, and limited to staff who need it. Penetration tests and independent security reviews are conducted at least annually.

The 555 wallet is not intended for users under 16. Where a younger user is permitted (e.g. a school canteen pass) we require parental authorisation and tighten the spending controls and data we collect accordingly.

We use a small set of first-party cookies for routing, language, and security; no advertising cookies; and no cross-site tracking. Optional analytics load only after consent. Full detail in the Cookie Policy.

We update this notice when the service or the law changes. The effective date and version above is the source of truth. Material changes are communicated 14 days in advance by email and in-app notice. Continuing to use 555 after the effective date constitutes acceptance, alongside our Terms of Service.

Data Protection Officer: [email protected]
General privacy questions: [email protected]
Mailing address: 555GROUP PTE. LTD., 68 Kaki Bukit Avenue 6, #01-09, Singapore 417896.

If we cannot resolve your concern, you may complain to the Monetary Authority of Singapore (MAS) and the Personal Data Protection Commission (PDPC).