Privacy Notice

LunaPay Limited, registered in England and Wales under number 12409501 with registered address London City Point, 1 Ropemaker St, London, England, EC2Y 9HT (referred to as "LunaPay", "we", "us" or "our" in this notice) respects your privacy and is committed to protecting your personal data and corresponding rights. This privacy notice explains what personal data we collect, on what basis we collect it, for which purposes we collect it, who we share it with, how long we keep it for, and what legal rights you have. In accordance with our obligations emanating from the data protection legislation, we are registered with the data protection authority of the United Kingdom, the Information Commissioner's Office (ICO). We have appointed a Data Protection Officer (DPO) who is the focal point of contact in case you have any queries in regard to matters related to data protection. You may contact our DPO by writing to the following email: dataprotection@lunapay.com.
What personal data do we collect?
In order to provide you with our services, we need to obtain certain data about you. Overall, the information in question can be classified as follows:
Personally identifiable data
Personally identifiable data includes information gathered when you register to use our website, apply for our services, open an account, search for a product or service, place an order on our website, enter a promotion or a survey, and when you report a problem with our website. The information that you give us may include but is not limited to your name; address; e-mail address and phone number; financial and credit card information; government-issued identification documents; other personal information, that you may reasonably need to provide in order to register and use our services. When we conduct fraud monitoring, prevention and detection activities, we may also receive personally identifiable data about you from our business partners, financial service providers, identity verification services, and publicly available sources (e.g., name, address, phone number, country), as necessary to confirm your identity and prevent fraud. Our fraud monitoring, detection and prevention services may use technology that helps us assess the risk associated with an attempted transaction that is enabled on the merchant's website or the application that collects information.
Technical data
Browser and device data are automatically collected by us when you are visiting our website. This information includes but is not limited to your name: the Internet Protocol (IP) address used to connect your computer to the Internet; unique device identifier; location; login information; browser type and version; time zone setting; browser plug-in types and versions; operating system and platform; the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); referrer URL; products and services you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); and methods used to browse away from the page; and any phone number used to call our customer service number.
Transaction data
Transaction data is automatically collected by us when you are visiting our webpage. This information includes but is not limited to your name: date; time; amount; currencies used; exchange rate; beneficiary details; details and location of the merchant; IP address of sender and receiver; sender's and receiver's name and registration information; messages sent or received with the payment; device information used to facilitate the payment and the payment instrument used.
Special categories of personal data
Previously known as sensitive personal data, this refers to data about an individual which is more sensitive and so requires more protection. This type of data could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The special categories include information about an individual's: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sexual orientation. As a general rule, we do not collect or process special categories of personal data. However, it is possible that we may hold special category data when it is included in documentation that you have given us (for example, an ID document). When this is the case, LunaPay shall only process this information in strict accordance with the law.
How we process your data?
Your personal data will only be processed for specific, explicit and legitimate purposes in accordance with the data protection principles. The core principles to which LunaPay adheres are the following:
• Lawfulness, fairness and transparency: we process data only in a lawful manner, which is fair and transparent within its means and aims;
• Data minimisation: we do not collect, store, or process more information than is reasonably required in order to achieve a particular aim;
• Accuracy: we keep all data accurate and up-to-date, and where relevant correct any wrong information;
• Storage limitation: we keep data in a form that allows your identification for no longer than is necessary for the purposes for which it was collected;
• Integrity and confidentiality: we store and process the data in a manner that ensures appropriate security of the personal data;
• Accountability: we are accountable for following our data protection obligations.
On which basis and for which purposes we collect and process the data?

We mostly use your personal data in order to provide you with the services which are offered by us. In order to do so, we rely on three legal bases while processing your data. Depending on the scope of data in question and the purpose of processing, we will rely on a different legal basis. Below you may find a description of the legal bases on which we rely, with a description of the purposes and types of data that we use.
Performance of contract
We rely on the basis of contractual performance whenever we are providing, or are planning to enter into a contractual relationship for the provision of, services to you. Such situations arise when you wish to register with LunaPay, open an account and benefit from the services which are offered by us. In such instances, we will collect a variety of information, such as:
• Personally identifiable data;
• Technical data;
• Transaction data.
All this information will be collected and processed for the sake of fulfilment of our lawful obligations which arise from the agreements which govern your and our relationship. We may share the provided information with third-party fraud prevention service providers and databases to verify your identity. We are obliged to perform such checks in order to comply with our legal obligations that emanate from the legislation dealing with the prevention of financial crime.
Consent
We rely on the basis of consent whenever we are contacting you regarding subscription to marketing, informing about services which we offer, requesting to accept cookies used on our website, conducting market research, or for other specific matters where you will be explicitly informed that we require your consent for the processing of information. In such instances we may collect the following types of data:
• Personally identifiable data;
• Technical data.
Legitimate interests
We rely on the basis of legitimate interests whenever there are compelling reasons for processing your data. In such instances we may process the following data:
• Personally identifiable data;
• Technical data;
• Transaction data.
Notably, for pursuing different legitimate interests we will use different types of data. We will employ the data for the sake of the following legitimate interests:
• To develop and provide a high-quality user experience and customer support;
• To further and keep our services of high quality;
• Keep you informed of the status of LunaPay services you use;
• To deal and improve how we deal with financial crime;
• Being efficient about how we fulfil our legal and contractual duties;
• To manage risk and protect the website, the app, the services and individuals from fraud;
• To help market and provide new relevant products and services;
• Check applications against certain fraud prevention databases.
As part of the processing of your personal data, decisions may be made by automated means. If you are rejected or negatively affected on the basis of an automated decision or automated profiling, you will be notified about this and you have the right to appeal.
Who we share your personal data with?
We share your data for the same purposes as are outlined above. Sharing of data is required in order for us to be able to provide high-quality services to you. The parties with whom we share your data may include:
• Financial institutions, payment systems and card associations with whom we work together to develop or provide a product or service, to execute transactions, to resolve conflicts and to investigate and prevent fraud;
• Other transaction participants;
• Other companies that provide services to us. We may share personally identifiable information with other partners who provide services and functions on our behalf. These partners, for example, provide services to you as defined in our service agreements and/or offer additional functionality that you have requested;
• Third-parties for our business purposes or as permitted or required by law;
• With relevant authorities/third parties to investigate violations of any agreements or other legal provisions applicable to our services or to enforce legal rights.
Should you wish to receive a list of our data recipients with whom we shared your data, please contact our DPO.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to 'international frameworks' intended to enable secure data sharing.
To provide truly outstanding services we partner with and use service providers that are based outside the European Economic Area. We will only partner with organisations that meet the ICO and EU Commission's data privacy requirements and where a contractual agreement is in place to protect your personal data and rights.
In all cases, we will only share the personal data that is absolutely necessary to provide our services, fulfil our obligations to you, and to fulfil any legal or regulatory requirements.
How long we keep your data?
LunaPay keeps your data for no longer than is necessary in accordance with our obligations and legislation setting out the timeframes for the retention of information. As a general rule, we hold your data for a period of 5 years from the end of the business relationship or last transaction, whichever occurs last. In cases where your data relates to the merchant account we may be required to hold the data for a period of 7 years. The information which concerns transactions is retained for a period of 10 years while we are in a business relationship. There are a couple of exceptions which may be applicable to these general time-periods:
• Our legal obligations establish that we must hold your data for a longer period, or delete it sooner.
• You exercise your right to have your personal data erased from our systems prior to the expiry of the period of retention.
• We have a legitimate reason to keep it (for example, helping us to respond to queries or complaints, to show that we have given you fair treatment, in the fight against financial crime).
Cookies
A cookie is a small file and holds a certain amount of data, which our website can send to your browser. It may then be stored on your computer's hard drive and can be accessed by our web server. This cookie data can then be retrieved and can allow us to customise our web pages and services accordingly. It is important to clarify that cookies do not collect any personal data stored on your hard drive or device.
Our website uses these "cookies" to collect information and to improve our services. You have the option to either accept or refuse these cookies. If you choose to refuse our cookies, some of our services may not be available to you.
The cookies used on our website fall into three categories:
• Functional: These cookies are used to enable core website functionality and do not contain any personal information.
• Analytics: These cookies allow us to count page visits and traffic sources, so we can monitor and improve the performance of our website.
• Advertising cookies: We partner with affiliate networks and other websites to help promote LunaPay. If you use their websites or have come to our site via these affiliates, then their cookies will be sent through our website.
When you enter our websites for the first time, we provide you with an opportunity to accept or decline the usage of cookies. You will have a possibility to granularly accept cookies, meaning that you will have a choice on what type of cookies you will allow. You can also delete and block cookies at any time from this website through your browser. However, note that some features on this website will not function without cookies.
Your rights
Data protection legislation offers you a number of rights that you may exercise that we will respect. Here we would like to briefly outline the relevant rights which you have:
Right to be informed
We have a duty to inform you of the way that we process and store your data. In order to comply with this right, we have posted this privacy notice on our website. In addition, you may at all times ask us for clarifications regarding our practices that relate to your data.
Right of access
You have the right to be informed regarding the personal data which we hold about you. If you wish to ascertain the exact scope of data, you may request us to provide you with such information. A small fee will be payable if the request will be excessive or manifestly unfounded (for example, where you make repetitive requests to supply you with the information).
Right to withdraw consent
At all times during our collaboration, you have a right to withdraw your consent and hence not supply us with your information, stop using our services and stop our collection from third-parties.
Right to rectification
You may request us to correct any information which you believe is incorrect or incomplete. In such an instance, you may be required to reveal to us the erroneousness of such data.
Right to erasure
You may request us to erase any information which we hold about you. We will follow up with your request if there is no compelling reason for us to retain such data. You should keep in mind that we are subject to legal obligations and hence, in certain instances, we must retain certain data regardless of your request for us to erase it.
Right to restrict processing
You have a right to restrict, block, or otherwise suppress the processing of personal data. Kindly note that in such an instance, LunaPay is permitted to store data if its processing has been restricted, but not to process it further.
Right to data portability
You have a right to request us to provide you or another third party with data that we hold about you in a commonly used format. In such a case, we will provide the data in a structured, commonly used and machine-readable format. This would normally be a CSV file, although other formats are acceptable.
Right to object
You can object to any of our actions or inaction in relation to the handling of your personal information. We would prefer that complaints are emailed to complaints@luna-pay.com, but you may register your complaint via any of our customer service channels.
If we fail to resolve your complaint to your satisfaction, you may pursue your complaint via the Information Commissioner's Office. Details of how to do so can be found at https://ico.org.uk/make-a-complaint/
How you may exercise your rights?
If you wish to exercise any of your data protection rights, you may send us an email to: dataprotection@luna-pay.com. If you believe that the processing of your personal data violates the applicable data protection law or your data protection rights have been violated in any way, you may choose to file a complaint with the Information Commissioner's Office by calling +44 303 123 1113 or filing a report over the Internet at https://ico.org.uk/concerns/. If you are residing in another country, you may contact your competent national authority responsible for data protection.