Privacy policy for the SCANDIC brand ecosystem (global scope)

2.1 Responsible body within the meaning of the European Union's General Data Protection Regulation

For users from the European Union and the European Economic Area, as well as for processing related to the European Union, the following company is jointly responsible alongside SCANDIC FINANCE GROUP LIMITED:

SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong / SAR – PRC
E Email: Office@ScandicFinance.Global

2.2 Data protection officer and central data protection contact point

Regardless of your country of residence, you can contact our central data protection contact point for all data protection issues:

Data Protection Officer for the SCANDIC Brand Ecosystem
SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong
Email: Office@ScandicFinance.Global

Enquiries will be forwarded from there to the relevant company, in particular to SCANDIC FINANCE GROUP LIMITED in Hong Kong / SAR - PRC.

2.3 Joint responsibility and order processing

Depending on the service and product, there are different roles:

• Sole responsibility of one company, for example SCANDIC FINANCE GROUP LIMITED, for certain banking, financial or investment processes,
• Joint responsibility of several companies in the SCANDIC brand ecosystem, in particular for central platform and IT infrastructures,
• order processing, for example when LEGIER Beteiligungs Gesellschaft mit beschränkter Haftung or SCANDIC ASSETS FZCO provide IT or media services on behalf of SCANDIC FINANCE GROUP LIMITED.

We will provide a summary of the key content of agreements on joint responsibility upon request.

Terms such as "personal data", "processing", "controller", "processor" or "profiling" are used in accordance with the definitions in the European Union's General Data Protection Regulation. In other jurisdictions, we refer to comparable legal terms.

Depending on the service, contract type and interaction, we process the following categories of personal data in particular:

4.1 Master data

• Surname, first name, title (if applicable),
• Residential or business address,
• e-mail address, telephone numbers, preferred language of communication,
• nationality, date of birth, place of birth, if required for identification purposes.

4.2 Contract and financial data

• Contract numbers, customer numbers, account details,
• Information about the products and services you use, in particular in the areas of financial services, payment services, fiduciary services, structuring services, real estate and lifestyle services, health services, data and infrastructure services, and investment and token services,
• Transaction data, e.g. payments, transfers, card transactions, cryptographic wallet addresses, reference numbers,
• billing data, invoices and payment histories,
• Creditworthiness, risk and rating information, to the extent permitted by law and necessary for the respective purposes.

4.3 Data for identification, compliance and money laundering prevention

• Copies of identity documents, e.g. passport or identity card,
• Proof of residence or address, e.g. utility bills
• information on the beneficial owner,
• Information on status as a politically exposed person and results of checks against sanctions lists,
• Information on the origin of assets and funds as well as professional activity,
• Documentation of identification procedures, for example video identification procedures or comparable procedures.

4.4 Usage data and device data in the context of online services

• Internet Protocol address, date and time of access,
• device type, operating system, browser type, language settings,
• log files to ensure system and information security,
• usage profiles relating to our platforms, e.g. pages visited, click paths and session IDs, insofar as this is legally permissible and, where applicable, based on your consent.

4.5 Communication and content data

• Contents of contact enquiries by e-mail, contact form, letter or telephone,
• support and complaint requests,
• uploaded documents and attachments,
• Data provided in feedback, surveys or competitions.

4.6 Marketing and preference data

• Information about subscribed newsletters and consent logs,
• preferred topics, languages and communication channels,
• information about the effectiveness of campaigns, to the extent permitted by law and, where applicable, based on your consent.

4.7 Applicant data and business partner data

• Application documents, in particular CVs, certificates, letters of motivation and references,
• information about contact persons at business partners, compliance documents, contract contents and bank details.

As a rule, we do not process special categories of personal data such as health data, unless this is necessary for certain services, in particular in the health sector, is legally permissible and has been specifically explained to you.

We process personal data for the following purposes:

1. Contractual purposes and pre-contractual measures
   • Supporting interested parties, customers and clients
   • Initiating, concluding and executing contracts within the scope of SCANDIC services, in particular in the areas of banking services, payment services, card services, trust services, corporate and structuring services, real estate and lifestyle services, health services, data and infrastructure services, and investment and token services.
2. Fulfilment of legal obligations
   • Compliance with regulations on the prevention of money laundering and terrorist financing
   • Compliance with identification requirements for customers and business partners
   • Compliance with tax and commercial law retention obligations,
   • Fulfilment of reporting obligations to supervisory authorities, financial investigation agencies and other government agencies.
3. Technical operation, security and stability
   • Operation and monitoring of our IT systems, platforms and databases,
   • Detection and prevention of misuse, fraud, cyber attacks and other security risks,
   • Ensuring the availability, integrity and performance of our services.
4. Communication and customer support
   • Responding to enquiries and complaints,
   • customer care, relationship management and support in regulatory matters,
   • Communication within the framework of existing and initiated contractual relationships.
5. Marketing, analysis and further development of products
   • Sending information about markets, products and services, where legally permissible
   • Conducting customer satisfaction surveys,
   • Analysis of the use of our offerings to improve functionality, security and user-friendliness,
   • Personalisation of content, where legally permissible and, where applicable, covered by your consent.
6. Enforcement and defence of legal claims
   • Asserting, exercising or defending legal claims,
   • Conducting out-of-court and court proceedings,
   • internal compliance and investigation processes.

Depending on the applicable legal system and processing operation, the processing of personal data is based in particular on the following legal bases:

6.1 Within the European Union and the European Economic Area

• Consent pursuant to Article 6(1)(a) of the General Data Protection Regulation
  for example, for sending newsletters, using certain cookies or using analysis tools,
• Contract performance and pre-contractual measures pursuant to Article 6(1)(b) of the General Data Protection Regulation
  for example, for the initiation and execution of banking, payment, trust, card or investment contracts,
• Compliance with legal obligations pursuant to Article 6(1)(c) of the General Data Protection Regulation
  for example, tax obligations, money laundering documentation obligations,
• Safeguarding legitimate interests pursuant to Article 6(1)(f) of the General Data Protection Regulation
  for example, to ensure information security, prevent fraud, for internal administrative purposes or for direct marketing within the legally permissible framework.

Insofar as special categories of personal data are processed, this is only done under the conditions of Article 9 of the General Data Protection Regulation, for example, with your express consent or for health care purposes and in compliance with additional national regulations.

6.2 Switzerland, United Kingdom, Hong Kong, United Arab Emirates, Ukraine and other countries

In other jurisdictions, we base the processing of personal data on comparable grounds:

• fulfilment of a contract or implementation of pre-contractual measures,
• consent,
• fulfilment of legal obligations,
• safeguarding legitimate interests, for example to ensure security, prevent fraud or for internal administration.

We obtain personal data from the following sources in particular:

• directly from you when you register, enter into a contract, make enquiries or undergo identification procedures;
• from business partners, correspondent banks, payment service providers and intermediaries,
• from public registers and databases, such as commercial registers, sanctions lists or company registers,
• from credit agencies and service providers that carry out checks for money laundering prevention, creditworthiness or sanctions lists, to the extent permitted by law,
• from the use of our websites, applications and platforms, in particular through log files and usage analyses.

We transfer personal data exclusively within the scope of what is legally permissible to the following categories of recipients:

• Companies in the SCANDIC brand ecosystem and its affiliated companies,
• service providers in the context of order processing, in particular providers of IT hosting, cloud services, identification services, payment processing, printing and shipping services, communication and support systems,
• Financial institutions, payment service providers, card organisations and service providers in the field of cryptographic assets, insofar as this is necessary for the fulfilment of the contract,
• Consultants, in particular auditing firms, law firms, tax advisors and compliance consultants,
• Government authorities, supervisory authorities, financial investigation agencies and law enforcement agencies, insofar as we are legally obliged to do so or such transfer is necessary to protect our rights,
• Cooperation and distribution partners, insofar as this is necessary for the fulfilment of the contract or is based on your consent.

Contracts are concluded between us and service providers who process personal data on our behalf, which in particular ensure the protection of your personal data.

As a globally active financial, fiduciary and service ecosystem, we also transfer personal data to countries outside the European Union and the European Economic Area, in particular to:

• Hong Kong, Special Administrative Region of the People's Republic of China,
• the United Arab Emirates,
• the Swiss Confederation,
• the United Kingdom of Great Britain and Northern Ireland,
• Ukraine,
• and, where applicable, other countries in which cooperation partners or service providers are based.

Insofar as these transfers relate to data subjects within the European Union and the European Economic Area, we ensure an adequate level of protection for personal data. This is achieved, for example, through:

• Adequacy decisions by the European Commission,
• the conclusion of standard contractual clauses,
• additional technical and organisational protective measures such as encryption, pseudonymisation and strict access regulations.

Information on specific guarantees for certain data transfers is available on request.

We only store personal data for as long as is necessary to fulfil the aforementioned purposes or as we are legally obliged to do so. The storage period depends in particular on:

• statutory retention periods, in particular commercial and tax law provisions,
• special legal regulations on money laundering prevention and financial market supervision,
• contractual limitation periods and the need to assert or defend legal claims.

Once the purpose of processing has ceased to apply, personal data is deleted or anonymised. If deletion is not possible for legal or technical reasons, processing is limited to the necessary extent.

11.1 Server log files

When you visit our websites, information is automatically stored in server log files, in particular:

• Internet protocol address,
• date and time of access,
• page or file accessed,
• amount of data transferred,
• referring internet address,
• browser and operating system used.

This processing is based on our legitimate interest in the stability, security and technical optimisation of our websites and platforms.

11.2 Cookies and similar technologies

Our websites and platforms use cookies and similar technologies to:

• provide basic technical functions, such as session management and language selection,
• analyse usage and improve our offerings,
• support marketing and remarketing measures, where legally permissible and based on your consent, where applicable.

In particular, we distinguish between:

• technically necessary cookies, which are required for the operation of the website,
• convenience and preference cookies, for example for language selection and display settings,
• analysis and performance cookies,
• marketing and tracking cookies.

You can adjust your cookie settings via the cookie banner provided or a preference centre and deactivate unnecessary cookies at any time.

11.3 Web analytics and marketing tools

Depending on the website and service, analysis tools and marketing tools may be used. These tools are used, for example, to measure reach, evaluate user behaviour and optimise content.

Insofar as these tools process personal data or access information on end devices, this is done on the basis of:

• your consent, or
• our legitimate interest in analysing and improving our offerings, provided this is permissible under data protection law.

Details on individual tools can be found in separate notices on the respective websites, if applicable.

12.1 Identification, money laundering prevention and sanctions checks

Within the scope of the services provided by SCANDIC FINANCE, SCANDIC PAY, SCANDIC COIN, SCANDIC SEC, SCANDIC TRUST and comparable services, we are legally obliged to carry out comprehensive checks to prevent money laundering and terrorist financing. This includes in particular:

• the identification of customers and beneficial owners,
• checks against sanctions lists,
• classifying customers according to risk criteria,
• monitoring transactions to detect unusual or suspicious activities,
• documenting these processes and reporting suspicious circumstances to the competent authorities.

The legal basis for this is provided by the laws applicable in the respective countries for the prevention of money laundering and terrorist financing, as well as regulations issued by the financial supervisory authorities.

12.2 Profiling and automated decisions in individual cases

For risk assessment, fraud prevention and compliance with legal requirements, we may carry out automated assessments, for example:

• classifying customer relationships into risk or product categories,
• automated verification rules for detecting unusual transactions,
• internal warning or verification functions.

Fully automated decisions with legal effect, for example the fully automated rejection of a contract without human review, are only made if this is legally permissible and appropriate measures are in place to protect your rights. In such cases, you have the right to request a human review of the decision and to state your position.

Most of our services are aimed at adults. Persons who have not yet reached the age of majority in their country of residence may only use our financial, payment or investment services if the applicable legal requirements are met and, where applicable, the consent of their legal representatives has been obtained.

If we discover that personal data of minors has been processed without the required consent, we will take appropriate measures to delete this data, provided that there are no legal retention obligations to the contrary.

We take extensive technical and organisational measures to protect personal data from loss, misuse, unauthorised access and unauthorised disclosure. These include, in particular:

• Encryption of data transmissions,
• role-based access rights and authentication procedures,
• firewalls and systems for detecting and preventing attacks,
• logging and monitoring of security-related events,
• regular updating of the software and infrastructure used,
• raising awareness and training our employees.

In many cases, particularly for financial, payment and trust services, we are legally obliged to collect certain personal data. Without this data, we cannot:

• open accounts,
• process transactions,
• manage assets,
• or provide certain services.

Where possible, we indicate in forms or processes which information is required and which is optional.

Depending on the applicable data protection law, you have various rights regarding your personal data.

Within the European Union and the European Economic Area, these include in particular:

• Right to information about the personal data processed
• Right to rectification of inaccurate data
• Right to erasure of personal data, provided that there are no legal retention obligations to the contrary,
• Right to restriction of processing,
• the right to transfer your data in a structured, commonly used and machine-readable format,
• Right to object to certain processing, in particular direct marketing or processing based on legitimate interests,
• Right to withdraw consent with effect for the future.

In Hong Kong, the Swiss Confederation, the United Kingdom of Great Britain and Northern Ireland, the United Arab Emirates, Ukraine and other countries, there are functionally comparable rights, the specific form of which varies depending on the legal system.

16.1 Exercising your rights

To exercise your rights, you can contact our data protection contact point at any time:

SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong / SAR - PRC
Email: Office@ScandicFinance.Global

Please describe your request as specifically as possible and, if possible, indicate the brand and country with which you have a business relationship. In individual cases, it may be necessary to request additional information to confirm your identity in order to protect information from unauthorised access.

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates applicable data protection law. In particular, you can contact the supervisory authority of your habitual residence, your place of work or the place of the alleged violation.

The following supervisory authority is specifically responsible for matters relating to the Hong Kong Special Administrative Region of the People's Republic of China:

Office of the Privacy Commissioner for Personal Data, Hong Kong
12/F, Sunlight Tower
248 Queen's Road East
Wan Chai
Hong Kong / SAR - PRC

You can contact this authority in English or Chinese. Matters relating to other countries are the responsibility of the relevant national data protection supervisory authorities.

If you provide us with your contact details, we will use them:

• to respond to your enquiries,
• to send you information in connection with existing or initiated contracts,
• to fulfil legal information obligations,
• to send you information about products and services, insofar as this is legally permissible.

18.1 Newsletter

If you expressly consent, we will send you regular newsletters or similar information. In this context:

• we will document your consent with the date and other relevant information,
• you can unsubscribe from the newsletter at any time via an unsubscribe link or by sending us a message,
• revocation of consent has no influence on the legality of the processing carried out up to the point of revocation.

Our brands and companies maintain presences on social networks and external platforms. When visiting these presences, the following also applies:

• the terms of use and data protection guidelines of the respective platform operator,
• where applicable, joint responsibility between us and the operator for certain processing operations, such as statistical evaluations.

We process data from these presences in order to communicate with you, present our offers and analyse our reach. This may involve data processing in countries outside the European Union and the European Economic Area.

We reserve the right to amend this privacy policy at any time with future effect, in particular:

• in the event of changes to legal requirements,
• in the event of extensions or adjustments to our services,
• in the event of organisational changes within the SCANDIC brand ecosystem.

The current version is usually published on the official websites of:

SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong / SAR - PRC
Email: Office@ScandicFinance.Global

We will announce any significant changes that significantly affect your rights separately, for example by posting a notice on our websites or by email.

General data protection enquiries for the SCANDIC brand ecosystem:

SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong / SAR - PRC
Email: Office@ScandicFinance.Global

Central data protection contact point and data protection officer:

SCANDIC FINANCE GROUP LIMITED
by Scandic Banking Hong Kong
Room 10, Unit A, 7/F
Harbour Sky, 28 Sze Shan Street
Yau Tong, Hong Kong /SAR - PRC
Email: Office@ScandicFinance.Global

When making enquiries, please indicate which SCANDIC ECO SYSTEM brand you are associated with and in which country you are based. This will facilitate the rapid and targeted processing of your data protection concerns.