SCOPE AND PURPOSE OF THIS PRIVACY NOTICE

This privacy notice (the "Notice") details the data processing activities being undertaken by Moneybite Limited ("Moneybite"), a limited company incorporated in Malta (Company Number C 86493), whose registered office is at Level 2, Ennglad, Triq il-Wied Tal-Msida, Msida, MSD 9022, MALTA (collectively referred to as "Moneybite", "We", "Us" and "Our").

This Notice and its updates shall be available at this link

Moneybite is the data controller of your personal data, and has appointed a Data Protection Officer ("DPO"), who may be contacted at the details provided below:

Address: Level 3, Ennglad, Valley Road, Msida. MSD 9022. Malta

Email: [email protected]

This document sets out how Moneybite processes personal data and sets out the rights of Data Subjects pursuant to the Data Protection Act, Chapter 586 of the Laws of Malta (and any subsidiary legislation issued thereunder) and the EU Regulation 2016/679 (the "GDPR") (collectively, the "Data Protection Legislation"), as may be amended from time to time. You are responsible for ensuring that any third-parties whose Personal Data you provide to Us (e.g. authorised representatives, beneficial owners) are provided with and informed about the existence and contents of this Notice.

The term "personal data" and/or "personal information" refers to all personally identifiable information about a living natural person, such as name, surname and address, and includes all information which may arise that can be identified, either directly or indirectly, with a living natural person.

The terms "process", "processing" or "processed" shall mean any operation or set of operations which is performed on the personal data or on sets of personal data, whether or not by automated means, by Moneybite and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the personal data.

2. INFORMATION WE COLLECT ABOUT YOU

The personal data we typically collect and process are:

a. The personal data that We collect for the fulfilment of our client onboarding procedures including all personal data in our client application forms, due diligence documentation, and any documents or information which you may be required to supply to Us for such purposes, possibly including, personal data relating to criminal convictions and offences;

b. Personal data that We may process as a result of legal obligations imposed on Us (including AML/CTF obligations);

c. Your identity details such as your name, surname, title, position, and status and/or any information contained in documents made available on public registries, and/or by you and/or third parties, following the establishment of a business relationship;

d. Personal data contained in documents publicly available and accessed in order to allow Us to provide you with Our services and/or evaluate whether We are in a position to provide you with Our services;

e. Your contact information such as your email address, physical address and telephone numbers;

f. Your bank account details and other financial information;

g. Information you provide to Us for the purposes of attending meetings or events;

h. Personal data provided to Us by, on behalf of or in relation to Our clients, business partners, service providers and employees;

i. Any personal data lawfully generated by Us in the course of executing Our client’s instructions; and

j. Any personal data which you may voluntarily provide to Us.

Note that special categories of personal data include data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your conviction and offences. Typically, We do not envisage any processing of special categories of personal data.

Should the processing of special categories of personal data become envisaged, We will ensure that We have additional grounds for processing your personal data and will communicate to you any relevant information which may be required under applicable Data Protection Legislation

3. HOW YOUR PERSONAL INFORMATION IS COLLECTED

As a VFA Service Provider Moneybite regularly collects personal data as part of Our regulated services and obligations.

We typically collect personal data:

As part of Our client onboarding procedures;

In order to properly service an ongoing business relationship, or an occasional transaction with you, including any ongoing monitoring and updating of our files in order to comply with applicable laws and our risk programmes;

When you or your company provide services to Us or refers clients to Us; and

When you contact Us voluntarily in other circumstances such as when seeking a meeting with Us or seeking to attend an event which we may be sponsoring.

Generally, you would have provided your personal data to Us. However, in some instances, We may collect personal data about you from third party sources, such as online searches or from public registers. Third parties such as Our clients and business partners may also have provided your personal data to Us.

4. HOW YOUR PERSONAL DATA MAY BE USED

Irrespective of the manner that We have collected your personal data, We will only process such data where We have at least one lawful basis in terms of the Data Protection Legislation to do so.

As a general practice, we envisage to process your personal data for:

• Contractual Agreement – the steps taken to enter into Our services contract, including but not limited to the assessments undertaken by Us in deciding whether We are in a position to provide you with Our services;

• Legal Obligation - Complying with Our legal obligations, in particular Our legal obligations with respect to anti- money laundering and combating the funding of terrorism;

• Legitimate Interest - Conflict check purposes; Ongoing monitoring in line with our AML/KYC obligations.

• Legitimate Interest and Contractual Agreement - Managing our relationship with you, or your company, including for billing and debt collection purposes and/or with any third parties appointed by you;

• Legitimate Interest - The purpose of a legitimate interest pursued by Us or by a third party, provided such interest does not override your interests, fundamental rights and freedoms;

• Consent - Keeping you updated with legal, financial, regulatory updates, proposed projects, new initiatives and proposed transactions, potential cooperation between you, your service providers, and/or any of your contacts and Us, news, and events organised by the firm where it is in our legitimate interests to do so, provided that such interests do no override your interests, fundamental rights and freedoms; and

• The purposes you would have requested when providing Us your personal data.

We may also process your personal data for the purposes of establishing, exercising or defending legal proceedings.

5. FAILURE TO PROVIDE DATA

If you fail, are unable or otherwise refuse to provide personal information when requested, and such personal information is necessary for Us to consider your on-boarding process, or else to continue to monitor your activity on our platform is in line with our various legal obligations and legitimate interests, We will not be able to on-board you successfully or else to maintain your position as a customer of Moneybite. For example, if we require you to fill in questionnaires and related modules and/or parts of client application forms, and you fail to provide us with relevant details, we will not be able to take your on-boarding further.

6. LEGAL BASIS FOR PROCESSING

We process your personal data on the basis of the following legal basis:

Entering into and performing a contract – in particular to provide Our services, managing Our relationship or receiving a service from you or your company. Providing such personal data is necessary for our performance of such contract (including the services rendered under Our Engagement Letter subject to the terms and conditions set forth therein). The consequence for not doing such processing would be that we would be unable to provide you with our services and enter into a contract of services;

Our legitimate interests – in particular legitimate interests which may arise directly or indirectly in relation to Our client’s instructions, Our internal policies, proposed projects, new initiatives and proposed transactions, potential cooperation between you, your service providers, and/or any of your contacts and Us. When we process your personal data on the basis of Our legitimate interests, we ensure that the legitimate interests pursued by Us are not overridden by your interests, rights and freedoms;

Your explicit consent – in which case, Our processing shall be limited to the purposes specifically indicated when your consent was requested. Processing on the basis of your consent is not envisaged, except with respect to communications related to events, news and legal updates where we do not have a legitimate interest to send you such communications; and

Compliance with legal obligations imposed on Us – in particular obligations imposed on Us as a result of anti-money laundering and combating the funding of terrorism legislation, and to prevent, detect, respond or report other potential illegal activities.

On the basis of our legitimate interests or compliance with legal obligations, as applicable, We may also process your personal data for the purposes of establishing, exercising or defending legal proceedings.

7. INFORMATION ABOUT CRIMINAL CONVICTIONS

We may be required to collect information about your criminal convictions history for the purposes of our KYC and AML procedures. For certain transactions, we are required and/or entitled to carry out a criminal records check in order to ensure that there is nothing in your criminal convictions history which makes you unsuitable to be onboarded as a client. In particular We might be legally required by the FIAU, MFSA and/or any other applicable regulatory authority to carry out criminal record checks for certain services.

8 AUTOMATED DECISION MAKING

You will not be subject to automated decisions without human intervention that will result in a significant impact on your fundamental rights, freedoms and interests. However, Moneybite does use automated means for example in order to assist its human decision-making bodies on levels of risk, both at onboarding stage as well as with respect to the monitoring of ongoing transactions.

9. DATA SHARING

We only share data internally on a need to know basis.

We may share your personal information with the following third parties for the purposes of processing your application to onboard with Moneybite, or for the purposes of carrying out an occasional transaction or the business relationship:

third parties to whom disclosure may be required as a result of the relationship with Our client such as banks, electronic money institutions, and payment service providers;

the Malta Financial Services Authority, the Financial Intelligence Analysis Unit and/or public authorities where We are required to do so by law or court order.

We have taken all reasonable and necessary precautions to ensure that all Our third-party service providers take appropriate security measures to protect your personal information in line with Our policies.

We may also share your personal data with third party recipients on a strictly need to know basis and not unless they are providing that particular services to the specific business relationship we create with you and who are:

• service providers that may have access to your personal data in rendering Us with their support services, including KYC, IT and accounting service providers

• any business partners to whom you may have requested that we transfer your personal data; and

• third parties to whom disclosure may be required as a result of legal obligations imposed on Us.

• third parties involved in the organisation of Our events, if applicable;

Unless specifically instructed and consented by you, we do not share your personal data with any entity located outside of the EU or EEA.

10. DATA STORAGE AND SECURITY

Your personal data may be stored in paper files or electronically on Our technology systems hosted either by us, or on our behalf by in the Cloud.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, We limit access to your personal information to those employees, agents, contractors and other third parties on a need-to-know basis. Such are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

11. DATA RETENTION

We retain your personal data exclusively for the period which is lawfully permissible to retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed.

As a result of legal obligations imposed on Us, we typically retain your personal data for up to ten (10) years from the closure of your file and you cease to be Our client, unless we have a statutory obligation imposed on Us to retain your data for a further period or a business need or require your personal data to exercise or defend legal claims.

Invoices, credit notes and similar transactional documents or information will be kept by Us for up to nine (9) years from completion of the relevant transaction on the basis of legal obligations imposed on Us to retain such information.

We may have a legitimate interest to hold your data for longer periods such as when your data is required for exercising or defending legal claims.

Any personal data which We may hold on the basis of your consent shall be retained exclusively until when you withdraw your consent.

12. YOUR RIGHTS IN CONNECTION WITH PERSONAL INFORMATION

Under certain circumstances, you have the right to:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information We hold about you ;

• Request correction of the personal information that We hold about you. This enables you to have any incomplete or inaccurate personal information We hold about you corrected;

• Request erasure of your personal information. This enables you to ask us to delete or remove personal information in certain circumstances;

• Object to processing of your personal information where We are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;

• Request the restriction of processing of your personal information. This enables you to ask Us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;

• Portability - you may request that We provide you with certain personal data which you have provided to Us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that We transmit such personal data to a third-party controller indicated by you;

• Right to lodge a complaint – you have the right to lodge a complaint regarding the processing of your personal data with the supervisory authority for data protection matters. Please refer to the relevant Section hereunder for further information on this;

• Withdraw your consent – where Our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and

• Be informed of the source – where the personal data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your personal data originates.

Please note that in terms of the applicable laws, your rights in relation to your personal data are not absolute.

You may exercise the rights indicated in this section by contacting Us at the details indicated above.

13. COMPLAINTS

If you have any complaints regarding our processing of your Personal Data, please note that you may contact Us on any of the details indicated above. You also have a right to lodge a complaint with the Office of the Information and data Protection Commissioner in Malta (www.idpc.gov.mt).

14. UPDATES

We may update this Privacy Notice in Our sole discretion including as result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.