Anti-Money Laundering, Combating the Financing of Terrorism (AML/CFT) and Sanctions Policy Statement

This statement represents a certification by nDigital Holding SPC (herein after referred as “Company”, “nDigital”) to its customers, partners, third parties regarding compliance with Anti Money Laundering and Combating Terrorist Financing (hereinafter collectively referred to as “AML/CFT”) regulations. nDigital is strongly committed to prevent the use of its products and services for money laundering or terrorist financing. Accordingly, the Company complies fully with all applicable anti-money laundering and terrorist financing laws and regulations in the jurisdictions in which it does business and standards relating to combating money laundering. Our procedures comply with applicable laws and regulations as well as the Financial Crime Regulation of the Central Bank of Bahrain (FC Module). We also monitor and adhere to other major international anti-money laundering recommendations and programs such as the Financial Action Task Force (FATF), the United Nations and European Union sanctions and the Office of Foreign Assets Control (OFAC) in addition to applicable local and international sanctions in our operating jurisdictions. Accordingly, nDigital takes all reasonable and appropriate steps to prevent persons engaged in money laundering or the financing of terrorists or terrorist operations, from utilizing nDigital’s products and services. AML/CFT COMPLIANCE PROGRAMME Key components of the AML/CFT Compliance program are enshrined within the Company’s integrated management system (IMS) which is certified to the ISO 9001 Quality Management System (QMS) and the ISO 27001 Information Security Management System (ISMS). The components are as follows:

• Board of Directors approved Policy and Procedures;
• Designated Money Laundering Reporting Officer (MLRO);
• AML/CFT Risk Assessment, System, Process and Controls;
• Sanction screening;
• Ongoing AML/CFT training; and
• Independent testing.

nDigital complies with local and international regulations on AML/CFT and Sanctions requirements and prohibits doing business with:

• Companies incorporated in or trading in a prohibited country;
• Individuals residing in a prohibited country; and
• Allowing transactions to occur in a prohibited country.

nDigital’ key principles of the policy are:

• nDigital has implemented a risk-based approach using policy, procedures, processes, system, and controls to identify, manage and mitigate money laundering and terrorism financing risk and customer identification and verification procedures in line with the legal and regulatory requirements;
• nDigital will carry out the necessary procedures to determine and verify the identity of the Ultimate Beneficial Owner and necessary Customer Due Diligence (CDD) and/or Enhanced Due Diligence (EDD) measures for customers flagged as High, Medium, and Low risk;
• nDigital has implemented Know Your Employee (KYE) program containing detailed screening, monitoring and Due Diligence requirements;
• nDigital will monitor customer transactions to identify unusual activity and will report such activity to the competent authority and has implemented technology system to comply with the sanctions compliance requirements relating to customers, linked persons, and counterparties in case of transactions;
• nDigital does not onboard customers who are PEPs as part of their digital individual customer onboarding process, as per restrictions set by the Central Bank of Bahrain;
• nDigital does not accept/ open anonymous accounts or accounts in fictitious names and does not accept/ establish correspondent banking relationships with shell banks;
• nDigital will comply with all legal and regulatory requirements relating to cross border transfers;
• nDigital will arrange ongoing training of employees with regard to AML/CFT issues and their responsibilities; and
• nDigital will maintain and comply with the legal and regulatory requirements relating to record retention period.

In providing this information, nDigital does not undertake any responsibility or liability with respect to AML/CFT compliance measures that your institution may be required to take under applicable legal and regulatory requirements. November 2021

nDigital Privacy Statement

nDigital Holdings SPC (“nDigital” or "we" or "us" or “our”) is committed to maintaining the confidentiality, integrity, and security of any information about our customers/ users (“you” or “your”). This Privacy Policy explains how and why we collect, store, and use your personal information (“Personal Data”) collected in connection with your use of our services including our website, mobile application or other digital channel operated by us (each a “Channel”). BY USING OR OPENING AN ACCOUNT OR SIGNING UP TO nDIGITAL PRODUCTS AND SERVICES, YOU AGREE TO BE BOUND BY THIS PRIVACY POLICY, AS IT MAY BE AMENDED FROM TIME TO TIME. 1. INTRODUCTION As both a controller and processor of Personal Data we respect the confidentiality and privacy of the individuals that use our Channels. This Privacy Policy describes what Personal Data we collect, how we use and share that information, and what choices are available to you about our use of the information. 2. WHY DO I NEED TO READ THIS POLICY? We will collect your Personal Data when you use:

• websites linked to our services including our website at www.ndigitalventures.com;
• mobile applications linked to our services directly or via Channels;
• when you register with us as a Business-to-Business (B2B) customer; or
• any of the services you can get access to through mobile applications or websites or other digital Channels.

When we say ‘Personal Data’, we mean information which can be used to personally identify you (for example, a combination of your name and address and identification documents). THIS POLICY CONTAINS IMPORTANT INFORMATION and explains what information we collect, how we use it, and your rights if you want to change how we use your Personal Data. Therefore, it is important for you to know your rights. If you have concerns about how we use your Personal Data, you can contact us at privacy@ndigitalventures.com 3. INFORMATION WE COLLECT We collect information about you from various sources and by various methods which may include information that you submit to us manually or information that we collect automatically. The Personal Data we collect about you includes information that we collect when we setup, administer, and manage our relationship with customers and users of our Channels. This information is used by us for different reasons in connection with the products and services you obtain from us and the Channels you use. For example, if you contact us via the Channel and submit your information to us, we will collect the information you provide; or, if you use the Channel we will track and monitor your visits and activities using cookies or other automated techniques. The table below explains what Personal Data we collect and use. Information you give us We collect information you provide when you:

• fill in any forms;
• correspond with us;
• register to use a Channel;
• open an account or use any of our services;
• take part in online discussions, surveys or promotions;
• speak with a member of our customer support team; or
• contact us for other reasons.

We will collect the following information:

• Personal details like full name, address, date of birth, place of birth;
• Contact details like email address, phone number, fax number, mailing address, residential address;
• Information about your identity, such as a copy of your ID document, biometric data and video and or selfie images;
• Information about your right to live in a particular country and your tax residency and tax identification number;
• Financial details, such as your employment status, employment information, details of source of income and source of wealth, information on monthly income;
• Details of your bank account, including the account number and IBAN;
• Information relating to transactions (such as type, dates, amounts, currencies, payer and payee details).

Information we get from external sources We collect Personal Data from third parties, such as Information & eGovernment Authority (IGA), credit-reference agencies, financial or credit institutions, official registers, and databases; We also screen data against fraud prevention agencies and KYC (Know Your Customer) and AML (Anti Money Laundering) service providers to fulfil our legal duties; If you are a B2B customer, we will need to confirm your identity as part of our KYC process. We will ask you to provide documents, and will also collect information from third parties, such as commercial registers, private company information databases for this purpose. Information from social media Occasionally, we will use publicly available information about you from selected social media websites or apps to carry out enhanced due diligence checks. Publicly available information from social media websites or apps may also be provided to or collected by us when we conduct general searches on you (for example, to comply with our anti-money laundering or sanctions screening obligations). If you are a B2B customer, we may collect information about you if you make it publicly available on social media websites or apps. We only do this as part of our B2B KYC checks. For example, if you have not yet set up a website for your business, we may need to look at information available on social media websites or apps to make sure your business is legitimate. Information from publicly available sources We collect information and contact details from publicly available sources, such as official public records, like Sijilat or UK Companies’ House, media stories, online registers or directories, and websites for enhanced due diligence checks, security searches, and KYC purposes for B2B customers. Please note that the above list is not exhaustive, and that nDigital may also collect and process Personal Data to the extent this is useful or necessary for the provision of our services, and to comply with regulatory requirements. Personal Data may be retained by us for the duration of a customer’s business dealings and beyond, in accordance with our legal and regulatory obligations, including but not limited to our record retention policy. 4. OUR REASONS FOR USING YOUR INFORMATION Bahrain’s Personal Data Protection Law (PDPL) states that we must have a lawful basis for using your Personal Data (See also Section 10 below). At least one of the following must apply: contractual or legal duty, legitimate interest, public interest, vital individual interest or consent. In this section we explain which one we rely on to use your data in a certain way. Keeping to our contracts and agreements with you or to enter into a contract with you for products, services and promotions. We use details about you to:

• consider your application.
• provide the services we agreed to in line with our terms and conditions.
• contact you about your account and other services you use if you get in touch, or we need to tell you about something.
• to provide information about products and services we provide and promotions that we or our affiliates and partners may offer.
• exercise our rights under contracts we have entered into with you.
• investigate and resolve complaints and other issues.

Legal obligations In some cases, we have a legal responsibility to collect and store your Personal Data (for example, under anti-money laundering laws we must hold certain information about our customers). We:

• confirm your identity when you sign up or get in touch.
• check your record at immigration and fraud prevention agencies.
• prevent illegal activities like money laundering, tax evasion and fraud.
• keep records of information we hold about you in line with legal requirements.
• adhere to banking laws and regulations (these mean we sometimes need to share customer details with regulators, tax authorities, law enforcement or other third parties).
• compare information we hold about your account with your tax residency information to make sure we do not have a reason to doubt it.

Legitimate interests We sometimes collect and use your Personal Data , or share it with other organisations, because we have a legitimate reason to use it and this is reasonable when balanced against your right to privacy. For example, we might share information with credit bureaus and fraud prevention agencies so we can benefit from up-to-date information when we make decisions about accounts. This helps us make responsible decisions and fight financial crime. Consent We will ask for your consent to:

• tell you about our products and services, and those of our partners by email or push notification if we think they are of interest to you. You can unsubscribe from these by email or via the Channels.
• share information about you with companies we work with when we need your permission.
• you do not have to share information about yourself if you do not want to. But if you do not, you may not be able to use some (or any) of our services.
• you make withdraw your consent at any time by providing 10 working day prior notice to the following email address: privacy@ndigitalventures.com. Please note that the withdrawal of consent may limit or prevent you access to or availability of services. Please also refer to section 12 and 14 for further information.

5. HOW WE USE THE INFORMATION WE COLLECT We may use the information we collect about you to:

• Provide, administer and communicate with you about products, services and promotions that we or our affiliates and partners may offer.
• Operate, analyse and improve our business including: developing new products and services; managing and improving our communications; measuring and validating the success of our promotional and marketing activity, producing data reports and analysis, and performing accounting and finance related activities.
• Enforce our terms and conditions and comply with legal and regulatory requirements, including industry standards and our internal policies.
• To set up, maintain, and administer the contractual relationship.
• To check your identity (as part of our KYC process) and decide whether or not to approve your application.
• To enable you to manage the customer account with us and to assist you to transact with us.
• To keep records of communications in order to evidence what has been discussed, keep a record of your instructions, and to prevent or detect crime.
• To record customer account activities where we have reason to believe that fraud or other crimes are being committed or where we suspect non-compliance with anti-money laundering regulations to which we are subject.
• To test the performance of our products, services, and internal processes to ensure that your Personal Data is only collected as needed and is held and processed securely.
• To comply with our regulatory obligations under any applicable regulatory regimes.

If we intend to use information collected about you in other ways that are not listed above, we will notify you at the time we collect the data or before we use it if it is already in our possession. WHO WE SHARE YOUR DATA WITH? We share your Personal Data only with companies that provide services to us. By companies we mean those that help us provide services you use and need to process details about you for this reason. We share as little information as we can and encrypt and/or make it impossible for you to be identified by the recipient where possible.

• Our affiliates; banking, financial-services, distribution and promotional partners; and payment networks, including Visa and Mastercard.
• Know Your Customer (KYC) service providers that help us with identity verification or fraud checks.
• Cloud computing power and storage providers like Amazon Web Services (AWS) and Microsoft Azure.
• Credit reference/ Fraud prevention agencies.
• Law enforcement and other external parties, i.e. regulator, external auditor.

7. DISCLOSURE OF INFORMATION We do not sell or otherwise share Personal Data we collect about you with third parties, except as described here or unless we notify you of our intention to do so at the time the data is collected or such later date, and obtain your consent. We may share information in any way necessary to comply with regulatory requirements, industry standards and our internal policies. This may include sharing the Personal Data we collect with regulators and external auditors. We also may share the information with service providers who perform services on our behalf or with clients that we provide services to as a data processor. We do not authorise service providers to use or disclose the information except as necessary to perform certain services on our behalf, and if our clients use or disclose data it will be as described here unless you are notified otherwise, and your consent is obtained. We require service providers and clients to safeguard the privacy and security of Personal Data and to meet the same standards of security and ethics as we do. If we are required to do so by law or legal process, we may disclose information about you to law enforcement authorities or other government officials, or when we believe disclosure is necessary to prevent financial loss, or in connection with investigations related to actual or suspected fraudulent or illegal activity. In the event we sell or transfer all or a portion of our business or assets the Personal Data that we collect will be transferred to whoever we sell or transfer our business to. In such an event, we will direct the transferee to use the Personal Data we have collected in a manner that is consistent with this Privacy Policy. Following such a sale or transfer, you may contact the entity to which we transferred your Personal Data with any enquiries concerning the use of any Personal Data that they hold. 8. YOUR RIGHTS AND CHOICES You have certain rights regarding the Personal Data we maintain about you. Accordingly, we offer you certain choices about what Personal Data we collect from you, how we maintain the accuracy of that information, how we use that information, and how we communicate with you. You may choose not to provide any Personal Data to us at all by not using the Channel or not submitting information to us. You may withdraw any consent you have provided to us, or object at any time on legitimate grounds, to us holding or using your Personal Data. If you choose to do so we will observe your choice going forward, and where necessary will withdraw our services in order to meet your request. You have the right to be provided with access to the Personal Data we maintain about you, and to update or correct inaccuracies. The right to access Personal Data may be limited in some circumstances by law or regulatory requirements that we must comply with. You have the right to inform us should there be any change in your Personal Data, such as your contact or residential address or employment details, etc. Please inform us without delay. To request a copy of the information that we hold about you, update your information, update your preferences or consent on how we use your information, or to ask us to remove your information, please contact us as specified below. 9. HOW WE PROTECT PERSONAL DATA We maintain administrative, technical and physical controls to protect the Personal Data we hold against accidental or unauthorised destruction, loss, alteration, access, disclosure or use. This includes the use of encryption and cyber security techniques on Channels, data servers, and databases. 10. BAHRAIN’S PERSONAL DATA PROTECTION LAW (PDPL) Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (Data Protection Law) on July 12, 2018 which came in effect August 1, 2019. Like the General Data Protection Regulation (GDPR), the PDPL imposes obligation of how businesses manage data, including ensuring that Personal Data is processed fairly that data owners are notified when their Personal Data is collected and processed, that collected Personal Data is stored securely and that data owners can exercise tier rights directly with the Business. nDigital Holdings is a data manager within the meaning of the PDPL and undertakes to hold any Personal Data provided by customers in confidence and in accordance with legislation. Customers have the right to lodge a complaint with the local data protection regulator if they are dissatisfied with the manner in which their Personal Data is used by us. For more information in respect of this PDPL or the way in which we use customers’ Personal Data, please contact us as specified below. 11. KEEPING YOUR PERSONAL DATA ACCURATE We will make reasonable efforts to maintain the accuracy of your information for as long as it is being used by us as set out in this Privacy Policy providing that you keep us up to date. It is your responsibility to notify us of any changes to your information or contact details as described in paragraph 8 so that we can continue to provide you with the best possible service. 12. CLOSING AN ACCOUNT Upon your request and provided that you do not have an outstanding balance due on your account, we will close your account as soon as reasonably possible, based on your account activity and in accordance with applicable product terms and conditions and Laws and Regulations. We do retain Personal Data from closed accounts to comply with law, prevent fraud, collect any amounts due/ owed, resolve disputes, troubleshoot problems, assist with any investigations, and take other actions otherwise permitted by law. 13. SECURITY We follow generally accepted physical, electronic, and procedural safeguards consistent with the Personal Data we process and maintain. We use various security measures to protect the information we collect including encryption, firewalls, and access controls and the security measures that we deploy are compliance with multiple international security standards including the Payment Card Industry Data Security Standards (PCI-DSS) and the ISO Information Security Management System (ISO27001). We also limit access to this information to authorized employees and providers who need to know that information. 14. RETENTION Your information may be retained by us on server computers that maybe located globally in accordance with applicable laws/ rules. Your information will be kept for a period of 10 years or as may be required under applicable law. The actual length of time we will retain your Personal Data is also affected by: (1) your use of the Channel; and (2) any legal or regulatory requirements we are subject to. 15. CHANGE OF PRIVACY POLICY Should we make any changes to this Privacy Policy in the future we will provide you with an opportunity to review the updated Privacy Policy on the applicable Channel and an opportunity to “opt-out” should you wish to do so. Please check the Channel from time to time to ensure that you are aware of our current privacy policy, understand and have accepted this Privacy Policy, and understand and have accepted the Terms and Conditions of use relating to the Channel. 16. HOW TO MAKE A COMPLAINT We regularly review our compliance with this Privacy Policy. If we receive a formal written complaint from you, we will contact you directly to address any of your concerns. We will cooperate with the appropriate governmental authorities to resolve any complaints regarding the collection, use, transfer or disclosure of information that cannot be amicably resolved between you and us. The products and services provided by NDIGITAL are governed by the laws of the Kingdom of Bahrain. Any dispute, controversy or claim arising out of or relating to this Policy or the breach, termination or validity thereof shall be finally settled accordingly to the Law. 17. CONTACT US If, at any time, you have questions, concerns or comments about this Privacy Policy, please feel free to contact us at privacy@ndigitalventures.com, or call our Compliance department on +973 1720 3000.

nDigital Holdings SPC Terms of Use

This website (“Website”) relates to the products and services of nDigital Holdings SPC (“we” or “us” or “our”), access to and use of the Website is provided us on the following terms: 1. By using the Website you agree to be bound by these terms, which shall take effect immediately on your access. If you do not agree to be bound by all of the terms please do not access or use the Website. 2. We may change these terms from time to time and so you should check the terms page on the Website regularly. Your continued use of the Website will be deemed acceptance of the updated or amended terms. If you do not agree to the changes, you should cease accessing or using the Website. 3. You agree to use the Website only for lawful purposes, and in a way that does not infringe the rights of, restrict or inhibit anyone else’s use and enjoyment of the Website. Prohibited behavior includes any activity that might disrupt the performance or accessibility of the Website; or the posting of inaccurate, misleading or offensive content to the Website. 4. All copyright, trade marks, design rights, patents and other intellectual property rights (registered or unregistered) in and on the Website and all content located on the site shall remain vested in us, and where applicable third parties. You may not copy, reproduce, republish, disassemble, decompile, reverse engineer, download, post, broadcast, transmit, make available to the public, or otherwise use the Website content in any way except for your own personal, non-commercial use. You also agree not to adapt, alter or create derivative works from any of the Website content except for your own personal, non-commercial use. Any use of the Website content other than normal browsing activity requires our prior written permission. 5. The names, images and logos identifying us or third parties and their products and services are subject to copyright, design rights and trademarks belonging to us and/or third parties. Nothing contained in these terms shall be construed as conferring any license or right to use any trademark, design right or copyright of ours or any applicable third party. 6. We are not responsible for the availability or content of any third party sites that are accessible through the Website. Any links to third party websites from the Website do not amount to any endorsement of that site by us and any use of that site by you is at your own risk. 7. The Website content, including information, names, images, pictures, logos and icons regarding or relating to us, our products and services or third party products and services is provided ‘as is’ and on an ‘as available’ basis. To the extent permitted by law, we exclude all representations and warranties (whether express or implied by law), including the implied warranties of satisfactory quality, fitness for a particular purpose, non-infringement, compatibility, security and accuracy. We do not guarantee the timeliness, completeness or performance of the website or any of the content. While we try to ensure that all content provided by us is correct at the time of publication no responsibility is accepted by or on behalf of us for any errors, omissions or inaccurate content on the website. 8. Nothing in these terms limits or excludes our liability for death or personal injury caused by our proven negligence. Subject to the foregoing, we shall not be liable for any of the following losses or damage (whether such damage or losses were foreseen, foreseeable, known or otherwise): (a) loss of data; (b) loss of revenue or profits actual or anticipated; (c) loss of business actual or anticipated; (d) loss of opportunity actual or anticipated; (e) loss of goodwill or injury to reputation; (f) losses suffered by third parties; or (g) any indirect, consequential, special or exemplary damages arising from the use of the Website regardless of the form of action. 9. We do not warrant that functions available on the Website will be uninterrupted or error free, that defects will be corrected, or that the Website or the server that makes it available are free of viruses or bugs. You acknowledge that it is your responsibility to implement sufficient procedures and virus checks (including anti-virus and other security checks) to satisfy your particular requirements for the accuracy and validity of data input and output. 10. If any of these terms are determined to be illegal, invalid or otherwise unenforceable by reason of the laws of any country in which these terms are intended to be effective, then to the extent and within the jurisdiction in which that term is illegal, invalid or unenforceable, it shall be severed and deleted from these terms and the remaining terms shall survive and continue to be binding and enforceable. 11. Our failure or delay to exercise or enforce any right in these terms does not waive our right to enforce that right. 12. These terms shall be governed by and interpreted in accordance with the laws of the Kingdom of Bahrain. The Courts of Manama, Kingdom of Bahrain shall have exclusive jurisdiction over any disputes in connection with these terms or access and use of the Website.