Last Updated: April 2026

Hashira FinTech Private Limited (“Hashira”, “we”, “our”, or “us”) is committed to protecting your personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”) and the Digital Personal Data Protection Act 2023 of India (“DPDPA”), as applicable. This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data when you visit our website at www.hashira-fintech.com or otherwise engage with our services.

1. Personal Data We Collect

When you interact with our website or services, we may collect the following categories of personal data:

1.1 Information you provide directly

• Your name
• Email address
• Phone number
• Company or organisation name and your role
• Country or region of residence
• Any other information you voluntarily provide through our contact forms, enquiry submissions, or correspondence

1.2 Information collected automatically

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent, and referring URL
• Date and time of access
• Device identifiers and similar technical data

1.3 Information from career applications

If you apply for a position with us, we may also collect your employment history, qualifications, references, identification documents (such as passport details where required), and any other information you choose to share in your application or curriculum vitae.

2. How We Collect Your Data

We collect personal data through the following means:

• Contact and enquiry forms: When you submit a request through our website.
• Email correspondence: When you email us directly at [email protected].
• Telephone: When you call us at (+65) 6818 6023.
• Career applications: When you apply through our Careers section or submit a CV.
• Cookies and similar technologies: Through your interaction with our website (see Section 10).
• Third-party sources: Where permitted by law, from publicly available sources or business networks (e.g., LinkedIn) for legitimate business purposes such as recruitment or partnership outreach.

3. Purposes for Collecting and Using Your Data

We collect and use your personal data for the following purposes:

• To respond to your enquiries and service requests
• To provide information about our consulting and banking IT services
• To negotiate, enter into, and perform service contracts with our clients
• To process and evaluate career applications
• To communicate with you regarding our services and operational matters
• To comply with applicable laws, regulations, and legitimate requests from public authorities
• To investigate, prevent, and address security incidents, fraud, or unauthorised use of our website
• To improve our website, services, and customer experience
• To send marketing communications, where you have consented (see Section 11)

4. Legal Basis for Processing

We process your personal data on the following legal grounds:

• Consent: Where you have given your express or deemed consent (PDPA), or your free, specific, informed, and unambiguous consent through clear affirmative action (DPDPA).
• Contractual necessity: Where processing is required to enter into or perform a contract with you or your organisation.
• Legal obligation: Where processing is required to comply with applicable laws or regulatory requirements.
• Legitimate interests: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights or freedoms.
• Specified legitimate uses (DPDPA): For purposes recognised under Section 7 of the DPDPA, including responding to medical emergencies, employment-related processing, and certain functions of the State as applicable.

5. Disclosure of Personal Data

We do not sell, rent, or trade your personal data to any third parties. We may disclose your personal data to:

• Hashira group entities: Including Hashira FinTech India Private Limited, our Chennai-based subsidiary, for shared business operations and centralised functions.
• Authorised service providers: Including hosting providers, email service providers, IT support, and analytics partners, all bound by confidentiality and data protection obligations.
• Professional advisors: Including legal, audit, and tax advisors, where necessary.
• Regulatory and legal authorities: Where required by law, court order, or valid request from public authorities.
• Successors in interest: In connection with a merger, acquisition, restructuring, or sale of all or part of our business, subject to the receiving party honouring the terms of this Privacy Policy.

6. Cross-Border Data Transfers

As a group operating across Singapore and India, your personal data may be transferred between our entities for the purposes set out in Section 3. We take reasonable steps to ensure that any cross-border transfer is conducted in accordance with applicable law:

• Transfers from Singapore are conducted in accordance with PDPA Section 26 and the Personal Data Protection Regulations 2021, ensuring that the recipient is bound by legally enforceable obligations to provide a comparable standard of protection.
• Transfers from India are conducted in accordance with Section 16 of the DPDPA and any restrictions notified by the Central Government from time to time.

Where required, we use Standard Contractual Clauses or other approved transfer mechanisms to safeguard your data during international transfers.

7. Protection of Personal Data

We implement reasonable technical and organisational security measures to protect your personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include:

• SSL/TLS encryption for data transmission
• Web application firewall and bot protection at the network edge
• Multi-factor authentication for administrative access
• Role-based access controls and least-privilege principles
• Regular security reviews, patching, and vulnerability management
• Confidentiality obligations on all personnel and service providers

However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in significant harm to you or affects a number of individuals that meets the prescribed threshold under applicable law, we will:

• Notify the Personal Data Protection Commission of Singapore (PDPC) within 3 calendar days of assessing the breach as notifiable, in accordance with the PDPA’s Data Breach Notification obligation.
• Notify the Data Protection Board of India and affected Data Principals as required under Section 8(6) of the DPDPA.
• Notify affected individuals as soon as reasonably practicable, with information on the nature of the breach, likely consequences, and steps you can take to protect yourself.

9. Retention of Personal Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations. Indicative retention periods include:

• Website enquiry data: Up to 24 months from last contact, unless an ongoing business relationship requires longer retention.
• Client contract and project records: 7 years from contract termination, in line with statutory record-keeping requirements.
• Career application data: 12 months from application date for unsuccessful applicants; for successful candidates, retained per employment record obligations.
• Marketing consent records: Until consent is withdrawn, plus a reasonable period thereafter to evidence compliance.
• Web server logs: Up to 12 months for security and audit purposes.

When your personal data is no longer needed, we will dispose of it in a secure manner.

10. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to ensure proper functionality and to improve your experience. We use the following categories:

• Strictly necessary cookies: Required for the website to function (e.g., session management, security, cookie consent preferences). These cannot be disabled.
• Functional cookies: Remember preferences and choices you make to enhance your experience.
• Analytics cookies: Help us understand how visitors interact with our website. Used only with your consent.

A cookie consent banner is displayed upon your first visit, allowing you to accept, reject, or manage your preferences. You may also configure your browser to reject cookies, although this may affect your experience on our website.

11. Marketing Communications

We may send you marketing communications about our services where you have provided consent or where permitted under applicable law. You may withdraw your consent or opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email we send you
• Emailing us at [email protected] with the subject “Unsubscribe”

For Singapore residents, our practices comply with the Do Not Call Provisions of the PDPA. We will not send telemarketing messages, calls, or faxes to a Singapore telephone number registered with the Do Not Call Registry without obtaining clear and unambiguous consent.

12. Your Rights as a Data Subject

Subject to applicable law, you have the following rights in relation to your personal data:

• Access: Request access to the personal data we hold about you and information on how it has been used.
• Correction: Request corrections to any inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful (DPDPA Section 12).
• Withdrawal of consent: Withdraw your consent for the collection, use, or disclosure of your personal data at any time, subject to legal and contractual restrictions. Withdrawal of consent may affect our ability to provide certain services to you.
• Data portability: Request a copy of your data in a commonly used machine-readable format, where applicable.
• Grievance redressal (DPDPA): Indian Data Principals may submit grievances to our Data Protection Officer (Section 14). If unresolved, you may approach the Data Protection Board of India.
• Nomination (DPDPA): Indian Data Principals may nominate another individual to exercise these rights in the event of death or incapacity.

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 14. We will respond to your request within 30 calendar days, or such other timeframe as required by applicable law.

13. Children’s Personal Data

Our website and services are not directed at children. We do not knowingly collect personal data from individuals under the age of 18.

For Indian Data Principals, in accordance with Section 9 of the DPDPA, we will not process personal data of any individual under the age of 18 without verifiable consent from a parent or lawful guardian, and we will not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If you become aware that a child has provided personal data to us, please contact us so that we can take appropriate action.

14. Data Protection Officer

In accordance with Section 11(3) of the PDPA, we have designated a Data Protection Officer to oversee compliance with this Privacy Policy and to handle queries or complaints relating to personal data. The same office serves as the point of contact for grievance redressal under the DPDPA for our Indian operations.

15. Third-Party Links

Our website may contain links to third-party websites, including our company page on LinkedIn. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party websites you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any updates will be posted on this page with a revised “Last Updated” date at the top. Material changes will be communicated through prominent notice on our website or, where appropriate, by direct communication. Your continued use of our website following an update constitutes your acceptance of the revised policy, subject to applicable consent requirements.

17. Contact Us

For general enquiries about this Privacy Policy, you may contact us at the addresses below. For data protection enquiries specifically, please use the Data Protection Officer contact in Section 14.