Privacy Policy

DISCLOSURE PURSUANT TO ARTICLE 13 OF EUROPEAN REGULATION 679/2016 (GDPR)

FOR PROCESSING PERSONAL DATA IN THE CONTEXT OF LENDING PRODUCT SOLUTIONS OFFERED TO CUSTOMERS

Dear Customer,

In compliance with the legislation on the protection of personal data of natural persons - EU Regulation 2016/679 (hereinafter 'GDPR') – we recommend carefully reading the following information on the processing of your personal data ('Personal Data') collected and processed, in the context of lending products and financial services (the 'Services') offered to customers.

1. Data Controller

Products and Services are intended as all the Services offered by the Data Controller that refer to the legal person, public authority, service or other entity which, individually or jointly, determines the purposes and means for processing Personal Data.

The Data Controller of your Personal Data is the company Business Innovation Lab S.p.A., VAT No. 07956480961, Parent Company with registered office in Viale Carlo Espinasse, 163, 20156

Contact email to receive information on the processing of Personal Data: privacy@opyn.eu.

The Data Controller has appointed - as a contact point for Data Subjects - a Data Protection Officer ('DPO') available at the following contacts:

• Silvia Boschello, lawyer

• Corso Milano No. 106 - 35139 Padua - Tel. +39 049/5000200

• e-mail: s.boschello@responsabileprotezione.it

• certified email: s.boschello@bclpartnerscert.com.

The Data Controller's policy on the protection of personal data is shared in a joint controllership, pursuant to Article 26 of the GDPR, within the group with the company Mo.Net S.p.a., a single shareholder company listed in the Register of Payment Institutions pursuant to Article 114 septies of the Italian Consolidated Banking Act with code 36058.6 and the company ART SGR S.p.a. with single shareholder, listed in the Register of Management companies pursuant to Article 35, paragraph 1, section FIA of the Consolidated Banking Act with registration code 161 ART SGR, which is authorised to manage alternative investment funds reserved for professional investors. All the companies of the group use the Opyn platform, in its various forms, to offer fintech solutions to their customers (hereinafter the ‘Portal’).

The Joint Controllership Agreement is available to Data Subjects in the Transparency section of the Portal.

2. Processing methods – Purposes of processing and legal bases

The Personal Data are processed by automated tools for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are adopted to prevent data loss, possible illegal or improper use of data and unauthorised access.

The Personal Data collected will be processed for the purposes described below:

1. the conduct of activities instrumental to the execution of contracts in all their phases, including those phases related to pre-contract offers for the Services of

• OPYN NOW

• providing the commercial services presented on the Portal (for example the Free Demo service);

• providing the services presented on the Portal where users can request and possibly obtain funding;

• providing the services presented on the Portal referred to in Article 1, paragraph 1, letter h-septies.1, numbers 3 and 4 (the ‘Payment Services’), in compliance with the regulatory requirements defined by the Consolidated Banking Act referred to in Italian Legislative Decree 385 of 1 September 1993, as amended;

• carrying out activities connected and instrumental to customer relations management, the identification of the same also through 'Video Chats,' consisting of a call made to an operator who through the use of a webcam and following a specific procedure must verify that the documents provided belong to the connected person and then proceed to recognition with a snapshot of the face of the person, which will be kept for the purposes of control and prevention of fraud;

• carrying out activities related to credit risk control and fraud prevention (e.g., acquisition of information prior to contract conclusion, execution of transactions based on the obligations arising from the contract concluded with customers, etc.);

• protecting the legitimate interests of the Data Controller, including in particular defence in court.

• OPYN PAY LATER

• Providing an end-to-end service to manage B2B payments in a flexible and secure manner, allowing entrepreneurs to maximise and simplify sales, improve cash flows, reduce administrative costs and overdue risks.

For all Services:

• fulfil the obligations established by laws, regulations and Community legislation as well as by provisions issued by authorities legitimated by law and by supervisory and control bodies (e.g., usury law, anti-money laundering, tax charges, insurance, etc.);

• provide assistance, including telephone support, to the user in relation to the services offered in the Portal;

• verify the satisfaction of users and business partners and measure the effectiveness and adequacy of the service offered through the Portal;

• carry out market research aimed at detecting the degree of user satisfaction;

• the administrative management of relations, including commercial ones, with the third parties indicated in the previous points;

• provide its partners (banks, financial intermediaries, credit funds, guarantee consortia, etc.) with the data and all the information necessary for the provision of the services requested by the user in order to verify creditworthiness, including through access to the Bank of Italy's Risk Centre, for the establishment of the relationship and its management;

• carry out all the activities to recover the sums lent.

B) (direct marketing) - subject to the express consent of the Data Subject - promotion and sale of Services carried out by telephone, through advertising material, automated communication systems, etc. Market surveys and customer satisfaction surveys also carried out through the work of specialised companies through interviews, questionnaires, online surveys aimed at the specific proposal of products and services within the scope of their activity or through the other Joint Controllership companies also within the scope of their activity.

C) (commercial and promotional communications - direct marketing carried out by third-party companies) - subject to the express consent of the Data Subject - communicate the data to the Joint Controllership companies as well as to their partner companies that may process them to provide promotional and/or commercial information as well as send promotional advertising material or carry out commercial communications about their products, sales activities of payment or financing services and other activities of the aforementioned partner companies, or carry out market research.

3. Legal bases and data retention times

The legal basis for the purposes referred to in letter A are the contractual or legal obligations to which the Data Controller is subject. The Personal Data provided are necessary in order to provide the Services and all the activities related to the execution of the contract, as well as to comply with current legal regulations; the failure, partial or incorrect provision of the same could result in the impossibility of fulfilling contractual and legal obligations. The Personal Data will be processed for a period of time equal to the minimum necessary, i.e., until the termination of any pre-contractual and contractual relationships in place with the Data Controller, taking into account the terms of the legal prescription. In any case, except for the specific legislation of the financial and credit sector, the data will be kept for no more than 10 years from the end of the relationship which coincides with the statutory terms, except for the time necessary for the protection of the legitimate interests of the Data Controller. In any case, the principles of necessity, proportionality and non-excess will apply.

The legal basis for the purposes referred to in letters B and C is the prior, express consent of the Data Subject, possibly given by the same through the Portal. Said communications can be made by sending emails, by telephone, or by sending advertising material, by message or even by social media. Failure to provide consent for these specific purposes has the sole consequence of not being able to carry out commercial communication activities. The data provided for the aforementioned purposes will be kept for the period necessary for each purpose and in any case until the consent of the Data Subject is revoked, and regardless no later than two years from the termination of the contractual relationship or consent renewal. In fact, as established by the GDPR, if the Data Subject has given consent to the Processing of Personal Data for one or more of the purposes for which it was requested, they can revoke their consent at any time, totally or partially, without prejudice to the lawfulness of consent-based Processing given prior to revocation. The methods for revoking consent are very simple and intuitive; simply contact the Processing Data Controller using the contact channels listed in this Policy.

4. Disclosure of Personal Data

The Personal Data will be communicated by the Data Controller to third parties ('Recipients') which carry out part of the processing activities and/or activities connected and instrumental thereto on behalf of the Data Controller

The aforementioned third parties are essentially included in the following categories: a) our employees and collaborators who have assumed an obligation of confidentiality and comply with specific rules for processing Personal Data and who are all appointed as Authorised to process; b) companies that carry out IT, banking, insurance and financial services; - c) subjects operating in the management of national and international systems for the control of fraud, - d) subjects to whom the right of access to Personal Data is recognised by provisions of law and secondary legislation or by provisions issued by Authorities entitled to do so by law – e) third parties who carry out or provide specific services strictly necessary for the establishment and execution of the contractual relationship (including through continuous processing), such as: - IT services companies; companies that perform payment services, etc.; - companies operating in digitisation, digital signature and certified email services; - f) persons, companies, associations or professional firms that provide services or assistance and consultancy activities, with particular, but not exclusive, reference to matters relating to accounting, administrative, legal, tax and financial matters; - auditing and certification companies of the financial statements or statutory auditors; - g) companies that carry out promotional, marketing or commercial activities, market research and service quality surveys; - h) companies that provide services related to debt collection and services connected and instrumental to managing the relationship with the Data Subject; i) other credit intermediaries, credit mediation companies or agencies in financial activities; - l) suppliers of goods or services – m) information providers (Cerved, Info Camere, Crif, etc.) n) other public authorities or public bodies for the fulfilment of legal obligations (including in the field of anti-money laundering) to which the Data Controller is subject, and any other public entity entitled to request the data, in the cases established by Law.

5. Transfer of Personal Data

The Personal Data will be processed by the Data Controller within the territory of the European Union. If for technical and/or operational reasons it becomes necessary to rely on subjects located outside the EU, the transfer of Personal Data, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of the GDPR. All necessary precautions will therefore be taken in order to guarantee the fullest protection of the data by basing this transfer: (i) on adequacy decisions of the recipient third countries expressed by the European Commission; (ii) on adequate guarantees expressed by the recipient third party pursuant to Article 46 of the Regulation; (iii) on the adoption of binding corporate rules.

6. Respect for Data Subject rights: Articles 15, 16, 17, 18, 19, 20, 21, 22 and 77 of the GDPR.

The Data Subject is informed of the existence of the right of access to personal data, rectification, cancellation, limitation of processing, notification, data portability, opposition, not to be subject to a decision based solely on automated processing, which may be exercised at any time to the processing of Personal Data. We remind you that the Data Subject has the right to withdraw consent to the processing of data at any time, without prejudice to the lawfulness of the processing based on the consent given prior to revocation (Article 7, paragraph 3 of the GDPR). Pursuant to Article 77 of the GDPR, the Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State where they usually reside, work or in the place where the alleged violation occurred.

For a more precise explanation of these rights, the Data Subject can obtain further information in the Web Privacy Policy of the Portal.

7. Contacts

To exercise rights or for any request or need related to this Disclosure, the Data Subject can contact the Data Controller or other Joint Controller at the email address: privacy@opyn.eu or the Data Protection Officer at the contact addresses indicated above.

The Data Controller