Privacy Policy

PRIVACY POLICY

Last Updated: 07 May 2026

This Privacy Policy explains how personal data is collected, used, disclosed, transferred, retained, and protected when you access or use the Akira platform, including any websites, mobile applications, web applications, interfaces, APIs, software, features, and related services made available from time to time (collectively, the “Platform”). References to “Company,” “we,” “us,” or “our” refer to Exodia Labs Sdn. Bhd. [Registration No.: 202601017485 (1679582-A)], a private company incorporated in Malaysia, and the operator of the Akira Platform. References to “you” or “User” refer to any individual or entity that accesses or uses the Platform. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

The Company is a technology platform provider. Certain services accessible through the Platform are provided directly or indirectly by independent third-party service providers, which may include issuers, program managers, bank partners, payment partners, payment network operators, card networks, wallet providers, digital asset service providers, infrastructure providers, identity verification providers, compliance service providers, fraud monitoring providers, analytics providers, and other service providers. Where personal data is processed by such third parties, their respective privacy policies, terms, compliance requirements, and data handling practices may also apply.

Personal Data We Collect
We may collect personal data that you provide directly, data generated through your use of the Platform, and data obtained from third-party sources where permitted by law.

Personal data you provide may include identifiers and onboarding information such as name, email address, phone number, date of birth, nationality, residency information, address information, government-issued identification details, photographs, biometric verification data where required by third-party service providers, account credentials, business information, beneficial ownership information, director or authorized user information, communication content, and information submitted through onboarding, support channels, forms, or provider-related flows.

Usage and technical data may be collected automatically when you access or use the Platform. This may include IP address, device identifiers, operating system, browser type, app version, access timestamps, interaction data, logs, diagnostic information, security events, crash reports, session data, referral data, and metadata relating to Platform usage. When accessing the Platform via a mobile device, this may include device IDs, mobile operating system information, device model, network information, and app permissions where applicable.

Transactional and service-related metadata may be generated in connection with Platform usage. This may include timestamps, service access records, event logs, risk indicators, transaction references, payment or transfer status indicators, virtual card or card-related metadata, wallet-related metadata, conversion-related metadata, top-up or withdrawal-related metadata, settlement-related metadata, merchant or payment category information, domestic payment rail metadata, virtual account-related metadata, and interaction records. The Company does not custody funds or digital assets and does not itself process regulated payment transactions; however, limited metadata may be processed to facilitate service access, provider integration, security, compliance coordination, dispute support, risk review, fraud prevention, and operational integrity.

We may also receive personal data from third-party service providers, compliance partners, identity verification providers, fraud prevention providers, analytics providers, infrastructure providers, payment-related providers, card-related providers, wallet-related providers, digital asset service providers, and other partners where you interact with their services through the Platform or where permitted by law.

How We Use Personal Data
We process personal data for purposes including operating and maintaining the Platform, enabling access to services, verifying identity where required, communicating with users, providing customer support, monitoring Platform performance, detecting fraud, preventing misuse, managing risk, ensuring security, complying with legal and regulatory obligations, improving products and services, conducting analytics, and supporting internal business operations.

Personal data may also be used to personalize Platform features, improve user experience, analyze trends, develop new services, and support research and development activities. Marketing communications are only sent where permitted by applicable law or with your consent, and you may opt out where required.

We may use aggregated, anonymized, or de-identified data for analytics, product development, service optimization, market research, business intelligence, reporting, model improvement, and other lawful business purposes. Such data does not identify you personally and may be used or shared where permitted by applicable law.

Automated Analysis and Artificial Intelligence
To improve the security, performance, functionality, reliability, and overall operation of the Platform, the Company may use automated systems, including machine learning or artificial intelligence–based tools, to analyze Platform usage data, transactional metadata, device information, risk indicators, and related signals. Such analysis may be used for purposes including fraud detection, risk assessment, identity verification support, sanctions screening support, transaction monitoring, dispute support, compliance reporting, provider integration, service optimization, personalization, analytics, product development, and enforcement of the Terms, subject to applicable law and this Privacy Policy.

Any automated analysis is conducted in accordance with applicable laws and does not constitute automated decision-making producing legal or similarly significant effects on users without appropriate safeguards, including human review where required. Automated systems may be assessed for accuracy, fairness, security, and compliance.

We may use Platform data, usage data, transactional metadata, risk signals, support records, and aggregated, anonymized, de-identified, or minimized data to develop, train, test, improve, and monitor internal systems, analytics tools, risk models, fraud detection tools, compliance support tools, automation features, and artificial intelligence systems, subject to applicable law and appropriate safeguards. Where reasonably practicable, we use aggregated, anonymized, de-identified, or minimized data for such purposes.

Disclosure of Personal Data
We may disclose personal data to third parties only as necessary and permitted by law, including to independent service providers that support Platform operations such as hosting, cloud infrastructure, analytics, security, fraud prevention, customer support, communications, compliance tooling, technical infrastructure, and professional advisors.

Personal data may be disclosed to independent third-party service providers that offer or support services accessible through the Platform, including virtual card services, card issuance, card program management, payment processing, acquiring, settlement, bank transfer rails, e-wallet services, QR payment systems, domestic payment rails, virtual accounts, money movement, fiat-to-digital-asset conversion, digital-asset-to-fiat conversion, digital asset liquidity, merchant services, identity verification, sanctions screening, fraud monitoring, transaction monitoring, compliance review, dispute handling, and related infrastructure services.

Personal data may also be disclosed where necessary to comply with applicable laws, regulations, sanctions requirements, provider policies, card network rules, payment network rules, issuer rules, banking partner requirements, compliance standards, onboarding requirements, supported jurisdiction rules, restricted jurisdiction rules, prohibited-use policies, transaction limits, spending restrictions, risk controls, or operational requirements.

We may disclose personal data to public authorities, regulators, courts, law enforcement agencies, tax authorities, or other competent authorities where required by law, regulation, legal process, or to protect rights, safety, security, and legitimate business interests.

In the event of a corporate transaction such as a merger, acquisition, restructuring, financing, reorganization, sale of assets, transfer of business, or similar transaction, personal data may be disclosed to relevant parties subject to appropriate safeguards.

Cross-Border Data Transfers
Personal data may be transferred, stored, or processed in jurisdictions outside your country of residence, including where our service providers, infrastructure providers, partners, or third-party service providers operate. Where such transfers occur, we implement appropriate safeguards designed to protect personal data in accordance with applicable data-protection laws.

Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal and regulatory obligations, satisfy provider-related compliance or operational requirements, resolve disputes, support investigations, enforce agreements, maintain security, and protect legitimate business interests. Retention periods may vary depending on the nature of the data, the relevant service, applicable laws, provider requirements, and operational needs. When personal data is no longer required, it is securely deleted, anonymized, or otherwise handled in accordance with applicable law.

Where personal data is collected or processed in connection with Third-Party Services, the Company may retain relevant records, metadata, verification status, service access records, support records, compliance coordination records, and integration records for as long as necessary to support Platform operations, security, fraud prevention, dispute handling, provider coordination, legal compliance, audit purposes, and legitimate business interests, subject to applicable law. Where necessary for compliance, security, fraud prevention, dispute handling, audit, provider coordination, or legal purposes, such records may include copies or extracts of information submitted through the Platform, subject to applicable law, access controls, retention limits, and security safeguards.

Security Measures
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include access controls, encryption, monitoring, logging, security reviews, vendor controls, and security assessments. However, no system can guarantee absolute security, and residual risks may remain.

Your Rights
Subject to applicable law, you may have rights in relation to your personal data, including the right to access, correct, update, object to processing, request restriction, request deletion, withdraw consent where applicable, and request data portability. Requests may be subject to identity verification, security checks, legal limitations, regulatory obligations, provider requirements, and retention requirements.

Where personal data is processed by third-party service providers acting as independent controllers, requests relating to that processing may need to be directed to the relevant provider.

Children
The Platform is not intended for individuals under the age of eighteen (18) or the age of majority in their jurisdiction. We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will take appropriate steps to delete it where required by applicable law.

Third-Party Links and Services
The Platform may contain links, integrations, APIs, hosted flows, SDKs, redirects, or access points to third-party websites, services, applications, providers, or infrastructure not operated by the Company. This Privacy Policy does not apply to those third parties, and we encourage you to review their privacy policies and terms before interacting with them.

Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes become effective when posted on the Platform. Continued use of the Platform after an update constitutes acknowledgement of the revised Privacy Policy.