Qubit App – Privacy Policy (Draft)
1) Who we are
Qubit ("Qubit", "we", "us", or "our") provides the Qubit mobile and web apps and related services that enable buyers to top up a closed‑loop balance and pay participating vendors at supported events. Our contact details are in Section 15.
Primary jurisdiction: This policy is designed to comply primarily with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), and also includes provisions to help meet obligations under the EU/UK GDPR and the California Consumer Privacy Act (CCPA) where applicable.
2) What this policy covers
This policy applies to personal data we process when you:
- use Qubit as a Buyer,
- use Qubit as a Vendor (merchant) at events,
- use Qubit as an Organizer (event host/admin) via our dashboards, and/or
- visit our websites or contact our support.
3) Personal data we collect
We collect the following categories of data, depending on your role and how you use Qubit:
A. Identity & contact data
- Name, display name, profile photo
- Email, phone number, country/region, preferred language
- Government ID (only if required by law for KYC/AML at specific events – see Section 7)
B. Account & authentication
- Password (hashed) if you create a Qubit login
- Social sign‑in data when you register or log in with Google or LINE (e.g., your Google/LINE account identifier, email, name, profile photo as allowed by your consent and the provider’s APIs). We do not receive your Google or LINE passwords.
C. Wallet & transaction data (closed loop)
- Top‑ups and refunds (amount, time, method, location/event)
- Purchases with vendors (items/amounts, time, vendor, event)
- Wallet balance, voucher or promo usage
- QR code tokens used to authorize payments (rotating tokens; QR images may be generated in‑app)
D. Device & usage data
- Device identifiers, OS and app version, browser type, IP address, log data, crash reports
- Cookies and similar technologies (see Section 9)
- Approximate location (derived from IP) and, if you grant permission, precise device location to show nearby events or prevent fraud
E. Vendor & organizer data
- Business profile and contact details
- Store stall location and menu/catalog information you upload
- Event configuration data, staff/role assignments, and activity logs
F. Communications
- Support tickets, chat messages, email correspondence, call recordings (where permitted and with notice)
We collect data directly from you, automatically from your device, and from third parties (e.g., Google, LINE, payment partners, and organizers who register you for an event).
4) Why we use your data (purposes & lawful bases)
We process personal data for the purposes below under PDPA lawful bases (and GDPR equivalents):
- Provide the service & perform a contract (PDPA: performance of a contract)
  - Create and manage accounts (Buyer, Vendor, Organizer)
  - Enable top‑ups and refunds in the closed‑loop wallet
  - Generate and validate QR codes for payments
  - Show real‑time balances and receipts
  - Operate event dashboards for organizers
- Security & fraud prevention (legitimate interests / legal obligation)
  - Authenticate logins (including social sign‑in)
  - Detect suspicious activity (e.g., repeated failed scans, unusual top‑ups)
  - Prevent chargeback/abuse; protect users and vendors
- Customer support & service communications (contract / legitimate interests)
  - Respond to requests; send service and transactional messages (e.g., top‑up confirmation, receipt)
- Analytics & product improvement (legitimate interests / consent where required)
  - Measure usage; fix bugs; improve features and UI
- Marketing (consent)
  - Send newsletters or event offers where you opt in; you can opt out anytime
- Legal & compliance (legal obligation / public interest)
  - Accounting and tax; responding to regulators; KYC/AML where required by law or event rules
Where we rely on consent, you can withdraw it at any time (it won’t affect processing already done).
5) How QR payments work (closed loop)
- Buyers present a dynamic QR code in the app; vendors scan it to request payment.
- Qubit validates the token and asks the buyer to confirm the payment (in‑app). Where allowed by settings, low‑value payments may auto‑approve.
- If successful, funds move within the event’s closed loop from the buyer’s balance to the vendor’s event account; no card details are shared with the vendor.
- We log transaction metadata (time, amount, vendor, event) for receipts, disputes, and accounting.
6) When organizers can view data
Event organizers using Qubit dashboards can view and export event‑related data necessary to run the event, reconcile sales, and comply with legal obligations, such as:
- Aggregated and per‑transaction sales reports
- Buyer check‑in and wallet activity for their event only
- Vendor performance and settlement reports
Organizers must use this data only for authorized purposes under our contracts and applicable law. We do not allow organizers to access your global Qubit account outside of their event context.
7) Do we do KYC/AML checks?
For most events we do not require government ID. However, for specific events or legal requirements, we may ask for limited ID verification or watchlist checks via approved providers. If required, we will provide a clear notice and collect only the minimum data necessary.
10) International transfers
We may transfer personal data to countries outside your home country (e.g., cloud hosting regions). Where required, we use appropriate safeguards such as contractual clauses or PDPC‑approved mechanisms. You can contact us for details of specific safeguards.
11) Data retention
We keep personal data only as long as needed for the purposes in this policy, including to comply with legal, accounting, or reporting requirements, and to resolve disputes. Typical retention periods:
- Wallet & transaction records: up to 10 years (tax/accounting)
- Account data: for the life of your account, then deleted or anonymized within 90 days after closure (unless required longer by law)
- Support records: up to 3 years after resolution
12) Security
We apply industry‑standard security measures including encryption in transit, access controls, network monitoring, and regular backups. No system is 100% secure; we maintain incident response procedures and will notify you and regulators of significant breaches as required by law.
13) Your rights
Depending on your location (including under Thailand PDPA and EU/UK GDPR), you may have rights to:
- Access, correct, and delete your data
- Object to or restrict certain processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with a regulator (see Section 16)
You can exercise rights via in‑app settings or by contacting us (Section 15). We may need to verify your identity and may decline requests where an exception applies.
14) Children’s privacy
Qubit is not intended for children under 13 (or under 16 in the EEA/UK) and we do not knowingly collect their personal data without appropriate consent. If you believe a child has used Qubit without consent, please contact us.
15) How to contact us
Data Controller: Xlance Collective Co.,Ltd
Contact email: xlancecollective@gmail.com
Postal address: -
Data Protection Officer (if applicable): -
16) Complaints and regulatory contacts
If you have concerns, please contact us first. You can also contact your local data protection authority. In Thailand, this is the Office of the Personal Data Protection Committee (PDPC).
17) Changes to this policy
We may update this policy from time to time. We will post the updated version in the app and on our website and indicate the latest revision date. Significant changes will be notified via the app or email.
18) Additional notices for specific regions
A. EEA/UK GDPR
- Controller: Xlance Collective Co.,Ltd
- Legal bases: contract, legitimate interests, consent, legal obligation
- International transfers: safeguarded by standard contractual clauses (SCCs) or equivalents
- Representative (if required): -
B. California (CCPA/CPRA)
- We do not “sell” personal information as defined by CCPA. We may “share” for cross‑context behavioral advertising only with your consent; you can opt out at any time.
- Categories collected: identifiers; commercial info; internet/network activity; geolocation (if permitted); professional info (vendors/organizers). Purposes and retention as described above.
- California residents can exercise rights via Section 13.
19) Role‑based summaries
Buyers
- Data: profile, social sign‑in, wallet/balance, top‑ups, transactions, device/usage
- Use: operate closed‑loop wallet and QR payments, receipts, fraud prevention, support
- Visibility: organizers see event‑specific activity and aggregated sales; vendors see transaction receipts for their sales
Vendors
- Data: business profile, transactions, settlements, device/usage
- Use: process payments, reconcile, prevent fraud, support
- Visibility: organizers see vendor performance for their event; buyers see receipts
Organizers
- Data: admin profile, event setup, staff roles, event analytics
- Use: configure event, reconcile sales, compliance
- Visibility: access limited to their event’s scope per contracts and this policy
20) Key definitions
- Closed‑loop wallet: a stored‑value balance usable only within designated events/locations, not a general‑purpose e‑money product.
- Organizer: entity that hosts an event and contracts with Qubit to enable cashless payments and dashboards.
- Vendor: merchant approved to accept Qubit payments at an event.