Privacy Statement

UAE Exchange is an international organisation providing diverse financial services. Working with some of the largest banks and non-banking financial companies, UAE Exchange has established one of the largest remittance networks in the industry.

UAE Exchange Centre Co. Bahrain W.L.L. ("UAEX") is the Data Manager of Personal Data collected in the Kingdom of Bahrain through its branches and digital channels. We are registered at P.O. Box 1825, Manama Center, Manama, Bahrain.

UAEX respects your privacy and is committed to maintaining the confidentiality and security of the Personal Data of its existing, prospective and former customers and beneficiaries ("Data Owners" or "you"). This Privacy Statement informs you about how we process Personal Data, how we look after it and tells you about your rights with respect to your Personal Data. UAEX encourages you to review this Privacy Statement and become familiar with it.

You are entitled to object to UAEX's processing of your Personal Data in certain circumstances, for example, if you no longer want to be contacted by us for marketing purposes. To exercise this right, or for more information, please contact us using the details below.

3.1 What does Personal Data mean?
Personal Data means any information related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through his/her personal ID number, or one or more of his/her physical, physiological, intellectual, cultural or economic characteristics or social identity, such as name, address, telephone number and e-mail address.

UAEX collects Personal Data from Data Owners mainly through its branches, UAEX's websites, and third parties or publicly available sources. For more information on these sources of Personal Data, please refer to the sections below.

Where UAEX needs to collect Personal Data by law or under the terms of a contract we have with you, and if you fail to provide that Personal Data, UAEX may not be able to fulfil our contractual obligations (e.g. a money remittance) and we may have to cancel the services you requested.

3.2 Personal Data collected by UAEX
To provide the services requested by UAEX customers, UAEX collects the following Personal Data through its network of branches and Online Money Transfer platforms (OMT):

• Full Name (sender and recipient of the transaction)
• Address (sender and recipient of the transaction)
• Nationality (sender and recipient of the transaction)
• Telephone, including mobile (sender and recipient of the transaction)
• Relationship between sender and recipient of the transaction
• E-mail
• Age
• Gender
• Birth Place
• Labour details
• Origin of the financial resources
• Financial background
• Identification document (e.g. National ID, Driving License, Passport)
• Bank Statements
• Transaction amounts
• Bank account details
• Credit / Debit card numbers
• Marketing & other Contact Preferences

As a financial institution, UAEX has certain obligations with regards to identity verification, fraud prevention and other similar security purposes. To ensure compliance with those obligations, certain of the Personal Data described above may be collected from, or verified against, third party sources such as government agencies and consumer reporting agencies. For identity verification purposes, senders and recipients of money transfers may be required to produce valid identification or approval to verification by other means before releasing funds.

3.3 Personal Data collected by UAEX websites
At its websites, UAEX collects aggregated user data (i.e. information that cannot be used to identify you), Personal Data that Data Owners voluntarily provide, and Personal Data collected by the use of cookies (as explained in the next section).

3.3.1 Definition and usage of cookies
A "cookie" is a small piece of information that is stored on your device (such as your computer) and which records the way that you use a website so that, when you revisit that website, UAEX can provide tailored options based on the information that has been collected from your last visit. Cookies can also be used to analyse traffic and, in some cases, to provide you with tailored advertising and marketing.

Following are the broad categories of cookies used on UAEX websites:

• Essential cookies: These cookies make UAEX website operation work and therefore they cannot be turned off or rejected. These cookies do not gather any information about you and do not have the ability to remember how you have used our website;
• Performance cookies: UAEX use these cookies to help analyse how its website is used and to improve its performance. For example, UAEX use them to understand where visitors to the UAEX site are based, how many people visit the website and which sections of the website are the most used;
• Functionality Cookies: These cookies allow UAEX website to remember if you have previously visited the UAEX site or the choices you made (e.g. language preferences) to provide a more personalised online experience.
• Third-Party cookies: These cookies collect information from your device and perform tasks that analyse behaviour and collect other information, such as demographics. These cookies may be used to provide you with personalised advertising.

3.3.2 Third Party Marketing Cookies and Social Advertising
UAEX has relationships with online advertisers and social media networks. These partners use cookies and similar technologies for marketing purposes and may serve you with targeted advertising about UAEX services while you are on their website or mobile applications. You can choose to decline the Third-Party Cookies that enable this type of marketing at any time by not accepting the cookies when visiting UAEX websites. We encourage you to learn more about how companies use advertising on social media and how to adjust your marketing preferences by reading their privacy statement.

3.3.3 How to manage cookies
Our Performance, Functionality and Third-Party cookies are not strictly necessary for our website to work but will provide you with a better browsing experience. You can delete or block these cookies, but if you do this, you may have to manually adjust some preferences every time you visit our website and some features of the site may not work as intended. Most internet browsers are initially set up to automatically accept cookies, however you can decide at any time what type of cookies you want to accept. You can change the settings on your browser to block cookies or to alert you when cookies are being sent to your device.

3.4 Personal Data collected by UAEX through Social Media
UAEX may process anonymized data derived from Data Owners' publicly available social media resources for statistical purposes. Although anonymized data may be derived from your Personal Data, it is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. We may also process Personal Data derived from publicly available social media resources that Data Owners make available when interacting with us including: Facebook, Twitter, YouTube, LinkedIn, Instagram, Google+, Pinterest, Weibo and WeChat. Such Personal Data may include but is not limited to:
- Public Social Media Profile Name
- E-mail
- Mobile number
- Photograph
- Region
- UAEX related posts (e.g. Mentions & Hashtags) - Complaints/queries.

Personal Data will be processed by UAEX only if and to the extent that at least one of the following applies:

Contract
UAEX may process Personal Data as required to ensure we comply with our contractual obligations towards Data Owners.

Compliance with Legal Obligations
UAEX may process Data Owners' Personal Data when necessary to comply with a legal obligation, e.g. Anti-Money Laundering screening and reporting requirements and where required to comply with court order or judicial proceedings.

Legitimate Interest UAEX may process Data Owners' Personal Data in pursuance of its legitimate business interests where such processing is necessary, and our interests does not conflict with the fundamental rights and freedoms of the Data Owner. E.g., our legitimate business interests may include communication with our customers in relation to requested transactions, pursuit of customer care initiatives, internal record keeping purposes and fraud prevention.

UAEX generally uses Personal Data from Data Owners for providing a service. This may include the following:

• Authorising and processing Data Owners' transactions, including effecting and administering money transfers and ensuring proper payment to the designated recipient of funds.
• Monitoring and improving our services including websites/mobile apps and its content.
• Sending information to Data Owners about UAEX products and services.
• Customer care initiatives to improve UAEX services.
• Meeting legal, regulatory, self-regulatory, risk management, fraud prevention and security requirements, which may include (among other measures) verifying the identity of the sender and recipient of funds and checking identities against money laundering, terrorist financing or similar watch lists established by regulatory agencies or similar bodies. For identity verification purposes, senders and recipients of money transfers may be required to produce valid identification or consent to verification by other means before releasing funds.
• Maintaining business and transaction records for reasonable periods, and generally managing and administering UAEX business.
• Meeting insurance, audit and processing requirements.
• Otherwise as permitted or required by law.

To carry out the processing activities established in this Privacy Statement, UAEX may disclose Personal Data relating to its Data Owners to:

• Data Processors: UAEX may share Personal Data with third-party service providers ("Data Processors"), including affiliates of UAEX performing services on UAEX behalf, for example: information technology, data hosting, marketing, customer care, fraud prevention, etc. UAEX takes steps to ensure that Personal Data that is processed by Data Processors is protected and not used or disclosed for purposes other than as directed by UAEX.
• Third Party Data Managers and Joint Managers: UAEX may share Personal Data with third parties acting independently from UAEX as may be required about the services provided to Data Owners, for example: any intermediary banks or other financial institutions involved in the transaction of UAEX services.
• Successors: if UAEX is purchased by/sold to a third party, Personal Data held by UAEX will be transferred to the successor entity.
• Relevant Authorities: UAEX may disclose Data Owners' Personal Data as necessary to meet legal and regulatory requirements. This may include disclosure of Personal Data to government authorities, for example, in compliance with suspicious activity reporting requirements under anti-terrorism, anti-money laundering and similar laws and regulations.

In connection with providing services to its customers, UAEX may transfer Personal Data to destinations outside of the Kingdom of Bahrain. When transferring Personal Data outside the Kingdom, UAEX ensures that security measures and appropriate safeguards are put in place to protect the Personal Data and to ensure that all transfers comply with applicable data protection law. For example, UAEX has appointed a Data Protection Supervisor to ensure that Data Owners' Personal Data is treated in consistent with the data protection law, ; UAEX relies on the Personal Data Protection Authority's 'sufficiency listing' in respect of certain territories (Article 12 , Personal Data Protection Law) to transfer Personal Data outside the Kingdom lawfully; For executing a contract between the Data Owner and UAEX, or undertaking preceding steps at the Data Owner's request for the purpose of concluding a contract; for executing or concluding a contract between the Data Manager and a third party for the benefit of the Data Owner.

Data Owners have certain rights with respect to their Personal Data. In summary, these are:

• To be informed: Data Owners have the right to receive certain information about how their Personal Data is processed. Therefore, we are providing you with this Privacy Statement.
• Access: Data Owners have the right to access and receive a copy of their Personal Data.
• Rectify: Data Owners have the right to correct their Personal Data when inaccurate.
• Erasure: Data Owners have the right to request deletion of their Personal Data in certain circumstances.
• Restriction of processing (blocking): Data Owners can restrict or limit the way that UAEX processes their Personal Data in certain circumstances.
• Right to object: In some circumstances, Data Owners have the right to object to UAEX's data processing activities, for example, if the Data Owner does not want to be contacted by UAEX for marketing purposes.
• Approval (Consent): If UAEX relies on consent to process Personal Data, Data Owners have the right to withdraw their approval at any time by contacting us using the details below.

Data Owners are also entitled to lodge a complaint with a regulatory authority, in the jurisdiction where they live or work or where they consider UAEX is processing their Personal Data unlawfully. We would, however, appreciate the chance to deal with your concerns before you approach the regulator, so please contact us in the first instance. For more information on your rights, please contact us using the details below.

If you wish to exercise any of your rights, or if you have any queries or suggestions about this Privacy Statement, you can contact UAEX and our Data Protection Supervisor at: data.privacy@uaeexchange.com.

The processing of your Personal Data for direct marketing purposes is in our legitimate business interest. UAEX employs a strict policy against sending communications if you opted-out from them. Please note that UAEX will continue to send administrative communications (i.e. Transaction Notifications) if you opt out from Marketing/Customer Care communications. UAEX may also contact Data Subjects in response to their inquiries, to provide services at the Data Subjects' request and to manage their requirements.

You may want to discontinue receiving marketing information from UAEX. While this may mean that you will not receive product or service information of interest to you, UAEX respects your wishes not to be informed directly of these promotions or product introductions.

You may inform UAEX at any time that you want to opt-out of these communications by following the opt-out links on any marketing message sent to you or by contacting us. Where you opt out of receiving these communications, this will not apply to Personal Data provided to us because of services provided to you or other transactions.

UAEX websites and emails may contain links to various other websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy statement of every website you visit.

UAEX takes all reasonable steps to ensure that all Personal Data collected through its branches and websites is treated securely and in accordance with this Privacy Statement and strict data protection standards.

In general, the period for which UAEX retains Data Owners' Personal Data is aligned with UAEX's data retention obligations under anti-money laundering laws, i.e. five years. In all cases, UAEX only retains Personal Data for as long as is necessary for the purposes described in this Privacy Statement. When determining the appropriate retention periods, UAEX will consider different factors, including: contractual obligations and rights; our legal obligations (for example, anti-money laundering laws); statute of limitations under applicable law; potential disputes; guidelines issued by relevant data protection authorities; and UAEX's legitimate business interests. UAEX securely erases Personal Data once it is no longer needed.

UAEX reviews and updates this Privacy Statement from time to time. We encourage Data Owners to periodically review this Privacy Statement to make sure they are aware of the latest version. If we make any material changes, we will bring this to your attention.