Privacy Policy

• Incorporated in Malta with Company Reg. No. C85571

Last updated: 29 September 2025

1. Introduction

ShareRing Ltd (“ShareRing,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the ShareRing Platform, in compliance with applicable global privacy laws, including:

• UK General Data Protection Regulation (UK GDPR)
• EU General Data Protection Regulation (EU GDPR)
• California Consumer Privacy Act (CCPA)
• Thailand Personal Data Protection Act, B.E. 2562 (PDPA)
• UK Data (Use and Access) Act 2025 (DUAA)
• Digital Identity and Attributes Trust Framework (DIATF, Gamma certified)
• Other applicable national data protection laws

This Privacy Policy applies to all personal information collected by ShareRing Ltd and its affiliates when you use our products and services or interact with the ShareRing Platform.

Our Role Under PDPA
ShareRing may act either as a Data Controller or a Data Processor, depending on the context:

• Where ShareRing provides services directly to users (e.g., via the ShareRing app), we act as a Data Controller.
• Where ShareRing supplies technology under contract with Transformational and Thai Post (e.g., Prompt Post and Prompt Pass), ShareRing acts as a Data Processor, processing data only on the instructions of the Data Controller (Transformational/Thai Post).

2. Information We Handle

ShareRing does not centrally collect or retain user identity data. Instead:

Identity Data (stored on your device not collected by ShareRing)

• Identity attributes, biometric data, identity documents, and sensitive personal data remain encrypted and securely stored on your device. 
• ShareRing has no access to this data.

Data Sharing (with your consent)

• You control when and with whom your data is shared. 
• Relying Parties (e.g., banks, merchants, government agencies) may request access, but data is only shared if you explicitly consent.
• Relying Parties are solely responsible for any data they receive from you, including their own retention and compliance obligations.

Metadata Processed by ShareRing

• Device & Connection Data: IP address, device identifiers, operating system, and browser details.
• Usage Data: Platform interactions, access times, and language preferences.
• Fraud Prevention & Security Metadata: Limited technical information used to detect anomalies or abuse.

Data Minimisation & Purpose Limitation

• • ShareRing processes only the minimum metadata necessary to operate and secure the platform. 

• Metadata is never used for profiling, marketing, or resale.

What do we mean by Metadata?

Metadata is technical information about how you use the ShareRing Platform, such as your device type, language preference, or the time you log in. It never includes your personal identity data (like your name, ID documents, or biometrics), which always remain securely on your device and under your control.

3. Lawful Basis for Processing Personal Data

ShareRing only processes limited metadata (see Section 2). Identity data remains under your control and is shared directly with Relying Parties only with your consent. The lawful bases for processing metadata are:

3.1 Legitimate Interest 

We process personal data under Legitimate Interest for:

• Fraud prevention and risk mitigation – Processing metadata and providing technology that enables users to present verified identity attributes to Relying Parties, who make the final verification decision
•  Supporting age verification for Relying Parties – Enabling technology that supports user-controlled age verification where required (e.g., alcohol, gambling, adult content), with the verification decision and record held by the Relying Party Platform security and abuse prevention – Monitoring for anomalies or misuse to protect the integrity of the ShareRing Platform.
• Ensuring service reliability and performance

In the UK, under the Data (Use and Access) Act 2025 (DUAA), we may also rely on Recognised Legitimate Interests for specific purposes such as innovation, security, and direct marketing, subject to safeguards. Users have the right to object to processing under Legitimate Interest, as outlined in Section 7 (User Rights).

3.2 Consent 

Identity data (such as verified credentials, biometric information, or identity documents) is only shared with a Relying Party (RP) when you provide explicit consent.:

• You remain in control of your identity data 

Consent may be withdrawn at any time

3.3 Contractual Necessity
We may process limited metadata when necessary to:

• Deliver and support our services
• Provide technical support and security features
• Process payments where applicable

3.4 Legal Obligations
We may process limited metadata where required to comply with applicable laws, regulations, or court orders. This may include:

• Maintaining technical logs for security and audit purposes
• Cooperating with lawful requests from regulators or law enforcement

Complying with data protection or cybersecurity requirements in the jurisdictions where we operate

4. How We Use Your Information

We use limited Metadata for:

• Operating and improving services – Supporting the operation and performance, and security of the ShareRing Platform.
• Fraud prevention, and security – Using metadata and security checks to detect anomalies, reduce misuse of the platform, and support Relying Parties in their fraud prevention measures. ShareRing does not retain or centrally verify user identity data. Supporting age verification for Relying Parties – Providing the technology that enables users to prove their age directly to a Relying Party (e.g., alcohol or gambling merchant) under their own control. ShareRing does not retain or decide the outcome of the verification.
• Regulatory compliance – Meeting our obligations under data protection and cybersecurity laws, and responding to lawful requests from regulators or law enforcement. 
• Communication – Sending service-related updates and necessary communications about the ShareRing Platform
• Automated Decision-Making – Using automated processing of metadata (e.g., anomaly or fraud detection). These checks do not have legal or significant effects on users. Where Relying Parties perform automated identity verification, they are responsible for safeguards such as human review and challenge rights.

5. Sharing Metadata and Data You Control 

We may share Metadata in the following circumstances:

• With Service Providers – We may share limited metadata with trusted providers (e.g., hosting, fraud prevention, technical operations).
• With Relying Parties (RPs) – You decide when and if to share your identity data. ShareRing does not transmit or control this data; it flows directly from you to the Relying Party with your explicit consent With Authorities – We may share limited metadata if required to comply with legal obligations or law enforcement requests.

6. International Data Transfers

ShareRing does not transfer or store identity data. Any transfer of identity data occurs directly between you and a Relying Party, subject to your consent. 

Metadata that we process (e.g., logs, technical information) may be processed in countries outside your location, including Australia, the UK, the EU, the US, and Thailand. We apply:

• Standard Contractual Clauses (SCCs) for UK/EU transfers
• Adequacy decisions where applicable
• UK DUAA’s revised “not materially lower” adequacy test for transfers into the UK
• PDPA-compliant safeguards for transfers from Thailand
• Industry-standard security measures to protect data integrity

7. User Rights & Opt-Out Mechanism

Users have rights under GDPR, PDPA, DUAA, and other applicable laws, including:

• Right to Access – Obtain a copy of the limited metadata we process. Your identity data remains on your device and under your control.

• Right to Rectification – Correct inaccurate or incomplete metadata we may process (e.g., account preferences).

• Right to Erasure – Request deletion of metadata (“right to be forgotten”). Your identity data can be deleted at any time directly from your device.

• Right to Restrict Processing – Limit the way we process metadata.

• Right to Object – Object to processing under Legitimate Interest or Recognised Legitimate Interests, including direct marketing.

• Right to Data Portability – Export or transfer your identity data to another service provider. This function is managed directly through the ShareRing app on your device.

• Right to Withdraw Consent – Withdraw consent at any time for sharing identity data with Relying Parties.

• Right to Challenge Automated Decisions – Request human review and explanation of automated metadata checks performed by ShareRing. Where automated decisions are made by Relying Parties (e.g., identity verification), those parties are responsible for providing safeguards.

• Right to Lodge a Complaint – Thai residents may contact the Personal Data Protection Committee (PDPC). UK residents may contact the Information Commissioner’s Office (ICO). Other users may contact their local data protection authority.

For UK users, if additional information is required to process a Subject Access Request (SAR), the statutory response timeframe may be paused (“stop the clock”) until the required information is received.

8. Sensitive Personal Data

Some categories of personal data are considered sensitive under PDPA and DUAA (e.g., biometric data, health data, religious beliefs). ShareRing does not collect or retain sensitive data. Instead:

• Sensitive data such as biometric templates or identity documents remain encrypted and securely stored on your device.

• Such data is only shared directly with Relying Parties when you provide explicit consent.
• ShareRing’s technology ensures safeguards such as encryption, user-controlled sharing, and prevention of unauthorised access.
• ShareRing does not use sensitive data for profiling, marketing, or any secondary purposes.

9. Data Retention & Security

• Identity data: ShareRing does not collect or retain identity data (e.g., documents, biometrics, personal attributes). This information remains encrypted on your device and under your control.

• Metadata: We may retain limited metadata (e.g., logs or fraud prevention records) only for as long as necessary to operate the platform securely, meet contractual obligations, or comply with applicable law.

• Security: Encryption, role-based access controls, and regular security audits are applied to protect the integrity of metadata and to ensure the ShareRing Platform safeguards your identity data on your device.

10. Updates to This Policy

ShareRing’s privacy and security practices are aligned with DIATF Gamma certification requirements, demonstrating our commitment to strong governance and assurance in handling digital identity

We may update this Privacy Policy periodically. The latest version will always be available on our website.

11. Contact Us

For privacy inquiries or to exercise your rights, contact:

• Email: privacyofficer@sharering.network
• Website: https://sharering.network/contact

Thailand PDPC (Regulator Contact Information)

Personal Data Protection Committee (PDPC)

120 Moo 3, 5-7th Floor, Government Complex Commemorating His Majesty’s 80th Birthday Anniversary (Building C)

Chaeng Watthana Soi 7, Chaeng Watthana Road, Thung Song Hong, Lak Si, Bangkok 10210, Thailand

Phone: +66 2 111 8800

Email: pdpc@pdpc.go.th

UK Information Commissioner’s Office (ICO)

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Phone: +44 303 123 1113

Website: https://ico.org.uk