Sambapay Privacy Policy

Omni Matrix Pte Ltd, Singapore, doing business as “Sambapay”

Last updated: 01.03.2026

1. Introduction

This Privacy Policy describes how Omni Matrix Pte Ltd, operating under the brand Sambapay (“Sambapay”, “we”, “us”, or “our”), collects, uses, discloses, processes, and protects personal data in accordance with the Singapore Personal Data Protection Act 2012 (“PDPA”) and applicable data protection laws.

Sambapay operates as an Independent Sales Organisation (ISO), facilitating merchant onboarding and payment services for businesses in Singapore.

2. Scope

This Policy applies to:

  • Merchants and prospective merchants
  • Employees and contractors
  • Website users and business contacts
  • Any individual whose personal data is processed by Sambapay

3. Types of Personal Data Collected

We may collect and process the following categories of personal data:

  • Identification data (name, NRIC/passport, date of birth)
  • Contact details (email, phone number, address)
  • Business information (company details, ACRA data, ownership structure)
  • Financial information (bank account details, transaction data)
  • KYC/AML documentation (identity verification, beneficial ownership)
  • Employment-related data (for staff and agents)
  • Technical data (IP address, device data, website usage)

We do not intentionally collect sensitive personal data unless required for regulatory compliance.

4. Purpose of Collection, Use and Disclosure

Personal data is collected and used for the following purposes:

  • Merchant onboarding and account setup
  • Identity verification and KYC/AML compliance
  • Submission of applications to Fiserv and associated partners
  • Provision of payment and POS services
  • Fraud prevention and risk management
  • Customer support and relationship management
  • Compliance with legal and regulatory obligations
  • Internal business operations, analytics and reporting
  • Marketing (only where consent has been obtained)

We only process personal data where there is a legitimate business or legal basis.

5. Disclosure of Personal Data

We may disclose personal data to:

  • Fiserv Merchant Solutions Pte Ltd (acquirer and processor)
  • Payment networks (Visa, Mastercard, etc.)
  • KYC/AML providers (e.g. MVSI and verification platforms)
  • Financial institutions and banking partners
  • IT service providers and cloud infrastructure providers
  • Professional advisors (legal, compliance, audit)
  • Regulatory authorities where required by law

All third parties are contractually bound to comply with data protection obligations.

6. Data Security Measures

Sambapay implements appropriate organisational and technical safeguards to protect personal data, including:

  • Encryption of data at rest and in transit
  • Secure access controls and authentication systems
  • Role-based access limitations
  • Secure cloud infrastructure (e.g. AWS or equivalent)
  • Regular system monitoring and vulnerability assessments
  • Internal policies on data handling and confidentiality

We take reasonable steps to prevent unauthorised access, disclosure, or misuse of personal data.

7. Retention and Deletion Policy

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

  • Regulatory retention requirements (e.g. AML laws)
  • Contractual obligations
  • Dispute resolution and legal compliance

Typical retention:

  • KYC/AML data: 5–7 years after relationship ends
  • Transaction data: as required by financial regulations
  • Marketing data: until consent is withdrawn

Data is securely deleted or anonymised once no longer required.

8. Data Subject Rights

Individuals have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Withdraw consent (where applicable)
  • Request deletion where legally permissible

Requests can be submitted via the contact details below. We respond within reasonable timeframes in accordance with the PDPA.

9. Privacy Notice

All data subjects are provided with a Privacy Notice at the point of data collection, explaining:

  • What data is collected
  • Why it is collected
  • How it will be used and shared

This ensures transparency and informed consent.

10. Employee Training

All employees and relevant contractors:

  • Receive privacy and data protection training upon onboarding
  • Undergo periodic refresher training
  • Are subject to confidentiality obligations

Training includes:

  • PDPA compliance
  • Data handling procedures
  • Security awareness
  • AML/KYC data sensitivity

11. Data Protection Officer (DPO)

Sambapay has appointed a Data Protection Officer responsible for:

  • Ensuring compliance with PDPA
  • Handling data protection inquiries
  • Reporting to senior management

Contact:
Email: privacy@sambapay.com

The DPO has direct access to company leadership where required.

12. Data Breach and Incident Response

Sambapay maintains a documented incident response process:

  • Immediate containment and assessment of breaches
  • Notification to relevant authorities where required
  • Notification to affected individuals where necessary
  • Maintenance of incident logs and records
  • Post-incident review and remediation

13. Monitoring Legal and Regulatory Changes

We maintain procedures to monitor changes in:

  • Singapore PDPA
  • Payment industry regulations
  • AML/KYC requirements

Policies are reviewed periodically and updated accordingly.

14. Third-Party Data Processing Agreements

All third-party service providers that process personal data on our behalf:

  • Are subject to contractual data protection obligations
  • Must implement appropriate security measures
  • Are reviewed periodically

15. Special Categories of Data

Where special categories of data are processed (e.g. identity documents):

  • Additional access restrictions apply
  • Enhanced encryption and storage controls are implemented
  • Processing is limited strictly to compliance purposes

16. International Data Transfers

Where personal data is transferred outside Singapore:

  • Adequate protection measures are implemented
  • Transfers comply with PDPA requirements
  • Contractual safeguards are in place

17. Complaints Handling

Individuals may raise complaints regarding personal data handling via:

Email: privacy@sambapay.com

We aim to:

  • Acknowledge complaints within 2 business days
  • Resolve complaints within 10–30 days depending on complexity

All complaints are logged and reviewed internally.

18. Updates to This Policy

This Privacy Policy is reviewed periodically and updated as required.

The latest version will always be available on our website.

19. Contact Information

Omni Matrix Pte Ltd (Sambapay)
133 Cecil Street
#14-01 Keck Seng Tower
Singapore 069535

Email: contact@sambapay.com