Privacy Policy
PIER 5 S.A. de C.V. (hereinafter, the "Company"), with address at Darwin 74, Interior 301, Colonia Anzures, Alcaldía Miguel Hidalgo, C.P. 11590, Mexico City, Mexico, hereby publishes this Privacy Notice, for the purpose of using and protecting the Personal Data of its Users in our possession, and regulating its legitimate, controlled, and informed treatment, to ensure privacy and the right to self-determination and in compliance with applicable legal provisions regarding the protection of Personal Data, such as the Federal Law for the Protection of Personal Data in Possession of Private Parties (LFPDPPP).
To this end, the Company hereby provides the following information:
For everything related to the processing and protection of your Personal Data, you may contact us by sending an email to the following address: privacy@arqfinance.com.
1. Purpose of Use of Your Personal Data
The personal information you provide to us will be used for the following primary purposes:
The fulfillment of the contractual relationship arising from the request and/or contracting of our products or services.
To verify, confirm, and validate your identity.
To integrate your identification file and transaction history.
To contact you in case of unusual activity, to respond to assistance requests or when required by any applicable law or authority.
To manage, operate, and supervise the services provided by the Company.
Audit processes by competent authorities.
To comply with notices provided for the prevention of money laundering with respect to vulnerable activities.
Your Personal Data may be used for the following secondary purposes:
To send you offers of services provided by the Company.
To prepare customer profiles to offer products and services.
Share some of your contact data, in anonymized form, with digital advertising platforms for the purpose of excluding the Company's active users from advertising campaigns, thereby avoiding unnecessary spending on targeted advertising. You may object to this sharing at any time by disabling the personalized ads option in the application or by contacting us through the channels indicated in this Policy.
If you do not wish your Personal Data to be processed for these secondary purposes, you may at any time notify us, object to, or revoke your consent; these actions shall not be grounds for denial of service provision.
2. Personal Data to Be Collected
Paternal surname, maternal surname, and name or names; country of birth, nationality, sex; date of birth; residential address in the country of residence and if you have an address in national territory, it shall also be collected, comprised of the name of the street, avenue or thoroughfare in question, duly specified; exterior number and, if applicable, interior number; neighborhood or subdivision; city or town, state, province, or similar political division as applicable; postal code and country; occupation, profession, activity or line of business of the customer; Unique Population Registration Key (CURP), Federal Tax Registry (RFC); telephone number; email address; Standardized Banking Cipher (CLABE) at the Financial Institution corresponding to the User's name. Additionally, official identification documents and their data (issuing authority and number) shall be requested, and if applicable, digitized proof of address to verify the veracity of the provided data.
3. Sensitive Personal Data
The Company will not request sensitive Personal Data, which according to Article 3, Section VI of the LFPDPPP are: those Personal Data that affect the most intimate sphere of its holder, or whose misuse could give rise to discrimination or entail serious risk to such holder. In particular, data that may reveal aspects such as racial or ethnic origin, present and future state of health, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions, and sexual preference are considered sensitive.
4. Transfer of Personal Data
The Company may disclose or transfer your Personal Data upon request of the competent authority or in any other cases established in Articles 10 and 37 of the LFPDPPP, for which the consent of the data subject is not required, in accordance with the LFPDPPP and its Regulations.
Furthermore, the Company may share your Personal Data with:
Companies belonging to the Company's Corporate Group. That is, any affiliate, subsidiary or holding company of the company or any other related company.
Providers that provide services to the company for the maintenance or fulfillment of the contractual relationship with its Users.
Risk management providers, information security providers, specialized software providers necessary for the fulfillment of the contractual relationship that binds us with our Users, specialized fraud prevention software providers and similar.
Digital advertising platforms, for the secondary purpose described in Section 1, always in anonymized form prior to transfer.
Data may only be shared with third parties that comply with the purposes established in this notice. It should be noted that the Company will not sell, cede or transfer your Personal Data to third parties outside the company, its affiliates, subsidiaries and related parties, without your prior consent, with the understanding that the data recipient will assume the same obligations that correspond to the Company.
5. Security Measures to Protect Personal Data
Your Personal Data will be protected under strict confidentiality, and to prevent any damage, loss, alteration, destruction or unauthorized or improper use or disclosure, we have implemented physical, technical, and administrative security measures in accordance with the Federal Law for the Protection of Personal Data in Possession of Private Parties and its Regulations.
The User may revoke consent, limit the use that you may have given us for the processing of your Personal Data, and object to the use of your Personal Data for secondary purposes. However, it is important that you understand that we will not in all cases be able to attend to your request or cease use immediately, as it is possible that due to some legal obligation we must continue processing your Personal Data. Similarly, it should be considered that for certain purposes, the revocation of consent will mean that we cannot continue providing the service you requested, or the termination of your relationship with us.
To revoke your consent or limit the use of your Personal Data, you must submit your request to the following email address: privacy@arqfinance.com, which must contain the following requirements: (i) name of the data subject, their address and email or other means to communicate the response; (ii) documents certifying your identity or corresponding legal representation; (iii) clear and precise description of the Personal Data or purposes for which the right of revocation or opposition is exercised; and (iv) any other element that facilitates the location of the Personal Data.
6. ARCO Rights and Revocation of Consent
To the extent permitted by applicable regulations, you have the right to know what Personal Data we store, what we use it for, and the conditions of use that the Company gives them. Likewise, you have the right to request the rectification of your personal information if it is outdated, inaccurate or incomplete, to have us delete your Personal Data from our records or databases when you consider that it is not being used in accordance with the principles, duties, and obligations provided for in the regulations, as well as to object to the use of your Personal Data for specific purposes. All of the foregoing are known as ARCO Rights.
You have the right to request at any time access, rectification, cancellation or opposition with respect to the Personal Data that concerns you, unless it is not applicable under the applicable regulations, in which case we will inform you.
To exercise any of the ARCO Rights, the customer must submit the respective request to the following email address: privacy@arqfinance.com. Said request must contain the following requirements: (i) name of the data subject, their address and email or other means to communicate the response; (ii) documents certifying your identity or corresponding legal representation; (iii) clear and precise description of the Personal Data with respect to which the corresponding right is exercised; and (iv) any other element that facilitates the location of the Personal Data. The customer has the obligation to comply with the pertinent requirements for the exercise of their ARCO Rights. In the case of Rectification requests, the data subject must also indicate the modifications to be made and provide documentation supporting the request.
The Company will communicate to the data subject, through the email address indicated for this purpose, the determination adopted regarding your request, within a maximum period of twenty days from the date of its receipt. If the request is admissible, it will be made effective within a period of fifteen days from the date the response is communicated. These periods are extendable only once for an equal period, provided the circumstances of the case justify it. In the case of requests for access to Personal Data, delivery will be made after verifying the identity of the applicant or the legal representative, as applicable.
7. Use of Cookies, Web Beacons or Any Other Similar or Analogous Technology
"Cookies": Defined as programming information contained in a text file that is saved in your Internet browser or elsewhere on your hard drive. You can manage the acceptance of cookies directly in your browser preferences, keeping in mind that if you decide to block them, you may not be able to access the content of our application. The Company may use cookies to distinguish your browser from others in our application, as well as to collect statistics about them.
"Web beacons": The Company may use tracking technologies such as "web beacons" to collect data about your visits to the mobile application. Similar to "cookies", they are small electronic images embedded in web content or email messages, which are normally not visible to users and allow us to generate nearly personalized content to offer you a better experience when using our application.
Through cookies and web beacons, the Company will not collect Personal Data.
Biometric Data: In the process of opening accounts remotely, we may collect and use information that identifies you through an image taken from the device you use to access our services. For more information, please consult the terms and conditions of our products and services.
8. Changes to the Privacy Notice
The Company may modify, change, and/or update this Privacy Notice resulting from new legal requirements; from our own needs regarding the products or services we offer; from our privacy practices; from changes in our business model, or for other reasons. We commit to keeping you informed about any changes that may occur to this Privacy Notice, through our application or by email.
The User has the obligation to frequently review the policies to become aware of modifications. The changes to this Privacy Notice will become effective ten days after its publication; within the five days following its publication, the User must state via email if they do not agree with them, in which case service provision will be suspended. After said period, it will be understood that the User accepts the modifications to the Privacy Notice.
9. Acceptance
This Privacy Notice is subject to the express consent of the data subject, which constitutes a legal agreement between the User and the Company. The use of the Company's services will be considered as the express manifestation of the client's will and agreement with this Privacy Notice, without excluding that there may be an additional express form of manifesting the client's will.
10. Authority
The competent authority regarding the protection of Personal Data in Mexico is the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI). If you believe your rights are being violated, you may contact INAI for more information and assistance in this regard.
11. Request Data Deletion
You have the right to delete your account with the Company whenever you wish. To delete your account, open the "profile" section and select "Personal Data". At the bottom of the section, you will see an option to "close account". Tap this button and you can confirm that you wish to close your account.
Data classified as restricted or confidential will be securely deleted when no longer necessary. The Company will evaluate data and external provider deletion practices in accordance with the Third-Party Management Policy. Only third parties that comply with the Company Inc. requirements for secure data deletion for the storage and processing of restricted or confidential data will be used. The Company will ensure that all restricted and confidential data are securely deleted from company devices before or at the time of their deletion. Confidential and restricted printed materials will be shredded or otherwise destroyed using a secure method.
Personally Identifiable Information (PII) will be collected, used, and retained only for as long as the company has a legitimate business purpose. PII will be securely deleted and destroyed upon contract termination in accordance with company policy, contractual commitments, and all applicable laws and regulations. PII will also be deleted in response to a verified request from a consumer or interested party when the company does not have a legitimate business interest or other legal obligation to retain the data.
Appendix B - Data Retention Matrix
| System or Application | Data Description | Retention Period |
|---|---|---|
| DolarApp Inc. SaaS Products (AWS) | Customer Data | Up to 5 years after contract termination |
| DolarApp Inc. AutoSupport | Customer instance and metadata, debug data | Indefinite |
| DolarApp Inc. Customer Service Tickets (Salesforce) | Support Tickets and Cases | Indefinite |
| DolarApp Inc. Customer Service Phone Conversations (TalkDesk) | Support Phone Conversations | Indefinite |
| The Company Inc. Security Event Data (Splunk) | System and security event and log data, network data flow logs | Local: Indefinite; AWS Instance: 1 year |
| DolarApp Inc. Vulnerability Scan Data (Qualys) | Vulnerability scan results and data detection | 6 months. Host data (active) is retained until it is deleted and removed from Qualys |
| DolarApp Inc. Customer Sales (Salesforce) | Opportunities and Sales Data | Indefinite |
| DolarApp Inc. Quality Control and Test Data (TestRail) | Quality control, test scenarios and results data | Indefinite |
| Security Policies | Security Policies | 1 year after being archived |
| Temporary Files | Ephemeral AWS/tmp Storage | Automatically when the process ends |
Last updated: May 16, 2024