PRIVACY NOTICE

As a personal data controller, we are committed to protecting our users' privacy. Keeping the information you share with us secure and ensuring your understanding of how we collect, use, and maintain your personal information is important to us at Kredium. Therefore, we treat your personal data in line with the applicable data protection laws and highest international standards of personal data protection. We also continually assess new technology for protecting information and, when appropriate, we upgrade our information security systems accordingly.

We will not make your Personal Data available to third parties for any purposes other than as described in this Privacy Notice, and we will never sell your Personal Data.

In order to make the personal data processing transparent, we have made available this Privacy Notice which provides relevant information on our data processing activities, the security of your personal data, and rights of data subjects, all in connection with data processing for the purpose of providing you with our services.

Please read this Privacy Notice before using our Website and our Services or submitting personal information to us. Any changes to the Notice will be posted on this page. You are encouraged to check the page regularly as the changes will be binding once posted on the site.

I Definitions

When used in this Privacy Notice, the following terms have the following meaning:

“Personal Data” or “Personal Identifiable Information” (PII) means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life, or sexual orientation.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Subject” means an identified or identifiable natural person to which the Personal Data pertain (Data Subjects).

“Data Controller” means the entity which, alone or jointly with others, determines the purposes of the Processing of Personal Data.

“Data Processor” means the entity which processes Personal Data on behalf of the Data Controller.“Recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

“Data Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration, destruction, and all other forms of unlawful data Processing, including measures to ensure the confidentiality of Personal Data.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

This Privacy Notice is an integral part of Kredium’s Terms of Service. All terms used in this Privacy Notice that are not otherwise defined shall be construed as defined in Kredium’s Terms of Service. Any matter not contained in this Privacy Notice shall be subject to Kredium’s Terms of Service as provided to and accepted by you.

II Who we are

We are Kredium, a corporation organized and existing under the laws of the United Arab Emirates, with the registered address at Office 13 & 14 Ground Floor, The Iridium Building, Umm Suqeim Road, Al Barsha 1, PO Box 418766, Dubai, United Arab Emirates and the company number 1040588 (“Kredium” or “Company”).

The Company has appointed its Data Protection Officer (DPO) whom you may contact for all the inquiries related to personal data processing, as well as for exercising your privacy rights. You may contact our DPO by one of the following means:

• Sending an email to: info@kredium.ae

III Types of Data we process

In order to provide our services, we collect and process the following types of data:

a) Directly from clients:

• Personal data (name, last name, email, phone number, year of birth, home address, UAE residency status),
• Data on the purchased real estate (address, number, city, price, purpose, and type of property),
• Data and documents for the purposes of the loan application which may depending on the case include gross salary, information about savings or other available finances, payslips, proof of previous employment, additional bank statements; Emirates ID, details of passport, and visa if you are a UAE expat; copy of passport and latest salary certificate with length of employment and position if you are a UAE non-resident).

b) indirectly:i. Usage DataWe may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. This usage data may be processed for the purposes of analysing the way the website is used. However, where we collect usage data through non-essential cookies, we may request your consent. For more information, please check our Cookie Policy.

ii. Enquiry Data

We may process information contained in any enquiry you submit to us such as your first, and last name, email and phone number, and content of the message.

The enquiry data may be processed for the purposes of responding to you and offering, marketing, and selling relevant services to you. The legal basis for this processing is your consent.

iii. Location DataWe may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service, to improve and customize our Service. You can enable or disable location services when you use our Service at any time, through your device settings.

iii. Tracking & Cookie DataWe use cookies and similar tracking technologies to track the activity on our website and store certain information.

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser on your device. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

For more details on how we use cookies on our website, please visit the following link: Cookie Policy.

iv. Job application data

We may process your information like your contact details, your CV, and your cover letter ("job application data"). Depending on the personal data you provide to us, the job application data may include your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details, and employment details.

The application data may be processed for the following purposes: to assess your skills, qualifications, and suitability for the role, to communicate with you about the recruitment process, and to keep records related to our hiring processes.

The legal basis for processing Job application data is your consent. We may retain personal data from your CV for as long as it is necessary for our recruitment process but not longer than one year. You may withdraw your consent at any time by sending us an email on info@kredium.ae .

v. Other Data

We may process any of your personal data identified in this Notice where necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings, or in an administrative or out-of-court procedure.

We may process any of your personal data identified in this Notice where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice.

In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests, or the vital interests of another natural person.

Please do not supply any other person's personal data to us, unless we ask you to do so.

IV Legal Basis and Purpose of Data processing

Kredium may process your personal data for one of the following purposes, based on the specific legal basis:

• The legal basis for data processing for the purpose of providing a brokerage service in order to conclude a loan agreement is performance of contract. Once you have given your consent, you can revoke it at any time, in one of the ways described in Section XII – Data Subjects’ Rights. Explicit consent is required to process specific types of personal information that is necessary to provide certain services or products. Please note that if you revoke your consent for the processing of personal data necessary in order to provide our services, we will not be able to provide you with the desired service;
• The legal basis for processing your personal data is performance of contract concluded between you and us, or for taking action, at your request, before concluding the contract itself. Namely, data processing is necessary for the purposes of providing our Services to you. If you refuse to provide the information required for this purpose, the Company will not be able to enter into a contract with you or provide you with the requested service;
• The Company may process your personal data also when processing is necessary in order to comply with the statutory obligations of the controller (for example: compliance with the statutory obligations of the controller prescribed by the Law on Prevention of Money Laundering and Terrorist Financing, to meet the requirements of competent state authorities, etc.). The processing of data that is necessary for the purpose of complying with the law and fulfilling the prescribed legal obligations does not require the consent of the data subject;
• The Company may process your data when that processing is necessary in order to protect your vital interests or the vital interests of another individual;
• The Company processes personal data only for the purposes for which the data were collected.The purpose for which the Company processes data depends on the type of products and services you contract with us, where all data are processed to fulfill the purpose for which they are collected (to provide you with the most favorable offers and conditions for obtaining a home loan from Lenders).

Direct Marketing

Subject to the following paragraph, and as already mentioned above, we may use your Personal Data for marketing purposes, in particular to display to you or present you with advertisements and promotional materials, or to provide you information about our new products and other such information which we believe may be of interest to you, based on your use of and your interests in our Services, always provided that such use complies with applicable law.

Depending on the jurisdiction you reside in and in accordance with applicable law in your country, we will ask you to expressly consent to receiving marketing material or product information before we send you any marketing or promotional material.

You can change your mind about your preferences in respect of direct marketing at any time by using the unsubscribe button on every marketing communication, by updating your user profile or account data or by contacting us as detailed in this Privacy Notice. If you do so, note that we will not remove your Personal Data from our databases to the extent that this Personal Data is still required by us under the terms of this Privacy Notice or otherwise to continue to provide you with our Services.

V Sharing of your personal data with third parties

The Company has the right to disclose personal data and documentation related to a client, as well as data related to concluded Contracts with a client, to third parties, as follows:

• Lenders based on the cooperation agreement entered into between Kredium and Lender;
• Credit bureaus, insurance companies, and all other entities who, due to the nature of the work they perform, must have access to such data, in accordance with the relevant regulations;
• Individuals with whom the Company has concluded an Agreement regulating the handling of confidential information;
• Bodies and individuals to whom the Company is obliged by law to submit appropriate data, including persons to whom your data are disclosed for the purpose of executing the contract we have concluded with you;
• Service providers - We may disclose your Personal Data to companies that provide services to us, such as companies that provide cloud computing services. The service providers are required to keep your Personal Data confidential and are not permitted to use your Personal Data for any other purpose than to carry out the services they are performing for us;
• For litigation and security purposes: We may also disclose your personal information if required to do so by law, or in our good faith that such action is reasonably necessary to comply with legal provisions, to comply with a legal requirement, or to protect security, or the rights of the Company, its clients or the public;
• In case of merger or acquisition of all or part of the Company by another company, or in case Kredium sells or otherwise disposes of all or part of the Company's business, the acquirer would have access to information available to the Company, which may include personal data, in accordance with applicable law. Similarly, personal data may be transferred as part of a corporate reorganization, insolvency proceeding, or other similar event, if permitted, which will be done in accordance with applicable law;
• Other third parties with your consent - We may also share your Personal Data with other third parties when you consent to such sharing.

The Company will never share your personal information with any third party that intends to use it for direct marketing, unless we have previously notified you, and you have given us explicit consent to do so.

VI International data transfers

Your Personal Data will be processed by Kredium that is located in Dubai, United Arab Emirates. In addition, when we share your Personal Data with other entities for purposes of providing you services, (as described in the section above on Sharing of Your Personal Data with Third Parties), such companies may be located outside the United Arab Emirates.

Before transferring your Personal Data outside the United Arab Emirates, we will take steps to ensure that such data will be afforded the same level of protection as under applicable data protection laws in the United Arab Emirates and in accordance with the General Data Protection Regulation where it applies . For data transfers outside of these territories, the Company uses applicable safeguards, including the standard contractual clauses adopted by the European Commission, where appropriate, and will make available a copy to you upon request.

VII Data Retention

Your Personal Data will be retained only for so long as reasonably necessary for the purposes set out above, in accordance with applicable laws, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. If a deletion of your Personal Data would only be possible with unreasonable efforts, we will anonymise it instead of deletion. We will not collect Personal Data about you that is not necessary for the purposes it is collected for.

VIII Privacy of Children

All processing of personal data presented in this document refers exclusively to persons aged at least 18 years. The use of the system, as well as the results of processing, is prohibited for children under this age without the consent of their parents / guardians. In the event that, despite our reasonable efforts to prevent this, such processing occurs, we will discontinue it after noticing the fact that the users are younger than the stated age.

IX Security of Data

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

X Automated decision making and profiling

The personal data referred to herein may be subject to automated decision-making, including profiling. Based on the data you provide to Kredium and upon your consent, your profile will be provided to a Service Provider. The purpose of this type of processing is to provide you with the Services based on your consent for data processing. In this case, You as a Data Subject have the right to challenge the decision made in the automated decision-making process, explained in section XII of this Notice.

XI Links To Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Notice of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

XII Data Subjects’ Rights

Within the context of processing of your personal data, you have the following rights:

a. The right to access your data

The right of access implies that the Data Subject may obtain from the Company information on whether his or her personal data are being processed and, if so, permission to access his or her personal data and obtain information on the processing. Upon request, the Company will provide a copy of the personal data it processes. For additional requests, the Company may charge a reasonable fee for administrative costs. If the request is submitted electronically and unless otherwise requested, the Company will submit the information in electronic form.

b. The right to request the rectification or erasure of personal data

At the request of the Data Subject, the Company will correct the personal data that are inaccurate or supplement the incomplete data. At the request of the Data Subject, the Company will delete his/her personal data if the conditions prescribed by the Law are met (e.g. if the purpose for which they were collected was met, if the consent for processing was withdrawn and there is no legal basis for processing). The Company may not delete personal data: if the obligation to process them is prescribed by law or the processing is mandatory for reasons of public interest protection (e.g. acting on behalf of a state body) or is necessary to protect the Company's interests such as initiating, filing or defending a legal request (e.g. filing a lawsuit, etc.).

c. The right to request the restriction of processing

At the request of the Data Subject, the Company will restrict the processing of his/her personal data in cases prescribed by law.

d. The right to data portability

At the request of the Data Subject, the Company shall provide personal data in a structured, commonly used, and machine-readable form (e.g. on a computer) and allow it to be transmitted to another controller without interference by the Company if the following conditions are met: (a ) processing is based on consent or is necessary for the execution of the contract and (b) processing is performed automatically. This right includes the possibility to require the Company to transfer personal data directly to another controller if technically feasible.

e. The right to withdraw your consent for processing

You have the right to revoke your consent for processing of personal data at any time, however, please note that the revocation of consent does not affect the admissibility of processing on the basis of consent prior to your revocation.

You can revoke your consent by submitting a request to revoke the consent via the Company's email, by sending a letter to the address of the Company's registered office or by submitting the letter directly to the Company's premises with the reference "for Personal Data Protection Officer".

If you revoke your consent for processing of personal data that are necessary for the performance of our services, we will not be able to provide you with the desired service.

g. The right not to be subject to a decision based solely on automated processing, including profiling

Within the business relationship between the Company and the Data Subject, and in order to exercise the rights and obligations arising from it, the Company may process client’s data in whole or in part in an automated manner, in order to offer and provide services that meet the specific needs of the Data Subject, as well as in order to improve the Company's business relationship with clients.

If he/she considers that his/her rights have been violated by a decision made in an automated decision-making process, the Data Subject has the right to challenge such a decision, express his/her position and request that the decision be reviewed with the participation of an authorized employee of the Company.

h. The right to file a complaint with the competent Data Protection Authority and the right to address the competent courts of law.

The data subject has the right to file a complaint with the competent Data Protection Authority or similar body handling data protection complaints if he/she considers that the processing of his/her personal data is carried out contrary to the provisions of the Law or other applicable regulations. Also, Data Subjects can address the courts in order to exercise their data protection rights.

However, before addressing these institutions, we encourage you to contact us by email on info@kredium.ae .

The exercise of these rights is possible at any time.

Likewise, in case you want to withdraw your consent given for direct marketing purposes, you may use the “withdrawal” option offered in every marketing communication.

XIII Obligation to provide data

Providing your personal information allows us to perform the service for which you hired us. However, if you refuse to provide us with any requested information - we will not be able to perform the service for which you hired us, nor will we establish a contractual relationship with you, i.e. we will have to terminate the already established contractual relationship.

XIV Amendments to this Notice

The Company may from time to time change and update these privacy policies as necessary. The Company will notify you of any changes to this Privacy Notice, and will ensure that the notification is made in a manner that ensures your confirmation, for example, by using the email address you have provided to us, or in any other appropriate manner that allows effective communication.

XV Contact

Any questions regarding this document can be addressed to the Company’s Data Protection Officer, via the following email info@kredium.ae .

Updated on 17^th May 2022