Privacy Policy

1. Introduction

Fusion Link ("we", "us", or "our") operates a B2B chauffeur marketplace platform connecting professional drivers with ground transportation vendors in Singapore, Malaysia, United States, Canada, Mexico, United Kingdom, Ireland, France, Germany, Switzerland, Netherlands, Austria, Belgium, Luxembourg, Spain, Italy, Portugal, Greece, Croatia, Sweden, Norway, Finland, Denmark, Iceland, Poland, Czech Republic, Hungary, Bulgaria, Australia, New Zealand, Japan, Korea, Hong Kong, China, Thailand, India, United Arab Emirates, Saudi Arabia, Qatar, Israel, Egypt, South Africa, Nigeria, Brazil, Argentina, and Peru. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website and mobile applications.

This policy addresses our obligations under the Personal Data Protection Act 2012 (Singapore), the Personal Data Protection Act 2010 (Malaysia), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state and federal privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP, 2010), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (Ireland), the General Data Protection Regulation (GDPR) and the French Loi Informatique et Libertés, the General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG), the Federal Act on Data Protection (revFADP, 2023 revision) (Switzerland), the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet AVG (UAVG), the General Data Protection Regulation (GDPR) and the Austrian Datenschutzgesetz (DSG), the General Data Protection Regulation (GDPR) and the Belgian Data Protection Act, the General Data Protection Regulation (GDPR) and the Luxembourg Loi du 1er août 2018, the General Data Protection Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) (Spain), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Codice in materia di protezione dei dati personali (Legislative Decree 196/2003, as amended) (Italy), the General Data Protection Regulation (EU) 2016/679 (GDPR) and Lei n.º 58/2019 (Portugal), the General Data Protection Regulation (EU) 2016/679 (GDPR) and Law 4624/2019 (Greece), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Implementation Act (Croatia), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Swedish Data Protection Act (Dataskyddslagen), the General Data Protection Regulation (EU) 2016/679 (GDPR), as incorporated through the EEA Agreement, and the Norwegian Personal Data Act (Personopplysningsloven), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Finnish Data Protection Act (Tietosuojalaki), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven), the General Data Protection Regulation (EU) 2016/679 (GDPR), as incorporated through the EEA Agreement, and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018, the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act of 10 May 2018 (Poland), the General Data Protection Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll., on the Processing of Personal Data (Czech Republic), the General Data Protection Regulation (EU) 2016/679 (GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act) (Hungary), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act (Bulgaria), the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Privacy Act 2020 (New Zealand), the Act on the Protection of Personal Information (APPI, 2003, as amended in 2022) (Japan), the Personal Information Protection Act (PIPA, 2011, as amended in 2023) (Republic of Korea), the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong), the Personal Information Protection Law (PIPL, 2021) (People's Republic of China), the Personal Data Protection Act B.E. 2562 (2019) (Thailand), the Digital Personal Data Protection Act 2023 (India), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), the Personal Data Protection Law (PDPL, 2023) (Kingdom of Saudi Arabia), Law No. 13 of 2016 concerning Personal Data Protection (Qatar), the Protection of Privacy Law 5741-1981 and the Protection of Privacy Regulations (Data Security) 2017 (Israel), the Personal Data Protection Law (Law No. 151 of 2020) (Egypt), the Protection of Personal Information Act 4 of 2013 (POPIA) (South Africa), the Nigeria Data Protection Act 2023 (Nigeria), the Lei Geral de Proteção de Dados Pessoais (LGPD, Law 13.709/2018), the Personal Data Protection Law (Law 25.326, Argentina), and the Personal Data Protection Law (Law 29733, Peru) and its Regulations (Supreme Decree 003-2013-JUS). Where we operate in additional jurisdictions, this policy will be updated to reflect applicable local requirements.

Your use of the platform is also governed by our Terms of Service.

2. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our compliance with applicable data protection laws. For any questions about how we handle your personal data, or to exercise your data protection rights, you may contact our DPO at:

3. Information We Collect

3.1 Account Information

When you register for an account, we collect:

• Full name and contact details
• Phone number (used for authentication via OTP verification)
• Email address
• Profile photo
• Driver-specific information: driving licence details, vocational licence details, vehicle information, and identity documents
• Bank account and instant-pay details for payment processing

3.2 Location Data

We collect GPS location data when you are actively using the platform to perform jobs. Location data is used for job verification, checkpoint tracking, and ensuring accurate service delivery records. Location tracking is only active during job execution and is not collected in the background when you are not on an active job.

3.3 Photos and Media

We collect photos taken through the platform for job checkpoint verification (e.g., proof of pickup and drop-off). These images may include GPS metadata and timestamps embedded as watermarks. Images are stored securely on Cloudflare R2 storage infrastructure with encryption at rest and in transit.

3.4 Device Information

We automatically collect certain device information, including device type, operating system, browser type, and push notification tokens for delivering service notifications.

3.5 Usage Data

We collect information about how you interact with the platform, including pages visited, features used, job history, and timestamps of activity.

4. How We Use Your Information

We use your personal data for the purposes listed below. For each purpose, the legal basis on which we rely (for users in GDPR/UK GDPR/Swiss FADP jurisdictions) is shown in brackets:

• Authenticate your identity and manage your account [contractual necessity]
• Facilitate job matching between drivers and vendors [contractual necessity]
• Verify job completion through GPS location and photo evidence [contractual necessity; legitimate interests in fraud prevention and dispute resolution]
• Send transactional push notifications about job assignments and status updates [contractual necessity]
• Process wallet transactions and maintain financial records [contractual necessity; legal obligation for tax and bookkeeping retention]
• Improve, develop, and optimise the platform, its features, and related products and services by analysing aggregated, de-identified, or pseudonymised usage data [legitimate interests]
• Conduct analytics, research, statistical analysis, quality assurance, and evaluation of internal tooling on aggregated or de-identified data [legitimate interests]
• Comply with legal, regulatory, and tax obligations and resolve disputes [legal obligation; legitimate interests]
• Defend Fusion Link in any claim, investigation, or regulatory action, including by retaining and producing records as evidence [legitimate interests in establishing, exercising, or defending legal claims]
• Ensure the security and integrity of the platform and prevent fraud [legitimate interests; legal obligation where applicable]

Photographs and trip evidence. Checkpoint photos may incidentally capture identifiable individuals. We process these images strictly for verification, fraud prevention, and dispute resolution as described above; we do not use them for biometric identification or facial recognition. Where any image, document, or data could constitute a special category of personal data under Art. 9 GDPR (or equivalent), we rely on your explicit consent given at registration and on the necessity of processing for the establishment, exercise, or defence of legal claims.

Automated decisions. Some decisions on the Platform — including initial job-matching between drivers and vendors, and routine fraud-risk scoring of transactions — may be made on a solely automated basis within the meaning of Art. 22 GDPR. Such automated processing is necessary for entering into and performing the marketplace contract you have with us (Art. 22(2)(a) GDPR). You have the right to obtain human intervention, to express your point of view, and to contest any such decision by contacting our Data Protection Officer using the details in Section 2. Decisions with material consequence to your account (suspension, termination, dispute outcomes) are reviewed by a human before taking effect.

5. Legal Basis and Consent

We process your personal data on the following legal bases:

• Consent: We obtain your consent before collecting and processing your personal data during account registration. You may withdraw consent at any time, subject to legal and contractual restrictions.
• Contractual necessity: Certain data processing is necessary to provide the services you have requested, such as job matching, payment processing, and checkpoint verification.
• Legitimate interests: We may process data to improve our services, prevent fraud, and ensure platform security, where these interests do not override your data protection rights.
• Legal obligations: We process data as required by applicable law, including financial record-keeping and regulatory compliance.

For users in Malaysia, we note that processing of sensitive personal data (as defined under Section 40 of the PDPA 2010) requires explicit consent, which we obtain separately where applicable.

For users in the United States, certain categories of sensitive personal information (as defined under the CPRA) are processed only for the limited purposes permitted by law, and you may direct us to limit such use where applicable.

For users resident in Quebec, additional rights and obligations may apply under An Act respecting the protection of personal information in the private sector (Law 25), and we will honor those rights in accordance with applicable law.

For users in Mexico, processing of sensitive personal data (as defined under the LFPDPPP) requires your express written consent, which we obtain separately where applicable.

For users in Japan, we note that handling of special care-required personal information (yō-hairyo kojin jōhō) under Article 2(3) of the APPI requires the prior consent of the individual, which we obtain separately where applicable.

For users in the Republic of Korea, we note that processing of sensitive information (as defined under Article 23 of PIPA) and unique identifying information (Article 24) requires separate, explicit consent, which we obtain independently from general consent where applicable.

For users in the People's Republic of China, we note that processing of sensitive personal information (as defined under Article 28 of PIPL) requires separate consent, a specified necessity, and a personal information protection impact assessment, which we conduct independently where applicable.

For users in the UAE, we note that the financial free zones (DIFC and ADGM) operate under separate data-protection regimes. Where your personal data is processed within those free zones, the applicable free-zone law governs in addition to, or in place of, the federal PDPL.

6. Data Sharing

We may share your information with:

• Vendors: When a driver accepts a job, relevant driver information (name, contact details, vehicle information) is shared with the assigning vendor to facilitate service delivery.
• Service Providers: We use third-party services including Google Cloud Platform (Firebase) for authentication and data storage, Cloudflare R2 for media storage, Twilio for OTP verification, Stripe for payment processing, and Sentry for crash reporting and error monitoring. Sentry may receive technical diagnostic data including device information, IP address, and user identifiers to help us identify and resolve application errors. These providers process data on our behalf under strict contractual obligations.
• Legal Requirements: We may disclose information when required by law, regulation, or legal process, or to protect the rights, property, or safety of Fusion Link, our users, or others.

We do not sell your personal data to third parties.

7. Cross-Border Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside of your country of residence, including but not limited to the United States, as part of our use of cloud infrastructure providers. Specifically:

• Google Cloud Platform (Firebase): Account data, authentication records, and application data are stored on Google Cloud infrastructure.
• Cloudflare R2:Photos and media files are stored on Cloudflare's globally distributed storage network.
• Twilio: Phone numbers are processed for OTP delivery.
• Stripe: Payment card details and transaction data are processed for customer booking payments.
• Sentry: Crash reports and error diagnostics, which may include device information, IP address, and user identifiers, are processed for application stability monitoring.

We ensure that cross-border transfers are protected by appropriate safeguards, including (as applicable to the destination and the data subject):

• The European Commission's Standard Contractual Clauses (SCCs, Commission Decision 2021/914) for transfers from the EEA
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the United Kingdom
• The Swiss SCC addendum approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers from Switzerland
• Reliance on a recipient's certification under the EU-US Data Privacy Framework (DPF), UK Extension to the DPF, or Swiss-US DPF where the recipient (such as Google Cloud, Cloudflare, Stripe, or Sentry) is certified
• Transfer Impact Assessments (TIAs) where required by EDPB Recommendations 01/2020
• Contractual data-processing agreements (Art. 28 GDPR) with all third-party providers
• Encryption of data in transit (TLS) and at rest
• Access controls ensuring only authorised personnel can access personal data

For Singapore users: Cross-border transfers comply with the Transfer Limitation Obligation under Part IV, Division 5 of the PDPA 2012. We ensure receiving parties provide a comparable standard of data protection.

For Malaysia users: Cross-border transfers comply with Section 129 of the PDPA 2010. We take reasonable steps to ensure that the recipient country provides an adequate level of protection for your personal data.

For United States users: Personal information may be processed in jurisdictions outside of the United States. Where transfers occur, we take reasonable steps to ensure the receiving party maintains a level of protection consistent with applicable U.S. state privacy laws and our contractual safeguards.

For Canada users: Personal information may be transferred to and processed in jurisdictions outside of Canada. We use contractual and organizational safeguards to ensure a comparable level of protection consistent with PIPEDA and applicable provincial privacy laws.

For Mexico users: Cross-border transfers of personal data are carried out in accordance with the LFPDPPP and its Regulations. We require recipients to assume the same obligations set out in our Privacy Notice and to provide an adequate level of protection for your personal data.

For United Kingdom users: Cross-border transfers of personal data outside the United Kingdom are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR (as retained in UK law), together with the UK International Data Transfer Agreement (IDTA) or the UK Addendum where applicable.

For Ireland users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For France users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Germany users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Switzerland users: Cross-border transfers of personal data are made only to countries providing an adequate level of protection as recognised by the Swiss Federal Council, or otherwise subject to appropriate safeguards under the revFADP (such as standard contractual clauses or binding corporate rules).

For Netherlands users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Austria users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Belgium users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Luxembourg users: Cross-border transfers of personal data outside the European Economic Area are safeguarded through Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR. We carry out transfer impact assessments where required.

For Spain users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Italy users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Portugal users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Greece users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Croatia users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Sweden users: Cross-border transfers outside the European Economic Area are made on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR.

For Norway users: Cross-border transfers outside the European Economic Area are made on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR.

For Finland users: Cross-border transfers outside the European Economic Area are made on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR.

For Denmark users: Cross-border transfers outside the European Economic Area are made on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR.

For Iceland users: Cross-border transfers outside the European Economic Area are made on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR.

For Poland users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Czech Republic users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Hungary users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Bulgaria users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

For Australia users: Cross-border disclosures comply with Australian Privacy Principle 8 (APP 8) under the Privacy Act 1988. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information.

For New Zealand users: Cross-border disclosures comply with Information Privacy Principle 12 (IPP 12) under the Privacy Act 2020. We only disclose personal information to a recipient outside New Zealand where the recipient is subject to comparable safeguards, or where another lawful basis under IPP 12 applies.

For Japan users: Cross-border transfers comply with Article 28 of the APPI. We rely on the consent of the individual, transfer to a country recognised by the Personal Information Protection Commission (PPC) as having an equivalent level of protection, or contractual safeguards that ensure the recipient implements measures equivalent to the APPI.

For Korea users: Cross-border transfers comply with Article 28-8 of PIPA. We rely on the separate consent of the data subject, a transfer agreement certified by the Personal Information Protection Commission (PIPC), or another lawful basis recognised under PIPA. We disclose the recipient, purpose, items and retention period before transfer.

For Hong Kong users: To the extent Section 33 of the Personal Data (Privacy) Ordinance (PDPO) restricting cross-border transfers is in force, we comply with it. Otherwise, and in any case, we voluntarily apply the safeguards set out in the PCPD's Guidance on Personal Data Protection in Cross-border Data Transfer, including contractual measures with recipients outside Hong Kong.

For China users: Cross-border transfers comply with Articles 38 to 39 of PIPL. We rely on one of the prescribed mechanisms — a security assessment organised by the Cyberspace Administration of China (CAC), certification by a CAC-accredited body, or execution of the CAC standard contract for cross-border transfers — and obtain the data subject's separate consent where required.

For Thailand users: Cross-border transfers comply with Sections 28 and 29 of the PDPA B.E. 2562. We transfer personal data only to destinations that provide adequate data-protection standards, or under appropriate safeguards approved by the Personal Data Protection Committee (PDPC).

For India users: Cross-border transfers are made in accordance with Section 16 of the DPDPA 2023. We transfer personal data outside India only to countries that have not been restricted by the Central Government for such transfers.

For United Arab Emirates users: Cross-border transfers comply with Articles 22 and 23 of the UAE PDPL. We transfer personal data outside the UAE only to jurisdictions recognised as providing an adequate level of protection, or where appropriate safeguards (including contractual clauses and explicit consent) are in place.

For Saudi Arabia users: Cross-border transfers comply with Article 29 of the Saudi PDPL and its Implementing Regulations. We transfer personal data outside the Kingdom only to jurisdictions providing an adequate level of protection as determined by the Saudi Data and Artificial Intelligence Authority (SDAIA), or under approved safeguards.

For Qatar users: Cross-border transfers comply with Law No. 13 of 2016 and the guidance issued by the Compliance and Data Protection Department (CDP). We take reasonable measures to ensure that personal data transferred outside Qatar continues to be protected to a comparable standard.

For Israel users: Cross-border transfers of personal data comply with the Protection of Privacy Regulations (Transfer of Data to Databases Abroad) 2001. We only transfer data to jurisdictions that ensure a level of protection no lesser than that provided under Israeli law, or where another permitted basis under the Regulations applies.

For Egypt users: Cross-border transfers of personal data comply with Chapter 4 of the Personal Data Protection Law (Law No. 151 of 2020). We only transfer data outside Egypt to jurisdictions that provide a level of protection no less than that required under Egyptian law, and with a licence or permit from the Personal Data Protection Center where required.

For South Africa users: Cross-border transfers of personal information comply with Section 72 of POPIA. We only transfer personal information to a recipient outside South Africa where the recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection substantially similar to POPIA, or where another condition under Section 72 is satisfied.

For Nigeria users: Cross-border transfers of personal data comply with Sections 41 to 43 of the Nigeria Data Protection Act 2023. We only transfer data outside Nigeria where the recipient jurisdiction or recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection, or where another lawful basis under the Act applies.

For Brazil users: Cross-border transfers comply with Article 33 of the LGPD. International transfers of personal data are only carried out where the destination country provides an adequate level of protection (as recognised by the ANPD), or where appropriate contractual safeguards or another specific legal basis under the LGPD applies.

For Argentina users: Cross-border transfers comply with Law 25.326 and the resolutions of the Agencia de Acceso a la Información Pública (AAIP). Argentina benefits from a European Union adequacy decision, and transfers to other jurisdictions are made only where the destination country provides an adequate level of protection or where appropriate contractual safeguards are in place.

For Peru users: Cross-border transfers comply with Law 29733 and Supreme Decree 003-2013-JUS. International transfers of personal data are only carried out to jurisdictions that provide adequate levels of protection, or where appropriate contractual safeguards or another lawful basis under the Peruvian data protection framework applies.

8. Data Retention

We retain your personal data for as long as is reasonably necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law, by a contractual obligation, or for legitimate business purposes such as fraud prevention, dispute resolution, enforcement of our Terms, or tax, accounting, and regulatory compliance. The specific retention period for any category of data depends on the nature of the data, the purpose for which it is processed, the risk of harm from unauthorised disclosure, and the applicable legal and regulatory retention requirements in the jurisdictions where we operate.

When you delete your account, we will take reasonable steps to remove or anonymise your personal data without undue delay and in any event within one (1) month of receiving your request (extendable by up to two further months for complex requests, with notice and reasons), except where retention is required or permitted as described above.

9. Data Security

We take reasonable technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, Firebase Auth with phone OTP, role-based access controls enforced at the database level, isolated per-user media folders on Cloudflare R2, and rate limiting on API endpoints. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for any activity that occurs under your account.

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will take the following steps:

• Assessment: We will promptly assess the scope and impact of the breach.
• Containment: We will take immediate steps to contain the breach and prevent further unauthorised access.
• Notification (Singapore): In accordance with the PDPA 2012, we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of completing our assessment if the breach is notifiable. We will also notify affected individuals if the breach is likely to result in significant harm.
• Notification (Malaysia): We will notify the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi) and affected individuals as required under the Personal Data Protection Act 2010 and any rules or amendments made under it from time to time (including the breach notification requirements introduced by the Personal Data Protection (Amendment) Act 2024 as and when the relevant provisions come into force). Where a breach is likely to result in harm to affected individuals, we will notify them without undue delay.
• Notification (United States): In accordance with applicable U.S. state breach-notification statutes, we will notify affected residents and, where required, the relevant state Attorney General without unreasonable delay following confirmation of a breach involving personal information.
• Notification (Canada): In accordance with PIPEDA, we will report any breach of security safeguards involving a real risk of significant harm to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible.
• Notification (Mexico): In accordance with the LFPDPPP, we will notify affected data owners without delay of any security breach that materially affects their property or moral rights, so they may take appropriate action to defend their rights.
• Notification (United Kingdom): In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the UK GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Ireland): In the event of a personal data breach, we will notify the Data Protection Commission (DPC) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (France): In the event of a personal data breach, we will notify the Commission Nationale de l'Informatique et des Libertés (CNIL) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Germany): In the event of a personal data breach, we will notify the competent German supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Switzerland): In the event of a personal data breach likely to result in a high risk to the personality or fundamental rights of data subjects, we will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible under the revFADP, and inform affected individuals where required.
• Notification (Netherlands): In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens (AP) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Austria): In the event of a personal data breach, we will notify the Datenschutzbehörde (DSB) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Belgium): In the event of a personal data breach, we will notify the Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Luxembourg): In the event of a personal data breach, we will notify the Commission nationale pour la protection des données (CNPD) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Spain): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Agencia Española de Protección de Datos (AEPD) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Italy): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Garante per la protezione dei dati personali without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Portugal): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Comissão Nacional de Proteção de Dados (CNPD) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Greece): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Hellenic Data Protection Authority (HDPA) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Croatia): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Croatian Personal Data Protection Agency (AZOP) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Sweden): We will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Norway): We will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Finland): We will notify the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Denmark): We will notify the Danish Data Protection Agency (Datatilsynet) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Iceland): We will notify the Icelandic Data Protection Authority (Persónuvernd) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Notification (Poland): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Urząd Ochrony Danych Osobowych (UODO) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Czech Republic): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Úřad pro ochranu osobních údajů (ÚOOÚ) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Hungary): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Bulgaria): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.
• Notification (Australia): In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after we become aware of an eligible data breach likely to result in serious harm.
• Notification (New Zealand): In accordance with Part 6 of the Privacy Act 2020, we will notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as practicable after we become aware of a notifiable privacy breach that is likely to cause serious harm.
• Notification (Japan): In accordance with Article 26 of the APPI, where a leak, loss or damage of personal data is likely to harm the rights and interests of individuals, we will report the incident to the Personal Information Protection Commission (PPC) and notify affected individuals within the timeframes prescribed by the APPI Enforcement Rules.
• Notification (Korea): In accordance with Article 34 of PIPA and its Enforcement Decree, we will notify affected data subjects and report to the Personal Information Protection Commission (PIPC) without delay, and in any event within 72 hours of becoming aware of a qualifying personal information breach.
• Notification (Hong Kong): We will notify the Office of the Privacy Commissioner for Personal Data (PCPD) and affected data subjects as required under the Personal Data (Privacy) Ordinance and any rules or amendments made under it from time to time. Where breach notification is not mandatory, we follow the PCPD's Guidance on Data Breach Handling and the Giving of Breach Notifications and notify the PCPD and affected individuals as soon as practicable where a breach is likely to result in a real risk of harm.
• Notification (China): In accordance with Article 57 of PIPL, where a personal information breach occurs or is likely to occur, we will take immediate remedial measures and notify the Cyberspace Administration of China (CAC) and other relevant authorities, as well as affected individuals, in a timely manner unless the measures taken can effectively avoid harm.
• Notification (Thailand): In accordance with the PDPA B.E. 2562, we will notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of a personal-data breach. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay.
• Notification (India): In accordance with the DPDPA 2023, we will notify the Data Protection Board of India (DPBI) and each affected Data Principal of any personal data breach upon becoming aware of it, in the form and manner prescribed under the Act.
• Notification (United Arab Emirates): In accordance with Article 9 of the UAE PDPL, we will notify the UAE Data Office of any personal-data breach without undue delay upon becoming aware of it, and will notify affected data subjects where the breach is likely to cause harm to their data, privacy, or confidentiality.
• Notification (Saudi Arabia): In accordance with the Saudi PDPL, we will notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of a personal-data breach that may cause harm to personal data or affected individuals. Affected data subjects will be notified without undue delay where required.
• Notification (Qatar): In accordance with Law No. 13 of 2016, we will notify the Compliance and Data Protection Department (CDP) under the Ministry of Communications and Information Technology, and the affected individuals, of any breach of personal data that may cause serious damage to their data or privacy.
• Notification (Israel): In accordance with the Protection of Privacy Regulations (Data Security) 2017, we will report serious security events affecting our databases to the Privacy Protection Authority (PPA) without undue delay, and will notify affected individuals where required.
• Notification (Egypt): In accordance with Article 7 of the Personal Data Protection Law (Law No. 151 of 2020), we will notify the Personal Data Protection Center (PDPC) within 72 hours of becoming aware of any breach of personal data, and will notify affected data subjects within 3 days where the breach relates to sensitive personal data or national security.
• Notification (South Africa): In accordance with Section 22 of POPIA, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering the compromise.
• Notification (Nigeria): In accordance with Section 40 of the Nigeria Data Protection Act 2023, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, and will communicate the breach to affected data subjects without undue delay where the risk is high.
• Notification (Brazil): In accordance with the LGPD, we will communicate any security incident that may result in relevant risk or harm to data subjects to the Autoridade Nacional de Proteção de Dados (ANPD) and to the affected data subjects within a reasonable time period.
• Notification (Argentina): In accordance with Law 25.326 and applicable AAIP resolutions, we will notify the Agencia de Acceso a la Información Pública (AAIP) of any security incident affecting personal data, and inform affected data subjects where the incident is likely to result in harm to their rights.
• Notification (Peru): In accordance with Law 29733 and its Regulations, we will notify the Autoridad Nacional de Protección de Datos Personales (ANPD), under the Ministry of Justice and Human Rights, of any security incident affecting personal data, and inform affected data subjects where the incident is likely to result in harm to their rights.

11. Your Rights

All Users

Regardless of your jurisdiction, you have the right to:

• Access your personal data that we hold
• Correct inaccurate or incomplete personal data
• Delete your account and associated personal data
• Withdraw consent for data processing, subject to legal and contractual restrictions

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 2. We will respond to your request without undue delay and in any event within one (1) month of receipt. Where the request is complex or where we receive a high volume of requests, we may extend this period by up to two further months and will notify you of any extension and the reasons within the initial one-month period.

You can also self-serve a copy of your data or permanently delete your account from your privacy controls.

12. Children's Privacy

Fusion Link is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.

13. Push Notifications

We use push notifications to inform you about job assignments, status updates, and important platform announcements. You can manage your notification preferences through your device settings at any time.

14. Changes to This Policy

We may amend, update, or replace this Privacy Policy at any time, in our sole discretion, with or without prior notice. The current version and its effective date are shown at the top of this page. It is your responsibility to review this Privacy Policy periodically for changes. Your continued use of the platform after any change constitutes your acceptance of the updated policy. If you do not agree to any change, your sole and exclusive remedy is to stop using the platform and close your account.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Regulatory authorities:

• Singapore: Personal Data Protection Commission (PDPC) — www.pdpc.gov.sg
• Malaysia: Department of Personal Data Protection (JPDP) — www.pdp.gov.my
• United States: California Privacy Protection Agency (CPPA) — cppa.ca.gov
• Canada: Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca
• Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — home.inai.org.mx
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• Ireland: Data Protection Commission (DPC) — www.dataprotection.ie
• France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
• Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — www.bfdi.bund.de
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
• Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
• Austria: Datenschutzbehörde (DSB) — www.dsb.gv.at
• Belgium: Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA) — www.autoriteprotectiondonnees.be
• Luxembourg: Commission nationale pour la protection des données (CNPD) — cnpd.public.lu
• Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
• Italy: Garante per la protezione dei dati personali (Garante) — www.garanteprivacy.it
• Portugal: Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt
• Greece: Hellenic Data Protection Authority (HDPA) — www.dpa.gr
• Croatia: Croatian Personal Data Protection Agency (AZOP) — azop.hr
• Sweden: Integritetsskyddsmyndigheten (IMY) — www.imy.se
• Norway: Datatilsynet (Datatilsynet) — www.datatilsynet.no
• Finland: Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) — tietosuoja.fi
• Denmark: Datatilsynet (Datatilsynet) — www.datatilsynet.dk
• Iceland: Persónuvernd (Persónuvernd) — www.personuvernd.is
• Poland: Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl
• Czech Republic: Úřad pro ochranu osobních údajů (ÚOOÚ) — www.uoou.cz
• Hungary: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — naih.hu
• Bulgaria: Commission for Personal Data Protection (CPDP) — www.cpdp.bg
• Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
• New Zealand: Office of the Privacy Commissioner (OPC) — www.privacy.org.nz
• Japan: Personal Information Protection Commission (PPC) — www.ppc.go.jp
• Korea: Personal Information Protection Commission (PIPC) — www.pipc.go.kr
• Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) — www.pcpd.org.hk
• China: Cyberspace Administration of China (CAC) — www.cac.gov.cn
• Thailand: Personal Data Protection Committee (PDPC) — www.mdes.go.th
• India: Data Protection Board of India (DPBI) — www.meity.gov.in
• United Arab Emirates: UAE Data Office (UAE Data Office) — uaedataoffice.gov.ae
• Saudi Arabia: Saudi Data and Artificial Intelligence Authority (SDAIA) — sdaia.gov.sa
• Qatar: Compliance and Data Protection Department (CDP) — www.mcit.gov.qa
• Israel: Privacy Protection Authority (PPA) — www.gov.il/en/departments/the_privacy_protection_authority
• Egypt: Personal Data Protection Center (PDPC) — pdpc.mcit.gov.eg
• South Africa: Information Regulator (South Africa) (Information Regulator) — inforegulator.org.za
• Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
• Argentina: Agencia de Acceso a la Información Pública (AAIP) — www.argentina.gob.ar/aaip
• Peru: Autoridad Nacional de Protección de Datos Personales (ANPD) — www.gob.pe/minjus