This Privacy Policy ("Policy") describes how Soon Duan Zhi Benedict, operating as AVI (the "Operator", "we", "us", or "our"), collects, uses, discloses, and protects the personal data of users ("you" or "User") of the AVI mobile application (the "Application").
The Operator is committed to protecting your personal data and to complying with the Personal Data Protection Act 2012 of Singapore ("PDPA"). This Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.
By using the Application, you consent to the collection, use, and disclosure of your personal data in the manner described in this Policy. If you do not agree with this Policy, please do not use the Application.
This Policy should be read together with our Terms and Conditions, which are available in the Application and govern your use of the Application.
We collect only the personal data that is necessary to provide you with the Application's features. The categories of personal data we collect are set out below.
When you create an account, we collect:
When you record expenses in the Application, we collect: transaction amount and currency; transaction date; spending category (e.g., dining, transport, groceries); which card you used for the transaction; estimated miles earned; and merchant name — only if you have given consent for the "Enhanced Sync" feature, which syncs merchant names across your devices.
We collect information about which credit card types and templates you have configured in the Application (e.g., "DBS Altitude Visa", "OCBC 90°N Mastercard"). We do not collect and you must never enter: your credit card number or any part of it; your card verification value (CVV / CVC); your full primary account number (PAN); your card expiry date; or your card PIN or online banking password.
When you add loyalty programme balances, we collect: the name of the loyalty programme (e.g., KrisFlyer, Asia Miles, Cathay); your current points or miles balance; and points expiry dates, if you choose to record them.
We maintain records of the consents you have given within the Application, including the type of consent, the date and time it was given or withdrawn, and the version of the policy in effect at the time.
Always collected: Application version number. With Analytics consent: device operating system type and version, crash reports, and anonymised usage analytics — collected only if you have given Analytics consent.
For the avoidance of doubt, we do not collect: your bank account numbers or bank account credentials; your credit card numbers, CVV, PAN, or card expiry dates; your online banking login credentials or passwords; your income, salary, or financial statements; or your precise real-time location (we do not use location-based services).
Directly from you when you: create an account; manually enter transaction, card, or loyalty data; adjust settings; or communicate with us. Automatically, but only to the extent of technical data and only where you have given Analytics consent — limited to crash reports and anonymised usage statistics.
We do not obtain your personal data from any third-party data brokers, social media platforms, or financial institutions. We do not connect to or scrape your bank or card issuer's systems.
In accordance with the PDPA, we only collect and use your personal data for the specific purposes set out below. We will not use your personal data for any purpose not described in this Policy without first obtaining your consent.
If you grant Analytics consent (which you can do or revoke at any time in Settings): collecting crash reports and anonymised usage data to identify bugs and improve app performance; and analysing feature usage patterns to inform future product development.
If you grant Marketing consent: sending you tips on maximising miles earnings; notifying you of new Application features, promotions, and card offers; and sending newsletters and updates relevant to credit card miles in Singapore.
If you grant Enhanced Sync consent: storing merchant names associated with your transactions in order to synchronise a consistent transaction history across your devices.
If you click an "Apply Now" or referral link within the Application, you will be directed to a third-party Partner Platform (e.g., SingSaver or MoneySmart) or a card issuer's website. The Operator may receive a referral commission if you subsequently apply for a financial product. This commission arrangement does not involve the sharing of your personal data with the Partner Platform or card issuer. Any personal data you submit on the Partner Platform or card issuer's website is governed solely by that party's privacy policy.
AVI is local-first: your data stays on your device unless you turn on Online Backup & Sync. If you grant this consent (which you can do or revoke at any time), we store a copy of your account, transaction, card, and loyalty data on our cloud servers (Supabase — see Sections 6 and 10) so that you can back it up and synchronise it across your devices. You may turn Online Sync off at any time; when you do, the cloud copy of your data is deleted and your data remains on your device.
Under the PDPA, we process your personal data on the following legal bases: Contractual necessity for core service functionality; Consent for optional features (analytics, marketing, enhanced sync), which you may withdraw at any time; and Legitimate interests / legal obligation for security, fraud prevention, and legal compliance.
We do not sell your personal data to any third party. We may share your personal data only in the following limited circumstances:
We may disclose your personal data where required or permitted by law, including to comply with a court order, subpoena, legal process, or regulatory requirement; to protect our legal rights or property; or to investigate or prevent suspected fraud or illegal activity.
In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity, subject to that entity being bound by obligations at least as protective as this Policy.
Active account: retained for as long as your account is active. Deleted account: all personal data associated with your account will be permanently deleted from our systems within 30 days. Anonymised data may be retained indefinitely. Legal retention: certain records may be retained longer where required by law.
To exercise any of these rights, please contact us at the details in Section 14 or use the relevant settings in the Application.
You may request a copy of the personal data we hold about you. Email us at support@aviappsg.com with the subject line "Data Access Request". We will respond within 30 days.
If any personal data we hold is inaccurate or incomplete, you may request that we correct it. Most data can be corrected directly within the Application.
Where processing is based on your consent, you may withdraw it at any time via the Privacy settings in the Application. Withdrawing consent will not affect the lawfulness of processing carried out prior to withdrawal.
To the extent required by the PDPA, you may have the right to receive certain personal data in a commonly used machine-readable format. Please contact us to enquire.
You may delete your account at any time from the Account Settings within the Application. Upon deletion, all personal data associated with your account will be permanently deleted within 30 days, subject to any legal retention obligations. Deleting your account does not automatically cancel your subscription.
If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore — Website: www.pdpc.gov.sg, Email: pdpc_complaints@pdpc.gov.sg, 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438.
We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS 1.2+); encryption at rest (AES-256 on Supabase servers); access controls; data minimisation; and secure authentication via Supabase Auth. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you suspect your account has been compromised, please contact us immediately.
The Application is operated from Singapore, but some of our third-party data processors are located in the United States, so — where you have enabled Online Backup & Sync, or in respect of subscription data — your personal data may be transferred to and stored in the United States (Supabase; RevenueCat). Where personal data is transferred outside Singapore, we ensure appropriate safeguards are in place in accordance with Section 26 of the PDPA. By using the Application, you consent to such transfers, subject to the protections described in this Section.
The Application is intended for users who are at least 18 years of age. We do not knowingly collect personal data from individuals under 18. If you believe a child under 18 has provided us with personal data, please contact us immediately at support@aviappsg.com.
The Application is a mobile application and does not use browser cookies. It may use locally stored data (e.g., device storage) to remember your preferences and settings; this local storage does not transmit personal data to us. If we introduce a web-based companion portal in future, we will update this Policy accordingly.
We reserve the right to update this Privacy Policy at any time. Where changes are material, we will provide at least fourteen (14) days' notice before they take effect, via an in-application notification, a push notification, or an email to the address associated with your account. Your continued use after the effective date constitutes acceptance of the updated Policy.
Data Controller / Operator:
Soon Duan Zhi Benedict
Operating as: AVI
Email: support@aviappsg.com
Singapore
We aim to respond to all data-protection enquiries within five (5) business days and to resolve data access and correction requests within 30 days of receipt.