Wio | Privacy Policy

Verison 1.2

A. APPLICATION OF THIS PRIVACY POLICY

i. This Privacy Policy (“Policy”) forms part a part of the WIO Bank PJSC Standard Terms
and Conditions and the WIO Securities LLC Standard Terms and Conditions (each
“Standard Terms”) relating to our Services provided to you through Digital Platforms,
such as our mobile application (“Mobile App”) and website.

ii. WIO Bank PJSC and WIO Securities LLC (each “WIO”, “us”, “we”, and “our”) is
committed to safeguarding the privacy of the personal data that is provided to us or
collected by us during the course of providing our Services as defined under the
Standard Terms to you. This Policy describes how and why we collect, store and use
personal information, and provides information about your rights. Please read the
following information carefully to understand our views and practices regarding how we
handle personal data.

iii. For the purposes of applicable data protection law, WIO Bank PJSC and Wio Securities
LLC are each independent data controllers of your personal information in relation to the
Services they provide. If you have any questions about this Policy, or our processing of
your personal data, please contact us at:

E-mail: Legal@wio.io

The following data protection information gives an overview of the collection and processing of your data:

1. What personal data we collect and from which sources?

1.1 We process personal data that we obtain from you (our customers) in the context of our business relationship. We also process - insofar as necessary to provide our Services - personal data that we obtain with permission from publicly accessible sources and other external sources (e.g., press, internet) or that is legitimately transferred to us by our other companies in the WIO Group or from other third parties (e.g. a credit ratings agency and other commercial information providers providing information on e.g. beneficial owners).

1.2 In order to facilitate, enable and/or maintain our business relationship, we collect and
otherwise process personal data relating to customers and any other person(s) involved in the business relationship, as the case may be, such as authorised representative(s), person(s) holding a power of attorney and beneficial owners, if different from the customers, each an “related party”.

1.3 Personal Data is the personal information of a customer or related party (name, address and other contact details, date and place of birth, and nationality), identification data and authentication data (e.g. sample signature). Furthermore, this can also be order data (e.g. payment instructions), data from the fulfillment of our contractual obligations (e.g. data in payment transactions), information about a customer’s or related party’s financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets, source of wealth), marketing and sales data, documentation data (e.g. file notes or meeting minutes from a consultation), and other data similar to the categories mentioned.

2. What do we process your Personal Data for (purpose of processing) and on what
legal basis?

2.1 We process Personal Data in accordance with the applicable privacy and data
protection laws in the UAE including but not limited to the Central Bank Consumer
Protection Regulations including the Consumer Protection Standards (Circular No.
8 of 2020). We use your Personal Data in order to carry out our operations and
provide banking and financial products and Services to you and make sure we do
not breach any contracts. We may use your Personal Data for market research
(including providing hyper-personalized and contextual products), analysis and
developing statistics.

a. As a result of your express consent

As long as you have granted us your express consent to process your Personal
Data in relation to providing our banking and financial products and Services to
you, this processing is legal on the basis of your consent. Consent given can be
withdrawn at any time by notifying us using either of the contact methods set out
under clause A (iii). above, except to the extent that withdrawal is not permitted
under applicable law.

The withdrawal will take effect within 30 days of receiving your request to withdraw. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.

b. For fulfillment of contractual obligations

Personal data is processed in order to provide banking and financial services in
accordance with our legal agreements with our customers or to carry out precontractual measures that occur as part of a request from you.

Examples:

processes needed to e.g. open an account or online service or for granting a
card or a credit
customer service during the contract period
possible establishment, exercise or defense of legal claims and collection
procedure
consulting with credit rating agencies to investigate creditworthiness and credit risks

c. Necessary for compliance with Applicable Law

As such, we are subject to various legal obligations, under the applicable laws.
(e.g. the Money Laundering, Terrorist Financing or other Financial Services Laws,
Regulations, Rules, the Financial Services and Markets Act 2000, MIFID and any
tax or sanctions laws regime, treaty or directive). We are a digital bank and are
authorized and regulated by the UAE Central Bank for the conduct of financial
services in and from the UAE. The purposes of processing include assessment of
creditworthiness, identity and age checks, fraud and money laundering prevention,
fulfilling control and reporting obligations under financial regulation, and measuring
and managing risks within the WIO Group.

Examples:

know your customer requirements
preventing, detecting, and investigating money laundering, terrorist financing,
and fraud
sanctions screening
bookkeeping regulations
reporting to tax authorities, police authorities, enforcements authorities,
supervisory authorities
risk management obligations such as credit performance and quality, capital
adequacy, and insurance risks
payment service requirements and obligations
other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation
preventions and investigation of crimes
video surveillance and measures to protect the rights of an owner of premises
to keep out trespassers and to provide site security (e.g. access controls)

3. Who receives your Personal Data and confidentiality requirements?

3.1 We are under a duty of confidentiality to our customers and to prospective customers and are obliged to maintain confidentiality regarding all customer-related matters and assessments of which we acquire knowledge (banking confidentiality pursuant to obligations under the Central Bank Consumer Protection Standards).

3.2 The following paragraphs set out details on where we transfer customer Personal Data to and the purpose for any such transfer.

The WIO Group

3.3 We will share your Personal Data with other entities in the WIO Group where required to
fulfill our contractual and legal obligations. We will transfer your Personal Data in
connection with any services offered by any other member of the WIO Group or for risk control due to statutory or regulatory obligation. We may also pass on information about you to any other members of the WIO Group in connection with any Service which we think you may be interested in.

a. External recipients of data

We will transfer Personal Data about you with your express consent in the
course of conducting our usual business, or if legal, regulatory or market
practice requirements demand it to the following external recipients for the
following purposes:
- to public authorities and bodies (e.g. authorities such as the Central Bank of the UAE, other supervisory or licensing authorities and law enforcement
  agencies) either upon providing a legal or regulatory request or as part of
  our legislative and regulatory reporting requirements.
- to other credit and financial institutions or comparable institutions in order to carry out a business relationship with you (depending on the contract, e.g. correspondent banks, custodian banks, brokers, stock exchanges, credit rating agencies).
- to third parties (for example correspondent banks, brokers, exchanges, trade repositories, processing units and third-party custodians, issuers,
  authorities, and their representatives) for the purpose of ensuring that we
  can meet the requirements of applicable law, contractual provisions, market practices and compliance standards in connection with transactions you enter into and the services that we provide you with. If you are referred to Wio by a third party (such as a corporate service provider), we may disclose information on your application status to such third party.
- to any natural or legal person, public authority, agency or body for which you have given us your consent to transfer Personal Data to or for which you have released us from banking confidentiality.

b. To service providers and agents

We will transfer your Personal Data to service providers and authorised agents
appointed by us for the purposes given, subject to maintaining banking
confidentiality. These are companies in the categories of banking services, IT
services, logistics, printing services, telecommunications, collection, advice
and consulting, and sales and marketing.
We will implement appropriate organizational and technical safeguards to
protect the Personal Data for which we act as data controller at all times.

4. Will your Personal Data be transferred to a third country or an international
organization?

4.1 We will only transfer your Personal Data overseas as permitted by law and with your
consent otherwise we will hold and store all consumer and transaction data within the UAE as prescribed by the Central Bank. Additionally, we also establish a safe and secure backup of all the consumer data and transactions in a separate location for the required period of retention i.e. 5 years.

5. For how long will my Personal Data be stored?

5.1 We will process and store your Personal Data for as long as it is necessary in order to
fulfill our contractual, regulatory and statutory obligations. It should be noted here that our business relationship is a long-term obligation, which is set up on the basis of periods of years.

5.2 We will delete data provided that the data is no longer required in order to fulfill
contractual, regulatory or statutory obligations, or the fulfillment of any obligations to
preserve records according to commercial and tax law.

5.3 We will normally retain your records for a minimum of five (5) years from the date of
termination of the business relationship or the closing of a consumer’s account with WIO or completion of a casual transaction whichever is earlier unless there is a particular reason to hold the records for longer, including legal hold requirements, which require us to keep records for an undefined period of time. We will continue to maintain confidentiality and security measures in relation to your Personal Data after the termination of the relationship until the Personal Data is destroyed.

6. What data privacy rights do I have?

6.1 Every data subject has in relation to their Personal Data:

The right to withdraw consent;
The right of access, rectification of Personal Data;
The right to be informed of WIO’s intent to use and/or share Personal Data.
The right to restrict processing.
The right to be notified by the Controller about any rectification, erasure, of data.
The right to make enquiries or complaints in respect of the Personal Data to the
complaint management function of WIO.

6.2 If applicable, you also have a right to make a complaint to the Central Bank.

7. Am I Obliged to provide Personal Data?

7.1 In the context of our relationship, you must provide all Personal Data that is required for accepting and carrying out a business relationship and fulfilling the accompanying contractual obligations or that we are legally obliged to collect. Without this Personal Data, we are, in principle, not in a position to enter into a legal agreement with you to provide banking and financial services.

7.2 In particular, anti-money laundering regulations require us to identify you on the basis of your identification documents before establishing a business relationship and to collect and put on record name, place and date of birth, nationality, address and identification details for this purpose.

7.3 In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with the applicable antimoney laundering regulations, and to immediately disclose any changes over the course of our relationship. If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship you require.

8. To What Extent Is There Automated Decision Making?

8.1 We may use fully automated decision-making in establishing and carrying out a business relationship. If we use this procedure in individual cases, we will inform you of this separately, provided this is a legal requirement as per applicable law. You have a right to object in instances where a decision is taken by us based only on automated decision-making where such right is granted under applicable law.

9. Will Profiling Take Place?

9.1 We process some of your data automatically, with the goal of assessing certain personal aspects (profiling). For example, we use profiling in the following ways:

Due to legal and regulatory requirements, we are required to combat money
laundering, terrorism financing, fraud, assess risk and offences that pose a danger to assets.

9.2 Data assessments (including on payment transactions) are also carried out for this
purpose. At the same time, these measures also serve to protect you.

We use assessment tools in order to be able to specifically notify you and advise you regarding products. These allow communications and marketing to betailored as needed, including market and opinion research.

10. Cookies

10.1 Cookies enable websites to remember who you are. Information from cookies may
include information relating to your use of our websites, information about your computer (such as IP address and browser type), and demographic data. We collect process and analyze traffic data regarding the use of our webpages. Traffic data is data connected to visitors on the webpage and data handled in communication fields for sending, distributing or making messages available.

10.2 We use cookies and similar technologies to deliver products and Services to you. We
use them to provide a secure online environment, to manage our marketing and give a better online experience, track our website performance and to make our website
content more relevant to you. The data will not be used to identify individual visitors
except for WIO Netbanking customers.

10.3 You can set or amend your web browser controls to accept or reject cookies. If you
choose to reject cookies, you may still use our websites and some Services, however
your access to some functionality and areas of our website or Services may be restricted substantially.

10.4 For more information, see cookies on our website [please insert]

11. How changes to this Privacy Policy and the Cookies policy will be made

11.1 We are constantly improving and developing our Services, products and websites, so
we may change this Policy from time to time. We will not diminish your rights under this Policy or under applicable data protection laws in the jurisdictions we operate. If the changes are significant, we will provide a more prominent notice, when we are required to do so by applicable law. Please review this Policy from time to time to stay updated on any changes.

Version 1.1

A. APPLICATION OF THIS PRIVACY POLICY

i. This Privacy Policy (“Policy”) forms part of the Wio Bank PJSC Standard Terms and
Conditions (“Standard Terms”) relating to our Services provided to you through Digital
Platforms, such as our mobile application (“Mobile App”) and website.

ii. Wio Bank PJSC (“Wio”, “us”, “we”, and “our”) is committed to safeguarding the privacy
of the personal data that is provided to us or collected by us during the course of
providing our Services as defined under the Standard Terms to you. This Policy
describes how and why we collect, store and use personal information, and provides
information about your rights. Please read the following information carefully to
understand our views and practices regarding how we handle personal data.

iii. For the purposes of applicable data protection law, Wio, is the “data controller” of your
personal information. If you have any questions about this Policy, or our processing of
your personal data, please contact us at:

Telephone: 600500946

The following data protection information gives an overview of the collection and processing of your data:

1. What personal data we collect and from which sources?

1.1 We process personal data that we obtain from you (our customers) in the context of our
business relationship. We also process - insofar as necessary to provide our Services -
personal data that we obtain with permission from publicly accessible sources and other
external sources (e.g., press, internet) or that is legitimately transferred to us by our other
companies in the Wio Group or from other third parties (e.g. a credit ratings agency and
other commercial information providers providing information on e.g. beneficial owners).

1.2 In order to facilitate, enable and/or maintain our business relationship, we collect and
otherwise process personal data relating to customers and any other person(s) involved
in the business relationship, as the case may be, such as authorised representative(s),
person(s) holding a power of attorney and beneficial owners, if different from the
customers, each an “related party”.

1.3 Personal Data is the personal information of a customer or related party (name, address
and other contact details, date and place of birth, and nationality), identification data and
authentication data (e.g. sample signature). Furthermore, this can also be order data
(e.g. payment instructions), data from the fulfillment of our contractual obligations (e.g.
data in payment transactions), information about a customer’s or related party’s financial
situation (e.g. creditworthiness data, scoring/rating data, origin of assets, source of
wealth), marketing and sales data, documentation data (e.g. file notes or meeting
minutes from a consultation), and other data similar to the categories mentioned.

2. What do we process your Personal Data for (purpose of processing) and on what legal basis?

2.1 We process Personal Data in accordance with the applicable privacy and data
protection laws in the UAE including but not limited to the Central Bank Consumer
Protection Regulations including the Consumer Protection Standards (Circular No.
8 of 2020). We use your Personal Data in order to carry out our operations and
provide banking and financial products and Services to you and make sure we do
not breach any contracts. We may use your Personal Data for market research
(including providing hyper-personalized and contextual products), analysis and
developing statistics.

a. As a result of your express consent

As long as you have granted us your express consent to process your Personal
Data in relation to providing our banking and financial products and Services to
you, this processing is legal on the basis of your consent. Consent given can be
withdrawn at any time by notifying us using either of the contact methods set out
under clause A (iii). above, except to the extent that withdrawal is not permitted
under applicable law.

The withdrawal will take effect within 30 days of receiving your request to withdraw.
Withdrawal of consent does not affect the legality of data processed prior to
withdrawal.

b. For fulfillment of contractual obligations

Personal data is processed in order to provide banking and financial services in
accordance with our legal agreements with our customers or to carry out precontractual measures that occur as part of a request from you.

Examples:

processes needed to e.g. open an account or online service or for granting a card or a credit
customer service during the contract period
possible establishment, exercise or defense of legal claims and collection procedure
consulting with credit rating agencies to investigate creditworthiness and credit risks

c. Necessary for compliance with Applicable Law

As such, we are subject to various legal obligations, under the applicable laws.
(e.g. the Money Laundering, Terrorist Financing or other Financial Services Laws,
Regulations, Rules, the Financial Services and Markets Act 2000, MIFID and any
tax or sanctions laws regime, treaty or directive). We are a digital bank and are
authorized and regulated by the UAE Central Bank for the conduct of financial
services in and from the UAE. The purposes of processing include assessment of
creditworthiness, identity and age checks, fraud and money laundering prevention,
fulfilling control and reporting obligations under financial regulation, and measuring
and managing risks within the Wio Group.

Examples:

know your customer requirements
preventing, detecting, and investigating money laundering, terrorist financing, and fraud
sanctions screening
bookkeeping regulations
reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities
risk management obligations such as credit performance and quality, capital adequacy, and insurance risks
payment service requirements and obligations
other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation
preventions and investigation of crimes
video surveillance and measures to protect the rights of an owner of premises
to keep out trespassers and to provide site security (e.g. access controls)

3. Who receives your Personal Data and confidentiality requirements?

3.1 We are under a duty of confidentiality to our customers and to prospective customers
and are obliged to maintain confidentiality regarding all customer-related matters and
assessments of which we acquire knowledge (banking confidentiality pursuant to
obligations under the Central Bank Consumer Protection Standards).

3.2 The following paragraphs set out details on where we transfer customer Personal Data
to and the purpose for any such transfer.

The WIO Group

3.3 We will share your Personal Data with other entities in the Wio Group where required to
fulfill our contractual and legal obligations. We will transfer your Personal Data in
connection with any services offered by any other member of the Wio Group or for risk
control due to statutory or regulatory obligation. We may also pass on information about
you to any other members of the Wio Group in connection with any Service which we
think you may be interested in.

a. External recipients of data

i. We will transfer Personal Data about you with your express consent in the
course of conducting our usual business, or if legal, regulatory or market
practice requirements demand it to the following external recipients for the
following purposes:

to public authorities and bodies (e.g. authorities such as the Central Bank of
the UAE, other supervisory or licensing authorities and law enforcement
agencies) either upon providing a legal or regulatory request or as part of
our legislative and regulatory reporting requirements.
to other credit and financial institutions or comparable institutions in order to
carry out a business relationship with you (depending on the contract, e.g.
correspondent banks, custodian banks, brokers, stock exchanges, credit
rating agencies).
to third parties (for example correspondent banks, brokers, exchanges, trade
repositories, processing units and third-party custodians, issuers,
authorities, and their representatives) for the purpose of ensuring that we
can meet the requirements of applicable law, contractual provisions, market
practices and compliance standards in connection with transactions you
enter into and the services that we provide you with. If you are referred to
Wio by a third party (such as a corporate service provider), we may disclose
information on your application status to such third party.
to any natural or legal person, public authority, agency or body for which you
have given us your consent to transfer Personal Data to or for which you
have released us from banking confidentiality.

b. To service providers and agents

i. We will transfer your Personal Data to service providers and authorised agents
appointed by us for the purposes given, subject to maintaining banking
confidentiality. These are companies in the categories of banking services, IT
services, logistics, printing services, telecommunications, collection, advice
and consulting, and sales and marketing.

ii. We will implement appropriate organizational and technical safeguards to
protect the Personal Data for which we act as data controller at all times.

4. Will your Personal Data be transferred to a third country or an international organization?

4.1 We will only transfer your Personal Data overseas as permitted by law and with your
consent otherwise we will hold and store all consumer and transaction data within the
UAE as prescribed by the Central Bank. Additionally, we also establish a safe and secure
backup of all the consumer data and transactions in a separate location for the required
period of retention i.e. 5 years.

5. For how long will my Personal Data be stored?

5.1 We will process and store your Personal Data for as long as it is necessary in order to
fulfill our contractual, regulatory and statutory obligations. It should be noted here that
our business relationship is a long-term obligation, which is set up on the basis of periods
of years.

5.2 We will delete data provided that the data is no longer required in order to fulfill
contractual, regulatory or statutory obligations, or the fulfillment of any obligations to
preserve records according to commercial and tax law.

5.3 We will normally retain your records for a minimum of five (5) years from the date of
termination of the business relationship or the closing of a consumer’s account with Wio
or completion of a casual transaction whichever is earlier unless there is a particular
reason to hold the records for longer, including legal hold requirements, which require
us to keep records for an undefined period of time. We will continue to maintain
confidentiality and security measures in relation to your Personal Data after the
termination of the relationship until the Personal Data is destroyed.

6. What data privacy rights do I have?

6.1 Every data subject has in relation to their Personal Data:

The right to withdraw consent;
The right of access, rectification of Personal Data;
The right to be informed of Wio’s intent to use and/or share Personal Data.
The right to restrict processing
The right to be notified by the Controller about any rectification, erasure, of data.
The right to make enquiries or complaints in respect of the Personal Data to the
complaint management function of Wio.

6.2 If applicable, you also have a right to make a complaint to the Central Bank.

7. Am I Obliged to provide Personal Data?

7.1 In the context of our relationship, you must provide all Personal Data that is required for
accepting and carrying out a business relationship and fulfilling the accompanying
contractual obligations or that we are legally obliged to collect. Without this Personal
Data, we are, in principle, not in a position to enter into a legal agreement with you to
provide banking and financial services.

7.2 In particular, anti-money laundering regulations require us to identify you on the basis of your identification documents before establishing a business relationship and to collect
and put on record name, place and date of birth, nationality, address and identification
details for this purpose.

7.3 In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with the applicable antimoney laundering regulations, and to immediately disclose any changes over the course of our relationship. If you do not provide us with the necessary information and
documents, we cannot enter into or continue the business relationship you require.

8. To What Extent Is There Automated Decision Making?

We may use fully automated decision-making in establishing and carrying out a business
relationship. If we use this procedure in individual cases, we will inform you of this separately, provided this is a legal requirement as per applicable law. You have a right to object in instances where a decision is taken by us based only on automated decision-making where such right is granted under applicable law.

9. Will Profiling Take Place?

9.1 We process some of your data automatically, with the goal of assessing certain personal aspects (profiling). For example, we use profiling in the following ways:

Due to legal and regulatory requirements, we are required to combat money
laundering, terrorism financing, fraud, assess risk and offences that pose a danger to
assets.

9.2 Data assessments (including on payment transactions) are also carried out for this
purpose. At the same time, these measures also serve to protect you.

We use assessment tools in order to be able to specifically notify you and advise you
regarding products. These allow communications and marketing to betailored as
needed, including market and opinion research.

10. Cookies

10.1 Cookies enable websites to remember who you are. Information from cookies may
include information relating to your use of our websites, information about your computer
(such as IP address and browser type), and demographic data. We collect process and
analyze traffic data regarding the use of our webpages. Traffic data is data connected to
visitors on the webpage and data handled in communication fields for sending,
distributing or making messages available.

10.2 We use cookies and similar technologies to deliver products and Services to you. We
use them to provide a secure online environment, to manage our marketing and give a
better online experience, track our website performance and to make our website
content more relevant to you. The data will not be used to identify individual visitors
except for Wio Netbanking customers.

10.3 You can set or amend your web browser controls to accept or reject cookies. If you
choose to reject cookies, you may still use our websites and some Services, however
your access to some functionality and areas of our website or Services may be restricted
substantially.

10.4 For more information, see cookies on our website Wio.io.

11. How changes to this Privacy Policy and the Cookies policy will be made

11.1 We are constantly improving and developing our Services, products and websites, so
we may change this Policy from time to time. We will not diminish your rights under this
Policy or under applicable data protection laws in the jurisdictions we operate. If the
changes are significant, we will provide a more prominent notice, when we are required
to do so by applicable law. Please review this Policy from time to time to stay updated
on any changes.

Version 1.0

A. APPLICATION OF THIS PRIVACY POLICY

i. This Privacy Policy (“Policy”) forms part of the Wio Bank PJSC Standard Terms and
Conditions (“Standard Terms”) relating to our Services provided to you through Digital
Platforms, such as our mobile application (“Mobile App”) and website.