سياسة الخصوصية

1) Who we are

ME W.L.L. (trading as “MeCard”) (“MeCard”, “We”, “us”, “our”) is the data controller for personal data processed via our app, website and card programme. MeCard operates in the Central Bank of Bahrain (CBB) Regulatory Sandbox as a wallet with a prepaid card.

Contact: support@mecard.io

Website: www.mecard.io

Address: Seef District, Shop 1390, Building 2102, Road 2825, Block 428, Kingdom of Bahrain

MeCard does not sell or rent your personal data.

2) Scope & legal bases
كيف نستخدم المعلومات الخاصة بك

This Policy applies to our website, mobile apps and related services and is aligned with the Bahrain Personal Data Protection Law (PDPL) and applicable CBB Rulebook obligations. MeCard processes data under: legal obligation (e.g., AML/CFT), contract (to run your wallet/card), legitimate interests (security, fraud prevention, service improvement—balanced against your rights), and consent where required by law.

مشاركة البيانات

• Identity & KYC: basic identifiers and contacts, address proofs, ID documents/numbers,
• biometric KYC (e.g., facial image/video for liveness/match), employment/tax, source of income/wealth.

• Financial & transactions: wallet/card payments, top-ups, refunds, authorisations, chargebacks/disputes.

• Usage/technical & security: app/web interactions, device identifiers, IP, cookies/SDK IDs,
• geo-location (if enabled), logs and security signals, support interactions.
• Compliance/risk: sanctions/PEP screening and AML/fraud monitoring results; risk scores (where used).

• Public sources: information you have made publicly available.

اختياراتك

• Service delivery & account management (Contract / Legitimate interests / Legal obligation): open and run your wallet/card; process payments; maintain records; provide support; manage disputes/chargebacks.

• Regulatory compliance & risk (Legal obligation / Public interest): KYC/CDD, sanctions/PEP screening, AML/CFT monitoring, record-keeping and lawful requests.

• Security & integrity (Legitimate interests / Legal obligation): protect against unauthorised access, fraud and abuse; secure and test systems.

• Product improvement (Legitimate interests): enhance performance and features; use aggregated/anonymised analytics.

• Communications & marketing (Contract / Legitimate interests / Consent): service messages (mandatory); marketing where permitted by law. You can opt out of marketing at any time by emailing support@mecard.io.

أمان البيانات

meAssistant provides optional AI-powered insights

(e.g., spend analysis, budgeting prompts). MeCard processes only what is needed to provide these features under contract and legitimate interests, and seek consent where required by law. You can turn off AI at any time in the app.

خصوصية الأطفال

MeCard does not disclose personal or sensitive data to external organisations except where it is necessary to: provide or improve the Services; complete a legitimate transaction you request; comply with Applicable Law or the CBB Rulebook; or as otherwise permitted or required by law.

التغييرات على هذه السياسة

• Banks, issuer/BIN sponsors, payment processors, card schemes and payment networks involved in authorising, processing, settling or reversing your transactions.

6.2 Government & regulatory bodies

• The Central Bank of Bahrain (CBB), the Personal Data Protection Authority (PDPA), and other governmental bodies when required by law, regulation or formal instruction.
• Law enforcement agencies and courts where needed to establish, exercise or defend legal claims.

6.3 Technology providers

• Third-party companies that provide cloud hosting, IT systems and support, cybersecurity, analytics and

AI service providers MeCard configures to prevent model training on your personal data and to limit retention where available, in order to maintain and operate our systems.

6.4 Ancillary service providers

• Records storage/archiving and secure destruction vendors; external legal counsel; professional advisers and consultants; and external auditors.
• Other service providers necessary to fulfil our business operations.

Protection. Whenever MeCard uses an external organisation, it requires appropriate contractual, technical and organisational safeguards and limits processing to the purposes stated above. MeCard remains your single point of contact for privacy matters.

7) Retention

MeCard retains personal data only as long as needed for the purpose or as required by law. AML/CFT and statutory records are kept for minimum legal periods. Operational data is retained as needed for security/support. When no longer necessary, data is erased or anonymised.

8) Your rights

Under the Bahrain PDPL and subject to legal limits, you may access, rectify, erase/block, restrict processing, port data, object to direct marketing, withdraw consent (where used), and request human review for certain decisions. How to exercise: in-app (Settings ▸ Privacy) or support@mecard.io. MeCard responds within timeframes required by law and may ask for ID to verify your request.

9) Minors & guardians

Under-18 users require verified parent or legal guardian consent. The guardian is the contracting party and manages permissions (including marketing).

10) Security & breaches

MeCard applies administrative, technical and physical safeguards (e.g., encryption, access controls, monitoring and testing). If a personal data breach occurs, MeCard will assess impact and notify the PDPA and affected users where required by law,

11) Changes to this Policy

MeCard may update this Policy to reflect changes in law, regulation, technology or our practices. MeCard will post updates here and, where changes are material, notify you (e.g., email or in-app). Your continued use after the effective date means you accept the updated Policy. The date of the latest update will always be shown at the top of this Policy.

12) Liability & third-party links

This Policy is for information and transparency and does not create obligations beyond Applicable Law and our Terms.

Third-party links. The Services may contain links to third-party websites or services. MeCard is not responsible for the content, security, or privacy practices of third parties.

No warranties; limitation. The Services and related materials are provided “as is” and “as available.” To the extent permitted by law, MeCard disclaims all warranties (express or implied) and is not liable for any indirect, incidental, special, consequential or punitive damages, or for loss of profits, data, goodwill, or other intangible losses, arising from or related to the Services, your use of them, actions or third parties, or events beyond our reasonable control. Nothing in this Policy limits liability that cannot be limited under law (including duties under the PDPL and CBB requirements).