Personal Data Protection Policy

 

1. General Provisions

1.1. This policy (hereinafter referred to as "the Policy") establishes the basic rules for processing the personal data of data subjects and other information related to such data, including data collection, tracking/recording, organization, and storage. It also outlines the scope, purpose, and source of personal data processing, data recipients, and other important conditions that apply during the use of JSC Hash Bank's banking services.

1.2. JSC Hash Bank, in accordance with applicable legal requirements, ensures the confidentiality of personal data and implements appropriate technical and organizational measures to safeguard it from unauthorized access, disclosure, accidental loss, alteration, destruction, or any other illegal actions.

1.3. By accessing or using the information and/or services available on JSC Hash Bank's website, data subjects confirm that they have read and understood this Policy and that the conditions described herein are clear to them, and they agree to abide by them. Furthermore, upon the data subject's registration in the JSC Hash Bank system and commencement of service usage, this Policy becomes an integral part of the Banking Services Terms and operates in conjunction with them.

1.4. This document is intended for:

1.4.1. Clients of JSC Hash Bank (including potential, existing, and/or former clients).

1.4.2. Legal representatives or contact persons of clients.

1.4.3. Any individual connected to JSC Hash Bank and/or expressing interest in a specific product or service.

1.4.4. Any other individual with whom JSC Hash Bank does not have a direct connection, yet whose information processing is necessary for banking activities or product improvement.

 

2. Definition of Terms

For the purposes of this document, the subsequent terms have the following definitions:

2.1. Personal data - any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his/her name, surname, identification number, location data and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.

2.2. Biometric data - data processed using technical means and related to the physical, physiological or behavioural characteristics of a data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirm the identity of that data subject.

2.3. Data subject - any individual whose data is processed by the Bank.

2.4. The Bank — JSC Hash Bank

Legal form: Joint stock company;

Identification number: 405555359;

Physical address: Georgia, Tbilisi city, Vake district, Vazha-Pshavela avenue, No. 71, Office No. 21, 4th floor, Block I, Number 11,10.

Registration/licensing form at the National Bank of Georgia: Commercial bank;

Registered address: Georgia, Tbilisi city, Vake district, Vazha-Pshavela avenue, No. 71, Office No. 21, 4th floor, Block I, Number 11,10;

Contact phone number: 2 801 177.

2.5. Identification and verification - involve two processes as defined by the legislation of Georgia: a) Obtaining identification data that enables tracing and distinguishing one person from another (identification); and b) Obtaining information or documentation about the person that enables verifying the accuracy of the person's identification data (verification).

2.6. Public Service Development Agency - legal entity of public law operating within the governance sphere of the Ministry of Justice of Georgia, specifically known as the Public Service Development Agency.

2.7. National Agency of Public Registry - legal entity of public law operating within the governance sphere of the Ministry of Justice of Georgia, specifically known as the National Agency of Public Registry.

2.8. Revenue Service - legal entity of public law within the governance sphere of the Ministry of Finance of Georgia, specifically known as the Revenue Service.

2.9. Credit Information Bureau - an entrepreneurial entity that collects, stores, processes, and issues credit information about individuals and other entities. This can also mean an entrepreneurial entity that collects, processes, and issues credit information about individuals and other entities.

The table below provides a detailed description of the process of personal data processing by the Bank.


Objective, purpose, and necessity of data processing

The Bank processes the personal data of the data subject solely for legally permissible purposes and within their appropriate scope.

Data may be processed by the Bank for various purposes, including:

·  Client identification/verification, conducting one-time transactions, providing banking services (such as opening an account, processing payment operations, opening a deposit, etc.), or fulfilling the Bank's obligations defined by the law.

As an accountable entity operating in accordance with the legislation of Georgia, the Bank is obligated to ensure the identification/verification of individuals before establishing a business relationship with them or conducting one-time transactions. Additionally, while providing services, the Bank is required to request additional information, evaluate it, and store it within the time limits established by law.

For this purpose, the Bank processes personal data in accordance with legal requirements that pertain to:

This involves:


Personal data types processed by the Bank

The Bank processes the following personal data on the grounds and in the cases specified in this document:

Identification data:

Name, surname, date of birth, personal number, identity and/or citizenship document data, sex, citizenship, place of birth, address (registration and actual), ethnicity, photograph, taxpayer identification number, sample signature, and others.

Contact information:

Address (legal and actual), e-mail, phone number, etc.

Information about marital status, family members:

Marriage certificate, identification and documentary data of family members, information about family members and contact persons, information about a person's death and death certificate, etc.

Financial and other information:

Information about a person's economic and financial situation, information related to their transactions and accounts, credit history and creditworthiness, information about overdue payments, financial products, income, property, payments and/or transfers made (including where and when a specific transaction was made), information about a person's job/profession, citizenship, education, social status, income, etc.

Contractual information:

Information about the services and products provided by the Bank.

Data collected during communication:

Data obtained by e-mail, telephone (including audio recordings), chat, social media, or other communication channels.

Public data:

Information obtained from public sources (including lists of sanctioned, politically active persons, terrorists and other types of lists).

Data created by the Bank:

Data created as a result of analysis of data about the client by the Bank (e.g., data about customer behavior, preferences, risk rating, etc.).

Data about the user's device:

IP address, cookies, application logs, behavioral data, location information, etc.


Special category of data processed by the Bank

Information about the individual's health status, administrative detention, convictions, accusations, and other related information.


Biometric data processed by the Bank

As part of the identification/verification process, the Bank processes the following biometric data using technical means:

·  Audiovisual recordings

·  Voice biometric data

·  Biometric characteristics of behavior

·  Photographs, etc.


Data collection sources

·  Data subject's application (in any form) to the Bank to receive the Bank's services/products and undergo the identification/verification process, whether in electronic or other forms.

·  Usage of the Bank's services/products.

·  Utilizing the Bank's and/or its subcontractor's payment channels and/or using the services of the Bank's outsourcing service provider.

·  Accessing the Bank's official website and its features (e.g., chat) by the data subject.

·  Public sources and third parties, in the presence of a relevant legal basis and necessity, based on the consent of the data subject (e.g., Credit Information Bureau, Revenue Service, Public Service Development Agency, National Agency of Public Registry, and others).


Bases for personal data processing

The Bank processes personal data in a legal, fair manner and in a way that is transparent for the data subject (except in cases established by law). This processing is conducted without compromising the individual's dignity, is done only in cases permitted by law, and is carried out only to the extent necessary to achieve the relevant legitimate purpose.

The bases for processing include:

·  Voluntary consent of the data subject to process personal data for one or more specific purposes.

·  Fulfillment of obligations assumed by the transaction concluded with the data subject or entering into a transaction at the data subject's request.

·  Legal basis provided for by legislation, including fulfilling obligations imposed on the Bank by law.

·  Reviewing the data subject's application (including electronic applications) for banking services or service provision.

·  The necessity to protect the legal interests of the Bank or third parties.

·  Data being publicly available or made publicly available by the data subject.

·  Processing special categories of data is carried out only with the data subject's written consent.

·  Processing biometric data is carried out when it is necessary for specific business activities, to protect an individual's safety and property, or to prevent the disclosure of confidential information.


Sharing Information with third parties

In compliance with legal or contractual obligations and with a relevant legal basis, personal data may be shared with third parties, including but not limited to:

·  Representatives/legal representatives of the data subject.

·  Parties involved in the transaction.

·  Certain bodies as defined by legislation.

·  Credit Information Bureau, Revenue Service.

·  Service providers, including but not limited to: The Bank's external auditors, consultants, advisors, courier and research organizations, IT service providers (e.g., cloud infrastructure services) and/or other persons/entities with similar functions.

·  Other financial organizations (e.g., correspondent banks, intermediary banks for international transfers, investors, Visa, Mastercard, etc.).

·  The Bank's partners providing services to the Bank, including outsourcing providers, and/or assisting in providing payment/financial services to customers (e.g., United Financial Corporation, Apple Pay, GPay, card instrument providers, etc.).

·  Other third parties with the consent of the data subject.


Transfer of personal data to another state

The Bank may share the data subject's data with another state if there are grounds for data processing provided by the Law of Georgia "On Personal Data Protection" and if appropriate guarantees of data protection and protection of the data subject's rights are provided in the respective state.

If the data subject's data is transferred to a country where there are no adequate data protection guarantees, the Bank ensures the signing of an agreement on the transfer of personal data. This agreement ensures the proper protection of the client's personal data in accordance with the requirements stipulated by the law.

To properly protect personal data, the Bank checks whether third parties have adopted appropriate organizational and technical measures for data protection before transferring the personal data of the data subject to them.


Personal data storage period

The Bank stores personal data according to the following criteria:

·  In accordance with the terms defined by the legislation of Georgia — during the entire service period and for 15 years after the completion of the service.

·  Alternatively, for a duration necessary to achieve the specific purpose of processing, as outlined within the service provision and/or contractual agreement.


Data processing by an authorized entity

To facilitate customer identification/verification, the Bank utilizes technical resources provided by Identomat Inc. (SR 20204194256, 7977895, registered in Delaware, USA).

This software is designed to verify the authenticity of individuals. In particular, it captures a video and a dynamic selfie to establish the client's identity. As part of this process, the software processes identification documents and biometric photographs, ensuring the authenticity of these documents and verifying their accuracy against reliable and independent sources.

A contractual agreement has been established with the software supplier. This agreement is in full compliance with Georgian legislation, including personal data protection laws.


Data security

Processed data about the data subject is stored in compliance with legislative requirements.

The Bank has implemented organizational and technical measures to address potential threats associated with data processing. These measures include data pseudonymization, data access tracking, and various information security mechanisms (such as confidentiality, integrity, and availability).

Measures are in place to protect personal data against loss, unauthorized processing, including unauthorized destruction, deletion, alteration, disclosure, or use.

Access to personal data is restricted according to the roles of the Bank's employees. The Bank also actively prevents, detects, and addresses instances of unauthorized personal data processing by its employees, including by educating employees about data security.

All Bank employees involved in personal data processing or with access to such data are required to strictly protect the secrecy and confidentiality of personal data without exceeding the scope of their authority. This obligation extends beyond their period of employment, in accordance with relevant legislation and internal organizational policies (including those outlined in their employment contracts).

3. Cookies

3.1. During your visit to the Bank's website, the Bank continuously strives to improve service quality and user experience. As part of this process, the Bank collects visitor records, commonly referred to as cookies.

3.2. Cookies are used to personalize, improve, and safeguard the visitor's experience while using the website. Specifically, they aim to simplify navigation, present information in desired formats, improve search parameters, ensure secure user authentication, facilitate marketing efforts, optimize web page design, and better adapt to user preferences.

3.3. Through cookies, the following information is gathered: the operating system version, device model, unique device identifiers, duration of website visits, accessed page details, navigation history, browser information, actions performed on the Bank's website, the user's geolocation data and language preferences.

3.4. When utilizing the Bank's mobile and Internet banking services, the data subject's device ID, model, brand, name, OS version and bank application version will be accessible to Google Analytics and similar Firebase programs.

3.5. When visiting the Bank's website, visitors/clients have the option to agree or disagree to the use of cookies, except for cookies that are strictly necessary for enabling various functions on the Bank's website and ensuring its proper operation. Cookies are stored on the visitor's computer, mobile phone, or other device used to visit the website and remain valid for a limited period of time.

 

4. Data Subject Rights

4.1. The data subject is entitled to:

4.1.1. Receive information regarding the processing of their data, including details such as the processed data themselves, purpose and legal basis of processing, data collection source, and data transfers.

4.1.2. Access their stored data in the Bank and obtain copies of documents/records containing personal data as per the procedures outlined by Georgian legislation and after payment of the Bank's fee.

4.1.3. Request correction, updating, or completion of inaccurate, erroneous, or incomplete data.

4.1.4. Request the termination of data processing or the erasure or destruction of processed data under specific conditions, namely:

4.1.4.1. when the data subject withdraws their consent that was the sole basis for processing;

4.1.4.2. when data processing is no longer necessary for its initial purpose; or

4.1.4.3. when processing is unlawful.

4.1.5. Request data blocking in the following circumstances:

4.1.5.1. the validity or accuracy of the data is disputed;

4.1.5.2. data processing is illegal, but the data subject does not wish for them to be deleted and requests only their blocking;

4.1.5.3. the data are no longer necessary for their processing purpose, although the data subject requires them for legal proceedings;

4.1.5.4. a request for termination of data processing, erasure, or destruction is under consideration;

4.1.5.5. there is a necessity to store data for evidential purposes.

4.1.6. Withdraw/refuse consent for data processing at any time and request deletion of processed data based on that consent. The Bank will cease data processing and delete the processed data unless another legal basis for data processing exists.

4.1.7. If data processing is based on the data subject's consent and it is technically feasible, request data portability, i.e., to receive personal data provided to the Bank in a structured, usable, and electronic format or have them transferred to another data processor.

4.1.8. Demand human involvement in decisions made by automated means if such decisions significantly affect the data subject's legal, financial, or other rights, unless automated processing is consented to, contractually required, or mandated by law.

4.1.9. In case of violation of data subject rights, to lodge a complaint with the Bank's data protection officer, personal data protection service, and/or the court.

 

5. Limitation of Data Subject Rights

5.1. The rights of the data subject as mentioned above may be restricted if their exercise poses a threat to:

5.1.1. State security, information security, cybersecurity, and/or defense interests.

5.1.2. Public safety interests.

5.1.3. Crime prevention, investigation, criminal prosecution, and administration of justice.

5.1.4. Interests related to significant financial or economic matters (including monetary, budgetary, and tax issues), public health, and social security of the country.

5.1.5. Detection of violations of professional, including regulated profession, ethical norms by the data subject and holding them accountable.

5.1.6. Rights and freedoms of the data subject and/or other individuals, including freedom of expression.

5.1.7. Protection of state, commercial, professional, and other legally protected secrets.

5.1.8. Substantiating a legal claim or objection.

5.2. The Bank applies measures to restrict data subject rights only to the extent necessary and proportionate to the purpose of the restriction.

 

6. Bank Contact Information

6.1. Bank Identification Code: 405555359.

6.2. Registered Address: Georgia, Tbilisi city, Vake district, Vazha-Pshavela avenue, No. 71, Office No. 21, 4th floor, Block I, Number 11,10.

6.3. Website Address: www.hashbank.ge.

6.4. For inquiries regarding personal data, the data subject can contact the Bank via the following e-mail address: [email protected] or through the ChatBot integrated on the Bank's website and/or the Bank's official Facebook page.

 

7. Amendments and Additions

7.1. The Bank is authorized to make changes and additions to this document periodically.

7.2. Any updates to the document, along with the date of modification, will be posted on the Bank's website.