1. GENERAL TERMS AND CONDITIONS

This mobile application and web platform (the “Platform”) is made available by BEEP Digital Solutions Sdn Bhd, a company limited by guarantee and registered in Brunei with number RC20003283 and with its business address at Unit 9, 2nd Floor, Spg 32-37, iCentre Block B28, Kg Anggerek Desa, Jalan Berakas, Brunei Darussalam (“BDS”, “us”, “we” or “our”). The Platform includes the BeepMart marketplace, Group Buy services, and all related services (collectively, the “BDS Services”).

Beep Digital Solutions Sdn Bhd is licensed under the BDCB Order, 2010 – Notice No PSO/N-1/2020/1 on Requirements for Payment Systems.

Merchant, the user of the Platform, confirms its acceptance of these Terms of Use (“Agreement”). If Merchant does not agree to this Agreement, Merchant must immediately discontinue use of the Platform. This Agreement should be read alongside our Privacy Policy, Data Processing Agreement, and Cookie Policy.

2. DEFINITIONS

In this Agreement, unless the context otherwise requires:

“Applicable Data Protection Law” means the Personal Data Protection Order 2025 of Brunei Darussalam (“PDPO 2025”), as enacted on 8 January 2025 and implemented in phases, and any subsidiary legislation, regulations, guidelines, or orders issued thereunder by the Authority for Info-communications Technology Industry of Brunei Darussalam (“AITI”) or any successor authority.

“Cloud Service Provider” means a third-party provider of cloud computing infrastructure, platform, or software services used by BDS to host, process, or store data in connection with the Platform, including but not limited to Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, or equivalent providers.

“Data Controller” means the Party which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

“Data Processor” means the Party which Processes Personal Data on behalf of the Data Controller.

“Data Subject” means an identified or identifiable natural person whose Personal Data is Processed under this Agreement.

“End User” means any individual who accesses or uses the Platform to browse, search, place orders, or participate in Group Buy activities.

“Group Buy” means a collective purchasing mechanism facilitated by the Platform whereby multiple End Users aggregate demand for a single Merchant’s product or service to achieve a pre-defined discount threshold. For the avoidance of doubt, Group Buy campaigns involve only one Merchant per campaign.

“Marketplace” means the BeepMart e-commerce marketplace operated by BDS, enabling Merchant-to-End-User transactions, Group Buy activities, and related services.

“Operating Hours” means the Platform’s designated trading hours, being 8:00 AM to 10:00 PM Brunei time (UTC+8) daily, or such other hours as BDS may notify Merchants from time to time.

“Personal Data” means personal data as defined under the PDPO 2025, being data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

“Processing” means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction, as contemplated under the PDPO 2025.

“Settlement” means the transfer of funds from BDS to the Merchant in respect of completed and verified Transactions, net of applicable fees and deductions.

“Sub-processor” means any third party (including Cloud Service Providers) appointed by BDS or the Merchant to Process Personal Data on behalf of the relevant Data Controller.

3. USE OF PLATFORM

BDS hereby grants, and Merchant hereby accepts, a non-exclusive, non-transferable, revocable, limited license, without right to sublicense, for Merchant to use the Platform during the term of this Agreement. All other rights in the Platform are reserved by BDS.

In the event Merchant breaches any of these terms, BDS will be entitled to terminate the Merchant Licence immediately.

Merchant acknowledges that its agreement with its mobile network provider (“Mobile Provider”) will apply to Merchant’s use of the Platform. Merchant acknowledges that it may be charged by the Mobile Provider for data services while using certain features of the Platform or any such third-party charges as may arise, and Merchant accepts responsibility for such charges.

4. COMPLIANCE WITH LAW

4.1 General.

Each of the Parties will comply with all applicable laws in connection with the operation of its business and performance of its obligations under this Agreement. The Merchant will at its own cost, keep such records and do such things as are reasonably necessary to ensure that BDS complies with all applicable laws; provided always that the Merchant shall not be required to do anything which is inconsistent with or in breach of any applicable laws. Both Parties shall comply with the PDPO 2025 and all subsidiary regulations, guidelines, and directions issued by AITI in connection with the Processing of Personal Data under this Agreement.

In connection with the exercise of Merchant’s rights and obligations under this Agreement (including, without limitation, any related to individual privacy), Merchant will comply, at Merchant’s own expense, with all laws, policies, guidelines, regulations, ordinances, rules applicable to Merchant, this Agreement, End User data or the Transactions and/or orders of any governmental authority or regulatory body having jurisdiction over the subject matter hereof. Merchant shall comply with all the current policies, procedures and guidelines of BDS governing the BDS Services, including, without limitation, the Prohibited Activity list. BDS reserves the right to amend, modify or change such policies, procedures, and guidelines with no less than thirty (30) days’ prior written notice to Merchant. Material changes to commission rates, settlement terms, or fee structures shall require sixty (60) days’ prior written notice. Merchant shall not use the BDS Services in any manner, or in furtherance of any activity that may cause BDS, its Affiliates and Partners to be subject to investigation, prosecution, or legal action.

4.2 Information Verification.

In order for BDS to satisfy its obligations and to comply with the relevant requirements under applicable law, upon reasonable request by BDS, the Merchant will share records and information (including the Transaction Information) with BDS from time to time and BDS is authorised by the Merchant to provide the relevant records and information to governmental agencies, regulatory authorities and third-party service providers for examination and verification as necessary.

4.3 AML Requirements.

The Merchant shall comply with all applicable laws on anti-money laundering, counter-terrorism financing and sanctions (collectively “AML”). The Merchant shall fully cooperate with BDS’s reasonable due diligence (on site or in writing) of the Merchant’s AML policies and procedures, including but not limited to Merchant management, review of sanctions and politically exposed people, and suspicious Transaction monitoring and reporting.

4.4 Limitation and Reporting.

In accordance with its AML, anti-fraud, and other compliance and security policies and procedures, BDS may impose reasonable limitations and controls on the Merchant’s ability to utilize the BDS Services. Such limitations may include but are not limited to rejecting Payments and/or suspending/restricting any BDS Service with respect to certain Transactions, Merchants and/or prospective Merchants of the Merchant. BDS may, for the purposes of complying with the relevant suspicious Transaction reporting requirements under applicable laws, report suspicious Transactions to the relevant authorities without informing the Merchant.

5. MARKETPLACE AND GROUP BUY TERMS

5.1 Platform Role.

BDS operates the BeepMart Marketplace as an intermediary platform connecting Merchants with End Users. BDS is not a party to the sale contract between Merchant and End User. BDS does not take title to, or assume risk of loss for, any products or services listed on the Platform. The Merchant remains solely responsible for the quality, safety, legality, and fulfilment of its products and services.

5.2 Group Buy Mechanics (Single-Merchant Model).

The Platform supports Group Buy campaigns on a single-Merchant basis only. Each Group Buy campaign shall relate to the products or services of one Merchant. Multi-merchant Group Buy campaigns are not supported on the Platform. Where a Merchant offers products or services through the Group Buy feature, the following terms apply:

(a) The Merchant shall specify the minimum quantity threshold, discount rate, and campaign duration for each Group Buy offer prior to publication on the Platform.

(b) If the minimum quantity threshold is not met within the specified campaign duration, the Group Buy shall be deemed unsuccessful. BDS shall notify all participating End Users, and any pre-authorised payments shall be reversed within five (5) Business Days.

(c) If the minimum quantity threshold is met, the Group Buy shall be deemed successful, and the Merchant shall be obligated to fulfil all orders at the stated discount price.

(d) The Merchant shall not cancel or materially alter the terms of an active Group Buy campaign without prior written consent from BDS.

(e) BDS shall not be liable for the Merchant’s failure to fulfil Group Buy orders. The Merchant shall indemnify BDS against any claims, losses, or refund obligations arising from the Merchant’s failure to fulfil a successful Group Buy.

(f) End Users participating in a Group Buy do so on the basis that the Group Buy may not reach the minimum threshold. BDS shall clearly communicate this to End Users at the point of participation.

5.3 Merchant Listings and Content.

The Merchant is solely responsible for the accuracy, completeness, and legality of all product listings, descriptions, images, pricing, and promotional content published on the Platform. BDS reserves the right to remove or suspend any listing that it reasonably believes to be inaccurate, misleading, or in violation of this Agreement or applicable law, upon written notice to the Merchant.

6. INTELLECTUAL PROPERTY

The Merchant agrees that the Platform contains proprietary information and material that is owned by BDS or its Licensors and is protected by applicable intellectual property and other laws, including but not limited to copyright. The Merchant agrees that it will not use such proprietary information or materials in any way whatsoever except for use of the Platform in compliance with this Agreement and any third-party license agreement, as applicable. No portion of the Platform may be reproduced in any form or by any means, except as expressly permitted in this Agreement.

7. DATA PROTECTION AND PRIVACY

7.1 Applicable Law.

This Section is governed by and shall be interpreted in accordance with the PDPO 2025 and all subsidiary legislation, regulations, guidelines, codes of practice, and directions issued by AITI. Where the PDPO 2025 is implemented in phases, the Parties shall comply with the applicable requirements as and when they come into force. Both Parties acknowledge that AITI is the designated authority for personal data protection in Brunei Darussalam and shall cooperate with AITI as required.

7.2 Roles and Responsibilities.

For the purposes of the PDPO 2025: (a) where the Merchant determines the purposes and means of Processing Personal Data of its customers or employees, the Merchant shall be the Data Controller and BDS shall act as Data Processor in respect of such data; (b) where BDS Processes Personal Data for its own purposes (including platform analytics, fraud prevention, and regulatory compliance), BDS shall be the Data Controller; (c) where both Parties jointly determine the purposes and means of Processing, they shall be joint Data Controllers and shall enter into a separate joint controllership arrangement specifying their respective obligations.

7.3 Consent and Lawful Basis.

In accordance with the PDPO 2025, each Party shall ensure that it has obtained valid consent from Data Subjects for the collection, use, and disclosure of Personal Data, unless a recognised exception under the PDPO 2025 applies (including deemed consent by conduct, deemed consent by contractual necessity, or deemed consent by notification). Consent must be informed, specific, and capable of being withdrawn at any time. Where consent is withdrawn, the relevant Party shall cease Processing the affected Personal Data unless a legal basis other than consent permits continued Processing.

7.4 Data Subject Rights.

Each Party shall implement appropriate processes to enable Data Subjects to exercise their rights under the PDPO 2025, including the right of access to Personal Data and the right to request correction of inaccurate or incomplete Personal Data. Where one Party receives a request from a Data Subject in relation to Personal Data Processed by the other Party, the receiving Party shall promptly notify the other Party and provide reasonable cooperation in responding to the request within the timeframes specified under the PDPO 2025 and any AITI guidelines.

7.5 Data Processing Obligations.

When acting as Data Processor, each Party shall: (a) Process Personal Data only on documented instructions from the Data Controller and only for the purposes specified in this Agreement; (b) ensure that persons authorised to Process Personal Data are bound by appropriate confidentiality obligations; (c) implement appropriate technical and organisational security measures to protect Personal Data against unauthorised access, loss, destruction, or damage; (d) not engage a Sub-processor without prior written authorisation from the Data Controller; (e) assist the Data Controller in responding to Data Subject requests; (f) at the Data Controller’s election, delete or return all Personal Data upon termination of the relevant Processing and delete existing copies unless retention is required by law; and (g) make available all information necessary to demonstrate compliance with these obligations.

7.6 Data Breach Notification.

Each Party shall notify the other Party of any Personal Data breach as soon as practicable upon becoming aware of such breach, and in any event within the timeframe required by the PDPO 2025 and AITI guidelines. The notification shall include: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of the Party’s data protection officer or designated contact. Where required by the PDPO 2025, the relevant Data Controller shall notify AITI and affected Data Subjects in accordance with the prescribed requirements.

7.7 Cross-Border Data Transfers and Cloud Services.

The Parties acknowledge that BDS utilises Cloud Service Providers whose infrastructure may be located outside of Brunei Darussalam. Personal Data may therefore be transferred to, stored in, and processed in jurisdictions outside Brunei Darussalam in connection with the operation of the Platform.

Such cross-border transfers shall only occur where:

(a) the receiving jurisdiction provides a standard of protection for Personal Data that is comparable to the protection afforded under the PDPO 2025, as determined by AITI or by BDS’s own assessment conducted in good faith;

(b) BDS has entered into binding contractual arrangements with the Cloud Service Provider that impose data protection obligations no less protective than those set out in the PDPO 2025, including requirements for security measures, breach notification, and restrictions on onward transfer;

(c) BDS has conducted and documented a transfer impact assessment evaluating the data protection laws and practices of the receiving jurisdiction, the nature and sensitivity of the Personal Data being transferred, and any supplementary measures necessary to ensure adequate protection; and

(d) the Data Subject has been informed that their Personal Data may be transferred outside Brunei Darussalam, and the purposes for such transfer, in accordance with the notification obligations under the PDPO 2025.

BDS shall maintain a register of all cross-border data transfers, including: the identity and location of each Cloud Service Provider and Sub-processor; the jurisdiction(s) where Personal Data is stored and processed; the categories of Personal Data transferred; and the safeguards relied upon. This register shall be made available to the Merchant upon reasonable request and to AITI upon demand.

BDS shall ensure that its Cloud Service Provider agreements include: (i) the right for BDS to audit or obtain audit reports on the provider’s data protection and security practices; (ii) obligations for the provider to notify BDS of any data breach, government access request, or change in law that may affect the protection of Personal Data; and (iii) provisions for the return or deletion of Personal Data upon termination of the cloud services agreement.

7.8 Data Retention.

Personal Data shall not be retained for longer than is necessary for the purposes for which it was collected, in accordance with the PDPO 2025. Each Party shall implement and maintain a data retention policy specifying retention periods for each category of Personal Data. Transaction records shall be retained for a minimum of seven (7) years for regulatory compliance purposes. Upon expiry of the applicable retention period, Personal Data shall be securely deleted or anonymised.

7.9 Data Protection Impact Assessments.

Where a type of Processing is likely to result in a high risk to Data Subjects (including but not limited to profiling, automated decision-making, or large-scale Processing), the relevant Data Controller shall conduct a Data Protection Impact Assessment prior to commencing such Processing, in accordance with the PDPO 2025 and AITI guidelines.

7.10 Data Protection Officer.

BDS shall designate a Data Protection Officer in accordance with the PDPO 2025. The Merchant shall be provided with the contact details of such person. Where required by the PDPO 2025, the Merchant shall also designate its own Data Protection Officer. Both Parties shall ensure their respective Data Protection Officers are appropriately qualified, as contemplated under the competency framework developed by AITI.

7.11 Sub-processors.

BDS shall maintain a list of approved Sub-processors (including Cloud Service Providers) and shall make such list available to the Merchant upon request. BDS shall notify the Merchant of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance. The Merchant may object on reasonable grounds. BDS shall ensure that all Sub-processors are bound by data protection obligations no less onerous than those set out in this Agreement and the PDPO 2025.

8. SETTLEMENT TERMS

8.1 Settlement Schedule.

BDS shall settle funds to the Merchant in respect of completed and verified Transactions on a regular settlement cycle. Unless otherwise agreed in writing, settlement shall occur within seven (7) Business Days following the end of each settlement period (weekly). BDS shall provide the Merchant with a detailed settlement statement for each settlement cycle, including: (a) gross transaction value; (b) applicable fees and deductions (MDR, commission, delivery fee share); (c) net settlement amount; and (d) any adjustments for refunds or disputed Transactions.

8.2 Settlement Delays.

If BDS is unable to meet a settlement deadline due to circumstances within its reasonable control, BDS shall notify the Merchant within two (2) Business Days of the missed deadline and provide a revised settlement date. If settlement is delayed by more than five (5) Business Days beyond the scheduled date without reasonable cause, the Merchant may: (a) request an explanation in writing; (b) escalate to BDS’s designated settlement officer; and (c) if the delay exceeds fifteen (15) Business Days, terminate this Agreement with immediate effect upon written notice.

8.3 Group Buy Settlement.

For Group Buy Transactions, settlement shall occur within seven (7) Business Days following: (a) the successful completion of the Group Buy campaign (minimum threshold met); and (b) confirmation of fulfilment by the Merchant. Where a Group Buy is unsuccessful, any pre-authorised payments shall be reversed to End Users within five (5) Business Days, and no settlement shall be due to the Merchant.

9. SERVICE LEVEL AGREEMENT

9.1 Platform Availability.

BDS shall use commercially reasonable efforts to maintain Platform availability of not less than 99.5% uptime during Operating Hours (8:00 AM to 10:00 PM Brunei time, daily) per calendar month. Uptime shall be measured only during Operating Hours and shall exclude: (a) scheduled maintenance windows notified at least forty-eight (48) hours in advance; (b) downtime attributable to force majeure events; (c) downtime caused by third-party services outside BDS’s reasonable control (including Cloud Service Provider outages and internet service disruptions); and (d) downtime resulting from Merchant-side issues. For the avoidance of doubt, the Platform may undergo maintenance, updates, or reduced functionality outside of Operating Hours without triggering SLA obligations.

9.2 Payment Processing Availability.

BDS shall maintain payment processing availability of not less than 99.5% uptime during Operating Hours per calendar month. In the event of payment processing downtime exceeding two (2) continuous hours during Operating Hours, BDS shall: (a) notify affected Merchants within one (1) hour of becoming aware of the outage; (b) provide regular status updates at intervals not exceeding two (2) hours; and (c) provide a root cause analysis within five (5) Business Days following resolution.

9.3 Scheduled Maintenance.

Scheduled maintenance shall, where practicable, be conducted outside of Operating Hours. Where maintenance must occur during Operating Hours, BDS shall provide at least seventy-two (72) hours’ written notice and shall schedule such maintenance during off-peak periods (before 11:00 AM or after 9:00 PM Brunei time) where possible.

9.4 Remedies for Service Level Failures.

Where Platform availability during Operating Hours falls below the committed 99.5% uptime in any calendar month, and such failure is attributable to BDS, the Merchant shall be entitled to a service credit equal to the pro-rata portion of the monthly fees attributable to the period of downtime during Operating Hours. Service credits shall be applied to the Merchant’s next settlement cycle. Service credits shall constitute the Merchant’s sole and exclusive remedy for SLA failures, unless otherwise required by applicable law.

9.5 Monitoring and Reporting.

BDS shall maintain monitoring systems to track Platform and payment processing uptime during Operating Hours. Monthly uptime reports shall be made available to Merchants upon request. Any dispute regarding uptime measurement shall be resolved by reference to BDS’s server-side monitoring logs, which shall be the authoritative source.

10. DISCLAIMER OF WARRANTIES; LIABILITY LIMITATION

MERCHANT EXPRESSLY ACKNOWLEDGES AND AGREES THAT USE OF THE PLATFORM IS AT MERCHANT’S SOLE RISK. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED PLATFORM AND ANY SERVICES PERFORMED OR PROVIDED BY THE PLATFORM ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BDS TOGETHER WITH ITS LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE PLATFORM AND ANY SERVICES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, PERFORMANCE, FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD-PARTY RIGHTS.

TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL BDS BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL, SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS OR INCOME, LOSS OR CORRUPTION OF DATA, BUSINESS LOSS OR INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO MERCHANT’S USE OR INABILITY TO USE THE PLATFORM, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF BDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BDS’S TOTAL AGGREGATE LIABILITY UNDER OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF: (A) THE FEES RECEIVED FROM MERCHANT DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRIOR TO THE DATE THE APPLICABLE CLAIM AROSE; OR (B) BND 5,000. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF THE ABOVE STATED REMEDY FAILS ITS ESSENTIAL PURPOSE.

NOTWITHSTANDING THE FOREGOING, NOTHING IN THIS AGREEMENT SHALL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; (C) BREACH OF DATA PROTECTION OBLIGATIONS UNDER THE PDPO 2025; OR (D) ANY LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW.

11. INDEMNIFICATION

BY USING THE PLATFORM, MERCHANT AGREES, TO THE EXTENT PERMITTED BY LAW, TO INDEMNIFY AND HOLD BDS, ITS DIRECTORS, OFFICERS, EMPLOYEES, AFFILIATES, AGENTS, CONTRACTORS, AND LICENSORS HARMLESS WITH RESPECT TO ANY CLAIMS ARISING OUT OF MERCHANT’S BREACH OF THIS AGREEMENT, MERCHANT’S USE OF THE PLATFORM, OR ANY ACTION TAKEN BY MERCHANT AS PART OF ITS INVESTIGATION OF A SUSPECTED VIOLATION OF THIS AGREEMENT.

BDS AGREES, TO THE EXTENT PERMITTED BY LAW, TO INDEMNIFY AND HOLD MERCHANT HARMLESS WITH RESPECT TO ANY THIRD-PARTY CLAIMS ARISING DIRECTLY FROM: (A) BDS’S MATERIAL BREACH OF ITS DATA PROTECTION OBLIGATIONS UNDER THE PDPO 2025; (B) BDS’S GROSS NEGLIGENCE OR WILFUL MISCONDUCT IN THE OPERATION OF THE PLATFORM; OR (C) ANY INFRINGEMENT OF THIRD-PARTY INTELLECTUAL PROPERTY RIGHTS BY THE PLATFORM ITSELF (EXCLUDING MERCHANT CONTENT).

12. TERMINATION

12.1 Graduated Response.

Prior to terminating this Agreement for Merchant breach (except in cases of fraud, AML violations, or illegal activity), BDS shall: (a) issue a written notice specifying the breach and required remedial actions within fourteen (14) Business Days; (b) if unremedied, suspend access for up to thirty (30) days; (c) if still unremedied, terminate with immediate effect upon written notice.

12.2 Immediate Termination.

BDS may terminate immediately without prior notice if the Merchant: (a) engages in fraudulent activity; (b) violates AML requirements; (c) engages in illegal activity; (d) causes material harm to End Users or the Platform; or (e) becomes insolvent.

12.3 Merchant Termination.

Merchant may terminate this Agreement with immediate effect by delivering notice to BDS, if BDS fails to perform or otherwise materially breaches any of its obligations, and the failure continues for thirty (30) Business Days after Merchant delivers notice reasonably detailing the breach.

12.4 Consequences of Termination.

Upon termination: (a) Merchant shall cease all use of the Platform; (b) BDS shall settle all outstanding amounts within fifteen (15) Business Days; (c) each Party shall return or destroy Confidential Information and Personal Data, except where retention is required by law or the PDPO 2025; and (d) Sections 7, 8, 10, 11, 13, 19, and 21 shall survive.

13. CONFIDENTIAL INFORMATION

Each Party acknowledges that the Confidential Information of the other is valuable to it and agrees to treat as confidential all Confidential Information received from the other Party in connection with this Agreement. Neither Party will disclose such Confidential Information to any third party except to its employees, officers, agents, suppliers, advisors who have the need to access the Confidential Information for such Party to perform its obligations under this Agreement or as required by Applicable Law or government authorities, and in each case, the disclosing Party will, to the extent permitted under Applicable Law, give the other Party prior notice of such disclosure. Upon termination of this Agreement or at the written request of the other Party, each Party will promptly return or destroy all material embodying Confidential Information of the other Party.

14. PUBLICITY

Neither Party will issue any press release or make any public announcement pertaining to this Agreement without the prior written consent of the other Party unless required by applicable law binding the Party. Notwithstanding the foregoing, the Merchant agrees that the preceding limitation will not be interpreted to prevent BDS from making statements about BDS’s business or about the BDS Services in general, including but not limited to identifying the Merchant as a business partner.

15. PROHIBITED PRODUCTS OR SERVICES

The Merchant acknowledges and agrees that the Merchant must not use the BDS Services for any Transaction(s) which is prohibited by this Agreement or Applicable Law or violates BDS internal policies. The current list of Prohibited Products and Services is set out in Schedule 1 to this Agreement. BDS may update Schedule 1 upon thirty (30) days’ written notice. The Merchant must ensure that no Transaction involves Prohibited Products and Services. BDS will have the right to refuse any BDS Services with respect to any Prohibited Transaction and the Merchant will indemnify BDS for any damages arising therefrom.

16. MERCHANT’S OWN USE / FRAUD PREVENTION

The Merchant will only use the BDS Services for its own business operations and in such manner as stated in this Agreement. BDS shall settle funds in relation to the Transactions being processed and authorized (net the service fee it charges) directly to the Merchant. The Merchant will ensure that the BDS Services are not used for any purpose of account top-up, account transfer or any other purpose that is solely related to funds transfer without an underlying Transaction.

The Merchant must only use the BDS Services for their own account, for their own business purpose and will not make use of the payment interface provided by BDS for performing any services for third parties.

The Merchant shall not act in any way which may directly or indirectly impair or detract from the goodwill or reputation of BDS, its partners or related parties.

17. END USER TERMS AND CONSUMER PROTECTION

17.1 Consumer-Facing Terms.

BDS shall publish and maintain separate End User Terms and Conditions and a Consumer Privacy Notice. These shall clearly describe: (a) the relationship between BDS (marketplace operator) and the Merchant (seller); (b) the End User’s rights regarding orders, refunds, and complaints; (c) BDS’s data processing practices under the PDPO 2025; and (d) Group Buy participation terms and refund mechanics.

17.2 Refund and Returns.

The Merchant shall accept refund or replacement requests where: (a) the product delivered is materially different from the product ordered; (b) the product is unfit for consumption; or (c) the order was not delivered within the agreed delivery window.

17.3 Food Safety.

The Merchant shall hold all licences and permits required for the preparation, handling, storage, and delivery of food and beverage products. BDS may request evidence of compliance and suspend access if the Merchant fails to demonstrate adequacy.

18. CHANGES TO THIS AGREEMENT

BDS may amend this Agreement from time to time. For material changes (including commission rates, settlement terms, liability provisions, or data processing terms), BDS shall provide sixty (60) days’ prior written notice. For non-material changes, thirty (30) days’ notice. The Merchant may terminate without penalty within thirty (30) days of receiving notice of a material change. Continued use after the effective date constitutes acceptance.

19. DISPUTE RESOLUTION

19.1 Internal Resolution.

The Parties shall first attempt resolution through good faith negotiation within fourteen (14) Business Days of written dispute notice.

19.2 Mediation.

If unresolved within thirty (30) days, either Party may refer to mediation. Costs shared equally.

19.3 Arbitration.

If unresolved through mediation within sixty (60) days, the dispute shall be settled by arbitration under UNCITRAL Rules. The appointing authority shall be the President of the Law Society of Brunei Darussalam. One (1) arbitrator. Place: Bandar Seri Begawan. Language: English.

19.4 Small Claims.

Claims below BND 5,000 may be submitted to the relevant small claims process under Brunei law.

20. FORCE MAJEURE

Neither Party will be liable for failure to perform if caused by circumstances beyond reasonable control, including strikes, acts of God, war, riot, terrorism, epidemic, pandemic, government-mandated lockdowns, cyberattacks, or systemic Cloud Service Provider failures (“Event of Force Majeure”). Each Party shall give prompt notice. The affected Party shall use reasonable efforts to mitigate. If an Event of Force Majeure continues for more than forty-five (45) working days, either Party may terminate without further liability, except that Merchant remains liable for unpaid amounts. BDS shall settle outstanding amounts within fifteen (15) Business Days of termination.

21. GOVERNING LAW

This Agreement will be governed by and construed under Brunei Darussalam law, without regard to its principles of conflict of laws. The PDPO 2025 shall apply to all matters relating to the Processing of Personal Data under this Agreement.

22. SURVIVAL

The rights and obligations which by their nature must survive termination shall survive, including Sections 7, 8, 10, 11, 13, 19, and 21.

SCHEDULE 1: PROHIBITED PRODUCTS AND SERVICES

1. Products or services illegal under Brunei Darussalam law.

2. Alcoholic beverages (unless expressly authorised and approved by BDS in writing).

3. Tobacco products, e-cigarettes, vaping products, and accessories.

4. Controlled substances, narcotics, or prescription pharmaceuticals.

5. Products infringing third-party intellectual property rights.

6. Obscene, defamatory, or offensive products or services.

7. Weapons, firearms, ammunition, or explosives.

8. Counterfeit or pirated goods.

9. Products subject to governmental recall.

10. Any product BDS determines poses reputational or legal risk to the Platform.

SCHEDULE 2: DATA PROCESSING AGREEMENT SUMMARY

This Schedule summarises key data processing terms under the PDPO 2025.

Element

Details

Subject Matter

Processing of Personal Data via the Platform, including End User data, Transaction data, and Merchant employee data.

Applicable Law

Personal Data Protection Order 2025 (Brunei Darussalam) and all AITI regulations, guidelines, and directions.

Duration

Term of this Agreement plus applicable retention period under Section 7.8.

Nature and Purpose

Collection, storage, retrieval, and analysis of Personal Data for operating the Marketplace, processing Transactions, fulfilling orders, fraud prevention, and regulatory compliance.

Types of Personal Data

Name, contact details, payment information, order history, location data, device identifiers, IP addresses, delivery addresses.

Categories of Data Subjects

End Users, Merchant employees and representatives, delivery personnel.

Cloud Infrastructure

Platform hosted on Cloud Service Provider infrastructure located outside Brunei. Cross-border transfer safeguards per Section 7.7.

Security Measures

Encryption in transit (TLS 1.2+) and at rest, access controls, regular security assessments, incident response, employee training.

Breach Notification

As required by PDPO 2025 and per Section 7.6.

Data Subject Rights

Access and correction rights per PDPO 2025 and Section 7.4.

Sub-processors

List maintained per Section 7.11. Cloud Service Providers included.

Audit Rights

Data Controller may audit compliance upon thirty (30) days’ notice, once per year.