Privacy Policy

Last updated: April 7, 2026

1. Introduction

Blueforce ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, process, store, and share your information when you use our platform, website (blueforceprime.com), mobile application, and related services (the "Service").

We comply with the Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, to the extent applicable, the EU General Data Protection Regulation 2016/679 ("GDPR") for users who are residents of the European Economic Area.

2. Information We Collect

Account & Identity Information

  • Full legal name, email address, phone number
  • Government-issued identification documents (passport, national ID, or driver's licence)
  • Date of birth, nationality, and residential address
  • Biometric data — facial recognition or liveness detection images collected during KYC verification, processed by our third-party identity verification provider
  • Tax identification numbers where required by law

Financial Information

  • Cryptocurrency wallet addresses linked to your Blueforce account
  • Transaction history: deposits, conversions, card purchases, rewards
  • Card reference data (last four digits, card type) — we do not store full card numbers
  • Account balances and conversion records

Technical & Usage Information

  • IP address, browser type, operating system, device identifiers
  • Cookies and similar tracking technologies (see Section 8)
  • Usage data: pages viewed, features used, session duration, click patterns
  • App crash logs and performance diagnostics

Waitlist Information

  • Email address submitted via our pre-launch waitlist form, used only to notify you about our launch and updates

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Performance of a contract — processing necessary to provide the Service you have signed up for
  • Legal obligation — processing required to comply with AML, KYC, tax reporting, and other applicable laws
  • Legitimate interests — fraud prevention, security monitoring, and service improvement, where these interests are not overridden by your rights
  • Consent — for marketing communications and optional analytics; consent may be withdrawn at any time

4. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process cryptocurrency deposits and point-of-sale conversions
  • Issue and manage your payment card through our licensed card-issuing partner(s)
  • Verify your identity and comply with KYC, AML, and sanctions screening obligations under Thai law and applicable regulations
  • Detect and prevent fraud, money laundering, and other prohibited activities
  • Send transactional notifications: transaction receipts, security alerts, account updates
  • Send marketing communications about new features, card drops, and promotions — only with your explicit consent and only until consent is withdrawn
  • Conduct analytics to improve user experience and service quality
  • Comply with court orders, legal process, and requests from regulatory authorities

5. How We Share Your Information

We do not sell your personal data. We share information only as described below:

  • Licensed card-issuing partner(s) — to issue, activate, and manage your payment card; they process personal and financial data under their own regulated privacy frameworks
  • KYC/AML and identity verification providers — to perform legally required identity checks, including biometric verification; these providers operate under strict data processing agreements
  • Cryptocurrency liquidity and conversion providers — transaction data (amounts, wallet addresses) necessary for conversion; personal identity data is not shared unless legally required
  • Cloud infrastructure and hosting — data is processed and stored on servers located primarily in Singapore operated by Supabase and related cloud providers
  • Analytics, monitoring, and customer support tools — operating under data processing agreements that restrict use to the purposes described in this Policy
  • Law enforcement, regulators, and courts — when required by a valid legal process, court order, or regulatory request in Thailand or any applicable jurisdiction
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity subject to equivalent privacy protections

6. Data Retention

We retain personal data for as long as your account is active and as long as required by applicable law:

  • Financial transaction records — retained for a minimum of 5 years following the transaction date, as required under Thai AML regulations and the Thai Revenue Code
  • KYC and identity documents — retained for a minimum of 5 years after the end of the customer relationship, or longer if required by law
  • Account data — retained for 12 months after account closure, then deleted or anonymised unless longer retention is required by law
  • Waitlist emails — retained until service launch or until you request removal, whichever is earlier
  • Marketing consent records — retained as long as necessary to demonstrate compliance with consent requirements

7. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any right, contact us at privacy@blueforceprime.com. We will respond within 30 days.

Rights under the Thai PDPA (Thai residents)

  • Right to access — request a copy of the personal data we hold about you
  • Right to correction — request correction of inaccurate or incomplete data
  • Right to deletion — request deletion of your data, subject to legal retention obligations
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to data portability — request your data in a structured, machine-readable format
  • Right to withdraw consent — withdraw consent for any processing based on consent at any time, without affecting the lawfulness of prior processing
  • Right to lodge a complaint — with the Office of the Personal Data Protection Committee of Thailand

Additional rights under GDPR (EU/EEA residents)

  • Right to restriction of processing — request that we restrict how we process your data in certain circumstances
  • Right not to be subject to automated decision-making — including profiling that produces legal or similarly significant effects
  • Right to lodge a complaint — with your local EU data protection supervisory authority (in addition to the Thai PDPC)

8. Cookies

We use the following types of cookies and similar technologies:

  • Essential cookies — required for authentication, session management, and core Service functionality; cannot be disabled without impairing the Service
  • Analytics cookies — optional; used to understand how users interact with the Service; only activated with your consent
  • Preference cookies — store your settings and preferences to personalise your experience

You can manage cookie preferences through your browser settings or our in-app consent controls. Withdrawing consent for optional cookies will not affect your ability to use core features.

9. International Data Transfers

Your personal data is primarily stored and processed on servers located in Singapore. Singapore maintains comparable data protection standards to many jurisdictions; however, it is not recognised as having "adequate" data protection under GDPR.

For transfers of personal data outside Thailand:

  • We rely on standard contractual clauses (PDPA Chapter 7 / EU SCCs) with our data processors to ensure adequate protection
  • Where SCCs are not available, we rely on your explicit informed consent for the specific transfer

10. Data Security

We implement industry-standard technical and organisational security measures including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest using AES-256
  • Role-based access controls and least-privilege principles
  • Regular security assessments and penetration testing
  • 24/7 infrastructure monitoring and intrusion detection

In the event of a personal data breach that is likely to risk your rights and freedoms, we will notify affected users and relevant authorities as required by law.

11. Data Protection Officer

A formal Data Protection Officer (DPO) will be appointed following company incorporation, as required under the Thai PDPA. Until that appointment, all data protection inquiries should be directed to:

Privacy Team
Blueforce
Email: privacy@blueforceprime.com

12. Children's Privacy

Blueforce is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a minor has provided us personal data, please contact us at privacy@blueforceprime.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service at least 30 days before changes take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.

14. Contact

For all privacy inquiries or to exercise your rights:

Email: privacy@blueforceprime.com
Website: blueforceprime.com