01     Who we are

This Privacy Policy is issued by MC²Ai Pte Ltd ("MC²Ai", "we", "us", or "our"), a company incorporated in Singapore (UEN: [INSERT UEN]; registered address: [INSERT REGISTERED ADDRESS]). ScamSmart is our emotion-aware scam-detection and coaching service.

This policy covers personal data we handle through:

• our website at mc2ai.site;
• the MC²Ai Global ScamSmart web application; and
• the MC²Ai Global ScamSmart mobile apps for Android and iOS.

Where we provide ScamSmart to an organisation (for example, a bank, government agency, or business), that organisation may have its own privacy notice governing how its employees' data is handled. In those cases this policy applies to data MC²Ai handles as part of delivering the service.

02   Our commitment & legal basis

We process personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA) and align our governance with the IMDA Data Protection Trustmark (DPTM). This means we observe the PDPA obligations on consent, purpose limitation, notification, accuracy, protection, retention limitation, transfer limitation, access and correction, and data breach notification.

We rely on the following bases to process your data:

• Your consent — for example, when you submit a message for analysis, sign up, or accept analytics cookies.
• Performance of a service you request — to deliver scam detection, alerts, coaching, and reporting features.
• Legitimate interests — such as securing our service and preventing fraud and abuse, where these do not override your rights.
• Legal obligation — where we are required to retain or disclose data by law.

If you are located in the EU or UK, we also apply the relevant principles of the GDPR / UK GDPR to your data.

03   Data we collect

Information you give us

• Contact & enquiry details — your name, email address, phone number, organisation, and the content of messages you send us (for example, via the contact form or a demo request).
• Account details — where ScamSmart requires an account, your login credentials and profile settings.
• Content you submit for analysis — see Section 04.

Information we collect automatically

• Device & technical data — IP address, browser or device type, operating system, and similar identifiers.
• Usage data — pages viewed, features used, and timestamps, collected through analytics tools described in Section 08.
• Cookies & similar technologies — set only as you allow through our consent banner.

04  Content you submit for analysis

ScamSmart works by examining the content of emails, SMS, and other messages you choose to submit — analysing tone, sentiment, and psychological cues to flag manipulation such as false urgency, fear tactics, and impersonation.

A message you submit may contain another person's personal data — for example a sender's name, phone number, or email address. Please only submit content you are entitled to share, and avoid including more personal data of others than is necessary for the analysis.

We treat submitted content as confidential. We use it to:

• perform the scam analysis you requested and return an explainable result;
• generate coaching and educational guidance; and
• where you choose, prepare a report to the relevant authority (see Section 07).

Whether and how submitted content is retained or used to improve our detection models is explained in Section 06 and Section 12.

05  How we use your data

We use personal data only for purposes you would reasonably expect, including to:

• provide scam detection, explainable alerts, coaching, and one-click reporting;
• create and manage your account and respond to your enquiries and demo requests;
• maintain, secure, and improve the reliability of our service;
• understand how the service is used so we can improve it;
• send service-related communications, and — only with your consent — occasional product updates; and
• comply with legal obligations and protect against fraud, abuse, and security threats.

We will seek fresh consent if we ever wish to use your data for a materially different purpose.

06  AI processing & model improvement

ScamSmart uses artificial intelligence to analyse the content you submit. Analysis may be performed by our own models and by trusted AI infrastructure providers acting on our instructions (see Section 10).

Improving our detection

To keep pace with evolving scams, we may use submitted content to improve and retrain our detection models. Where we do this, we apply safeguards such as:

• de-identification — removing or masking details that could identify you or a third party before content is used for model improvement; and
• access controls — limiting who can access this data and for what purpose.

Users can opt out of having their content used for model improvement, and how — e.g. a setting in the app or a request to the sales team. The content might be used for training.

We do not use your submitted content to make automated decisions that produce legal or similarly significant effects about you without human involvement.

07  Reporting scams to authorities

ScamSmart's one-click reporting feature lets you forward a suspected scam to the relevant authority. This sharing happens only when you choose to report. When you do, the message content and the details needed for the report are sent to the receiving authority.

Once a report is submitted, the receiving authority handles that data under its own rules and privacy notice. We do not keep a record of reports you make through ScamSmart and do not have a history of your submissions.

08  Cookies & analytics

Our website uses cookies and similar technologies. Strictly necessary cookies keep the site working; all others are set only with your consent through our cookie banner, which you can change at any time via Privacy Settings.

Third-party services that may set cookies or collect usage data on our website include:

• IONOS Site Analytics — to understand site traffic and usage;
• Website Translator — to translate page content on request; and
• Google Maps — to display location information.

Each provider processes data under its own privacy terms. Declining non-essential cookies will not stop you from using the core information on our website.

09  Mobile app permissions

The ScamSmart mobile apps may ask for device permissions to provide their features. We request only what is needed, explain why at the point of asking, and you can change permissions in your device settings at any time. Depending on the features you use, these may include:

• Notifications — to send you alerts about analysis results;
• Camera or photo access — only if you choose to submit a screenshot of a message for analysis; and
• Clipboard / share access — to let you paste or share a message into ScamSmart.

If the Android app reads SMS or call logs directly, disclose it precisely here and ensure it meets Google Play's SMS/Call Log Permissions policy. If users instead paste or forward messages manually, state that ScamSmart does not read your messages automatically.

10  Who we share data with

We do not sell your personal data. We share it only in these limited situations:

• Service providers acting on our instructions — including cloud hosting and infrastructure (such as IONOS and Vercel), AI processing providers, and analytics tools. They may only use the data to provide services to us.
• Authorities — when you use the reporting feature (see Section 07), or where we are legally required to disclose data.
• Professional advisers — such as legal or accounting advisers, where necessary and under confidentiality.
• In a business transfer — if MC²Ai is involved in a merger, acquisition, or restructuring, subject to this policy.

11  International transfers

Some of our service providers process data on servers outside Singapore. Where we transfer personal data abroad, we comply with the PDPA's Transfer Limitation Obligation by ensuring the data receives a standard of protection comparable to that under the PDPA — for example, through contractual safeguards with the receiving party.

12  How long we keep data

We keep personal data only for as long as needed for the purposes set out in this policy, or as required by law, after which we securely delete or anonymise it.

13  How we protect data

We apply organizational and technical measures appropriate to the sensitivity of the data, which may include encryption in transit, access controls on a need-to-know basis, and ongoing monitoring. No system is perfectly secure, but if a data breach likely to result in significant harm occurs, we will notify the affected individuals and the PDPC in line with the PDPA's breach notification requirements.

14  Your rights

Under the PDPA, and where applicable the GDPR / UK GDPR, you have the following rights:

Right

What it means

Access

Ask what personal data we hold about you and how it has been used.

Correction

Ask us to correct data that is inaccurate or incomplete.

Withdraw consent

Withdraw consent for any processing based on it, at any time.

Deletion

Ask us to delete your data where we no longer have a legal basis to keep it.

Object / restrict

Where applicable, object to or limit certain processing.

Portability

Where applicable, receive certain data in a portable format.

To exercise any of these, contact our sales (see Section 17). We will respond within the timeframes required by law. Withdrawing consent may mean we can no longer provide some features. If you have a concern we cannot resolve, you may contact Singapore's Personal Data Protection Commission (PDPC).

15  Children

ScamSmart is intended for adults. We do not knowingly collect personal data from children under 13 who will need parental guidance. If you believe a child has provided us data, contact our sales and we will delete it.

16  Changes to this policy

We may update this policy from time to time. We will post the updated version here and revise the "Last updated" date above. If changes are significant, we will provide a more prominent notice where appropriate.

17  Contact Our Sales Team

For any privacy question or to exercise your rights, contact our sales@mc2ai.site