SoWidate Privacy Policy

Last updated: 27 April 2026

This Privacy Policy explains how Quotech Pte. Ltd. ("Quotech", "we", "us", or "our") collects, uses, discloses, stores, protects, transfers, retains, and otherwise processes personal data when you access or use SoWidate, including the website, application, document intake features, analysis features, reports, account features, payment features, credit features, and related services (the "Platform").

"SoWidate" refers to the product and platform made available by Quotech.

This Privacy Policy should be read together with the SoWidate Terms of Use and any written agreement between you and us.

By accessing or using the Platform, creating an account, joining a workspace, submitting a case, uploading documents, purchasing Credits, or otherwise providing personal data through the Platform, you acknowledge that personal data will be processed as described in this Privacy Policy.

If you access or use the Platform on behalf of a company, financial institution, fund manager, corporate service provider, professional firm, partnership, organization, or other legal entity, you represent that you are authorized to provide personal data to the Platform and to make decisions regarding that entity's use of the Platform.

The Platform is intended for business, institutional, commercial, professional, and internal operational use only. It is not intended for consumer, personal, domestic, or household use.

1. Scope and Roles

This Privacy Policy applies to personal data that we process in connection with the Platform.

"Personal data" means information about an identified or identifiable individual, including information contained in account records, uploaded case files, Source-of-Wealth materials, relationship manager write-ups, onboarding materials, payment records, usage records, support communications, and Platform outputs.

Where a business customer or workspace submits personal data about its clients, prospective clients, employees, representatives, beneficial owners, shareholders, directors, counterparties, connected persons, family members, professional advisers, or other individuals, that customer or workspace is responsible for ensuring that it has the required rights, notices, consents, permissions, authorizations, and lawful bases to submit, process, analyze, store, transfer, and use that data through the Platform.

To the extent we process personal data on your behalf and for your purposes, we generally act as a data intermediary, processor, service provider, or equivalent role, as applicable. You remain responsible for determining the purposes and means of processing, providing required notices, obtaining required consents or other lawful bases, and responding to individual requests where applicable.

Where we process personal data for our own business purposes, including account administration, billing, security, service improvement, product administration, compliance, and legal purposes, we may process such data as an independent organization, controller, or equivalent role, as applicable.

2. Personal Data We Collect

We may collect and process the following categories of personal data.

2.1 Account and Access Data

This may include information used to create, verify, administer, secure, and support user accounts, workspace access, user permissions, login sessions, and account preferences.

2.2 Workspace and Organization Data

This may include information about the organization, workspace, team members, user roles, permissions, administrative settings, billing status, usage status, and workspace activity.

2.3 Case and Review Data

This may include information submitted for case creation, case review, Source-of-Wealth assessment, onboarding support, compliance review, internal notes, case references, case status, customer profile information, relationship manager inputs, and related review materials.

2.4 Uploaded Materials

This may include documents, images, files, forms, statements, records, write-ups, explanations, declarations, correspondence, and other materials uploaded or submitted through the Platform.

Uploaded materials may contain sensitive, confidential, financial, tax, identity-related, professional, or third-party information. You must not upload such information unless you have the legal right and authority to do so.

2.5 Platform-Generated and Derived Data

This may include information generated, extracted, summarized, organized, classified, compared, analyzed, or otherwise derived through the Platform, including draft outputs, review notes, indicators, references, follow-up items, and reports.

2.6 Payment and Credit Data

This may include information relating to payment status, transaction references, purchased Credits, Credit usage, Credit balance, Credit expiry, adjustments, refunds, billing references, and related payment or account administration records.

We do not intentionally collect full payment card numbers directly through the Platform. Payment processing may be handled by third-party payment service providers, and payment data may be processed according to their terms and privacy notices.

2.7 Technical, Security, and Usage Data

This may include information relating to device access, browser or system environment, session activity, authentication activity, usage activity, security events, errors, diagnostics, and Platform performance.

2.8 Communications Data

This may include support requests, feedback, inquiries, service messages, user comments, marketing preferences, unsubscribe records, and other communications with us.

2.9 Aggregated, De-Identified, Desensitized, or Pseudonymized Data

We may create or process aggregated, de-identified, desensitized, pseudonymized, or otherwise privacy-protected information derived from the categories above.

De-identified or aggregated data that no longer reasonably identifies an individual may be retained and used for longer periods. Pseudonymized or desensitized data may still be treated as personal data where required by applicable law.

3. How We Use Personal Data

We may use personal data for the following purposes.

3.1 Providing and Operating the Platform

We use personal data to create and manage accounts, authenticate users, manage workspaces, configure access permissions, receive and process submitted materials, create and manage cases, generate outputs, provide Platform functionality, maintain records, and deliver related services.

3.2 Source-of-Wealth Review Support

We use personal data to support Source-of-Wealth review, document review, case analysis, internal assessment preparation, follow-up identification, report generation, and human review by authorized users.

The Platform supports user review and decision-making by the relevant customer or workspace. We do not use Submitted Content to make automated onboarding, customer acceptance, customer rejection, suspicious transaction reporting, sanctions, regulatory, legal, tax, or compliance decisions on our own behalf.

3.3 Payment, Credits, and Billing

We use personal data to process payments, allocate Credits, maintain payment and Credit records, apply Credit expiry, process eligible Credit usage, support refunds or adjustments where applicable, prevent payment abuse or fraud, and comply with accounting, tax, audit, and recordkeeping obligations.

3.4 Support, Administration, and Communications

We use personal data to provide customer support, respond to inquiries, troubleshoot issues, send service notices, send security notices, send account administration messages, send billing and Credit-related messages, communicate policy updates, manage user feedback, and operate internal administrative processes.

3.5 Security, Fraud Prevention, and Misuse Detection

We use personal data to detect, investigate, prevent, and respond to unauthorized access, misuse, fraud, abuse, suspicious activity, security incidents, and breaches of our Terms of Use. We may also use personal data to protect the Platform, users, workspaces, Submitted Content, service providers, and our legal, regulatory, commercial, and operational interests.

3.6 Product Improvement and Quality Control

We use personal data, technical data, usage data, diagnostic data, feedback, and quality-control information to improve Platform reliability, security, accuracy, usability, functionality, performance, and user experience.

Our use of Submitted Content for product improvement is subject to Section 4 below.

3.7 Legal, Regulatory, Accounting, Audit, and Contractual Purposes

We may use personal data to comply with applicable laws and regulations, respond to lawful requests, maintain accounting and tax records, support audits, resolve disputes, enforce agreements, defend claims, preserve legal rights, conduct internal reviews, and meet contractual obligations.

3.8 Marketing

We may use account and contact information to send marketing communications about SoWidate, Quotech, related services, product updates, events, offers, research, and commercial opportunities where permitted by applicable law and subject to your choices.

You may opt out of marketing communications as described in this Privacy Policy.

4. Automated Processing and Product Improvement

The Platform uses automated and technology-assisted processing to support document review, information organization, analysis, and report preparation.

This may involve processing submitted materials, user instructions, case data, and Platform outputs through our systems and selected service providers as necessary to provide, secure, support, troubleshoot, and improve the Platform.

4.1 No Fully Automated Decision-Making by Quotech

We do not use Submitted Content to make automated onboarding, customer acceptance, customer rejection, enhanced due diligence, suspicious transaction reporting, sanctions, legal, tax, regulatory, or compliance decisions on our own behalf.

The Platform provides analytical support to authorized users. The relevant customer or workspace remains responsible for human review and all decisions, actions, omissions, escalations, non-escalations, filings, and reports.

4.2 Internal Product Improvement

Unless otherwise agreed in writing, we may use usage data, technical data, error reports, performance data, diagnostic data, feedback, aggregated statistics, and non-identifying derived learnings to operate, secure, evaluate, improve, and develop the Platform.

Subject to applicable law and this Privacy Policy, we may use de-identified, aggregated, pseudonymized, desensitized, or otherwise privacy-protected information to test, evaluate, improve, and develop Platform functionality, quality controls, product features, security controls, and internal systems, provided such information does not identify you, your workspace, your customers, or any individual.

We may own or use derived know-how, configurations, methods, analytics, improvements, product learnings, and aggregated insights developed from operating, securing, supporting, or improving the Platform, provided they do not identify you, your workspace, your customers, or individuals contained in your Submitted Content.

4.3 Use of External Service Providers

We will not use your original Submitted Content to train general-purpose third-party foundation models unless you have expressly agreed, instructed us to do so, or such use is permitted under a separate written agreement.

Selected service providers may process Submitted Content, instructions, and outputs as necessary to provide Platform functionality, subject to applicable provider terms, safeguards, and configurations.

Provider capabilities, retention practices, security controls, processing locations, and policies may differ and may change from time to time.

4.4 Privacy-Protective Processing

Where technically supported, we may apply privacy-protective measures to reduce exposure of selected sensitive information during processing, storage, analysis, or review.

Important limitations:

• original uploaded materials may still contain personal data;
• some submitted narratives or documents may need to be processed in less-restricted form to support the requested review;
• automated privacy-protective measures may not detect every identifier or sensitive field;
• de-identified, desensitized, aggregated, or pseudonymized data may be retained for product improvement, quality assurance, analytics, security, or product development for longer than related operational case data where permitted by law; and
• Platform outputs must be reviewed by authorized users before reliance.

5. Customer Responsibilities

Where you or your workspace submits personal data to the Platform, you are responsible for ensuring that:

• you have the legal right and authority to submit the data;
• you have provided all required notices;
• you have obtained all required consents, permissions, authorizations, or other lawful bases;
• your use of the Platform is permitted under applicable laws and regulations;
• your use of the Platform is permitted under applicable confidentiality, banking secrecy, data protection, employment, contractual, fiduciary, professional, and regulatory obligations;
• your internal policies permit the processing, storage, transfer, and analysis of the relevant data through the Platform;
• users in your workspace are authorized to access the relevant personal data;
• access rights are promptly updated when users join, move roles, or leave;
• you do not submit data that you are not authorized to process;
• you maintain original documents, evidence, approvals, working papers, and records where required; and
• you independently review all Platform outputs before relying on them.

You are responsible for assessing whether the Platform is suitable for your intended use, including any required vendor due diligence, outsourcing assessment, technology risk assessment, information security assessment, privacy assessment, transfer assessment, internal approval, or regulatory review.

6. Information Security and Safeguards

The Platform is designed with technical and organizational safeguards intended to protect personal data and sensitive business materials.

These safeguards may include access controls, authentication controls, administrative controls, data protection measures, activity records, monitoring, and other security measures appropriate to the nature of the Platform.

These safeguards reduce risk but do not guarantee absolute security.

No system, network, storage environment, service provider, or transmission method is completely secure. Security controls, privacy settings, and monitoring measures support privacy-aware operation, but should not be read as a guarantee that every privacy or security risk is eliminated.

You are responsible for maintaining appropriate security controls on your own systems, devices, networks, accounts, credentials, downloaded files, exported reports, and user access arrangements.

7. Disclosure of Personal Data

We may disclose personal data to the following categories of recipients.

7.1 Authorized Workspace Users

We may disclose personal data to authorized users in the same workspace according to the Platform permission model.

You are responsible for determining who is authorized to access personal data within your workspace.

7.2 Quotech Personnel and Support Providers

We may disclose personal data to our personnel, contractors, advisors, professional service providers, and support providers who need access to operate, secure, support, troubleshoot, improve, or administer the Platform.

7.3 Service Providers

We may disclose personal data to selected service providers that support the Platform, including providers involved in infrastructure, security, communications, payment processing, support, analytics where implemented, processing, storage, and other operational functions.

These providers may process personal data only as needed to provide, secure, support, troubleshoot, or improve the Platform, subject to applicable contractual, technical, and organizational safeguards.

Provider locations, subprocessors, infrastructure, systems, and processing routes may change from time to time.

7.4 Payment Service Providers

We may disclose payment-related information to payment service providers for checkout, payment processing, fraud prevention, dispute handling, refunds, payment records, and related payment services.

Your payment data may be subject to the payment provider's own terms and privacy notice.

7.5 Legal, Regulatory, and Professional Recipients

We may disclose personal data to regulators, courts, law enforcement, public authorities, auditors, professional advisors, insurers, dispute resolution bodies, or other parties where required or permitted by law, regulation, legal process, contractual obligation, or legitimate business need.

7.6 Business Transfers

We may disclose personal data to parties involved in an actual or proposed business transfer, merger, financing, restructuring, investment, acquisition, sale of assets, insolvency process, or similar transaction involving all or part of Quotech or the Platform.

7.7 Other Disclosures

We may disclose personal data to other parties:

• with your consent;
• at your direction;
• as reasonably necessary to provide the Platform;
• as reasonably necessary to protect Quotech, the Platform, users, service providers, or third parties; or
• as otherwise permitted by applicable law.

8. No Sale of Personal Data

We do not sell personal data.

We do not disclose personal data to third-party marketing partners for their own independent marketing unless you have consented or applicable law permits it.

We may send marketing communications about SoWidate, Quotech, related services, product updates, events, offers, research, and commercial opportunities where permitted by applicable law and subject to your choices.

9. Cross-Border Transfers

The Platform and our service providers may process, store, access, or transfer personal data in Singapore and other jurisdictions.

Where personal data is transferred outside Singapore, we will take reasonable steps, where required by applicable law, to ensure that the transferred personal data receives a standard of protection comparable to that under applicable data protection law, including through contractual, technical, and organizational safeguards.

You are responsible for assessing whether your use of the Platform and any cross-border processing, transfer, access, storage, or disclosure of personal data through the Platform is permitted under laws, regulations, confidentiality obligations, banking secrecy obligations, outsourcing requirements, technology risk requirements, and internal policies applicable to you.

If your use of the Platform requires specific data residency, transfer, subcontractor, outsourcing, or regulatory approval arrangements, those arrangements must be agreed with us in writing.

10. Data Breach and Security Incidents

If we become aware of a data breach or security incident affecting personal data processed through the Platform, we will assess the incident and take reasonable steps to contain, investigate, and remediate it.

Where required by applicable law, we will notify affected customers, regulators, and/or individuals.

Where a business customer or workspace is primarily responsible for the affected personal data, we may notify that customer so that it can assess and perform any notification obligations applicable to it.

We may not notify you of unsuccessful attacks, scans, probes, or incidents that do not materially affect the confidentiality, integrity, or availability of personal data or the Platform.

You must promptly notify us if you become aware of any unauthorized access, credential compromise, misuse, suspected breach, or security issue involving your account, workspace, users, Submitted Content, downloaded files, exported reports, or Platform access.

11. Cookies and Similar Technologies

The Platform may use cookies, browser storage, analytics tools where implemented, device identifiers, and similar technologies to support authentication, security, preferences, Platform operation, performance analysis, product improvement, troubleshooting, and marketing attribution where implemented and permitted.

You may be able to control cookies through your browser settings. However, disabling certain cookies or similar technologies may affect Platform functionality, authentication, security, or performance.

12. Marketing Choices

We may use your account and contact information to send product updates, offers, events, research invitations, and other marketing communications about SoWidate, Quotech, or related services where permitted by applicable law.

You may opt out of marketing communications by using the unsubscribe mechanism in the message or contacting us.

We may still send non-marketing communications, including service, account, billing, Credit, security, legal, policy, technical, and transactional notices.

Where Singapore Do Not Call, anti-spam, electronic marketing, or similar laws apply, we will handle marketing communications according to applicable consent, identification, contact, and opt-out requirements.

13. Retention

We retain personal data for as long as reasonably necessary to provide the Platform, maintain accounts and workspaces, preserve case history and reports, support auditability, comply with legal and accounting obligations, resolve disputes, enforce agreements, secure the Platform, prevent fraud, support business continuity, and improve the service.

Different categories of data may have different retention periods depending on customer configuration, operational need, legal requirements, product functionality, security needs, dispute handling, and contractual arrangements.

Credit expiry does not necessarily mean deletion of related payment, ledger, case, or audit records. We may retain those records after Credits expire where needed for accounting, auditability, customer support, dispute handling, fraud prevention, legal compliance, and Platform administration.

Unless otherwise agreed or configured, operational case data may be retained while the workspace remains active and for a reasonable period thereafter for auditability, support, dispute handling, security, legal compliance, and product administration.

De-identified or aggregated data that no longer reasonably identifies an individual may be retained for longer. Pseudonymized or desensitized data may still be retained and treated as personal data where required by applicable law.

We may retain personal data for longer where necessary or permitted for legal, regulatory, accounting, tax, audit, dispute, fraud prevention, security, contractual, or business continuity purposes.

Enterprise customers may request different retention, deletion, or export arrangements under a separate written agreement.

14. Deletion, Export, and Workspace Closure

Subject to applicable law, Platform functionality, contractual arrangements, and verification of authority, a workspace administrator may request deletion or export of certain workspace data.

We may decline, delay, or limit deletion or export requests where:

• retention is required or permitted by law;
• retention is required for accounting, audit, tax, legal, regulatory, security, fraud prevention, or dispute purposes;
• the request conflicts with another customer's rights or obligations;
• we cannot verify authority;
• deletion would affect system integrity, security, or ordinary business records;
• data is contained in aggregated, de-identified, archived, backup, or system-record form;
• deletion is technically impracticable or commercially unreasonable; or
• a separate agreement provides otherwise.

Deletion from active systems may not result in immediate deletion from backups, archives, logs, or disaster recovery records. Backup and archival copies may be retained for a limited period and deleted or overwritten according to our ordinary retention and backup cycles, unless longer retention is required or permitted.

15. Access, Correction, Withdrawal, and Other Requests

Subject to applicable law and verification of your identity and authority, you may request access to, correction of, deletion of, or restriction of certain personal data. You may also withdraw consent where processing is based on consent.

Some requests may need to be made through the business customer or workspace that submitted the relevant case data. Where we process personal data on behalf of a customer or workspace, we may refer your request to that customer or workspace.

We may decline, delay, charge for, or limit requests where permitted by law, including where:

• we cannot verify your identity or authority;
• the request is excessive, unfounded, repetitive, or disproportionate;
• the data is controlled by a business customer or workspace;
• disclosure would reveal another person's personal data or confidential information;
• retention is required or permitted for legal, regulatory, audit, payment, dispute, security, fraud prevention, contractual, or business purposes;
• the data is subject to legal privilege or confidentiality obligations;
• the request would compromise security, investigation, enforcement, or system integrity; or
• applicable law allows or requires refusal.

If consent is withdrawn, we may not be able to provide some or all Platform features.

16. Customer-Controlled Data

Where a workspace uploads personal data about third-party individuals, the workspace may be the organization primarily responsible for notifying those individuals, responding to their requests, and determining whether the data should be submitted to the Platform.

If you are an individual whose data was submitted by a SoWidate customer, please first contact that customer unless you do not know who submitted your data or applicable law allows you to contact us directly.

We may not be able to respond fully to requests relating to customer-controlled data without instructions or authorization from the relevant customer or workspace.

17. Children's Data

The Platform is intended for business and professional use. It is not intended for children or for personal consumer use by minors.

Users should not submit children's personal data unless they have a lawful basis, the submission is necessary for an authorized business, compliance, legal, or regulatory purpose, and the submission is permitted under applicable law and internal policy.

18. Third-Party Links and Services

The Platform may contain links to third-party websites, platforms, services, or payment pages. Third-party services are governed by their own terms and privacy notices.

We are not responsible for the privacy, security, content, accuracy, availability, or practices of third-party websites or services that are not controlled by us.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If changes are material, we will take reasonable steps to notify users through the Platform, email, or another appropriate channel.

Continued use of the Platform after an updated Privacy Policy takes effect means you acknowledge the updated policy.

The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.

20. Contact

For privacy questions, requests, complaints, or data protection matters, contact us at:

info@sowidate.com

Attention: Data Protection Officer / Privacy Contact

You may also contact us through the contact details published on the Platform.