Privacy Policy for CarBa

Last updated: November 25, 2025

This Privacy Policy describes how we collect, use and disclose your information when you use our Service, and explains your privacy rights and how the law protects you.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

  1. Interpretation and Definitions

Interpretation

Words with initial capital letters have specific meanings under the following definitions. The definitions shall have the same meaning whether they appear in singular or plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for you to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Application refers to CarBa, the software program provided by the Company.
  • Business (for the purpose of CCPA/CPRA) refers to the Company as the legal entity that collects Consumers’ personal information and determines the purposes and means of processing that personal information and does business in the State of California.
  • CCPA / CPRA refer to the California Consumer Privacy Act (the “CCPA”) as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
  • Company (referred to as either “the Company”, “we”, “us” or “our” in this Agreement) refers to CARBA TECHNOLOGIES LIMITED.
    For the purpose of the GDPR, the Company is the Data Controller.
  • Consumer (for the purpose of the CCPA/CPRA) means a natural person who is a California resident, including
    (1) every individual who is in the USA for other than a temporary or transitory purpose, and
    (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
  • Country refers to: Hong Kong SAR China.
  • Data Controller (for the purposes of the GDPR) refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
  • Device means any device that can access the Service such as a computer, cellphone or digital tablet.
  • Do Not Track (DNT) is a concept promoted by US regulatory authorities (including the U.S. Federal Trade Commission) for the Internet industry to allow users to control the tracking of their online activities across websites.
  • GDPR refers to the EU General Data Protection Regulation.
  • Personal Data is any information that relates to an identified or identifiable individual.
    • For GDPR purposes, this includes information such as a name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
    • For CCPA/CPRA purposes, this includes information that identifies, relates to, describes or is capable of being associated with you, or could reasonably be linked, directly or indirectly, with you.
  • Service refers to the Application.
  • Service Provider means any natural or legal person who processes data on behalf of the Company, including third-party companies or individuals employed by the Company to facilitate the Service, provide the Service, perform services related to the Service or assist the Company in analyzing how the Service is used. For GDPR purposes, Service Providers are considered Data Processors.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under GDPR, you may be referred to as the Data Subject or User.

  2. Personal Data We Collect

2.1 Personal Data You Provide

While using our Service, we may ask you to provide certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • Email address
  • Face data (see Section 3 for details on face/biometric data)

2.2 Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as:

  • Your Device’s Internet Protocol address (IP address)
  • Browser type and version
  • The pages of our Service that you visit
  • The time and date of your visit
  • The time spent on those pages
  • Unique device identifiers and other diagnostic data
  • Mobile operating system

2.3 Information Collected While Using the Application

While using our Application, and only with your prior permission, we may collect:

  • Information regarding your location
  • Pictures and other information from your device’s camera and photo library

We use this information to provide features of our Service and to improve and customize our Service. This information may be:

  • Uploaded to the Company’s servers and/or a Service Provider’s server, or
  • Stored on your device only.

You can enable or disable access to this information at any time through your device settings.

  3. Collection, Use and Retention of Face Data (Biometric Information)

CarBa collects and processes face data exclusively to enable and support user verification features.

3.1 Purpose of Face Data

You may be required to upload a selfie or similar image to:

  • Verify the authenticity of your account
  • Prevent the creation of automated, fraudulent or impersonated profiles
  • Maintain the overall security and integrity of the CarBa platform

Face data collected through this process is used solely to confirm that you are a real individual and to uphold the trust and safety of the CarBa community.

Face data is not used for:

  • Advertising
  • Profiling or personalization
  • Any form of third-party marketing

3.2 Use of Face Data

Face data is processed strictly for:

  • Completing the user identity verification workflow
  • Confirming or re-confirming a user’s identity when necessary
  • Resolving verification-related issues, such as failed verifications
  • Processing user appeals or account-related disputes (including account suspension, reinstatement or potential misuse)
  • Maintaining platform security and ensuring the authenticity of user accounts while such matters are being resolved

3.3 Retention of Face Data

CarBa does not retain face data beyond what is strictly necessary to fulfill the verification purpose.

  • Face data is automatically deleted immediately after the verification process is completed.
  • CarBa does not store face data indefinitely.

This ensures that biometric information is retained only for legitimate verification needs and is promptly erased to protect user privacy.

3.4 Security of Face Data (Amazon Rekognition Face Liveness)

CarBa uses Amazon Web Services (AWS), including Amazon Rekognition Face Liveness, to process face data. We implement industry-standard technical and organizational measures to protect Face Data against unauthorized access, alteration, disclosure or destruction.

  • Encryption in transit:
    All Face Data transmitted between CarBa, our clients and AWS services is encrypted in transit using secure HTTPS connections with Transport Layer Security (TLS). Amazon Rekognition API endpoints only support encrypted connections over HTTPS.
  • Encryption at rest:
    All session-related data stored by Amazon Rekognition Face Liveness is fully encrypted at rest. By default, reference and audit images are encrypted using AWS-owned keys, and we may optionally use customer-managed keys via AWS Key Management Service (KMS).

When Face Data (including reference or audit images) is stored in Amazon S3, it is protected using server-side encryption (such as SSE-S3 or SSE-KMS) with 256-bit AES.

These controls help ensure that Face Data remains confidential and protected throughout its lifecycle.

  4. How We Use Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service
    Including to monitor the usage of our Service.
  • To manage your Account
    To manage your registration as a user of the Service. The Personal Data you provide can give you access to different functionalities of the Service as a registered user.
  • Photo Verification
    You may choose to participate in optional features, including Photo Verification. The facial information collected for this feature may qualify as biometric data under the laws of certain jurisdictions (see Section 3).
  • For the performance of a contract
    For the development, compliance and performance of the purchase contract for products, items or services you have purchased, or any other contract with us through the Service.
  • To contact you
    By email or other electronic forms of communication (including push notifications) regarding updates, security alerts or informative communications related to functionalities, products or contracted services.
  • To provide you with offers and information
    To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those you have already purchased or enquired about, unless you have opted out.
  • To manage your requests
    To attend and manage your requests to us.
  • For business transfers
    To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, in which Personal Data about Service users is among the assets transferred.
  • For other purposes
    Such as data analysis, identifying usage trends, measuring the effectiveness of promotional campaigns, and improving our Service, products, services, marketing and your experience.

Sharing Your Personal Information

We may share your personal information in the following situations:

  • With Service Providers
    To monitor and analyze the use of our Service, for payment processing or to contact you.
  • With Affiliates
    In which case we will require those affiliates to honor this Privacy Policy. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
  • With other users
    When you share personal information or otherwise interact in public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
  • With your consent
    We may disclose your personal information for any other purpose with your consent.

  5. Retention and Transfer of Your Personal Data

5.1 Retention

  • The Company will retain your Personal Data only for as long as necessary for the purposes set out in this Privacy Policy.
  • We will retain and use your Personal Data to the extent necessary to:
    • Comply with legal obligations
    • Resolve disputes
    • Enforce our legal agreements and policies

Usage Data is generally retained for a shorter period, except when:

  • It is used to strengthen security or improve the functionality of the Service, or
  • We are legally obligated to retain this data for longer periods.

Face Data retention is described in Section 3.3.

5.2 Transfer

Your information, including Personal Data, may be processed at the Company’s operating offices and in other locations where the parties involved in processing are located. This means your information may be transferred to and maintained on computers located outside your state, province or country where data protection laws may differ.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to such transfers.

The Company will take all reasonably necessary steps to ensure your data is treated securely and in accordance with this Privacy Policy and that no transfer will take place to an organization or country without adequate safeguards in place.

  6. Your Rights to Access, Update and Delete Your Data

You have the right to delete or request that we assist in deleting Personal Data we have collected about you.

  • Our Service may allow you to delete certain information about you from within the Service.
  • You may update, amend or delete your information at any time by signing into your Account (if you have one) and using the account settings section.
  • You may also contact us to request access to, correct or delete any personal information you have provided.

We may retain certain information where we have a legal obligation or lawful basis to do so.

  7. Disclosure of Your Personal Data

7.1 Business Transactions

If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.

7.2 Law Enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or government agency).

7.3 Other Legal Requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

  8. Security of Your Personal Data

The security of your Personal Data is important to us. While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee its absolute security.

  9. Service Providers and Third-Party Processing

The Service Providers we use may have access to your Personal Data. These third-party vendors collect, store, use, process and transfer information about your activity on our Service in accordance with their privacy policies.

9.1 Payments

We may provide paid products and/or services within the Service and may use third-party services for payment processing.

  • We do not store or collect your payment card details.
  • That information is provided directly to our third-party payment processors whose use of your personal information is governed by their own privacy policies.
  • These processors adhere to PCI-DSS standards managed by the PCI Security Standards Council (a joint effort of brands like Visa, Mastercard, American Express and Discover).

Examples include:

  • Apple Store In-App Payments – see Apple’s Privacy Policy
  • Google Play In-App Payments – see Google’s Privacy Policy

9.2 Usage, Performance and Miscellaneous

We may use third-party Service Providers to maintain and improve our Service, such as:

  • Google Places – a service that returns information about places and may collect information from you and your device for security purposes, in accordance with Google’s Privacy Policy.
  • Amazon Web Services (AWS) – for hosting and processing (including Amazon Rekognition for face liveness as described in Section 3.4).

Please refer to the respective provider’s privacy policies for more details.
Google’s Privacy Policy: https://www.google.com/intl/en/policies/privacy/
AWS Privacy Policy: https://aws.amazon.com/en/privacy

  10. GDPR Privacy

10.1 Legal Basis for Processing under GDPR

We may process Personal Data under one or more of the following legal bases:

  • Consent: You have given your consent for one or more specific purposes.
  • Performance of a contract: Processing is necessary for the performance of an agreement with you and/or for any pre-contractual obligations.
  • Legal obligations: Processing is necessary to comply with a legal obligation.
  • Vital interests: Processing is necessary to protect your vital interests or those of another natural person.
  • Public interest: Processing is related to a task carried out in the public interest or in the exercise of official authority vested in the Company.
  • Legitimate interests: Processing is necessary for the legitimate interests pursued by the Company.

We will help clarify which legal basis applies to specific processing and whether providing Personal Data is a statutory or contractual requirement.

10.2 Your Rights under GDPR

If you are in the EU/EEA, you have the right to:

  • Request access to your Personal Data
  • Request correction of inaccurate or incomplete data
  • Object to processing based on legitimate interests (including profiling)
  • Object to processing for direct marketing
  • Request erasure of your Personal Data where there is no good reason for us to continue processing it
  • Request the transfer (portability) of your Personal Data in a structured, commonly used, machine-readable format
  • Withdraw your consent at any time where processing is based on consent

You may exercise these rights by contacting us. We may ask you to verify your identity before responding to such requests.

You also have the right to lodge a complaint with your local data protection authority in the EEA.

  11. CCPA/CPRA Privacy Notice (California Residents)

This section applies solely to visitors, users and others who reside in the State of California.

11.1 Categories of Personal Information Collected

In the last twelve (12) months, we may have collected the following categories of personal information as defined by the CCPA/CPRA:

  • Category A: Identifiers – e.g., real name, alias, postal address, unique personal identifier, IP address, email, account name, or similar identifiers.
    • Collected: Yes
  • Category B: Customer Records Information (Cal. Civ. Code § 1798.80(e)) – e.g., name, signature, address, telephone number, financial information, etc. (some items may overlap with other categories).
    • Collected: Yes
  • Category C: Protected Classification Characteristics – e.g., race, religion, disability, sexual orientation, etc.
    • Collected: No
  • Category D: Commercial Information – e.g., records of products or services purchased or considered.
    • Collected: Yes
  • Category E: Biometric Information – e.g., faceprints and similar identifiers used for verification.
    • Collected: Yes (see Section 3)
  • Category F: Internet or Other Similar Network Activity – e.g., interaction with our Service or advertisements.
    • Collected: Yes
  • Category G: Geolocation Data – e.g., approximate physical location.
    • Collected: Yes
  • Category H: Sensory Data – e.g., audio, electronic, visual data.
    • Collected: No
  • Category I: Professional or Employment-Related Information
    • Collected: No
  • Category J: Non-public Education Information
    • Collected: No
  • Category K: Inferences Drawn from Other Personal Information
    • Collected: No
  • Category L: Sensitive Personal Information – e.g., account login and password, geolocation data.
    • Collected: Yes

Personal information under CCPA/CPRA does not include:

  • Publicly available information
  • Deidentified or aggregated consumer information
  • Information covered by specific sectoral privacy laws (such as HIPAA, GLBA, FCRA, etc.)

11.2 Sources of Personal Information

We obtain the categories of personal information listed above from:

  • Directly from you (e.g., forms you complete, preferences, purchases)
  • Indirectly from you (e.g., by observing your activity on our Service)
  • Automatically from your device (e.g., through cookies)
  • Service Providers (e.g., payment processors or vendors helping provide the Service)

11.3 Use, Disclosure and Sharing of Personal Information

We may use or disclose personal information we collect for “business purposes” or “commercial purposes” as defined in CCPA/CPRA, including:

  • To operate and provide our Service
  • To provide support and respond to inquiries
  • To fulfill the reason you provided the information (e.g., process a purchase)
  • To comply with law or court orders
  • For internal administration and auditing
  • To detect security incidents and protect against malicious or illegal activity

We may have used or disclosed, in the last twelve (12) months, personal information in:

  • Category D: Commercial Information

We may share your personal information with:

  • Service Providers
  • Payment processors
  • Our affiliates and business partners
  • Third-party vendors to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide

11.4 Sale or Sharing of Personal Information

As defined under CCPA/CPRA, “sell” or “sale” can include providing personal information to a third party for valuable consideration, even if not monetary.

  • We do not sell personal information in the common sense of selling data for money.
  • We may allow Service Providers to use personal information for certain business purposes described in this Privacy Policy, which may be deemed a “sale” or “sharing” under CCPA/CPRA.

You have the right to opt-out of any such sale or sharing of your personal information (see “Your Rights under CCPA/CPRA” below).

11.5 Personal Information of Minors Under 16

We do not knowingly collect personal information from minors under the age of 16 through our Service.

We do not sell the personal information of consumers we actually know are under 16 years of age, unless we receive affirmative authorization (“opt-in”) from:

  • The consumer (13–16 years old), or
  • The parent or guardian of a consumer less than 13 years of age.

If you believe a child under 13 (or 16) has provided us with personal information, please contact us so we can delete it.

11.6 Your Rights under the CCPA/CPRA

If you are a California resident, you have the following rights:

  • Right to Notice – To know which categories of Personal Data are being collected and for what purposes.
  • Right to Know / Access – To request that we disclose information about our collection, use, sale, disclosure and sharing of your personal information.
  • Right to Say No to Sale or Sharing (Opt-Out) – To direct us not to sell or share your personal information.
  • Right to Correct – To request correction of inaccurate personal information.
  • Right to Limit Use and Disclosure of Sensitive Personal Information – To request limiting use and disclosure of certain sensitive data to what is necessary to provide the Service.
  • Right to Delete – To request deletion of your Personal Data, subject to certain exceptions (such as legal obligations, security, debugging, research, internal uses, etc.).
  • Right Not to Be Discriminated Against – We will not discriminate against you for exercising any of your CCPA/CPRA rights.

11.7 Exercising Your CCPA/CPRA Rights

You may exercise your rights by contacting us:

Your request must:

  • Provide sufficient information to allow us to reasonably verify that you are the person about whom we collected personal information or an authorized representative; and
  • Describe your request with sufficient detail so we can properly understand and respond to it.

We cannot respond to your request

 
