Privacy, Data Control and Processing Policy

1. Introduction

Terms and definitions are used in accordance with Terms of Use. Defirex needs to collect and use certain types of information about Users (data subjects) that wish to participate in the Platform managed by Defirex. The personal information must be collected and dealt with appropriately in accordance with the company AML and KYC policies and in accordance with this Privacy Policy drawn up in accordance with the Estonian personal data protection act and International standards. In accordance with the provisions of GDPR any User who provides his/her information confirms that he/she understands and accepts the reason for the gathering of information and consents to the processing of information. Any User is entitled to know who is responsible for the processing of his or hers personal data. Any data collected during the work of the Platform whether is collected on paper, stored in a computer database, or recorded on other material is subject to this policy and is protected under the applicable law and the GDPR provisions regarding data control and processing.

2. Data Protection Officer

Defirex and its officers and employees shall be collectively referred to as the Data Protection Officer under this policy and in accordance with the relative provisions of the GDPR, which means that it determines what purposes personal information held will be used for. It is also responsible for cooperating with the state regulatory organs regarding the correct application of the state legislation, and the correct use and disclosure of information. The Data Protection Officer and Defirex in accordance with GDPR take upon themselves the following obligations: - Implement measure to ensure the compliance with GDPR; - Implement the necessary security measures to protect the rights of the data subjects when gathering and processing data; - Conduct data protection impact assessments of high risk processing activities; - Implement the valid data breach notification.

3. Disclosure

Defirex may share data with the state regulatory organs and other authorities when that is required by the applicable law or the provisions of the AML policy. The Platform User will be made aware in most circumstances how and with whom their information will be shared. Every Platform User shall agree with this policy and shall consent to his/her data being used in accordance with the provisions of this policy and the AML policy regarding analysis of data and disclosure of data. There are circumstances where the law allows Defirex to disclose data (including sensitive data) without the data subject’s consent. These are: - Carrying out a legal duty or as authorised by the Financial Inspection of Estonia or any other competent legal authority. - Protecting vital interests of any party, including the Platform User. - The information was already made public by other third parties. - For the conducting of any legal proceedings, obtaining legal advice or defending any legal rights. - Disclosing data to state authorities under the AML policy in order to avoid or prevent money laundering. Any User shall have the right to obtain from the Data Protection Officer the erasure of personal data concerning him or her without undue delay and the Data Protection Officer shall have the obligation to erase personal data without undue delay where one of the following grounds applies: - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; - the data subject withdraws consent on which the processing is based (such a withdrawal constitutes that the User understands that Defirex will be entitled to terminate all cooperation with such a User); - the personal data have been unlawfully processed; - the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which the Data Protection Officer is subject. The information (personal data) may not be removed if the information was gathered: - for exercising the right of freedom of expression and information; - for compliance with a legal obligation which requires processing by Union or Member State law to which Defirex is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Protection Officer; - for reasons of public interest in the area of public health; - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; - for the establishment, exercise or defence of legal claims. - to this end, Defirex will adhere to the Principles of data protection set by the GDPR and the valid legal provisions of the Estonian personal data protection act. Specifically, the Principles require that personal data: - Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met. - Shall be obtained for the purpose of the AML policy and shall be processed in order to adhere to the risk analysis under the AML policy or in order to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Protection Officer, or when it is necessary for the purposes of the legitimate interests pursued by the Data Protection Officer or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor. - Shall be adequate, relevant and not excessive in relation to those purposes. - Shall be accurate and, where necessary, kept up to date. - Shall not be kept for longer than is necessary, but for no less than set by the AML policy. The gathered data is processed for the period that is reasonably necessary for the set purpose for which it was initially obtained. - Shall be processed in accordance with the rights of data subjects under the Estonian personal data protection Act and the provisions of GDPR. - Shall be kept secure by the Data Protection Officer who takes appropriate technical and other measures to prevent unauthorized or unlawful processing or accidental loss or destruction of, or damage to, personal information. Defirex will, through appropriate management and strict application of criteria and controls: - Observe fully conditions regarding the fair collection and use of information. - Meet its legal obligations to specify the purposes for which information is used. - Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements. - Ensure the quality of information used. - Ensure that the rights of the User about whom information is held, can be fully exercised under this policy. - These include: - The right to be informed that processing is being undertaken, - The right of access to one’s personal information, - The right to provide information necessary to correct the information, should it be inaccurate. - Take appropriate technical and organizational security measures to safeguard personal information. - Ensure that personal information is not transferred abroad without suitable safeguards as set by chapter 5 of the GDPR.

4. Data Collection and Control

Informed consent is when: - Any Platform User clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data. The access to the AML policy and this Privacy policy are considered sufficient to provide the Platform User with access to all the necessary information. - And then gives their consent by accepting the Terms of Use. - Clearly understands why the information is needed. - Understands what it will be used for and what the consequences are should the User decide not to give consent to processing. - As far as reasonably possible, grants explicit consent by creating a User account on the Site of Defirex and using the Platform by filling out the requested forms. - Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress. - Has received sufficient information on why his/her data is needed and how it will be used.

5. Data Storage

Information and records relating to Users will be stored securely and will only be accessible to Data Protection Officer. Information will be stored for only as long as is needed under the AML policy or required legal act and will be disposed of appropriately.

6. Data Access and Accuracy

All Platform Users shall have the right to access the information Defirex holds about them. Defirex will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes. In addition, Defirex will ensure that: - Everyone processing personal information understands that they are contractually responsible to follow good data protection practice. - Everyone processing personal information is appropriately trained to do so. - Everyone processing personal information is appropriately supervised. - It deals promptly and courteously with any enquiries about handling personal information. - It will regularly review and audit the ways it holds, manages and uses personal information. - It regularly assesses and evaluates its methods and performance in relation to handling personal information. - All staff members are aware that a breach of the rules and procedures identified in this policy may lead proper legal action taken against them. This policy will be updated as necessary to reflect best practice in data management, security and control. The User shall have the right to obtain from the Data Protection Officer restriction of processing where one of the following applies: - the accuracy of the personal data is contested by the data subject, for a period enabling the Data Protection Officer to verify the accuracy of the personal data; - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; - the Data Protection Officer no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; - the User has objected to processing pending the verification whether the legitimate grounds of the Data Protection Officer override those of the data subject. Any User whose data is being gathered and processed under this policy has the right contact the Data Protection Officer on the following matters: - the purposes of the processing; - the categories of personal data concerned; - the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; - the existence of the right to request from the Data Protection Officer rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; - the right to lodge a complaint with a supervisory authority; - where the personal data are not collected from the data subject, any available information as to their source. Any User shall have the right to obtain from the Data Protection Officer without undue delay the rectification of inaccurate personal data concerning him or her. In case of any queries or questions in relation to this policy, please contact the Defirex Data Protection Officer at