Privacy Policy arvy App

Our privacy policy describes what personal data arvy AG collects, processes, uses and stores about you when you use the arvy app. Personal data is any information relating to an identified or identifiable natural person. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

Your personal data will only be transferred to third parties if this is necessary for the purpose of contract processing, if you have given your prior consent, or if legal provisions permit or require this. We would like to point out that data transmission over the internet (e.g. when communicating by email) may be subject to security vulnerabilities. It is not possible to completely protect data from access by third parties. This policy may be updated at any time, in which case we will always inform you of any changes. The current version of the privacy policy is available on our website at https://arvy-preview.aramiko.ch/privacy-policy-arvy-app/

1. Responsible body

The collection, processing and use of personal data collected from you when using the arvy app is carried out by:

arvy AG, Claridenstrasse 36, 8002 Zurich, Switzerland ("arvy"),

Email: hello@arvy-preview.aramiko.ch

You can find more information about arvy in the legal notice on our website.

2. Scope of application and delimitation

This privacy policy applies only to the use of the arvy app and therefore, in particular, not to:

  • visiting and using the arvy website (further information on data protection in connection with the use of the arvy website can be found in the applicable privacy policy on our website);
  • personal information that may be collected and stored in the context of announced recordings of telephone conversations with our employees in order to comply with our legal obligations or for business purposes of arvy;
  • other websites to which you are redirected via a link.

3. Legal basis for data processing

We collect, process and use your personal data lawfully and in good faith. Depending on the purpose of the respective data processing, arvy processes your personal data on the following legal bases:

3.1 Contractual obligations

arvy's first priority is to process personal data in the context of initiating or executing contracts with customers, in particular to manage, operate, maintain and improve the arvy app and the services offered on it.

3.2 Legal obligations

arvy must comply with applicable laws and may be required to disclose, report or hand over your personal data due to a legal obligation or an official order.

3.3 To protect legitimate interests

Where necessary, arvy processes your personal data beyond the actual fulfilment of the contract in order to protect its own legitimate interests or the legitimate interests of third parties, e.g. for the monitoring and control of money laundering and other operational risks, for planning, product development and statistical purposes, for marketing and market research purposes in order to provide appropriate information about the arvy range of services and to protect and secure arvy's claims in the event of claims against arvy or arvy's customers, as well as to protect the safety of customers and employees.

3.4 Consent

For other processing purposes beyond the actual fulfilment of the contract, the processing of your personal data may be based on your consent, which you can revoke at any time.

4. What personal data does arvy use?

arvy strives to store only as much data about you as is necessary to offer you the full range of functions with the highest possible level of security. In order to offer you the contractual scope of use, arvy collects, stores, processes and uses personal data. Your personal data will only be passed on to third parties if we are obliged to do so by law, if you have given your prior consent, or if these third parties can assert a legitimate interest. Additional offers that require further processing of your personal data require your explicit consent.

4.1 Login to the arvy app

To log in to the arvy app (after registering via arvy and opening an account with Hypothekarbank Lenzburg), you must enter your mobile phone number, email address and password.

4.2 Identification with fingerprint and facial recognition

The arvy app can enable login via fingerprint and facial recognition if the device you are using supports this function. In this context, neither arvy nor the arvy app receive your biometric data. If you would like further information on how fingerprint or facial recognition identification works, please contact the respective provider of this function.

4.3 Data collection and processing when opening and using the arvy portfolio and concluding the asset management agreement

Master data: For the purpose of opening the arvy portfolio with Hypothekarbank Lenzburg AG, using the services of arvy and concluding the asset management agreement, the following personal data is collected, used, processed and stored during onboarding:

  • Title
  • First and last name
  • Date of birth
  • Gender
  • Marital status
  • Email address
  • Nationality
  • Residential address
  • Mobile phone number
  • Beneficial ownership
  • Tax domicile and US tax liability
  • Audio and video recordings for identification purposes
  • Copy of identification document
  • Type of identification document
  • Date of issue
  • Expiry date
  • ID number
  • Payment account

Termination: If you terminate your arvy account with Hypothekarbank Lenzburg, customer data will remain stored with arvy for 10 years in order to prevent misuse and in accordance with regulatory requirements. By properly uninstalling the arvy app, all data generated locally on your device by the app will be deleted. At the customer's request, we will then delete all personal data (name, address, transactions, etc.) from productive systems, to the extent permitted by law. For unstructured data, such as tickets with questions about a technical problem or data that has been backed up, arvy cannot guarantee complete deletion.

Notifications: When using the arvy app, you can activate the "Notifications" function to receive the latest information about arvy. This function uses the Apple Push Notification Service (APNS) from Apple Inc. ("Apple") or the Google Cloud Messaging Service (GCM) from Google Inc. ("Google"). If you would like further information on how this works, please contact the respective provider of this function. arvy will send you a corresponding notification depending on your device's operating system. In any case, the notification will be transmitted in encrypted form.

4.4 Identification procedure

Hypothekarbank Lenzburg and arvy are legally obliged to verify your identity when you open an account by checking a valid identity document and storing certain details from the identity document. To this end, we offer you an online identification option that is carried out in accordance with the criteria of FINMA Circular 2016/7 "Video and Online Identification" ("FINMA RS") of the Swiss Financial Market Supervisory Authority FINMA ("FINMA").

Online identification is carried out by Hypothekarbank Lenzburg. To this end, it relies on the services of Intrum AG (hereinafter referred to as "Intrum AG"), a company based and operating in Switzerland. Identity verification is carried out, among other things, by means of electronic copies of identification documents transmitted via encrypted channels. Arvy transmits the type of identification document (passport or ID card, nationality) to Intrum AG. Intrum AG assigns a transaction number to this data. For the further implementation of online identification, a secure connection is established between Intrum AG and your device, which enables the necessary digital verification of the identification features. In order to carry out this digital verification, the app must be able to access the rear and front cameras of your device so that photos (as well as a continuous video) of you, the front and back of your ID card and, if applicable, your foreigner's ID card can be taken. These photos, the video and the personal data collected are transmitted by Intrum AG to Hypothekarbank Lenzburg and on to arvy. During the online identification process, Hypothekarbank Lenzburg must verify the authenticity of the identity card or passport you have presented. To this end, Intrum AG's software electronically checks the integrity of the identity document and its optical security features in accordance with regulations. If the security features are not clearly recognisable or if there are other anomalies, a Hypothekarbank Lenzburg employee may subsequently carry out a manual check of the photos taken.

Customer support: arvy uses the Intercom and Pipedrive systems to provide customer support. In order for arvy to provide you with the best possible assistance, the following information may be stored for the sole purpose of providing support services: surname, first name, email address. The data stored in this way is stored in a data centre in the European Union in accordance with the applicable data protection regulations. Arvy stores the correspondence between you and our customer support team, regardless of whether we communicate by email, chat or telephone, so that we can better assist you with future enquiries. Questions asked via the Apple App Store or Google App Store, social media such as LinkedIn or Twitter can also trigger a ticket and be stored via Intercom's software.

5. What data does the arvy app create?

Usage data: arvy collects, processes, uses and stores data generated when using the arvy app in order to improve the user experience and prevent misuse. In particular, this includes the IP address, screen resolution and operating system of the device used to access the app, the date and time of access, the duration of the visit and the content accessed during a visit (collectively referred to as "usage data").

"Invite friends": arvy offers you the option to invite your friends to join arvy. If your personal invitation code was entered during registration, the names of the inviter and invitee can be displayed to each other (e.g. in an email). To this extent, you agree to the transfer of your personal data to the invitee or inviter and release arvy from its confidentiality obligations to this extent.

6. Does arvy use non-personal/anonymous data?

Non-personal/anonymous data, such as statistics about the device you use, cannot be used to identify you personally. We use such data to continuously optimise the performance and range of services offered by the arvy app.

7. What does arvy do to protect your personal data?

Communication between arvy and Hypothekarbank Lenzburg is fully encrypted using the standardised TLS/SSL protocol. Security: All data is exchanged via an interface layer based on a secure application programming interface (API) provided by Hypothekarbank Lenzburg or arvy. All bank data is stored in the data centre of Hypothekarbank Lenzburg or Swiss data centres. These are ISO27001-certified. We are subject to the Swiss Data Protection Act and take appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse.

8. How are third-party services used?

Just like banks, we also rely on third-party services, such as our data centre. Your personal data is protected in all cases. Third-party providers: In order to use technical or organisational services from third parties that we need to fulfil the purposes stated in this privacy policy or our other business activities, personal or other data of users may be stored in the systems of such service providers. This data is stored in a data centre in Switzerland certified according to ISO27001 standards; personal data held in Pipedrive's customer support systems is stored, in accordance with the applicable data protection regulations, in a data centre in the European Union. Our service providers are subject to the respective data protection laws and are also contractually obliged to process personal data exclusively on our behalf and in accordance with our instructions. We oblige our service providers to comply with technical and organisational measures that ensure the protection of personal data.

9. What about analytics services and tracking technologies?

In order to enable statistical analysis of your usage behaviour, arvy uses carefully selected analysis services and tracking technologies. The data collected in this way is anonymised. Only information about how the arvy app is used is recorded, e.g. page views and loading times, but never any personal or customer-identifying data or content. The data collected in this way is used exclusively for troubleshooting and optimising the customer experience.

10. What about emails?

In every email we send you, you have the option to unsubscribe from further product information or emails – with the exception of emails that are necessary for the customer relationship or its termination. You can do this either directly in the footer of the email or, if this function is not available, by contacting our customer support. For the purpose of sending emails, arvy stores your email address, first name and chosen language, as well as customer segment attributes if required, with our email delivery service provider. An appropriate level of data protection is contractually guaranteed by this service provider.

11. Will my personal data be transferred abroad?

Personal data is transferred outside Switzerland if it is necessary for the provision of services (e.g. for identification purposes), required by law (e.g. in the context of automatic information exchange) or with your consent. arvy ensures (e.g. through the use of appropriate data protection agreements) that the recipients of personal data guarantee an adequate level of data protection. In the context of providing customer support, all personal data, as described in section 4, is stored via the Pipedrive systems in accordance with the General Data Protection Regulation (GDPR) in a data centre in the European Union.

12. Duration of storage of personal data

Arvy processes and stores your personal data for the duration of the entire business relationship (from initiation, account opening to contract termination) and beyond, in accordance with legal storage and documentation requirements. It is possible that personal data may be retained for the period during which claims can be asserted against our company and insofar as we are otherwise legally obliged to do so or legitimate business interests require it (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised.

13. How can I find out more?

Duty to provide information: Upon request, arvy will provide you with information about all personal data stored about you, recipients or categories of recipients who have received personal data about you from us, and the purpose of storage. If the personal data stored about you is incorrect, please contact customer support so that we can correct it immediately, or, if the functionality exists, adjust the personal data yourself directly in the arvy app. You also have the right to block, delete or destroy this data. Legal restrictions remain reserved. If you have given your consent to the use of data, you can revoke this at any time with effect for the future. Revoking your consent may result in our services no longer being available to you without restriction or in the termination of the user relationship.

Customer support: For help using the arvy app or for general questions about this privacy policy and data protection at arvy, you can contact our support team at any time at hello@arvy-preview.aramiko.ch or by post at arvy AG, Claridenstrasse 36, 8002 Zurich, Switzerland.

14. Entry into force

This privacy policy comes into force immediately. arvy reserves the right to make changes to the privacy policy at any time. These will be communicated to customers by email or notification in the app and are deemed to have been approved if no objection is made within 30 days. If no objection is made within this period, which begins upon receipt of the email/notification, the amended privacy policy shall be deemed to have been agreed and accepted.