Principles of personal data processing

Who is the controller of your personal data?

The service provider is Investown Technologies s.r.o., ID: 086 67 144, with its registered office at Inovační 122, Hodkovice, 252 41 Zlatníky-Hodkovice, registered in the Commercial Register of the Municipal Court in Prague, Section C, File 322874 (hereinafter referred to as”Company”), which is the controller of the Users' personal data listed below.

The company has appointed a data protection officer.

‍

What personal data do we work with?

As part of the provision of the Services, we, as the controller, have the right to process your personal data to the extent set out below:

• Users' identification data (in particular, first and last name, date of birth or birth number, permanent or other residence);
• Users' contact details (e-mail address, mobile phone number, bank account, variable symbol of Clients assigned by the Company, contact address);
• Clients' login details (email address and, if applicable, password, stored in encrypted form using a one-way hash function);
• information on the financial situation of the Clients in the framework of the assessment of the suitability of services;
• information about the location of Clients;
• the history of Clients' transactions in the Investment Wallet (data on deposits, withdrawals, amounts invested, income received and fees charged);
• the history of the Client's movements on the Platform (for example, data on visited pages and actions on the Site, including data on used HW and SW equipment and Internet connection of the Client), which are necessary for the fulfillment of the contract and for the protection of the Company's legitimate interests in the event of legal disputes;
• data necessary to comply with the obligation to identify and control Users under the Act on certain measures against the legalization of proceeds of crime and terrorist financing (for example, copy of identity card, photo of Client, information about source of income, purpose of trade, status of politically exposed person, place of birth)

‍

On what legal basis do we process your personal data?

We are entitled to process your personal data on the basis of the following legal titles:

• if this is necessary for the performance of the contract,
• if necessary to comply with our legal obligations (for example, from the Accounting Regulations or the Act on Certain Measures against the Legalization of Proceeds of Crime and the Financing of Terrorism),
• if necessary for the purposes of our legitimate interests (or the legitimate interests of a third party), unless such interests are overridden by your fundamental rights
• further, if necessary to protect your vital interests (or the vital interests of someone else), and/or
• if it is in the public interest or for official purposes.

In connection with the sending of commercial communications, we process your personal data on the basis of consent, which you have the opportunity to give us at the time of registration. Consent is valid for the duration of your contractual relationship with us, unless you exercise your right to withdraw consent. Consent settings for each category of messages can be done in your account on our website or in the mobile application, where you can give consent even after registration or withdraw it.

‍

Who processes your personal data?

Your personal data is processed by the Company as the controller of personal data, to the extent necessary for the provision of the Services and the fulfilment of legal obligations. Furthermore, these are entities that provide various services to the Company as processors of your personal data to the extent necessary to fulfill the purpose of the service provided (”Processor“). The Controller carries out certain processing actions of your personal data to the Processor only for the purposes specified in this document, always on the basis of a contract with the Processor and in accordance with the legal regulations.

In particular, the Company uses the following categories of Processors:

• companies providing services enabling online authentication of Clients, e.g. Veriff OÜ or ProFisms, s.r.o.;
• companies providing cloud storage services, e.g. Amazon Web Services, Inc.;
• companies providing services enabling electronic communication with the Company, e.g. Intercom, Inc., Ontraport Inc. or OneSignal, Inc.;
• companies providing services enabling the distribution of marketing materials, e.g. Bloomreach B.V.;
• possibly other categories of Processors in the field of providing IT services.

By registering on the Platform through the Company's partner, you also consent to the transfer of your personal data to these third parties in order to process them to provide the agreed service. In particular, these may be business partners and financial advisors through whom you have registered on the platform.

The recipients of personal data may also be public authorities, upon request or legal obligation of the Company. This may be, in particular, the Czech National Bank, the Financial Analytical Office or law enforcement agencies.

‍

Why do we work with your personal data?

To be able to perform the following activities:

• provision of services to Users;
• promotion and improvement of the Company's services (informing about news and sending newsletters);
• protection of the Company's rights in the event of a dispute with the User or with another person;
• fulfilment of legal obligations applicable to the Company by law (in particular identification and control of the User according to the AML Act).

Your personal data are not subject to any decision by the controller based solely on automated processing, including profiling, which could have legal effects for you or would similarly significantly affect you (e.g. in the form of a risk of negative impact on the protection of your rights and legitimate interests).

‍

How long will we work with personal data?

We always process personal data for a period related to the specific purpose of processing, for the period necessary to fulfill the purpose of processing or for the period required by binding legal regulations.

The duration of the processing of personal data for the purposes of personal data processing determined as the period:

• for the provision of services for the duration of the contract and 3 years after the termination of the contract;
• to send newsletters, or other commercial communications and marketing materials as long as we have your consent to such processing;
• in order to protect the legitimate interests of the Company for 10 years from the termination of the contract, or in justified cases longer, in particular in cases of resolution of a complaint, complaint or litigation or proceedings before a public authority concerning a particular User;
• for the purposes of fulfilling our obligations under the Act on Certain Measures Against the Legalisation of Proceeds of Crime and Terrorist Financing for 10 years, as long as the legal obligation to which we are bound to comply (including statutory archiving deadlines) lasts.

‍

Where do we work with your personal data?

The processing of personal data by the controller and its Processors also takes place outside the EU.

If we transfer personal data outside the EU to third countries or international organisations, their protection will be ensured according to standard contractual clauses adopted in accordance with the mechanisms set out in the General Data Protection Regulation (GDPR).

‍

What rights do you have in relation to the processing of your personal data?

The data protection legislation guarantees you various rights in the area of personal data protection. To the extent guaranteed by the data protection regulations — in particular the General Data Protection Regulation (GDPR) — you have the following rights:

• the right to access your personal data (i.e. information about which specific personal data we work with and how we process it);
• the right to restrict the processing of your personal data (that is, although we will not delete the personal data yet, but we will not process it again without your consent, until the request for restriction is resolved);
• the right to rectification and erasure of your personal data (always if the legal conditions for this are met);
• the right to object to processing based on the legitimate interest of the controller;
• the right to have your personal data transferred to another controller directly by the Company, if such data have been processed automatically and on the basis of consent or performance of a contract in connection with the provision of the Service.

To exercise any of these rights or in case of further questions regarding the processing of personal data by our company, please contact our Data Protection Officer at the email address dpo@investown.cz.

If you believe that we are violating the law by processing your personal data, you can lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, headquartered in Pplk. Sochora 27, 170 00 Prague 7, website www.uoou.cz.

This Policy is issued in electronic form and can be accessed on the Company's website. This policy can also be accessed via a link on the Investown Platform within the registration process.

With this paragraph, the conditions shall take effect on March 18, 2025.