Track. Earn. Fly.

Privacy Policy

Version 1.0 · Effective Date: 14 July 2026
This Privacy Policy is issued in compliance with the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore ("PDPA") and its subsidiary regulations, including the Personal Data Protection Regulations 2021. If you have questions about how we handle your personal data, you may contact us at the details in Section 14 or lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

1. Introduction

This Privacy Policy ("Policy") describes how Soon Duan Zhi Benedict, operating as AVI (the "Operator", "we", "us", or "our"), collects, uses, discloses, and protects the personal data of users ("you" or "User") of the AVI mobile application (the "Application").

The Operator is committed to protecting your personal data and to complying with the Personal Data Protection Act 2012 of Singapore ("PDPA"). This Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.

By using the Application, you consent to the collection, use, and disclosure of your personal data in the manner described in this Policy. If you do not agree with this Policy, please do not use the Application.

This Policy should be read together with our Terms and Conditions, which are available in the Application and govern your use of the Application.

Local-first by design: By default, the data you enter is stored only on your device and is not uploaded to our servers. Your data is stored in the cloud (see Sections 6 and 10) only if you choose to turn on Online Backup & Sync (Section 4.6). If you use AVI in local-only mode, we do not hold your transaction, card, or loyalty data on our servers.

2. Personal Data We Collect

We collect only the personal data that is necessary to provide you with the Application's features. The categories of personal data we collect are set out below.

2.1 Account Data

When you create an account, we collect:

2.2 Transaction Data

When you record expenses in the Application, we collect: transaction amount and currency; transaction date; spending category (e.g., dining, transport, groceries); which card you used for the transaction; estimated miles earned; and merchant name — only if you have given consent for the "Enhanced Sync" feature, which syncs merchant names across your devices.

2.3 Card Data

We collect information about which credit card types and templates you have configured in the Application (e.g., "DBS Altitude Visa", "OCBC 90°N Mastercard"). We do not collect and you must never enter: your credit card number or any part of it; your card verification value (CVV / CVC); your full primary account number (PAN); your card expiry date; or your card PIN or online banking password.

IMPORTANT: AVI does not require and you should never enter your full card number, CVV, PIN, or any online banking credentials into the Application. If you are ever prompted for these details by anything claiming to be AVI, please contact us immediately as this may indicate a security issue.

2.4 Loyalty Programme Data

When you add loyalty programme balances, we collect: the name of the loyalty programme (e.g., KrisFlyer, Asia Miles, Cathay); your current points or miles balance; and points expiry dates, if you choose to record them.

2.5 Consent Records

We maintain records of the consents you have given within the Application, including the type of consent, the date and time it was given or withdrawn, and the version of the policy in effect at the time.

2.6 Technical Data

Always collected: Application version number. With Analytics consent: device operating system type and version, crash reports, and anonymised usage analytics — collected only if you have given Analytics consent.

2.7 Data We Do Not Collect

For the avoidance of doubt, we do not collect: your bank account numbers or bank account credentials; your credit card numbers, CVV, PAN, or card expiry dates; your online banking login credentials or passwords; your income, salary, or financial statements; or your precise real-time location (we do not use location-based services).

3. How We Collect Your Personal Data

Directly from you when you: create an account; manually enter transaction, card, or loyalty data; adjust settings; or communicate with us. Automatically, but only to the extent of technical data and only where you have given Analytics consent — limited to crash reports and anonymised usage statistics.

We do not obtain your personal data from any third-party data brokers, social media platforms, or financial institutions. We do not connect to or scrape your bank or card issuer's systems.

4. Purposes of Collection and Use

In accordance with the PDPA, we only collect and use your personal data for the specific purposes set out below. We will not use your personal data for any purpose not described in this Policy without first obtaining your consent.

4.1 Core Service (No Additional Consent Required)

4.2 Analytics (Consent-Based)

If you grant Analytics consent (which you can do or revoke at any time in Settings): collecting crash reports and anonymised usage data to identify bugs and improve app performance; and analysing feature usage patterns to inform future product development.

4.3 Marketing Communications (Consent-Based)

If you grant Marketing consent: sending you tips on maximising miles earnings; notifying you of new Application features, promotions, and card offers; and sending newsletters and updates relevant to credit card miles in Singapore.

4.4 Enhanced Sync (Consent-Based)

If you grant Enhanced Sync consent: storing merchant names associated with your transactions in order to synchronise a consistent transaction history across your devices.

4.5 Referral and Affiliate Links

If you click an "Apply Now" or referral link within the Application, you will be directed to a third-party Partner Platform (e.g., SingSaver or MoneySmart) or a card issuer's website. The Operator may receive a referral commission if you subsequently apply for a financial product. This commission arrangement does not involve the sharing of your personal data with the Partner Platform or card issuer. Any personal data you submit on the Partner Platform or card issuer's website is governed solely by that party's privacy policy.

4.6 Online Backup & Sync (Consent-Based)

AVI is local-first: your data stays on your device unless you turn on Online Backup & Sync. If you grant this consent (which you can do or revoke at any time), we store a copy of your account, transaction, card, and loyalty data on our cloud servers (Supabase — see Sections 6 and 10) so that you can back it up and synchronise it across your devices. You may turn Online Sync off at any time; when you do, the cloud copy of your data is deleted and your data remains on your device.

5. Legal Basis for Processing

Under the PDPA, we process your personal data on the following legal bases: Contractual necessity for core service functionality; Consent for optional features (analytics, marketing, enhanced sync), which you may withdraw at any time; and Legitimate interests / legal obligation for security, fraud prevention, and legal compliance.

6. Disclosure of Personal Data to Third Parties

We do not sell your personal data to any third party. We may share your personal data only in the following limited circumstances:

6.1 Data Processors

6.2 Legal Disclosure

We may disclose your personal data where required or permitted by law, including to comply with a court order, subpoena, legal process, or regulatory requirement; to protect our legal rights or property; or to investigate or prevent suspected fraud or illegal activity.

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity, subject to that entity being bound by obligations at least as protective as this Policy.

7. Data Retention

Active account: retained for as long as your account is active. Deleted account: all personal data associated with your account will be permanently deleted from our systems within 30 days. Anonymised data may be retained indefinitely. Legal retention: certain records may be retained longer where required by law.

8. Your Rights Under the PDPA

To exercise any of these rights, please contact us at the details in Section 14 or use the relevant settings in the Application.

8.1 Right of Access

You may request a copy of the personal data we hold about you. Email us at support@aviappsg.com with the subject line "Data Access Request". We will respond within 30 days.

8.2 Right of Correction

If any personal data we hold is inaccurate or incomplete, you may request that we correct it. Most data can be corrected directly within the Application.

8.3 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time via the Privacy settings in the Application. Withdrawing consent will not affect the lawfulness of processing carried out prior to withdrawal.

8.4 Right to Data Portability

To the extent required by the PDPA, you may have the right to receive certain personal data in a commonly used machine-readable format. Please contact us to enquire.

8.5 Right to Account Deletion

You may delete your account at any time from the Account Settings within the Application. Upon deletion, all personal data associated with your account will be permanently deleted within 30 days, subject to any legal retention obligations. Deleting your account does not automatically cancel your subscription.

8.6 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore — Website: www.pdpc.gov.sg, Email: pdpc_complaints@pdpc.gov.sg, 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS 1.2+); encryption at rest (AES-256 on Supabase servers); access controls; data minimisation; and secure authentication via Supabase Auth. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you suspect your account has been compromised, please contact us immediately.

10. Cross-Border Data Transfers

The Application is operated from Singapore, but some of our third-party data processors are located in the United States, so — where you have enabled Online Backup & Sync, or in respect of subscription data — your personal data may be transferred to and stored in the United States (Supabase; RevenueCat). Where personal data is transferred outside Singapore, we ensure appropriate safeguards are in place in accordance with Section 26 of the PDPA. By using the Application, you consent to such transfers, subject to the protections described in this Section.

11. Children

The Application is intended for users who are at least 18 years of age. We do not knowingly collect personal data from individuals under 18. If you believe a child under 18 has provided us with personal data, please contact us immediately at support@aviappsg.com.

12. Cookies and Similar Technologies

The Application is a mobile application and does not use browser cookies. It may use locally stored data (e.g., device storage) to remember your preferences and settings; this local storage does not transmit personal data to us. If we introduce a web-based companion portal in future, we will update this Policy accordingly.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Where changes are material, we will provide at least fourteen (14) days' notice before they take effect, via an in-application notification, a push notification, or an email to the address associated with your account. Your continued use after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

Data Controller / Operator:
Soon Duan Zhi Benedict
Operating as: AVI
Email: support@aviappsg.com
Singapore

We aim to respond to all data-protection enquiries within five (5) business days and to resolve data access and correction requests within 30 days of receipt.