MIS Connect Privacy Policy

Welcome to the MIS Connect Privacy Policy ("Policy"). MIS Connect is a regulated entity in the Kingdom of Saudi Arabia that enables Clients to access Open Banking services—specifically Account Information Services and Payment Initiation Services (AIS/PIS). We empower financial and non-financial participants to deliver tailored solutions powered by transactional and personal data, while upholding the highest standards of personal data protection. MIS Connect respects your privacy and is committed to protecting your personal data. This Policy explains how we look after your data when you visit our website or use our services, your privacy rights, and how the law protects you. This website is not intended for children, and we do not knowingly collect data relating to children. This Policy describes the practices of MIS Connect and its affiliates ("MIS Connect," "we," "us," or "our") and the privacy rights of users of MIS Connect services ("you") regarding our collection, use, storage, sharing, and protection of personal information. It applies to the MIS Connect website and all related sites, applications, services, and tools (collectively, the "MIS Connect Services"). By signing up for, accessing, or using MIS Connect Services, you accept this Policy. We may amend this Policy at any time by posting a revised version on our website. The revised version will take effect as of the effective date shown at the top. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. It is important that you read this Policy together with any other privacy or fair‑processing notices we may provide on specific occasions when we collect or process personal data, so that you understand how and why we are using your data. This Policy supplements other notices and is not intended to override them.

1.1 MISCo or the Company: MIS Connect, its affiliates, and subsidiaries. 1.2 Client or End-User: A site visitor, an individual customer, a corporate customer (e.g., bank, merchant, fintech), or any user of the Company's products and services. 1.3 Staff or Applicant: Any individual holding (or applying for) an employment contract with MIS Connect (part-time or full-time). 1.4 Developer: An entity or individual accessing or using MIS Connect's Developer Portal. 1.5 Developer Portal: The development and sandbox environment provided by MIS Connect. 1.6 Data Subject: Any Client, End-User, Staff, or Applicant who owns the data. 1.7 Data Provider: Data Subjects collectively who provide their personal data to MIS Connect consensually. 1.8 Services: Account Information Services (AIS), Payment Initiation Services (PIS), and Developer Portal services.

This Policy applies to all processing activities carried out by MIS Connect in connection with MIS Connect Services. By using the Services, you acknowledge that you have read and understood this Policy.

3.1 MIS Connect may change, modify, or update this Policy at its sole discretion, as permitted by applicable laws and regulations. 3.2 Unless otherwise indicated, amendments take effect immediately upon publication on MIS Connect's website.

4.1 We process information lawfully, fairly, and transparently, and only collect data needed to provide the Services. 4.2 For legitimate purposes, we will: not use information in ways with unjustified adverse effects; be transparent about uses and notices; handle information as reasonably expected; and not commit any unlawful act with collected information.

We collect personal data from: ASPSPs for AIS/PIS End-Users; KYB/documents/emails/project execution/third-party sources for Clients; newsletter/contact forms for website visitors; recruitment/performance processes for employees; social media/portals/email/careers page for Applicants; and registration for Developers. We also use data to: manage/develop/operate/improve/deliver/maintain/protect Services; communicate; monitor trends/usage; enhance safety; verify identity and prevent fraud; verify accounts and records; satisfy regulatory requirements; and manage data repositories.

We will not retain personal data longer than necessary. Retention considers: contractual obligations; legal obligations and statutory periods; withdrawn consent (where applicable); legitimate interests; fraud/risk management; potential disputes and guidance; and data location requirements (Data Providers' data held in their country of residence; employees/applicants' data in the Kingdom of Saudi Arabia).

Data may be shared with Clients for AIS/PIS; with companies involved in mergers/asset sales/financing/liquidation/bankruptcy/acquisitions; to comply with legal obligations; to protect rights/property/safety; with restrictions under KSA data protection law; and with third parties for employee processing and with affiliates for admin/accounting/reporting.

We implement security programs aligned with industry standards and require vendors to do the same; maintain defenses against cyberattacks; acknowledge services may experience faults; investigate, notify, and remedy/compensate if a breach occurs; and maintain confidentiality and secure processing including access, storage, dissemination, and destruction.

We will promptly notify Clients of any breach/hack/leak/cyberattack and take necessary measures; process information with appropriate technical and organizational measures; and never request sensitive data via SMS or social networks—contact will be via provided details in suspected/actual fraud or security threats.

Rights—subject to law—include: right to be informed; right of access; right to object to processing (including direct marketing and harmful processing); right to rectification/blocking/erasure; right to opt out; right to complain; right to amend/complete/update data. To exercise rights, email compliance@misconnect.sa. Requests are free of charge and handled within no more than 30 working days. Requests may be rejected if misused or where restriction is necessary to protect individuals under KSA law.

By using the Services, subscribing to the newsletter, or applying for a job, Data Providers consent to receive communications (emails, newsletters, advertisements). We may use trusted third parties for direct marketing with confidentiality/security safeguards. You may opt out at any time subject to notifying MIS Connect.

- Clients (Bank/Merchant/FinTech): KYB/on-boarding, incorporation docs, shareholder IDs, contacts, financial statements, supporting docs — for due diligence and legal compliance. - AIS End-Users: account details (balances, statements, transactions, beneficiaries, standing orders), personal/contact data, IDs — to deliver AIS. - PIS End-Users: transaction details (merchant ID, payee/payer bank, IBAN, reference ID, amount, account names, IDs, status) shared with merchant/payee; CX data (journey, location, device, IP, carrier, OS); personal/contact data — to deliver PIS and analytics. - AIS/PIS complaints/rights: name, email, supporting docs — to investigate and resolve. - Developer Portal: sign-up (email, names, company, phone opt.); registration (company, contact, contract email, account email, sandbox client ID, logo, beneficiary account & name (for PIS), merchant category (for PIS), maximum transaction limit (for PIS)) — to enable seamless use. - Website visitors: name, business email, job title, company, industry, country, phone opt., message — to provide updates, share with Sales, record preferences and feedback. - Employees (recruitment): CV/application/cover letter/interview data; data created during recruitment; criminal checks; special-category data; marital/visa; health; immigration — for contracts, legal obligations, legitimate interests, suitability for regulated roles, disputes, legal advice, fitness to work, adjustments, equal-opportunity monitoring, and permitted employment rights/obligations.

• Compliments/complaints/rights: complaint@misconnect.sa • Employees/Applicants: hr@misconnect.sa