2.2. Source of Data
Information We Collect Automatically
We collect Personal Data automatically through cookies and action tags. This information helps us diagnose technical issues, administer our site, and identify visitors.

Cookies: We use cookies on our website to gather data about your visit, including usage data and other information automatically collected from your browser or mobile device. This may include your IP address, browser type and version, preferred language, geographic location (via IP address, GPS, wireless, or Bluetooth technology), operating system, and device. Cookies also allow you to navigate our website smoothly, count visits, and track popular areas and features.

Action Tags: We may use action tags to track pages you visit and how you interact with content on those pages. These tags help us identify you if you're logged into our website or our Android and iOS mobile apps. Action tags may also be used in emails to see if an email was opened or forwarded. When using our mobile apps, action tags may track your activity on websites linked from the apps.

For more information on the cookies we use and how to control your cookie settings, please refer to our Cookie Notice.

We also use third-party analytics tools to collect data about your device and internet connection, such as your IP address, geolocation, browser type, movements on our online services, and websites you visited before and after accessing YoWealth's services. This data helps us understand and improve the use of our services.

We also collect data about your use of our Android and iOS mobile apps, including actions like installation, registration, and navigation within the apps. This information is used to improve our apps.

By clicking links or enabling connections to third-party services, you allow those parties to collect or share data about you. We are not responsible for third-party websites or their privacy practices, so we encourage you to review their privacy statements.

Your browser settings may allow you to send a 'Do Not Track' signal to websites. Currently, we do not respond to these signals, but if we do in the future, we will update this Privacy Notice accordingly.

Information From Third Parties and Publicly Available Sources
For more details on information we obtain from third parties, please refer to the table in Addendum 1.

2.3. Legal Bases for Processing Your Personal Data
We will only use your Personal Data when the law permits us to. Most often, we process your Personal Data under the following circumstances:

Consent
When you provide us with your consent, such as granting access to your contacts or location. You have the right to withdraw your consent at any time. To withdraw consent, simply go to the privacy settings in our Android or iOS mobile apps or contact us at support@yowealth.com.

Contract
When we need to fulfill a contract with you, such as when you accept our terms and conditions or other agreements related to the services we provide. If we require personal data under a contract and you do not provide it when requested, we may not be able to offer certain services as part of that contract. In this case, we may need to cancel the service, and we will notify you accordingly.

Legal or Regulatory Obligation
When we are legally required to collect personal data. If you do not provide the requested data, we may not be able to offer our products or services under the contract. In such cases, we will inform you if we must cancel a product or service. For information about how we process your personal data for anti-money laundering purposes, please refer to our AML/KYC Privacy Notice.

Legitimate Interests
Legitimate interest refers to the broader benefits YoWealth gains from processing your personal data. For examples, please refer to the table in paragraph 2.1. When we rely on legitimate interests, we ensure that we consider and balance any potential impact on your rights before processing your data.

2.4. Purposes
We have outlined the ways we use your personal data, along with the legal basis for doing so, in the table found in paragraph 2.1. This table also clarifies how we define our legitimate interests. Please note that we may process your personal data for several legal reasons.

Marketing
At YoWealth, we respect your choices regarding how we use your personal data, especially for marketing and advertising purposes. We will obtain your consent before sending third-party marketing communications via email or text message. You have the right to withdraw your consent to receive third-party marketing communications at any time by contacting us.

Promotional Offers from Us
We may use your identity, contact, technical, usage, and profile data to better understand what products or services may be relevant to you. This helps us determine which offers and services to promote (referred to as marketing). You may receive marketing communications from us if you have requested information or purchased services, and you have not opted out of receiving such communications.

Lookalike Advertising on Third-Party Sites
When we share your personal information with advertising partners (as described in paragraph 2.1), we may ask them to find people with similar interests and behaviors to yours and display our ads to them on social media platforms. This is based on personal information you've provided to third-party sites during your use of their services. You have consented to profiling activities carried out exclusively by these third parties according to their terms and conditions. This personal data may include demographic information (such as age or gender) and interest-based data. No personal information is shared with us. Additionally, we may share anonymized data to improve ad targeting, ensuring no risks to your rights and freedoms. When we act as the controller of this personal data, it is in our legitimate interest to enhance advertising effectiveness by targeting individuals with similar interests to our customer base.

Using Tools Provided by Advertising Partners
Advertising partners may offer tools that help us deliver ads to individuals who are more likely to be interested in our products and services. For example, an advertising partner might categorize you as a ‘crypto-enthusiast’ based on data they have collected about you through third-party sites. If we wish to display a crypto-related ad, these partners may use their tools to help us target ads to you, without sharing your personal information with us. When we control this data, we consider it in our legitimate interest to ensure that the ads we deliver are relevant to those receiving them.

Change of Purpose
We will only use your personal data for the purposes for which it was collected. Once we’ve fulfilled the intended purpose or the relevant storage periods have expired, we will delete your data.

3. Third-Party Links
Please note that our website, Android app, and iOS mobile app may contain links to third-party websites, plugins, and applications. Clicking on these links or enabling these connections may allow third parties to collect or share data about you.

We generally instruct all third parties on how to process your personal data in connection with our current or future agreements with you through a Data Processing Agreement. However, if third parties process your data independently of our services, we do not control their data processing practices or their websites, and we are not responsible for their privacy policies. Therefore, when you leave our online services or mobile apps, we encourage you to review the Privacy Notice or Privacy Statement of every website or app you visit. We are not responsible for the security of data transmitted over the Internet or for any data you store, post, or provide directly to a third-party website, as those sites are governed by their own policies.

That being said, we carefully assess all third parties we partner with to ensure they are leaders in their field, whether in security, compliance, or marketing. If you have any further questions regarding security, feel free to contact us using the contact details provided above.

For a more detailed list of the service providers we work with, please refer to Addendum 2. For more information on our data processing activities related to third-party data during onboarding, please see Addendum 4.

4. Information We Share; Data Transfers
YoWealth does not sell or disclose your Personal Data that you provide to us or that we collect through our website, online services, or mobile apps, except as outlined below:

• 1. YoWealth Group Companies: We may share your personal data with other entities within the YoWealth group when necessary for the performance of a contract. These entities may act as joint controllers to help us provide our services to you.
• 2. Service Providers: We share data with third-party service providers that help deliver customer benefits, such as airport lounge access and Wi-Fi services.
• 3. Marketing: If you’ve given consent, we may share your data with third-party marketers for promotional materials.
• 4. Professional Advisors: We may share your data with professional advisers such as lawyers, auditors, and insurers when needed.
• 5. Regulators and Authorities: If required, we may share data with regulatory bodies or authorities who need to be informed about processing activities under certain circumstances.
• 6. Legal Obligations: We may disclose your data if required by law or legal process, or where we believe it’s necessary for compliance.
• 7. Protecting Rights: We may share data to protect the rights, property, and safety of YoWealth, our users, and the public—such as in connection with legal proceedings or to prevent criminal activity or fraud.
• 8. App Ratings: Your ratings of our app may be processed through third-party service providers.
• 
  

YoWealth is headquartered in Gibraltar, but due to the global nature of our services, we operate in various regions including North America, South America, and Asia. As part of our global services, we may transfer your personal data to countries outside the European Economic Area (EEA). When transferring your data to "third countries," we take steps to ensure your data is protected by implementing safeguards, such as those required under applicable data protection laws.

1. When we work with certain service providers, we ensure that the contracts we use are compliant with European Commission-approved language to protect your Personal Data in the same way it is protected in Europe.

2. For providers based in the United States, we transfer data using Standard Contractual Clauses, which require them to provide the same level of protection for Personal Data as is required between Gibraltar and the US.

For more information on these measures, you can contact us at dpo@yowealth.com.

The Categories of Providers Table provides details on the types of third-party recipients, their activities, industries, and locations.

5. 5. Security Measures and Data Breaches

We have implemented robust security measures to protect your Personal Data from accidental loss, unauthorized access, misuse, alteration, or disclosure. All Personal Data entered on our website (e.g., through contact forms) is transmitted securely via encrypted channels (TLS - Transport Layer Security) to YoWealth and stored in a secure manner.

Access to your Personal Data is strictly limited to employees, agents, contractors, and third parties who need it for specific purposes. These individuals are bound by confidentiality agreements and follow strict access control procedures outlined in our service agreements and internal policies.

To ensure the highest level of protection, we employ state-of-the-art security tools and advanced cyber intelligence to monitor activities and detect potential threats. Additionally, no personal data is stored at our physical headquarters, located at One Grand Casemates Square, Gibraltar, minimizing the risk of breaches.

In the event of a suspected or actual Personal Data breach, we have established a Data Breach Procedure. As required by Gibraltar's data protection regulations, we will notify you if a breach occurs that may pose a risk to your rights and freedoms. We also comply with notification requirements set by the Gibraltar Regulatory Authority and any applicable laws in other jurisdictions. For more details, please refer to our Derogations Section.

6. 6. Protection of Minors

YoWealth does not knowingly collect or request Personal Data from individuals under the age of 18. If you are under 18, please refrain from attempting to register for our services or submitting any Personal Data to us. If we discover that a user is underage and has registered in violation of our Terms & Conditions, we reserve the right to close the account and notify the individual accordingly.

7. 7.Data Retention

We retain your Personal Data in our systems as long as your account remains active or as needed to fulfill the purposes for which we collected it and to provide our services. Additionally, we will retain your information to meet any applicable legal, regulatory, tax, accounting, or reporting obligations. Your data may also be retained for dispute resolution, complaint management, or the enforcement of agreements.

Retention periods for your Personal Data may vary depending on the jurisdiction, but we will retain your information in accordance with legal requirements. We have outlined the retention periods for different categories of data and processing purposes in a table format, detailing the specific legal basis for each. Please note, we may retain your Personal Data for more than one lawful purpose depending on the circumstances, and certain data may be retained longer due to the nature of distributed ledger technology.

In certain cases, we may anonymize your Personal Data so that it can no longer be associated with you for research or statistical purposes. Once anonymized, the data is no longer considered Personal Data, and we may use it without further notification to you.

8. 8. Your Rights and Choices
9. 
   

Right to Information
You have the right to be informed about how your personal data is processed. To ensure transparency, we have created this Privacy Notice to clearly explain how we collect, use, and protect your personal information. Our goal is to help you feel confident that your personal data, along with your assets, is secure with us.

Right to Request Access
You have the right to request access to the personal data we hold about you. We are committed to providing you with details of your personal information in the format you request. To protect your privacy, we may ask for proof of identity before disclosing any personal data. You can exercise this right by reaching out to us using the contact details provided below.

Right to Rectification
If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or completed. We are here to ensure that the information we hold about you is up-to-date and accurate.

Right to Erasure (Right to be 'Forgotten')
You have the right to request the deletion of your personal data in the following situations:

• 1. The personal data is no longer needed for the purpose it was collected for.
• 2. You withdraw your consent for processing, and there is no other legal basis for processing.
• 3. You object to the processing, particularly when it is based on legitimate interests or public interest.
• 4. You object to the processing for direct marketing purposes.
• 5. Your personal data has been processed unlawfully.
• 6. Deletion is necessary to comply with a legal obligation that applies to us.

We will process your erasure request promptly, to the extent we are able to do so. However, there may be circumstances where we are required to retain your data for longer periods, such as:

• 1. Exercising the right to freedom of expression and information
• 2. Complying with a legal obligation under applicable laws, including anti-money laundering regulations
• 3. Archiving for public interest, scientific, historical research, or statistical purposes
• 4. For the establishment, exercise, or defense of legal claims

Please note that by requesting the deletion of your personal data, we will need to close your YoWealth account. This action is irreversible, and once your data is erased, we will no longer be able to provide YoWealth services to you. However, this will not affect the legality of any processing carried out prior to your request for erasure.

Additionally, exercising this right may not result in the deletion of all your personal data. While we will make every reasonable effort to erase your information, certain data, such as those associated with blockchain interactions, may not be fully deletable.

Right to Restrict Processing
You have the right to request the restriction of processing your personal data under certain circumstances, such as when:

• 1. You contest the accuracy of your personal data;
• 2. You have objected to a processing activity based on legitimate interest, and verification of conditions is in progress;
• 3. You believe the processing is unlawful, and instead of requesting erasure, you prefer to limit the use of unlawfully processed data;
• 4, We no longer need to process your personal data but must retain it for the establishment, exercise, or defense of legal claims or to comply with regulatory requirements.
• 
  

Please note that depending on the type of restriction you request, we may need to close your YoWealth account. This action is irreversible, and by requesting us to restrict the processing of your data, we will no longer be able to provide YoWealth services to you. However, this will not affect the legality of any processing performed before the restriction request.

Right to Data Portability

When the legal basis for processing your personal data is your consent, or when the processing is necessary for the performance of a contract you are part of or to take steps prior to entering into a contract, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format.

Right to Object to Direct Marketing (Opting Out)
You have the option to decide whether or not you wish to receive marketing communications from us.

We will only contact you for marketing purposes if you have an existing business relationship with us, and we will rely on our legitimate interests as the legal basis for such communication.

In every marketing communication, we will provide an option for you to opt out (unsubscribe) by clicking the "unsubscribe" button in our marketing emails or using the similar opt-out feature in any forms where we collect your personal data.

Please note that administrative or service-related communications, such as notifications about our services, updates to this Privacy Notice, or changes to our terms and conditions, will be sent to clients or business partners. These communications are essential for providing our services and typically do not include an option to unsubscribe.

Therefore, your ability to opt out of receiving marketing materials does not affect our right to contact you regarding your use of our services or mobile apps, or in relation to any contractual relationship we have with you.

Right Not to Be Subject to Automated Decision-Making

We are committed to protecting you from unwanted automated decision-making (ADM) that may produce legal or similarly significant effects. You have the right to exercise this when processing is based solely on automated decision-making activities, as detailed under Article 22 of the GDPR.

If you do not agree with the processing activities described above, we will be unable to provide you with the high-level financial security services we offer. As a result, we cannot open or maintain your YoWealth account.

If you have any questions regarding our processes or the use of automated decision-making, feel free to reach out to our Customer Support team at support@yowealth.com.

Please note that the law specifies that this right cannot be exercised in the following cases:

• 1. The processing is necessary for the conclusion or performance of a contract with you,
• 2. We are required to comply with legal obligations, or
• 3. You have explicitly given your consent.
• 
  

Additionally, we aim to avoid processing sensitive data through automated decision-making. However, if such processing becomes necessary for onboarding or vetting purposes, we will ensure it is carried out under explicit consent or substantial public interest as the legal grounds.

Whenever processing relies on explicit consent or contractual obligations, you retain the right to express your opinion, request human intervention, and challenge the decision.

Right to Withdraw Consent

If the legal basis for processing your personal data is your consent, you have the right to withdraw that consent at any time by contacting us using the details provided below. Please be aware that withdrawing your consent will result in the closure of your YoWealth account, and this action is irreversible. By requesting us to stop processing your data, we will no longer be able to offer YoWealth services to you. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent.

You can exercise any of the rights mentioned above free of charge by reaching out to us at dpo@yowealth.com.

Most of these rights are subject to certain limitations and exceptions. If we are unable to comply with your request, we will provide an explanation.

Right to Lodge a Complaint with a Supervisory Authority

If we have not responded to your request within a reasonable time, or if you feel that your complaint has not been resolved satisfactorily, you have the right to lodge a complaint with the relevant supervisory authority. In Gibraltar, this would be the Gibraltar Regulatory Authority (GRA), under the Gibraltar Data Protection Act 2004. You may contact the GRA using the following details:

Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4,
1 Europort Road, Gibraltar

*Email: info@gra.gi
*Phone: (+350) 200 74636
*Fax: (+350) 200 72166

Additionally, you have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or where you believe an infringement of your rights has occurred, if located in the European Economic Area.

However, we would appreciate the opportunity to address your concerns before you approach the Gibraltar Regulatory Authority or any other relevant supervisory authority. Please feel free to contact us first at support@yowealth.com or dpo@yowealth.com.

9. Updates to Our Online Privacy Notice

We regularly review our Privacy Notice and will update it to reflect any changes.

Changes to this Privacy Notice may be necessary as we enhance our online services, Android and iOS mobile apps, to comply with new legal requirements, implement new technologies, or improve the services we offer. If we update our Privacy Notice in the future, we will post the revised version on our website, www.yowealth.com, along with the version number and date of the change. We encourage you to check this Privacy Notice periodically when you visit our website.

It is essential that the personal data we hold about you is accurate and up-to-date. Please inform us if your personal data changes during your relationship with YoWealth.

Addendum 1 – Data Obtained from Third Parties

When we collect personal data from third parties, we refer to the following categories:

• 1. Technical Data (e.g., IP address)
• 2. Identity and Contact Data (e.g., Name, phone number)
• 3. Financial and Transaction Data (e.g., Credit card details, transaction number)
• 4. Job Applicant Data (e.g., All data included in the application you submit to us)

Addendum 4 - AML and KYC Privacy Notice

At YoWealth, we process your identifying and profile data as part of our obligations for Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) compliance, including Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.

When we request CDD, this refers to the verification of your identity and address. This, along with the information collected during the application process, helps us establish a clear profile of each customer (KYC). Without KYC, YoWealth could unknowingly engage in illicit activities, which would expose us to reputational, operational, and legal risks, potentially resulting in significant financial loss or the closure of the institution. KYC is a key part of the global fight against money laundering.

Providing specific documentation, such as proof of address, proof of identity, source of funds, and/or completing AML-CTF questionnaires is mandatory for YoWealth users. Failure to comply may, in extreme cases, result in account suspension or refusal of services.

In response to the growing impact of money laundering, the European Union has passed directives aimed at combating money laundering and terrorism financing. These directives, alongside relevant national regulations, form the foundation of our AML/CTF obligations, providing the legal basis for processing your data and outlining the consequences of non-compliance.

Directive Compliance and Anti-Money Laundering (AML) Policies at YoWealth

YoWealth adheres to the following key European directives and regulations in order to maintain a secure and compliant financial environment:

• 1. Directive (EU) 2015/2366 of the European Parliament and Council, dated November 25, 2015, on payment services in the internal market.
• 2. Directive (EU) 2015/849 of the European Parliament and Council, dated May 20, 2015, on preventing the use of the financial system for money laundering or terrorist financing.
• 3. Council Decision (2000/642/JHA) on cooperation between financial intelligence units of EU member states regarding information exchange.
• 4. The Proceeds of Crime Act 2015
• 5. The Terrorism Act 2018
• 6. The Drug Trafficking Offences Act 1995
• 
  

In line with the Proceeds of Crime Act 2015, as stipulated in section 1k of part 1, we are required to treat anti-money laundering (AML) activities as matters of public interest when processing personal data. This means that we may need to collect, share, store, or otherwise process your personal data, even if you have requested deletion, in order to comply with legal obligations or public interest requirements. For more information on data deletion requests, please refer to Section 8 of this policy, and for data retention details, please consult Addendum 3.

YoWealth’s AML Policy

Our AML policy is designed to prevent money laundering and terrorism financing, in compliance with European standards. We have established systems and controls to mitigate the risk of YoWealth being used to facilitate financial crime. Our policy sets the minimum standards for AML compliance and includes the following key measures:

• 1. Appointment of a Money Laundering Reporting Officer (MLRO): We have appointed a senior and independent MLRO responsible for overseeing compliance with applicable legislation, regulations, industry rules, and guidance related to AML.

• 2. Risk-Based Approach (RBA): We maintain a risk-based approach to assessing and managing the risks of money laundering and terrorist financing. This includes gathering Customer Due Diligence (CDD) data and considering factors such as client status, transaction nature, financial products, and financial flows when assessing risk.

• 3. Customer Due Diligence (CDD) and Know Your Customer (KYC): We have established robust procedures for CDD, identification, and verification, in line with our KYC obligations. Enhanced due diligence is conducted for high-risk clients, including politically exposed persons (PEPs).

• 4. Ongoing Monitoring: We maintain risk-based systems to monitor ongoing customer activity, ensuring that we can detect and respond to any suspicious behavior.

• 5. Reporting Suspicious Activity: Procedures are in place for reporting suspicious activity both internally and to the relevant law enforcement authorities, as required by law.

• 6. Record-Keeping: YoWealth maintains appropriate records for the minimum prescribed retention periods, in accordance with regulatory requirements.

• 7. Employee Training: All relevant staff members undergo regular training and awareness-raising sessions on AML procedures to ensure that everyone is informed and compliant.

• 
  

As part of our commitment to preventing money laundering, YoWealth has developed these AML systems and procedures to meet the highest standards of regulatory compliance.

Sanctions Policy

YoWealth prohibits transactions with individuals, companies, or countries that appear on prescribed sanctions lists. We screen against sanctions lists from the United Nations, European Union, UK Treasury, and the US Office of Foreign Assets Control (OFAC) in all jurisdictions where we operate.

Automated Decision Making

YoWealth uses semi-automated processes, including screening Know Your Customer (KYC) and Anti-Money Laundering (AML) data provided by you. These screenings help us determine whether we are legally allowed to offer you our services. Any automated screening matches are manually reviewed by our compliance team. The compliance analyst will assess the cases and determine whether they should be cleared or escalated to the MLRO for further action.

Third-Party AML-KYC Compliance

At YoWealth, we may engage third-party providers to process personal data on our behalf, specifically for Anti-Money Laundering (AML) and Know Your Customer (KYC) purposes. When this occurs, we enter into a separate contract with these providers known as a Data Processing Agreement (DPA). This agreement ensures that the third parties comply with relevant data protection regulations and guarantees the implementation of appropriate technical and organizational measures to safeguard your rights.

Each third-party provider has its own privacy policy, which you can review below:

• Privacy Notice | Sumsub
• Privacy Policy | Incode
• Privacy Statement | Fourthline
• 
  

For KYC purposes, depending on your country of residence and the type of document you provide, the following personal data may be processed by one of the above third-party providers. This will be done based on your explicit, informed, and unambiguous consent, given freely.

Addendum 5 - Country-Specific Derogations

Section 1 - South Africa Derogations

In addition to the provisions outlined in previous sections, if South African data protection law, namely the Protection of Personal Information Act No. 4/2013 (POPIA), applies, the following definitions and differences should be noted:

1. The following terms are used in addition to the relevant terms in Section 1, Chapter 1, of the POPIA:

• a. Biometrics refers to a personal identification technique based on physical, physiological, or behavioral characteristics, including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.

• b. Consent means any voluntary, specific, and informed expression of will by which permission is granted for the processing of personal information.

• c. Security Compromise is understood as a data breach and must be notified to the data subject and the regulator "as soon as reasonably possible."

• d. Operator refers to a person who processes personal information on behalf of a responsible party based on a contract or mandate, without being under the direct authority of that party.

• e. Responsible Party refers to any public or private body, or any other person, who determines, alone or with others, the purpose and means for processing personal information (equivalent to a data controller).

• f. Person includes both natural and legal persons.

• g. Personal Information refers to information about an identifiable, living, natural person, and where applicable, an identifiable existing juristic person. This includes, but is not limited to, the following:

• • i. Details about race, gender, sex, pregnancy, marital status, nationality, ethnicity, social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, beliefs, culture, language, and birth.

  • ii. Information related to education, medical history, financial status, criminal background, or employment history.

  • iii. Any identifying information such as numbers, symbols, email addresses, physical addresses, phone numbers, location data, online identifiers, or any other specific assignments tied to an individual.

  • iv. Biometric data such as fingerprints, facial recognition, or other forms of identification.

  • v. Personal opinions, views, or preferences.

  • vi. Correspondence sent by the individual that is private, confidential, or that could reveal confidential content if further disclosed.

  • vii. Opinions or views from another person about the individual.

  • viii. The person’s name, especially if it appears alongside other personal information, or if its disclosure could reveal further information about the individual. This may include sensitive personal data, such as:

  • 1. Religious or philosophical beliefs, race or ethnic origin, trade union membership, political views, health or sex life, or biometric data of an individual.

  • 2. Information related to the criminal behavior of an individual, including:

    • a. Allegations of any offense committed by the individual.
    • b. Any legal proceedings related to an offense allegedly committed by the individual, or the resolution or outcome of such proceedings.
    • 
      

  2. In terms of data subject rights, the right of access may be subject to reasonable costs when detailed information about processing is requested.

  3. Under South African law, there are various ways to notify individuals of security compromises, including posting a notice on the website or through media channels.

  4. Any communication with the supervisory authority will be directed to the information regulator.

  5. Additionally, YoWealth will comply with the codes of conduct set by the regulator, as well as any relevant reports that serve as guidance.

  6. Data subjects' rights can be exercised under the same conditions outlined in this Privacy Notice, unless national law provides different requirements for protecting the data subject.

  7. In the case of conflicting laws, any legal exceptions arising from national regulations will take precedence (e.g., response time for Data Subject Access Requests). If national law does not address certain aspects, the provisions in this Privacy Notice will apply.

Section 6 – Argentina

1. In relation to activities carried out in Argentina, the following definitions apply according to Law 25,326, the Personal Data Protection Law (PDPL):

• a. Personal data refers to information of any type related to individuals or legal entities, whether identified or identifiable.
• b. Data dissociation is understood as data anonymization.
• c. Data owner is the same as the data subject.
• d. Person responsible for a data file, register, bank, or base is referred to as the data controller.
• e. Data user is referred to as the data processor.
• 
  

2. Under Argentine law, sensitive data may only be processed with the data subject's consent. However, other personal data may be processed based on legal or contractual obligations, or if obtained from publicly available sources.

3. It's important to note that the PDPL allows processing of personal data without consent in certain cases, specifically for basic information such as name, national identity document number, tax or social security identification number, occupation, phone number, date of birth, and domicile.

4. For customers protected under the PDPL, Xapo will adhere to the following timelines upon receiving your request:

• a. Right of access: within 10 calendar days
• b. Right to rectification and erasure: within 5 business days
• 
  

5. The supervisory authority to contact for exercising your rights under the PDPL is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).

6. Regarding data transfers from Argentina, Xapo is permitted to transfer personal data to jurisdictions that are signatories of international treaties to which Argentina is a party, or to territories for bank/stock exchange transactions. Both Gibraltar and Argentina are signatories to Convention 108 (Convention for the Protection of Individuals with Regard to the Processing of Personal Data), meaning similar privacy standards are applied in both jurisdictions.

Section 7 – Mexico

1. Regarding activities in Mexico, in compliance with the Federal Law on the Protection of Personal Data Held by Private Parties ("the Law"):

• a. Data owner refers to the data subject.
• b. Any reference to "days" shall be interpreted as working days.
• 
  

2. It’s important to note that Mexico is one of the countries that accepts tacit consent. According to Article 8 of the law, tacit consent is implied if the data owner does not object after the privacy notice has been made available to them. In addition to this, personal data can be processed based on legal obligation, contractual obligation, or if obtained from unrestricted public access sources.

3. However, for the processing of sensitive data, Xapo will only do so with explicit consent, certified through authentication mechanisms like electronic signatures.

4. For customers protected by this law, Xapo will respond to your data subject request within 20 business days. Requests are generally free of charge, except for fees related to shipping or copying/providing your data in alternative formats. However, as per Article 35 of the law, if you make a request within a period of 12 months, Xapo may charge for this operation, but not more than three times the current minimum wage in Mexico City, unless there are material changes to this notice that lead to new requests.

5. Regarding data transfers from Mexico, Xapo is allowed to process data in jurisdictions that are signatories to international treaties Mexico is a part of. Both Gibraltar and Argentina are signatories to Convention 108 (Convention for the Protection of Individuals with Regard to the Processing of Personal Data), meaning similar privacy standards apply. Additionally, such transfers are permissible when necessary for the performance of a contract concluded in the interest of the data subject.

6. For exercising your rights under the law, you may contact the National Institute for Transparency, Access to Information, and Personal Data Protection.

Addendum 6 - Xapo Credit Limited Particularities

DATA PROCESSING
Xapo Credit Limited collects the personal data listed in Section 2 of this Notice to assess whether you meet the eligibility criteria established by law for granting the credit you have applied for. This data collection is necessary to fulfill our obligations under the contract you wish to enter into upon your request to initiate the process. Xapo Credit Limited will only use the data collected directly from you.

DATA RETENTION
Data retention will be managed in accordance with Addendum 3 of this Notice.

PROFILING
As a regulated consumer credit and moneylending financial institution, Xapo Credit Limited is obligated by the Financial Services (Consumer Credit) Act 2011 to conduct creditworthiness screening before granting you credit. As part of this, we will carry out profiling activities using the personal data you provide during the application process. This allows us to make a lawful, informed, fair, transparent, and appropriate decision regarding your eligibility. Please note that decisions are made automatically based on automated checks in line with creditworthiness criteria. The automated decision-making process is based on our pre-contractual obligations initiated by you during the application process. However, you have the right to request human intervention, express your point of view, and challenge the decision as per Article 22 (2)(a) and (3) of the GDPR.

DATA SHARING
INTERNAL
There may be occasional transfers of data between Xapo Credit Limited, Xapo Bank Limited, and Xapo VASP Limited. These transfers are documented and safeguarded by the Intra-Group Data Transfer Agreement. This internal agreement ensures that common data protection standards are followed, which apply universally to all signatory entities. Therefore, personal data shared within the group is considered internal sharing and not with external third parties. These internal transfers will occur regularly for purposes such as creditworthiness assessments, decision-making, contract generation, and performance. Only the personal data listed in Section 2 of this Notice will be involved in these processing activities.

For more details about our AML and KYC obligations and processes, please refer to Addendum 5.

EXTERNAL
Xapo Credit Limited will share your personal data with third parties when necessary for contract fulfillment, legal obligations, or based on a justified and documented legitimate interest. This will only occur as outlined in Addendum 2.

In cases where you fail to meet your contractual obligations, Xapo Credit Limited may allow professional service providers, such as debt collectors or lawyers, to access your personal data.