Privacy Policy
Last updated: June 10, 2026
NNCash — Privacy Policy
Effective date: June 10, 2026 Last updated: June 10, 2026
This Privacy Policy describes how NNCash Pte. Ltd. ("NNCash", "we", "us", or "our") collects, uses, shares, and protects information about you when you use the NNCash mobile application (the "App"), the nncash.xyz website, or related services (collectively, the "Services").
We respect your privacy and are committed to protecting your personal data. This Policy explains what data we process, why, on what legal basis, and your rights.
If you do not agree with this Policy, do not use the Services.
1. Who we are
| Legal entity | NNCash Pte. Ltd. |
| Registration number | 202612345R |
| Registered address | 12 Marina Boulevard, Marina Bay Financial Centre, Singapore 018982 |
| Contact for privacy matters | privacy@nncash.xyz |
| Data Protection Officer (where required) | dpo@nncash.xyz |
NNCash is the data controller for personal data processed in connection with your account.
2. Data we collect
We collect data in three ways: (a) data you provide directly, (b) data generated by your use of the App, and (c) data from third-party providers (KYC, OAuth providers).
2.1 Identity & contact data
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Name | Display name | You, via registration or SSO | Account identification, personalisation |
| Email address | Sign-in, contact | You / Google / Apple | Authentication, OTP delivery, support comms, transactional notices |
| Phone number (E.164) | Sign-in, OTP delivery | You | Authentication, OTP delivery, P2P recipient resolution |
| Username / @handle | Optional public identifier | You | P2P recipient lookup |
2.2 Identity verification (KYC) data
When you request a higher account tier (Silver, Gold, Platinum, Business), we facilitate identity verification through our partner Did.it. The data flow:
- We send Did.it: your NNCash user id, email, and phone
- You upload to Did.it directly: government-issued ID (passport, national ID, driver's licence), selfie image, and additional documents required by the requested tier
- Did.it returns to us: a verification status + provider reference
NNCash does not store copies of your ID documents or selfie. Did.it acts as an independent data controller for the verification artifacts under its own privacy policy. See Did.it's privacy notice at didit.me/privacy (or whichever URL applies at the time you use the service).
2.3 Financial & wallet data
| Category | Examples | Purpose |
|---|---|---|
| Wallet balances | Per-asset balance in NUSD, NEUR, NSAR, NCNY, NNC, USDC, USDT | Core wallet functionality |
| Transfer history | Sender, recipient, amount, asset, timestamp, optional note | Ledger record + activity display |
| Chain wallet address | bech32 nnc1… address tied to your account | Receive payments on chain |
| Custody key reference | Opaque reference to the encrypted key in the NNChain signing service | Custody — see §6 |
| Swap orders | Pair, amount, rate, timestamp | Functionality |
2.4 Device & technical data
| Category | Examples | Purpose |
|---|---|---|
| Device identifier | Firebase Cloud Messaging (FCM) token | Push notifications |
| App version | Build number | Compatibility + support |
| Operating system | iOS or Android version | Compatibility |
| Language / locale | en, ar, es, etc. | Localisation |
| IP address | Network address | Security, fraud detection, regional compliance |
| User-agent string | Browser / app version | Security |
| Approximate geographic region | Country/region inferred from IP | Regulatory compliance, geo-restriction |
2.5 Authentication artefacts (stored on your device only, never sent to NNCash)
| Category | Examples |
|---|---|
| Biometric template | Face ID / Touch ID / fingerprint, managed by iOS / Android |
| Refresh token | Local secure storage |
| PIN (if you set one) | Local secure storage, hashed |
We do not store or have access to your biometric data — it never leaves your device.
2.6 Support & communications
If you contact support@nncash.xyz or other support channels, we receive your message contents and any attachments you choose to share, plus the email address you write from.
2.7 What we do NOT collect
- We do not access your contacts, photo library, calendar, or microphone
- We do not collect precise GPS location (only approximate region from IP)
- We do not collect health, fitness, or biometric raw data (Face ID / fingerprint are processed on-device by Apple / Google — we receive only a yes/no match result)
- We do not use advertising identifiers (IDFA, AAID) — NNCash shows no ads
- We do not maintain browsing history or search history across other apps
3. How we use your data
We process your data for the following purposes and on the following legal bases (where GDPR applies):
| Purpose | Legal basis | Examples |
|---|---|---|
| Provide the Services | Contract performance | Process transfers, display balances, deliver OTPs, send push notifications |
| Comply with law | Legal obligation | KYC verification, AML transaction monitoring, sanctions screening, regulatory reporting |
| Prevent fraud & secure accounts | Legitimate interest | Suspicious activity monitoring, login anomaly detection, account-freeze enforcement |
| Customer support | Contract performance / consent | Respond to your tickets, investigate issues |
| Service improvement | Legitimate interest | Aggregate, de-identified usage analytics (no tracking SDKs) |
| Marketing communications | Consent (opt-in) | Product updates if you opt in. We do not send unsolicited marketing. |
4. Who we share data with
We share only the minimum data necessary with the following categories of recipients:
4.1 Service providers (processors acting on our behalf)
| Recipient | Data shared | Purpose | Location |
|---|---|---|---|
| Did.it | Name, email, phone, government ID | KYC verification | EU / US (per Did.it's infra) |
| Google (Firebase Cloud Messaging) | FCM token, message payload metadata | Push notification delivery | Google global infra |
| Google (Firebase services) | Anonymous app-startup diagnostics | Crash reporting + service health | Google global infra |
| Mailcow / SMTP provider | Email address, message content | Transactional email delivery (OTP, password reset) | Self-hosted in Singapore |
| Cloud hosting (VPS) | All app data passes through here | Hosting NNCash's backend | Hostinger International LTD (Singapore) |
4.2 Authentication providers
| Recipient | Data shared | When |
|---|---|---|
| Your Google account email + subject id | When you sign in with Google | |
| Apple | Your Apple ID email (or relay address) + subject id | When you sign in with Apple |
These providers act as independent controllers for the data they receive about your authentication.
4.3 NNChain network (public ledger)
When you make a deposit or withdrawal that crosses the chain boundary, transaction metadata is recorded on the NNChain public ledger. This includes:
- Source wallet address (
nnc1…) - Destination wallet address
- Amount and asset code
- Block timestamp
Wallet addresses are pseudonymous, but the on-chain record is permanent and public. Anyone can view it at NNScan.org or via NNChain RPC endpoints. NNCash cannot remove on-chain records.
Internal P2P transfers between NNCash users (not crossing chain) are recorded only in our private ledger, not published on chain.
4.4 Authorities and regulators
We may disclose personal data to government authorities, regulators, or law enforcement when:
- Required by valid legal process (subpoena, court order, regulatory request)
- Necessary to investigate, prevent, or respond to fraud, money laundering, terrorism financing, or sanctions violations
- Necessary to protect the rights, property, or safety of NNCash, our users, or the public
4.5 Business transfers
If NNCash is involved in a merger, acquisition, restructuring, or asset sale, your data may be transferred to the acquiring party. We will notify you of any such change and the resulting privacy implications.
4.6 What we DO NOT do
- We do not sell your personal data to anyone
- We do not share your data for cross-context behavioural advertising
- We do not allow third-party advertising SDKs in the App
5. International data transfers
Your data may be transferred to and processed in countries other than your country of residence. When we transfer data outside your jurisdiction, we use appropriate safeguards such as Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or your explicit consent.
6. Wallet custody model
Your NNChain wallet is created and managed by NNCash on your behalf. The cryptographic keys for your wallet are held in the NNChain signing service, which NNCash operates with strict access controls:
- Only senior operations staff with
SUPER_OPSrole can request key material - Each request is audit-logged with operator id, IP, reason, and timestamp
- An additional second factor is required at the custody backend before any actual private-key material is released
This is a custodial model — you do not currently hold the private keys yourself. We are working on a self-custody option in a future release.
You can freeze your wallet at any time from inside the App (Wallet → Freeze) to halt outgoing transfers if your device is lost or compromised.
7. Data retention
| Data category | Retention period |
|---|---|
| Account data (name, email, phone) | For as long as your account is active + [3] years after closure (regulatory retention) |
| Transfer & financial records | [5–7] years after the transaction (regulatory AML retention requirements) |
| KYC verification artifacts (held by Did.it) | Per Did.it's policy + regulatory minimum [5] years |
| Device tokens (FCM) | Until the App is uninstalled or you sign out |
| Support tickets | [3] years after ticket closure |
| Audit / fraud-investigation logs | [7] years |
After the retention period, we delete or anonymise the data unless we are legally required to retain it longer.
8. Security
We use industry-standard measures to protect your data:
- Encryption in transit: TLS 1.2+ for all client-server communication
- Encryption at rest: Sensitive fields (e.g. custody key references) encrypted in the database
- Password hashing: scrypt with OWASP-recommended parameters
- Access controls: Role-based admin access, mandatory two-factor authentication for staff
- Audit logging: Every privileged action recorded with actor, timestamp, IP, reason
- Biometric on-device: Face ID / fingerprint never leaves your device
No system is 100% secure. If you suspect unauthorised access to your account:
1. Freeze your wallet via the App (Wallet → Freeze) 2. Contact support@nncash.xyz immediately
We will notify you and applicable regulators if a data breach affects your personal data, as required by law.
9. Your rights
Subject to applicable law (GDPR, CCPA, etc.), you have the following rights regarding your personal data:
| Right | What it means | How to exercise |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | Email privacy@nncash.xyz |
| Correction | Correct inaccurate or incomplete data | Update in App profile, or email us |
| Deletion | Request deletion of your account and associated data, subject to retention obligations | See §10 below |
| Portability | Receive a copy of your data in a structured, machine-readable format | Email privacy@nncash.xyz |
| Restriction | Restrict how we process your data while a dispute is being resolved | Email privacy@nncash.xyz |
| Objection | Object to processing based on our legitimate interests | Email privacy@nncash.xyz |
| Withdraw consent | Where we rely on consent, withdraw it at any time | Adjust in App settings or email us |
| Lodge a complaint | File a complaint with your local data protection authority | See §13 |
We respond to verifiable requests within 30 days (or as required by applicable law).
10. Account deletion
To request deletion of your NNCash account and associated personal data:
1. In-app: Profile → Settings → Delete account (when available) 2. By email: Send a request from your registered email to privacy@nncash.xyz with subject "Account Deletion Request"
What happens after a deletion request:
- Within 48 hours, we freeze your account to prevent further transactions
- We withdraw or convert any remaining wallet balances per your instructions, subject to applicable limits and regulatory holds
- We delete personal data we are not legally required to retain
- We retain transaction records, audit logs, and KYC outcomes for the legally required retention period (typically 5-7 years for AML compliance), after which they are deleted or anonymised
- On-chain records of deposits/withdrawals cannot be removed (they are permanently on NNChain's public ledger)
You can also request deletion without an account — if you contacted support but never registered, email privacy@nncash.xyz.
11. Children
The Services are intended for users 18 years or older. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, contact privacy@nncash.xyz and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be:
- Posted at this URL with an updated
Effective date - Notified to active users via in-app notice and/or email at least 30 days before the change takes effect for material changes affecting your rights
Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
13. Contact
For privacy questions, requests, or complaints:
- Email:
privacy@nncash.xyz - Postal: NNCash Pte. Ltd., 12 Marina Boulevard, Marina Bay Financial Centre, Singapore 018982
- Data Protection Officer:
dpo@nncash.xyz(if applicable in your jurisdiction)
If you are in the European Economic Area, United Kingdom, or Switzerland and we have not addressed your concern to your satisfaction, you have the right to lodge a complaint with your local data protection authority.
If you are in California, you have additional rights under the California Consumer Privacy Act (CCPA). Contact us to exercise these rights.
Last updated: June 10, 2026
This document is published in English. Translations may be provided for convenience; in the event of a conflict, the English version prevails.