Welcome to the Oma application and related services (hereinafter "the App" or "the Service"). This Privacy Policy is formulated by OMA TECHNOLOGY SDN. BHD. to explain how we collect, use, store, share, and protect your personal information, and the rights you are entitled to.
If you do not agree with all or part of this Privacy Policy, you may be unable to use some or all features.
This Privacy Policy applies to the mobile and related service features provided by the current version of Oma, including but not limited to:
- Email verification code login;
- Google Sign-In and Apple Sign-In;
- QR code generation, scanning, recognition, and saving;
- Transfers, payment collection, invitation scanning, and other account interaction features;
- KYC / identity verification, document recognition, selfie verification, and liveness detection;
- Receipt / voucher image or file upload;
- Biometric unlock or security verification;
- Local preference settings, cache, and login state management.
Depending on the specific features you use, we may collect the following information:
2.1 Account & Login Information
- Email address;
- Phone number and country calling code (if bound or used for transfers/verification);
- Third-party login information such as Google or Apple account identifiers, email, nickname, and avatar;
- Login credentials, access tokens, refresh tokens, login method, and user ID;
- Country code, device source identifiers, and other information submitted for risk control or login processes.
2.2 Identity Verification & KYC Information
When you use the KYC / identity verification feature, we may collect:
- Full name, national ID number, or passport number;
- Date of birth, gender, nationality;
- Residential address, country, state/province, city, postal code;
- Mother's maiden name, occupation, employer name;
- Front and back photos of ID documents or passport photos;
- Selfie photos, facial verification images, liveness detection videos;
- OCR recognition results, identity verification results, and file identifiers returned from uploads.
Note: Document text recognition and certain facial detection capabilities are triggered locally on the device to assist with scanning. When you submit identity verification, document images, selfie photos, and liveness videos may still be uploaded to our servers or identity verification services for review and validation.
2.3 Transaction & Business Data
- Phone number, email, and country calling code of transfer recipients that you actively enter;
- QR code content, including payment codes, invitation QR codes, user QR codes, URLs, or text content;
- Receipts, vouchers, supporting documents, and other images or PDF files you actively upload;
- Bills, cards, income/expense records, and other data generated during service processing.
2.4 Device, Network & Usage Information
- Network request information processed for login, API calls, and security verification;
- Device-generated and cached identifiers (such as in-app device IDs);
- Device language, currency preferences, biometric settings, and other configuration items;
- Country code inferred from IP address, used for default country/region or language settings;
- Necessary error logs, debug logs, and API response status for troubleshooting and security risk control.
Note: No precise GPS location collection logic has been found in the current codebase. The App infers country codes primarily through network IP rather than requesting system location permissions.
2.5 Locally Stored Information
To ensure a smooth experience, we store certain data locally on your device, such as:
- Login state, user ID, and user profile summary;
- Access tokens, refresh tokens, and expiration times;
- Biometric toggle state;
- Language, currency, and other preference settings;
- KYC draft data and occupation information drafts;
- Cached country codes and partial business cache data.
- Completing registration, login, identity verification, and account management;
- Providing core features such as transfers, payment collection, QR code recognition, and receipt uploads;
- Completing identity verification, document recognition, facial comparison, liveness detection, and risk control review;
- Saving your settings and draft content to improve continuity of use;
- Determining default country/region and optimizing page display and language experience;
- Ensuring transaction security, identifying abnormal behavior, and handling complaints and disputes;
- Performing troubleshooting, performance optimization, and security audits;
- Fulfilling legal and regulatory requirements, including anti-money laundering and anti-fraud compliance obligations.
| Permission | Required? | Usage Scenario | Impact if Denied |
|---|---|---|---|
| Camera | As needed | QR scanning, receipt capture, ID/passport scanning, selfie verification, liveness detection | Unable to use scanning, photo upload, document scanning, or facial verification |
| Photo Library | As needed | Select QR/ID/receipt images from gallery; save "My QR Code" to gallery | Unable to select images from gallery or save QR codes |
| Photo Library Write | As needed | Save "My QR Code" to system photo library | Unable to save QR code images to gallery |
| File Access | As needed | Select jpg, jpeg, png, or pdf files as vouchers or supporting documents | Unable to select and upload documents from file manager |
| Biometrics / Face ID / Touch ID | Optional | Post-login identity check, sensitive operation confirmation, account security | Can use password/verification code; biometric quick verification unavailable |
| Google Account | Optional | Google Sign-In | Unable to use Google Sign-In; other login methods remain available |
| Apple Account | Optional | Apple Sign-In | Unable to use Apple Sign-In; other login methods remain available |
| Network Access | Required | Login, API calls, data sync, file upload, KYC review, IP country detection | Unable to use most online features |
Additional Notes
- Camera: Used for QR scanning, document capture, selfie, and liveness verification. Liveness detection video is configured to not capture audio — microphone permission is not requested for this feature.
- Photo Library: Only used when you actively select gallery images or save QR code images.
- File Access: Reads only files you actively select via the system file picker; the App does not continuously access your entire file system.
- Biometrics: Only activated after you explicitly enable the feature.
- Network Access: A fundamental requirement for App operation; typically does not require a separate pop-up authorization.
Based on the current codebase, the following permissions are not actively requested or required:
- Precise location permission;
- Microphone permission;
- Contacts permission;
- SMS reading permission;
- Push notification permission.
If future versions add any of the above capabilities, we will notify you through updated privacy policies, permission prompts, or in-app notices.
To enable certain features, we may interact with third-party services within the necessary scope:
- Google Sign-In: Authentication information is provided by Google through its authorization flow;
- Apple Sign-In: Authentication information is provided by Apple through its authorization flow;
- IP Country Detection: The App uses
ipapi.coto query country codes based on network IP for default region display and experience optimization; - Firebase Core: Integrated as part of base service component initialization;
- Business Backend APIs: Login, KYC, file upload, and transaction processing require communication with our business servers.
When you scan a URL and choose to open it, the system may invoke an external browser. Third parties may process your information according to their own privacy policies.
We will not sell your personal information to third parties, except:
- With your separate consent or authorization;
- As necessary to fulfill a feature you have actively initiated;
- To comply with laws, regulations, court orders, or regulatory requirements;
- As necessary to maintain transaction security or protect legitimate interests.
We adopt reasonable technical and administrative measures to protect your personal information, including access controls, identity authentication, least-privilege access, and security audits.
Some information is stored locally on your device to maintain login state and preferences. Transaction, KYC, and risk control data may be stored on our servers for business processing, compliance review, and dispute resolution.
Data retention follows:
- The minimum period necessary to fulfill business purposes;
- Requirements of laws, regulations, audits, and anti-money laundering/anti-fraud obligations;
- Periods needed for dispute resolution or system security assurance.
After these periods expire, we will delete or anonymize the relevant information in accordance with applicable law.
To the extent permitted by applicable law, you generally have the right to:
- Access and correct your account or identity information;
- Delete your account or request deletion of specific personal information;
- Withdraw consent for a particular permission or authorization;
- Disable biometric features, log out, or clear local cache;
- Request an explanation of personal information processing rules;
- Where permitted by law, request to copy, export, or restrict processing of relevant data.
You can disable camera, photo library, biometric, and other permissions through your device system settings. After revoking permissions, certain features will no longer be available. Information related to KYC, transactions, or anti-money laundering obligations may not be immediately and completely deleted.
If you are a minor, please use this Service only after your guardian has read and agreed to this Privacy Policy. If we discover that we have collected information from a minor without valid consent as required by applicable law, we will take steps to delete or anonymize such information as soon as possible.
We may update this Privacy Policy based on product features, laws, or regulatory requirements. Updated versions will be presented through in-app pages, our official website, or other appropriate means. If updates involve significant changes to your rights, we will notify you in a more prominent manner.
If you have any questions, comments, or complaints regarding this Privacy Policy, please contact us:
If you believe our personal information processing practices have infringed upon your legitimate rights and interests, you may also seek remedies from the competent data protection regulatory authority or court of law.