1. Introduction

Get Disco Ltd (hereinafter, "Disco") is the owner of the website www.getdisco.com ("Website"). Disco is committed to protecting the privacy of all users of the Website and complying with the applicable data protection legislation.

This Privacy Policy sets out the terms that shall govern how Disco collects, processes and stores Users' data, and informs Users about their privacy rights.

This Privacy Policy must be read together with and is incorporated in the General Terms and Conditions (https://getdisco.com/terms-conditions) of Disco Services. The Privacy Policy may be updated from time to time; the most recent version is available on Disco Website. Users are advised to review the Privacy Policy and its updated versions carefully.

2. Scope

The Privacy Policy applies to the use of Website and any Services provided by Disco. When User visits and/or browses this Website, register Disco Account or use Disco Services, Disco processes User's data as the data controller. Disco aims to collect and process only data strictly necessary in the context of its relations with the users/visitors of the Website and/or Disco Services, in order to provide Services and/or information for specific and legitimate purposes.

The Privacy Policy provides the following information:

- What personal data Disco collects;

- How Disco uses personal data;

- Who personal data may be shared with;

- What rights users have in connection with their personal data.

3. General Provisions

The Privacy Policy is addressed to the users of the Website and/or Disco Services ("data subjects").

Personal data (also, "personal information", "information", "data") refers to information that identifies a User or may identify a User (e.g. name, address, identification number).

Processing of personal data refers to actions such as collecting, handling, storing and protecting personal data.

Website and Disco Services may contain links or lead to third party websites (including, but not limited to, merchants' websites) with their own data protection and privacy policies, different from this Privacy Policy. User must review such third party privacy policies and make sure that the provisions therein are acceptable to User. Disco does not accept any responsibility for the content and privacy provisions of any third party websites.

Disco may revise or update this Privacy Policy from time to time. In such a case, Disco will make the most recent version of Privacy Policy available on Website, informing Users accordingly by displaying in the updated version and relevant date of update. Users are advised to visit Disco Website frequently to consult Privacy Policy in its most recent version.

4. Personal Data

Use of Disco Website, setting up of Disco account and provision of Disco Services are conditional on provision of the information requested by Disco, including personal data of data subjects (Users). Personal data is collected and processed pursuant to the following legal obligations:

- For the purpose of establishing business relations and providing Disco Services to Users. Establishment of business relations for provision of services and for the performance of contractual obligations between both parties (Disco and Users) requires provision of certain personal data;

- Under the legal obligations deriving from AML legislation and other legal acts. In order to be able to use Disco Services, including applying for and receiving the Virtual Card, Disco is required to identify User, verify User's identity and perform due diligence, as well as to fulfil the legal obligations.

User may decline to provider personal data to Disco, provided however, that in case User chooses not to provide information that is necessary for provision of Disco Services, such User shall not be able to use Disco Services.

Disco collects personal data from the following sources:

Submitted Data. This refers to data provided by User during setting up of the Disco account and providing information for issuing of a Virtual Card, and during the use of Disco Services. The data may be submitted via the forms provided on Website and within Disco account, via email, or via other means of communication. By submitting personal data to Disco, User acknowledges that Disco may use this data in accordance with this Privacy Policy.

In order to set up Disco account, User will be required to provide basic information about him/herself, including name, email address, mobile phone number, and payment information (valid debit/credit card details). The foregoing information is collected for the purpose of authenticating the User's identity, register Disco account and use Disco Services.

At the time of application for issuing Virtual Card, depending on the User's account level with varying spending limits, User will be required to provide:

- For Level 1 account User will be required to provide: full name, date of birth, email address, mobile telephone number;

- For Level 2 account User will be required to provide: full name, date of birth, email address, mobile telephone number, proof of residence, and government-issued ID.

After registering Disco account and/or applying for Virtual Card, Disco may request User to verify the information provided, or provide additional information (if necessary for issuing and use of Virtual Card, for example).

Data collected in course of use of Disco Services or Website. This data may include:

- Payment and transactions data

- Profile and usage data (such as data when User connects to Disco account, visit merchants' websites, make purchases using Disco Services, and may include data on how User uses the services). Disco may collect data from devices User uses to connect to Disco account and Services, such as computers and mobile phones, such as User's IP address and using cookies (please refer to the Cookie Policy).

Data collected from third parties. In order to facilitate Disco Services, Disco may obtain personal data about Users from third parties. Disco may lawfully obtain from other entities such as service providers, information aggregation agencies, public authorities, persons that refer User to Disco, Disco affiliated companies.

5. Types of Data Collected

Various types of personal data are collected and processed in the context of the relationship arising between User and Disco and according to Services used. Indicatively, the following are examples of categories and types of personal data may be processed:

Individual personal information. E.g. Name, previous names, data and place of birth, language, if User holds prominent public functions (PEPs).

Individual personal contact details. E.g. Residential address, email address, telephone number, other contact details.

Identity information. E.g. Passport, National ID card, Nationality, Utility bill, other proof of residence.

Authentication data. E.g. login credentials.

Communications. E.g. Personal data that User may provide by filling in forms or by communicating with Disco (e.g. in emails, or via other electronic channels).

Transactional and other/documents information. E.g. Data arising for the purchases and payment transactions for purchases at merchants' websites using Disco Services (including data such as date, time, amount, currencies, location information and details of merchant associated with the transaction), details arising from contractual obligations between Disco and Users.

Location and technical information. E.g. Location data (for example, at the time of login or a purchase transaction); technical information from devices and technology used by User, IP addresses and device information, visitor's information and similar information collected automatically.

Consents. E.g. Any permissions or consent given to Disco by User.

6. Purposes for which Disco uses personal data

Disco processes User's data with the data minimization principle in mind. Disco aims to limit the processing of User's data and the type of data processed to strictly the data needed for a lawful reason. Disco uses data inter alia to:

- Verify User's identity (e.g. authentication, AML and fraud prevention purposes);

- To provide Disco Services (e.g. setting up of User account, collecting data for issuing of a Virtual Card, provide Discount on purchases and other Disco Services);

- Perform obligations under Disco T&C (https://getdisco.com/terms-conditions) and EULA (https://getdisco.com/eula);

- Maintain communication with Users and provide Users with information and updates;

- Provide User support and handle User inquiries or complaints;

- To enforce internal procedures and protective measures against fraud or risk;

- For internal operational support and administrative purposes (e.g. product/services development or improvement, quality management);

- Obtain reports regarding problems with Website or Services;

- General administrative functions (e.g. maintenance of Disco's internal records necessary for keeping up-to-date information, general record-keeping);

- Statistics and analytics for internal purposes and improvement of Services and Website;

- Compliance with the legal obligations;

- Enforcing or protecting the rights of Disco or its affiliates;

- Ensuring security.

7. Aggregated and Anonymized Data

Anonymization means converting personal data of an individual into anonymized data so that it does not identify the individual (User) and does not allow such individual to be identified through its combination with other data.

Disco may collect, process, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data does not identify the individual, either directly or indirectly. Without prejudice to the provisions of this Privacy Policy, Disco may use anonymized and aggregated data to improve the quality of Disco Services, develop new features, services and for research purposes.

8. Legal bases for processing

When Disco processes User's personal data, Disco will rely on one of the processing legal bases below. Disco may process User's personal data for more than one legal basis depending on the specific purpose for which Disco is using the data.

(a) Performance of a contractual obligations. This is when processing of personal data is needed in order to perform the obligations under the T&C (https://getdisco.com/terms-conditions). This is also processing in the course of the application to be able to complete acceptance process of User and to be able to commence provision of Services under T&C.

(b) Legal obligation or for public interest. This is when Disco is required to process User's personal data to comply with a legal obligation.

(c) Legitimate interests. Where necessary, Disco may process personal data where there is a legitimate interest for Disco or a third party in pursuing commercial and business interests, except where such interests are overridden by User's interests, fundamental rights and freedoms.

(d) User's consent. In particular circumstances, Disco may ask User for specific permission to process personal information for specific purposes. User's data will be processed in this way if User agrees to this. Where the legal basis is the consent provided by User, User may withdraw his/her consent any time. The revocation of User's consent will not affect the legality of the data processed prior to the revocation.

9. With whom User's data is shared.

Disco functions receive User's personal data in the context of Disco Services and operations.

This is required in order to provide carry out requests and provide Services, and to perform Disco's contractual and legal obligations.

Disco will not share personal data with third parties unless this is necessary for the legitimate business needs, to carry out requests, provide services and/or as required or permitted by law. Third parties under these circumstances include:

(1) Service providers. Disco will disclose personal data to third party partners and service providers (processors) so they can process it on Disco's behalf where required. These service providers are required to provide sufficient assurances in accordance with data protection law. (e.g. being bound contractually to confidentiality and data protection obligations). Disco will only share personal data necessary for them to provide their services. For example, Disco will shall User's data with the Issuer for the purpose of issuing a Virtual Card. The Issuer will process User's personal data for the performance of its contractual obligations, for the performance of the legal obligations (including under AML laws, Laws on provision of e-money and payment services and other legal acts).

(2) Auditors, advisors and consultants. Disco may disclose personal data for purposes and in the context of audits, to legal and other advisors, in order to investigate security issues, risks, complaints etc.

As such, personal data may be transferred and disclosed to:

- Money laundering and fraud prevention aggregation/agencies, compliance/verification services and risk prevention services. This is required in order to verify User's identity, ensure protection against fraud, confirm eligibility for Disco Services.

- Banks (or other credit or financial service institutions, including the Issuer), and similar institutions. These enable Disco to provide Services.

- Data management, storage, archiving, cloud storage service providers;

- Companies assisting with provision of Services (e.g. technological services, solutions, support such as support/maintenance/development of IT applications, technology, website management, telephony/SMS services);

- Customer support service providers and marketing service providers;

- Administrative service providers;

- Auditing and accounting services and consultants;

- External legal advisors.

- Regulatory authorities, law enforcement, courts. Disco may disclose personal data to comply with applicable legislation, regulatory obligations, to respond to requests of regulatory authorities, government and law enforcement agencies, courts and court orders in the UK/EEA/Internationally.

(3) Disco may also disclose User's data in circumstances such as the following:

- If Disco is under a duty to disclose or share personal data in order to comply with any legal or regulatory obligation or request;

- In order to apply or enforce the Terms and Conditions or any other agreement in place in the context of the relationship between Disco and User and to investigate potential breaches;

- If Disco or substantially all of its assets are acquired by a third party, in which case personal data held by it about its Users will be one of the transferred assets.

10. Transfers outside the EEA or to international organisations

User's personal data may be transferred to third countries (outside the EEA) or to international organizations if the transfer is necessary and has a legal basis as described in this document. Such transfers take place for example:

- When necessary to carry out and in the context of transactions (e.g. card transactions, payment orders to third countries, through correspondent bank in third country);

- Under applicable law;

- On the basis of User's instructions or consent;

- In the context of data processing undertaken by third parties on Disco behalf. (e.g. the data may also be processed by staff operating outside of the EEA who work for Disco or for one of our third party service providers or Disco affiliated companies. Such staff may be performing technical duties and support, duties related to processing of User's orders, provision of support services etc.).

The processors (or controllers) in third countries in this case shall be either approved by the European Commission as providing adequate level of data protection or shall be have in place appropriate safeguards with the level of data protection in the EU. Disco aims to take all steps reasonably necessary to ensure that User's data is treated securely and in accordance with this Privacy Policy (e.g. requirement to observe privacy standards equivalent to Disco's, maintaining security standards and procedures to prevent unauthorised access, use of technology such as encryption and firewalls) to protect the security of data in transit and at rest).

11. Information on Data Security Privacy

Disco has in place internal procedures for secure processing of personal data in order to protect data from unauthorised access, loss, misuse, alteration or destruction. Disco uses its best efforts to limit access to personal data to persons on a need to know basis, and that persons who have access are required to maintain its confidentiality. However, security cannot be absolutely guaranteed against all threats despite our best efforts. Transmission of information via the internet is not completely secure. Disco cannot guarantee the security of data transmitted via email, to Website or online resources; such transmissions are at User's risk. User is responsible for keeping the User credentials secure and confidential and not to disclose them to any persons.

12. Data Subject Rights

As data subjects, Users have the following rights afforded under data protection law in respect of the personal data, which Disco holds as a controller. Users should note that the rights are not absolute and may be limited due to a legal basis replied upon by us to process User's data.

As the majority of processing Disco performs is a consequence of legal obligations, some of the rights may be limited by the legal and regulatory requirements or legitimate interests.

Right of access: right to obtain a copy of User's personal data. User can request a copy of the personal data retained and a confirmation from Disco whether personal data is processed or not.

Request correction of incorrect personal data. User can request a correction of incorrect or incomplete data kept by Disco. In such a case, Disco may need to verify the accuracy of the data Disco has and data provided and take steps to correct its records.

Object to the processing of personal data. User can object to the processing of personal data by Disco and request us to stop using the data in certain circumstances such as:

- Processing is conducted on the lawful ground of legitimate interest or of serving the public interest; however User objects on grounds relating to User's particular situation. In such a case, Dosisco may continue processing if Disco demonstrates that it has compelling legal grounds for processing which override User's rights or that processing is necessary to establish, exercise of defend a legal claim. User should note that despite the objection, Disco may continue to use User's personal data. This will be in cases where processing is required in compliance with legal obligations (the requirements of legal obligations to process and retain data will supersede any right to objection.).

- Processing is conducted for marketing purposes. In certain circumstances, if User objects to the processing of certain personal data, Disco may not be able to provide Services and may need to terminate provision of services.

Right to erasure ("to be forgotten"). User can request erasure of User's personal data (depending on the circumstances and agreements in place) where:

- Processing is no longer required for the reasons the data was collected or processed;

- Disco is relying on consent as a legal basis, and User withdraws the consent;

- User has objected to the processing of data;

- The data has been unlawfully processed (i.e. breach of legal basis requirement).

- Required by law.

Disco may continue to retain User's data if another legitimate reason for doing so exists. Disco's requirements to comply with legal obligations (record-keeping requirements in particular) to process and retain certain data will supersede any right to erasure requests, and Disco may also continue to retain/use User's data if another legitimate reason for doing so exists (for exercise of legal claims and or serving in the public interest).

Restriction of processing of personal data. User can request that Disco restricts /suspends the use of personal data if:

- User requested that Disco verifies the accuracy of personal data it has;

- Processing is unlawful but User does not request its erasure;

- Processing and retention of data is no longer needed by Disco, but User wishes that Disco retains it as this data is required by User to establish, exercise or defend a legal claim;

- User have objected to the processing of data and is waiting for verification on Disco's overriding legitimate interest.

In some cases restriction might prevent Disco from performing its obligations under the contractual relationship with User. In such event, Disco will notify User accordingly.

Withdrawal of consent. If Disco is relying on the lawful basis of User's consent (i.e. Disco requested and User provided his/her consent), User can withdraw such consent at any time. Disco may continue to process User's information if another lawful basis exists for doing so. If Disco is unable to provide User with Services due to the withdrawal of consent, Disco will inform User accordingly.

Data portability. User can request from Disco to provide personal data to User directly in an easily re-used format or to a third party if technically possible. This right applies only to personal information provided by User to Disco for the performance of contractual relationship with Disco, or which Disco processes based on User's consent. This right may not be fully applicable in cases where the processing is done due to a legal obligation of Disco.

13. Exercising data subject's rights

Users are advised to contact Disco directly at contact details indicted below to exercise User's rights or if User has any questions about the use of personal data. hello@getdisco.com

User may be subject to identification procedures and measures in order to ensure that no personal data is disclosed to unauthorized persons. Disco may also request additional information/clarifications to process User's request as rapidly and efficiently as possible.

All requests must be made in English in a comprehensive manner, and contain a clear description of the object of the request. Disco will not be able to process requests which are incomprehensive or in languages other than English.

Disco will not normally charge User a fee to access his/her personal data (or exercise other rights). Disco may charge a fee where User request is clearly unfounded, excessive or repetitive.

Disco aims to satisfy all legitimate requests within one month of receipt or to inform User of refusal, or of an extension period of up to three months to satisfy User's request. Disco will notify User appropriately if the request requires more than one month to fulfill, depending on the complexity of User's request and volume of data associated with it.

In case User has any complaints about the use of personal data, exercise of User's rights, User is advised to notify and/or file a complaint with Disco directly at the contact details indicated below. hello@getdisco.com Disco will immediately investigate and inform User in regards to the complaint.

Complaints must be made in English in a comprehensive manner, and contain sufficient details and a clear description of the complaint. Disco will not be able to process requests which are incomprehensive or in languages other than English.

© 2021 Get Disco LTD