Privacy Policy
Last Updated: July 4, 2025
Introduction
This Privacy Policy details how Contegen Tech Limited, a Hong Kong-registered company with Business Registration Number 79156927, operating as Nalo (hereinafter referred to as "we", "our", "us", or "Nalo"), collects, uses, shares, and safeguards personal information related to your interaction with our Services and Platform at naloapp.co. Our policy complies with the Hong Kong Personal Data (Privacy) Ordinance (PDPO) and other relevant data protection laws, ensuring lawful, transparent, and secure handling of your data.
This document explains the types of personal data we collect through our Platform and Services, the methods and purposes of collection, how we use the data, and the third parties with whom we may share it. It also outlines your rights as a data subject and how you can exercise them.
We will communicate any updates to this Policy (and other policies, such as our Terms of Service) through our official channels, including our website. We encourage you to review this Policy to understand how your data is processed and your associated rights. For any inquiries about this Privacy Policy, data collection, usage, sharing, or other data-related concerns, please contact us via the channels listed below.
Definitions
For reference, we define the following terms used in this Privacy Policy:
Personal Data: Information that relates to an identified or identifiable individual, including names, addresses, email addresses, identification numbers, IP addresses, cookie identifiers, or any data that may reveal your physical, genetic, mental, economic, cultural, or social identity.
Data Subject: The individual whose personal data is collected and processed (i.e., you or any other person whose data we handle).
Data Controller: The entity that determines the purposes and methods of processing personal data. Nalo acts as the data controller in this context.
Data Processor: An entity that processes personal data on behalf of the data controller, such as our vendors or partners who process your data for purposes we define.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to address inquiries about this Privacy Policy and our privacy practices. To raise concerns, exercise your rights as a data subject, or inquire about our data handling, please contact our DPO at yo@naloapp.co.
Information We Collect
To deliver our Services and Products, we collect certain information about you.
Information You Provide
This includes data you provide when using our Services and Platform. We do not collect details about your racial or ethnic origins, personal life, sexual orientation, political opinions, philosophical or religious beliefs, biometric or genetic data, or trade union membership. When you create an account or request access to payment or banking services, we may collect:
| Category | Examples (non-exhaustive) |
|---|---|
| Identity data | Full name, date of birth, gender, nationality, passport number, national ID number |
| Contact data | Email address, phone number, physical address, mailing address |
| Financial data | Bank account numbers, credit card details, income information, tax identification number |
| Location data | GPS coordinates, IP addresses |
| Employment data | Employment details, job titles, job descriptions |
| Transaction data | Purchase history, transaction amounts, payment methods used |
| Usage data | Platform usage patterns, session durations, pages visited |
| Marketing data | Marketing preferences, responses to marketing campaigns |
| User account data | Usernames, account identifiers, user-generated content |
Communications
If you contact us directly, we may request additional details, such as your name, email address, physical address, phone number, or other relevant information. We will clearly explain the purpose of collecting this information during such communications.
Payment Information
Our Services allow you to choose your preferred payment method for transactions processed through third-party financial institutions or payment providers. We do not store your financial account details; these are securely managed by the payment provider, who may collect and process your data for their own purposes.
Information from Third Parties
To provide seamless Services, we may obtain personal data from third-party partners and vendors, who must have lawful grounds for collecting and sharing your data with us. These sources include:
- Payment Service Providers: We work with third-party providers to process fiat currency transactions, receiving data such as transaction history or account details.
- API Integrations: With your consent, we may access financial data (e.g., bank account details, transaction history, or balances) via third-party APIs to enhance our Services.
- Public Databases: We may retrieve publicly available data, such as names, addresses, or employment details, to improve our Services or meet legal obligations.
- Identity Verification Partners: We collaborate with verification services to obtain data like names, addresses, identification documents, or citizenship details for compliance and security purposes.
- Financial Institutions: We may receive financial data, such as transaction history or account balances, in compliance with legal and industry standards.
- Blockchain Data: We collect publicly available blockchain data (e.g., transaction details or wallet addresses) to monitor for illegal activities or ensure compliance with our terms.
- Marketing Partners, Advertisers, and Analytics: We may collect data to understand your platform interactions, refine marketing strategies, and provide personalized recommendations.
How We Use Your Data
We collect, use, and share your data based on lawful grounds, depending on the context:
- Consent: We process your data when you explicitly agree to our data processing purposes.
- Performance of a Contract: We process data necessary to fulfill a contract, such as processing orders or adhering to agreement terms.
- Legal Obligation: We process data to comply with legal requirements, such as anti-money laundering or fraud prevention regulations.
- Legitimate Interests: We process data to improve our Platform, maintain security, or prevent illegal activities, provided these interests align with our Services.
| Purpose | Description | Lawful Basis |
|---|---|---|
| Providing and Maintaining Services | Ensuring the functionality and availability of our Services and Platform | Performance of a contract |
| Payment Processing and Order Execution | Processing payments and orders in compliance with market fairness rules | Performance of a contract |
| Fraud Prevention | Detecting and preventing fraud or misuse of our Services | Legitimate interest |
| Compliance with Laws | Meeting anti-money laundering, terrorism financing, and other legal requirements | Legal obligation, Performance of a contract, Legitimate interest |
| User Communication and Support | Communicating for customer support, notifications, or marketing | Performance of a contract |
| Service Improvement | Enhancing the quality, performance, and features of our Services | Legitimate interest |
| Research and Development | Conducting research to improve our Services | Legitimate interest |
| Analytics | Measuring user interactions with our Services | Legitimate interest, Consent (if required) |
| Safety and Security | Ensuring the safety, security, and integrity of your funds and our Services | Legitimate interest, Performance of a contract |
| User Account Management | Managing account setup, recovery, and termination | Performance of a contract |
| Personalization | Tailoring user experiences based on preferences and behaviors | Legitimate interest, Consent (if required) |
| Third-Party Service Providers | Engaging providers for tasks like payment processing | Legitimate interest, Consent (if required) |
| User Feedback | Collecting feedback to improve our Services | Performance of a contract, Legitimate interest, Consent (if required) |
| Record Keeping | Maintaining records for auditing, accounting, and compliance | Legal obligation |
| Partnerships and Collaborations | Sharing data for joint initiatives or integrated services | Legitimate interest |
| User Education | Providing resources to enhance user knowledge | Legitimate interest |
How We Share Your Data
We may share your data with third parties to support our operations. Some providers operate outside Hong Kong; see the Data Transfers Outside Hong Kong section for details.
- Vendors and Service Providers: We work with providers for analytics, IT, hosting, software, and marketing services.
- Payment Service Providers: We share data with providers to process transactions and complete orders.
- Identity Verification Services: We use third-party services to verify identities for compliance and security.
- Advertisers: We may share data to deliver relevant promotions and content.
- Business Partners: We share data for integrated services or joint initiatives.
- Law Enforcement: We share data with authorities when required by law to support investigations or ensure compliance.
- Business Transfers: In cases of insolvency, acquisition, or merger, your data may be shared with the new owner or relevant parties.
How Your Data is Secured
Nalo prioritizes the security of your personal data, employing technical, organizational, and administrative measures, including:
- Data encryption
- Access controls
- Employee training
- Data backups
- Incident response protocols
- Blockchain technology
- User-controlled data options
- Smart contracts
- Cryptography
- Data minimization
- User education
We encourage you to:
- Use strong, unique passwords
- Enable multi-factor authentication
- Keep login credentials confidential
- Regularly update account information and review permissions
For concerns about data security or to learn about specific measures, contact us at yo@naloapp.co.
Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected. Retention periods vary by data type and purpose:
| Category | Retention Period |
|---|---|
| Legal obligations | As long as required by law |
| Marketing contact information | Retained with your consent |
| Correspondence | Up to five years |
| Technical information | Up to one year |
| Transaction history | Up to five years |
| Smart contract data | Indefinitely on the blockchain |
| User preferences | As needed for personalized experiences |
| Error and debug logs | Up to three years |
| Consent records | Valid consent duration plus five years after withdrawal |
| Blockchain metadata | Permanent part of the blockchain ledger |
| Security and access logs | Up to five years |
Your Rights as a Data Subject
As a user, you have rights over your personal data, including:
- Right to Access: View the data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data (subject to legal obligations).
- Right to Restriction of Processing: Limit how your data is processed.
- Right to Data Portability: Receive your data in a portable format.
- Right to Object: Object to certain data processing activities.
- Rights Related to Automated Decision-Making and Profiling: Opt out of automated decisions.
Exercising Your Rights
To exercise these rights or raise concerns, contact our DPO at yo@naloapp.co. We respond to legitimate requests within 30 days, though complex or high-volume requests may require more time. Accessing your data or exercising these rights is free unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply.
Data Transfers Outside Hong Kong
As some of our partners and providers operate outside Hong Kong, your data may be transferred internationally. We ensure compliance with data protection laws using safeguards like standard contractual clauses or binding corporate rules. For questions about international transfers, contact our DPO at yo@naloapp.co.
Policy Changes
We may update this Privacy Policy to reflect changes in practices or legal requirements. Significant updates will be communicated via our Platform.