Data Protection and Information Security Policy for BAS FAST

Last updated: 01.03.2026

1. Introduction

BAS FAST is committed to protecting the personal, financial, and operational data of its users, and to providing a secure environment for the use of electronic wallet services, transfers, payments, QR code payments, cash-in and cash-out services, agent services, merchant services, and support services.

This Policy explains the technical, organizational, and administrative measures adopted by BAS FAST to protect data against unauthorized access, unlawful use, loss, alteration, disclosure, damage, or misuse.

This Policy complements the BAS FAST Privacy Policy and does not replace it.

The Privacy Policy explains the types of data we collect, the purposes for which we use it, how we share it, and the rights of the user, while this Policy explains how we protect that data, regulate access to it, and handle security risks.

2. Scope of the Policy

This Policy applies to:

• The BAS FAST application.

• The official website.

• Electronic wallet systems.

• Databases and transaction records.

• KYC and identity verification systems.

• Agent and merchant systems.

• Administrative dashboards.

• Support and customer service systems.

• Servers and technical infrastructure.

• Employees, agents, service providers, and any party with authorized access to BAS FAST data.

3. Types of Data Covered by Protection

This Policy covers all data processed by BAS FAST, including:

• Account and registration data.

• Identity and KYC verification data.

• Regular personal photos and document images.

• Financial transaction data.

• Balance data and accounting records.

• Agent and merchant data.

• Contact data such as phone number and email address.

• OTP data and verification messages.

• Device and usage data.

• Login and session logs.

• Support and complaint data.

• Security records and audit logs.

• Any operational or technical data related to the provision of the service.

BAS FAST does not currently use biometric data, automated face matching technologies, or digital face templates. It relies only on regular personal photos and verification documents for KYC purposes, as explained in the Privacy Policy.

4. Data Protection Principles

BAS FAST adopts the following principles in protecting data:

• Confidentiality: Data is accessed only by authorized persons or systems.

• Integrity: Data is protected against unauthorized alteration or manipulation.

• Availability: Systems and data are made available to the extent necessary to operate the service.

• Minimum access: No employee, agent, or service provider receives access to data except to the minimum extent necessary to perform their task.

• Specific purpose: Data is used only for legitimate operational, security, financial, compliance, or legal purposes.

• Review and accountability: Sensitive operations are recorded and reviewed when needed.

• Continuous improvement: Protection measures are updated based on risks and technical and operational developments.

5. Protection of Data in Transit

BAS FAST uses appropriate safeguards to protect data while it is transmitted between the user and the platform or between internal systems, including:

• Using secure communication protocols such as SSL/TLS.

• Protecting login sessions and connections to servers.

• Reducing the transmission of sensitive data when it is not necessary.

• Preventing passwords or PIN codes from being sent in exposed formats.

• Using secure channels when exchanging data between internal systems or service providers.

The purpose of these measures is to prevent data from being intercepted, read, or altered while transmitted over networks.

6. Protection of Data at Rest

BAS FAST works to store personal, financial, and operational data within secure technical environments. Protection measures include:

• Storing data on secure servers or hosting environments.

• Protecting databases from unauthorized access.

• Applying access permissions based on the user’s role.

• Protecting passwords and PIN codes using secure storage methods such as appropriate encryption or hashing.

• Using secure backups when needed.

• Protecting financial records and transaction records from unauthorized deletion or modification.

• Separating certain environments or permissions when needed between production, testing, administration, and support.

BAS FAST is not required to name every hosting or infrastructure provider in this Policy, unless this is required by law, by regulation, or for operational reasons.

7. Access Permission Management

BAS FAST adopts an access permission system based on the “need-to-know” principle, so that no employee, agent, or service provider is granted access to data unless such access is necessary to perform a specific task.

Access management includes:

• Clearly defining internal user roles.

• Restricting employee permissions according to job function.

• Restricting agent permissions according to the authorized service.

• Reviewing permissions periodically.

• Revoking permissions when the relationship ends or the role changes.

• Recording sensitive operations performed through dashboards.

• Preventing the sharing of internal accounts between more than one person.

• Using additional authentication for administrative or sensitive accounts when needed.

8. Account Protection and Authentication Methods

BAS FAST applies security procedures to protect user accounts, including:

• Password or PIN.

• OTP verification codes.

• Verification via WhatsApp.

• Verification via email.

• Security notifications when needed.

• Additional verification when sensitive data is changed.

• Monitoring unusual login attempts.

• Restricting or suspending the account when a security risk is suspected.

The user is responsible for protecting the password, PIN, and OTP codes and not sharing them with any person, including agents, support employees, or any party claiming to represent BAS FAST.


9. Protection of KYC Data and Documents

Due to the sensitivity of identity verification data, BAS FAST applies special controls to protect it, including:

• Restricting access to KYC data to authorized employees or systems.

• Using KYC data only for verification, compliance, fraud prevention, or legal and operational requirements.

• Preventing the use of document images or personal photos for marketing or advertising purposes.

• Not sharing KYC data with agents or external parties except where there is a legitimate need and to the minimum extent necessary.

• Retaining KYC data according to the periods necessary for compliance, auditing, and fraud prevention, as explained in the Privacy Policy.

• Protecting documents against unauthorized access, copying, or downloading as much as possible.

10. Protection of Financial Transaction Data

Financial transaction data is considered among the most sensitive data within BAS FAST and includes records of transfers, payments, cash-in, cash-out, settlement, fees, balances, and review logs.

BAS FAST takes measures to protect this data, including:

• Recording each transaction with a reference number or traceable record.

• Maintaining financial and operational records for review and auditing purposes.

• Preventing unauthorized modification of transaction records.

• Monitoring unusual, repeated, or high-risk transactions.

• Reviewing disputed transactions according to internal records.

• Protecting balance and settlement records from unauthorized access.

• Applying internal controls to correction, modification, freezing, or cancellation operations when applicable.

11. Monitoring Suspicious Activities and Risks

BAS FAST uses internal monitoring mechanisms to detect unusual or suspicious activities, including:

• Repeated or failed login attempts.

• Use of the account from unusual devices or patterns.

• Transactions that are inconsistent with the nature of the account.

• Attempts to bypass account limits or controls.

• Fraud or identity impersonation indicators.

• Activities that may be linked to money laundering or terrorist financing.

• Abnormal use of agents or cash-out and cash-in channels.

When a potential risk is detected, BAS FAST may take precautionary measures, such as:

• Requesting additional verification.

• Temporarily suspending a transaction.

• Restricting certain account features.

• Freezing part of the balance subject to review.

• Internally reviewing the account.

• Closing the account or refusing the service when necessary.

• Cooperating with competent authorities where there is a legal or regulatory basis.


12. Protection of Agent and Merchant Data

BAS FAST deals with agents and merchants as important parties within the ecosystem and therefore applies controls to protect data related to them and their customers.

These controls include:

• Granting the agent or merchant only specific permissions.

• Not enabling agents or merchants to access data they do not need.

• Recording operations performed by agents or merchants.

• Preventing the use of user data for personal purposes or outside the scope of the service.

• Monitoring compliance with approved procedures.

• Restricting or revoking the permissions of an agent or merchant in the event of misuse or violation of policies.


13. Protection of Support and Customer Service Systems

The support team may need access to certain data to process requests and complaints. Therefore, BAS FAST adopts special controls, including:

• Verifying the identity of the request owner before processing sensitive data.

• Not disclosing account information except to the account holder or legally authorized person.

• Not requesting the user’s password, PIN, or OTP.

• Recording complaints, requests, and responses when needed.

• Restricting support employees’ access to the minimum necessary to process the request.

• Preventing the use of support data for personal or unauthorized marketing purposes.

14. External Service Providers

BAS FAST may rely on external service providers to operate certain technical or operational aspects, such as:

• Cloud hosting and infrastructure.

• WhatsApp services for sending OTP or alerts.

• Email services for sending OTP or necessary messages.

• Crash monitoring tools.

• Cybersecurity tools.

• Backup services.

• Support or compliance services when needed.

BAS FAST deals with service providers according to the principles of necessity and data minimization, and works to select appropriate providers and take reasonable measures to ensure that data is used only for the specified purposes.

15. Backups and Service Continuity

BAS FAST may use backup systems to protect data against loss, damage, or technical failures.

Backup and service continuity procedures include:

• Creating secure backups when needed.

• Restricting access to backups.

• Using backups only for restoration, security, or compliance purposes.

• Retaining backups according to approved technical schedules.

• Testing restoration procedures when needed.

• Establishing measures for service continuity in the event of failures or emergency circumstances.

16. Security Incident Management

In the event of a security incident, or suspicion of unauthorized access, leakage, breach, or data loss, BAS FAST takes appropriate measures according to the nature and severity of the incident.

These measures may include:

• Isolating or stopping the source of risk.

• Assessing the scope of the incident.

• Protecting affected accounts or systems.

• Changing or revoking sessions or codes when needed.

• Temporarily suspending certain services when necessary.

• Conducting an internal investigation and documenting the incident.

• Taking corrective measures to prevent recurrence.

• Notifying users or competent authorities when required or appropriate.

Not every technical failure or attempted attack means that an actual data breach has occurred. Each case is assessed according to the approved technical and operational standards.

17. Reporting Vulnerabilities or Security Risks

BAS FAST encourages users or good-faith parties to report any potential vulnerability or security risk through the official channels.

When reporting a vulnerability or security issue, the reporter must:

• Not exploit the vulnerability.

• Not access data that does not belong to the reporter.

• Not attempt to disrupt the service.

• Not publicly disclose the vulnerability before BAS FAST reviews it.

• Provide sufficient details to assist with verification and remediation.

Security-related reports may be sent through:

• Official privacy email: privacy@basfast.com

• Technical support email: support@basfast.com

18. User Responsibilities in Protecting Data

Data protection does not depend on BAS FAST alone, but also requires the user’s commitment to basic security procedures.

The user must:

• Not share the password, PIN, or OTP with any person.

• Use a secure and updated device.

• Download the application only from official sources.

• Not use modified or untrusted versions of the application.

• Not open suspicious links claiming to represent BAS FAST.

• Not hand over the phone, SIM card, or account to third parties.

• Verify recipient details before executing a transfer.

• Notify BAS FAST immediately if the phone is lost or account compromise is suspected.

• Update the phone number or email address when they change.

• Not use the account to execute transactions on behalf of others without authorization.

BAS FAST may not be responsible for losses or damages resulting from the user’s negligence, sharing of data or verification codes, or use of unofficial channels.

19. Account Deletion and Its Effect on Data Protection

BAS FAST provides an option or mechanism to request account deletion through the application or official channels.

When account deletion is requested, BAS FAST deletes or anonymizes data that is no longer necessary, while retaining data that must or may be retained for legal, financial, accounting, compliance, or security reasons.

Data that may be retained after account deletion may include:

• Financial transaction records.

• KYC data.

• Compliance records.

• Complaint and dispute records.

• Fraud prevention data.

• Data required for auditing, accounting, or protection of rights.

• Data required by law, license, or request from competent authorities.

This does not conflict with the Privacy Policy, because retaining certain financial and compliance records after account closure is necessary due to the nature of electronic wallet services.

20. No Sale of Data and No Advertising Tracking

BAS FAST does not sell users’ personal or financial data.

BAS FAST does not currently use user data for advertising tracking across third-party applications or websites, and does not currently use advertising SDK tools to track users outside BAS FAST services.

BAS FAST may use operational or internal statistical data to improve the service, measure performance, prevent fraud, protect the platform, or send necessary or informational messages related to the service, without selling user data or using it to track users for advertising purposes across third-party services.

21. Training and Internal Compliance

BAS FAST works to strengthen a culture of data protection within its operational and administrative teams through:

• Educating employees and agents on the importance of data confidentiality.

• Restricting access based on need.

• Establishing procedures for handling sensitive data.

• Preventing the use of data outside the scope of work.

• Taking internal measures in the event of data misuse or violation of policies.

• Reviewing security and operational procedures when needed.

22. Limits of Protection and Liability

BAS FAST exercises reasonable and professional care to protect data and systems. However, absolute protection cannot be guaranteed for any electronic system, communication method, or storage method.

BAS FAST shall not be responsible for damages resulting from:

• The user sharing the password, PIN, or OTP.

• The use of unofficial links, applications, or channels.

• Compromise of the user’s device, email, or WhatsApp account.

• Handing over the account, phone, or SIM card to third parties.

• Failures beyond reasonable control.

• Large-scale cyberattacks or force majeure events despite taking reasonable protection measures.

• Errors or negligence by communication providers, devices, or networks outside the control of BAS FAST.

23. Relationship with the Privacy Policy

This Policy is dedicated to explaining data protection and information security procedures within BAS FAST.

The Privacy Policy explains:

• What data BAS FAST collects.

• Why it collects it.

• With whom it may share it.

• How long it retains it.

• The rights of the user.

• The account and data deletion mechanism.

• App store requirements and disclosures.

In the event of any apparent conflict between this Policy and the Privacy Policy, the two documents shall be interpreted together. If this is not possible, the Privacy Policy shall be the primary reference for matters relating to data collection, use, sharing, and user rights, while this Policy shall be the primary reference for matters relating to protection, security, and technical and organizational risk management.

24. Updates to this Policy

BAS FAST may update this Policy from time to time for reasons including:

• Developing protection systems.

• Adding new services.

• Technical or operational changes.

• Legal or regulatory requirements.

• Updates to Google Play or Apple App Store requirements.

• Improving risk management.

• Enhancing transparency toward users.

The updated version will be published on the website or inside the application, with the “Last updated” date amended. Users may be notified of material changes through the appropriate official channels.

25. Contact Us

For any question, request, or report relating to data protection or information security, BAS FAST may be contacted through:

• Official privacy email: privacy@basfast.com

• Technical support email: support@basfast.com

• Phone number: 00963936335231

• Website: www.basfast.com

The user must use only the official channels when submitting any request or report related to the account, data, or security.

26. Acknowledgment

By using BAS FAST or continuing to use its services, you acknowledge that:

• You understand that BAS FAST applies technical and organizational measures to protect data.

• You understand that account protection requires your cooperation and that you must not share login data or verification codes.

• You agree to the protection, monitoring, and security review procedures necessary to operate the service.

• You understand that certain financial data and KYC data may be retained after account closure for legal, compliance, accounting, or security reasons.

• You acknowledge that this Policy complements the Privacy Policy and does not replace it.

BAS FAST | Electronic Wallet and Digital Payment Service / Electronic Financial Services

Owned and operated by Emitis Group

BAS FAST is a prepaid e-wallet compatible with all modern mobile devices. It enables users from diverse backgrounds to seamlessly perform a variety of financial transactions.

Contact info

Address:

Hasakah Province - Derek City - Beside Hayyan Printing Press

E-mail:

contact@basfast.com

Website:

https://basfast.com


© 2026 All rights reserved by BAS FAST