privacy policy

Last Updated: April 11, 2026

This Privacy Policy (this “Policy”) describes how Oshikatsu Labo Pte Ltd, together with its affiliates (collectively, “Oshi,” “we,” “our,” or “us”), collects, uses, discloses, and otherwise processes personal data obtained through your use of the platform currently available at https://www.oshi.co/ (the “Platform”) and any other services offered by Oshi (together with the Platform, the “Services”). This Policy should be read together with the Oshi Terms of Service (the “Terms”). Capitalized terms that are used but not otherwise defined herein shall have the meanings set forth in the Terms.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the collection, use, disclosure, and processing of your personal data as described in this Policy. If you do not agree with this Policy, you should not access or use the Services.

1. Scope and Updates

This Policy applies to personal data collected through the Services. It does not apply to personal data collected by third-party websites, applications, or services that may be linked to or accessible from the Services, including Privy and third-party payment processors such as DePay and Stripe. We encourage you to review the privacy policies of any third-party services before providing personal data to them.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the “Last Updated” date above and post the revised Policy on the Services. Your continued use of the Services after the posting of changes constitutes your acceptance of such changes.

2. Personal Data We Collect

We collect personal data in the following ways:

A. Data You Provide Directly

Account and Registration Data. When you create an account (“Account”) or register for the Services, we may collect your name, email address, username, and any other information you choose to provide.

Payment and Transaction Data. When you purchase Valor Points or enter into Transactions on the Services, we collect information related to such transactions, including transaction amounts, dates, payment methods, and wallet addresses. Payment processing is handled by our third-party payment processors (currently DePay for cryptocurrency payments and Stripe for credit card payments), and their collection and use of your payment data is governed by their respective privacy policies.

Communications Data. When you contact us for support or otherwise communicate with us, we collect the information contained in your communications, including your name, email address, and the content of your messages.

Fan Content. If you post Fan Content (as defined in the Terms), we collect and store such content.

B. Data Collected Automatically

Device and Technical Data. When you access the Services, we automatically collect information about your device and technical environment, including your Internet Protocol (IP) address, browser type and version, operating system, device type and identifiers, referring webpage, pages visited, and search terms.

Usage Data. We collect information about your interactions with the Services, including the features you use, the time and duration of your visits, and your browsing patterns.

Location Data. We may collect approximate location information based on your IP address to verify your location for compliance purposes (including enforcement of Prohibited Jurisdictions restrictions under the Terms), prevent fraud, and comply with applicable laws.

Cookies and Similar Technologies. We use cookies, pixel tags, web beacons, and similar tracking technologies to collect information about your browsing activities and preferences. Cookies are small data files stored on your device that help us improve the Services and your experience. For more information, see Section 10 (“Cookies and Tracking Technologies”) below.

C. Data from Third Parties

Payment Processors. We may receive transaction confirmation data, fraud screening results, and other information from our payment processors and other third parties (e.g., DePay, Stripe, and Privy).

Others. When you interact with other third parties, they may share data with us from your interactions.

D. Blockchain Data

When you use the Services to interact with blockchain networks (including through Third-Party Wallets), certain information becomes part of the public blockchain ledger. This includes, among other things, wallet addresses, transaction amounts, and transaction details. Blockchain data is publicly visible, immutable, and cannot be deleted, modified, or recalled; as such, it may be analyzed by blockchain analytics providers and other third parties. Oshi does not control public blockchain ledgers and cannot retrieve, modify, or delete information recorded on them.

3. How We Use Your Personal Data

We use personal data for the following purposes:

A. Providing the Services

  • Creating and maintaining your Account
  • Allowing you to participate in the Services
  • Facilitating access to payment processors and Third-Party Wallets
  • Delivering customer support and responding to your inquiries
  • Sending transactional and administrative communications
  • Customizing your experience on the Services
  • Fulfill our obligations with respect to the reason you voluntarily provided the data (such as responding to an inquiry or provide you with information, products, or Services that you request from us or that may be of interest to you)
  • Provide co-branded services and features (such as contests, sweepstakes, or other promotions)
  • To achieve any other incidental business purposes related to or in connection with the above

B. Safety, Security, and Compliance

  • Detecting, investigating, and preventing fraud, unauthorized access, and other illegal or suspicious activity
  • Screening against sanctions lists (including those administered by Singapore, Japan, the United States, the United Kingdom, and the European Union)
  • Enforcing the Terms and this Policy
  • Complying with applicable laws, regulations, court orders, and governmental requests

C. Analytics and Improvement

  • Analyzing usage patterns and user behavior to improve the Services or other products, events, and services and for other business or commercial purposes
  • Developing new products, features, and services
  • Conducting market research and measuring service effectiveness
  • Optimize your experience on the Services (such as troubleshooting technical programs or storing your preferences)

D. Marketing and Communications

With your consent where required by applicable law, we may use your personal data to send you marketing and promotional communications about products, services, and events that may be of interest to you. If required by applicable law, you may opt out of receiving marketing communications at any time (see Section 9 below).

E. De-Identified and Aggregated Data

We may de-identify or aggregate personal data so that it can no longer be linked to you. We may use such data for any lawful purpose, including statistical analysis, research, business analytics, and service improvement.

4. How We Disclose Your Personal Data

We may disclose your personal data to the following categories of recipients:

A. Service Providers and Business Partners

We disclose personal data to third-party service providers and business partners who assist us in operating the Services, including:

  • Payment processors (DePay, Stripe) and wallet infrastructure providers (Privy)
  • Cloud hosting and infrastructure providers
  • Customer support platforms
  • Marketing and analytics providers
  • Professional advisors, including legal counsel and accountants

These service providers are contractually required to use personal data only as necessary to provide services to us and to maintain appropriate safeguards.

B. Affiliates

We may share personal data with our current and future parents, subsidiaries, affiliates, and other companies under common control and ownership for the purposes described in this Policy.

C. Legal and Regulatory Disclosure

We may disclose personal data when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from governmental or regulatory authorities, courts, or law enforcement
  • Enforce the Terms and other agreements
  • Protect the rights, safety, and property of Oshi, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

D. Business Transfers

If Oshi is involved in a merger, acquisition, reorganization, sale of assets, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your personal data.

E. With Your Consent

We may disclose your personal data for other purposes with your consent or at your direction.

5. International Data Transfers

Oshi is based in Malaysia and the Services are operated from Malaysia. Your personal data may be transferred to, stored in, and processed in Malaysia or other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

Where we transfer personal data internationally, we implement appropriate safeguards in accordance with applicable data protection laws, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers from the European Economic Area
  • Other lawful transfer mechanisms recognized by applicable data protection authorities
  • Your consent to the proposed transfer

By using the Services, you consent to the transfer of your personal data to countries outside your country of residence, which may have different data protection rules than your home country.

6. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to:

  • Provide the Services to you
  • Comply with applicable laws, regulations, and regulatory requirements
  • Resolve disputes and enforce our agreements
  • Protect our legal rights and interests

Information recorded on public blockchains is permanent and immutable. Once your transaction information has been recorded on a blockchain, it cannot be deleted or retrieved, even if you request deletion of your personal data from our systems.

De-identified and aggregated data may be retained indefinitely as it cannot be linked back to you.

After the applicable retention period expires, we will securely delete or de-identify personal data, except to the extent we are required by law to retain it.

7. Data Security

We implement commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to use appropriate means to protect your personal data, we cannot guarantee its absolute security. By accessing the Services, you acknowledge that any transmission of data is at your own risk, to the extent permitted by applicable law.

8. Children’s Privacy

The Services are not directed to, and we do not knowingly collect personal data from, individuals under the age of 13. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will take steps to delete such data promptly. If you are a parent or guardian and believe we have collected personal data from your child, please contact us at support@oshi.co.

9. Your Privacy Choices and Rights

A. Communication Preferences

You may opt out of receiving promotional and marketing communications from us by clicking the unsubscribe link in our marketing emails or by contacting us at support@oshi.co. Please note that even if you opt out of marketing communications, we may still send you transactional and administrative messages related to your Account and use of the Services.

B. Cookie and Tracking Preferences

You may manage cookie preferences through your browser settings. Most browsers allow you to refuse cookies and similar tracking technologies. Please note that removing or rejecting cookies may affect the functionality of the Services. See Section 10 for more information.

C. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data, including:

  • Right to Access: You may request information about the personal data we hold about you and obtain a copy of such data.
  • Right to Correction: You may request that we correct or update inaccurate or incomplete personal data.
  • Right to Deletion: You may request that we delete personal data we hold about you, subject to certain exceptions (such as data we are required to retain for legal or regulatory purposes).
  • Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format.
  • Right to Restrict or Object to Processing: You may request that we restrict how we process your personal data or object to certain processing activities.
  • Right to Withdraw Consent: Where our processing is based on your consent, you may withdraw consent at any time. Withdrawal will not affect the lawfulness of processing that occurred prior to withdrawal.

Please note that certain rights may be limited with respect to information recorded on public blockchains, which is immutable and cannot be modified or deleted.

D. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at support@oshi.co. We will verify your identity before processing your request and will respond within the timeframes required by applicable law.

E. Non-Discrimination

We will not deny you goods or services, charge you a different price, or provide you with a different quality of service based on your exercise of privacy rights, except to the extent permitted by applicable law.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your use of the Services. The types of cookies we use include:

  • Essential Cookies: Required for the operation of the Services and cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Services so we can improve them.
  • Marketing Cookies: Used to deliver relevant advertising and track the effectiveness of our marketing campaigns.

You may manage your cookie preferences through your browser settings. Some web browsers transmit “do not track” signals. We do not currently respond to “do not track” signals or similar mechanisms.

You may also remove certain tracking technologies and opt out of online behavioral advertising messaging by using the opt-out tools available from online providers, including, but not limited to, the Digital Advertising Alliance (DAA Opt-Out Tool) and the Network Advertising Initiative (NAI Opt-Out Tools).

11. Legal Basis for Processing

Where required by applicable law (including the Singapore Personal Data Protection Act 2012 (“PDPA”) and the EU General Data Protection Regulation (“GDPR”)), we process your personal data on one or more of the following legal bases:

  • Consent: Where you have provided your consent to the processing (for example, for marketing communications). Under the PDPA, your consent may be deemed given where you voluntarily provide personal data to us for a purpose that is reasonable in the circumstances.
  • Contractual Necessity: Where processing is necessary to provide the Services and fulfill our obligations under the Terms.
  • Legal Obligation: Where processing is required to comply with applicable laws and regulations, including AML, KYC, sanctions, and tax reporting requirements.
  • Legitimate Interests: Where processing is necessary for our legitimate business interests (such as fraud prevention, security, and service improvement), provided such interests are not overridden by your rights and interests.

12. Supplemental Notice for Singapore Residents (PDPA)

If you are located in Singapore, the following additional terms apply to our processing of your personal data under the Personal Data Protection Act 2012 (“PDPA”):

Consent. By using the Services, you consent to the collection, use, and disclosure of your personal data as described in this Policy. You may withdraw your consent at any time by contacting us at support@oshi.co, subject to legal or contractual restrictions. Please note that withdrawal of consent may affect our ability to provide the Services to you.

Purpose Limitation. We will collect, use, and disclose your personal data only for the purposes described in this Policy, or for purposes that a reasonable person would consider appropriate in the circumstances.

Access and Correction. You have the right to request access to and correction of your personal data in our possession. We will respond to your request within thirty (30) days. We may charge a reasonable fee for processing access requests, as permitted by the PDPA.

Data Protection Officer. For questions or concerns regarding our personal data protection practices, please contact our Data Protection Officer at support@oshi.co.

Do Not Call Registry. If your Singapore telephone number is registered with the Do Not Call Registry, we will not send you marketing messages via telephone or SMS unless you have given us clear and unambiguous consent.

13. Supplemental Notice for Japan Residents (APPI)

If you are located in Japan, the following additional terms apply under the Act on the Protection of Personal Information (“APPI”):

Third-Party Provision. We will obtain your consent before providing your personal data to third parties, except where permitted under the APPI (such as where required by law, necessary for the protection of life or property, or necessary for public health).

Cross-Border Transfer. Where we transfer your personal data to a country outside Japan that does not have equivalent data protection standards, we will take appropriate measures in accordance with the APPI, including obtaining your consent or confirming that the recipient has established a system conforming to APPI standards.

Disclosure, Correction, and Cessation. You have the right to request disclosure, correction, addition, deletion, cessation of use, erasure, or cessation of provision of your personal data. To exercise these rights, please contact us at support@oshi.co.

14. Supplemental Notice for European Users (GDPR)

If you are located in the European Union, European Economic Area, or Switzerland, the following additional terms apply under the General Data Protection Regulation (“GDPR”):

Legal Basis. We process your personal data on the legal bases described in Section 11 above.

Your Rights. In addition to the rights described in Section 9, you have the right to lodge a complaint with your national data protection authority if you believe our processing of your personal data violates the GDPR.

International Transfers. Where we transfer personal data outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.

Data Protection Officer. For inquiries regarding our GDPR compliance, please contact us at support@oshi.co.

15. Supplemental Notice for California Residents (CCPA/CPRA)

This section applies to California residents and supplements the privacy rights described in Section 9 above. This notice is provided pursuant to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

A. Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information:

  • Identifiers (name, email address, account ID, IP address, device identifiers, wallet addresses)
  • Commercial information (transaction history, Valor Points and Merit Points activity, payment information, Contribution history)
  • Internet or similar network activity (browsing history, search history, interaction with the Services)
  • Geolocation data (approximate location derived from IP address)
  • Financial information (payment method details, transaction amounts)
  • Inferences drawn from the above categories (user preferences, risk profiles)

B. Sources of Personal Information

We collect personal information from:

  • You (directly provided through account creation, Transactions, and communications)
  • Automatic collection through cookies and tracking technologies
  • Third-party service providers (payment processors, identity verification providers, blockchain analytics providers)
  • Public blockchain networks

C. Purposes for Collection

We collect personal information for the business and commercial purposes described in Section 3, including providing the Services, processing Transactions, compliance with legal and regulatory obligations, fraud prevention and security, service improvement and analytics, and marketing and advertising.

D. California Consumer Rights

California residents have the following rights under the CCPA/CPRA:

Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected, the sources of that information, our business purposes for collection, and the categories of third parties with whom we share it.

Right to Delete. You have the right to request deletion of personal information we have collected from you, subject to exceptions for information we must retain to provide the Services, comply with legal obligations, or exercise legal rights.

Right to Correct. You have the right to request that we correct inaccurate personal information.

Right to Opt-Out. You have the right to opt out of the “sale” or “sharing” of your personal information as defined under the CPRA. We do not sell personal information for monetary consideration. To opt out of any sharing for targeted advertising purposes, please contact us at support@oshi.co.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to request that we limit our use and disclosure of sensitive personal information to what is necessary to provide the Services.

E. No Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you a different price, provide a different level of quality, or threaten, intimidate, or retaliate against you for exercising your rights.

F. California “Shine the Light” Law

Under California Civil Code Section 1798.83, California residents may request, once per calendar year, information about the categories of personal information we share with third parties for their direct marketing purposes. To make such a request, please contact us at support@oshi.co.

G. How to Exercise Your Rights

To exercise any California privacy right, submit a verifiable consumer request by emailing support@oshi.co. We will verify your identity and respond to your request within forty-five (45) days. You may authorize an agent to submit a request on your behalf, provided that the agent submits appropriate proof of authorization.

16. Supplemental Notice for Other US State Residents

We recognize that additional US states have enacted privacy laws with similar rights to the CCPA/CPRA, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Montana (MCDPA), Delaware, Oregon, and others. These laws generally provide rights to access, correct, and delete personal information, as well as the right to opt out of targeted advertising and certain profiling activities. If you are a resident of a state with applicable privacy legislation, you may exercise the rights provided under your state’s law by contacting us at support@oshi.co. We will process your request in accordance with the applicable state law.

17. Blockchain and Digital Asset Disclosures

Given that the Services involve blockchain-based transactions and digital assets, we provide the following specific disclosures:

A. Public Blockchain Data

When you transact on public blockchains through the Services, your transactions become part of the permanent, immutable public ledger. This means:

  • Your wallet addresses are publicly visible to anyone with access to the blockchain network
  • Transaction amounts and dates are recorded permanently on the blockchain
  • Transaction information is accessible to blockchain analytics firms, law enforcement, and any member of the public
  • This information cannot be deleted, modified, or recalled once recorded

B. Immutability

Information recorded on blockchain networks is immutable. Your data subject rights regarding deletion, correction, or portability are limited with respect to blockchain-recorded information, as we cannot delete, modify, or control information on public blockchains.

18. Third-Party Websites and Services

The Services may contain links to, or allow you to interact with, third-party websites, services, and applications, including payment processors (DePay, Stripe), wallet providers (Privy, Metamask), and other third parties. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal data.

Please note that when you apply for a job with us, the privacy policy of our job applicant processing partner may also apply.

19. Contact Us

If you have questions about this Policy, our privacy practices, or your personal data, or if you wish to exercise any of your privacy rights, please contact us at:

Oshikatsu Labo Pte Ltd

Email: support@oshi.co

We will respond to all privacy inquiries and requests within the timeframes required by applicable law.