Act - Personal Data Protection Act of the Republic of Estonia;

Close relative - Close relative a relative with a family relation up to second degree, including civil law partnership partner, with a shared household for at least one last year;

Collateral provider - a natural person (aged 18) or legal entity, which provides the collateral, which may be mortgage, commercial pledge, or guarantee, in order to secure the Project owner’s liabilities arising from the loan agreement, who may be a guarantor, pledgor or mortgagor;

Company - FUNDAUS OÜ, registration number: 14643807, legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Tartu mnt 6-10, 10145, being the Controller;

Connected person - any natural person closely connected to the Customer or the Collateral provider, i.e., Beneficial Owner, representative, member of ownership structure, management board member or director;

Consent - a consent given by the Data subject to process its Data;

Controller - a natural person or legal entity or other body that determines the purposes and means of the Processing;

Customer - Project owner or Investor;

Data - any information related to an identified or identifiable natural person;

Data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Data transmitted, stored or otherwise processed;

Data Protection Inspectorate (DPI) - state authority of the Republic of Estonia, responsible for monitoring of application of the GDPR;

Data subject - an identified or identifiable natural person, whose Data is gathered and handled by the Company;

Due diligence - research of the Data subject either in compliance with the requirements of the binding legislation or in order to ascertain its trustworthiness;

Erasure - the Data deletion and destruction process in result of which the Data cannot be restored;

Fundroom - the Investor’s personal page on the Platform;

GDPR - GDPR Regulation (EU) 2016/679 of the European Parliament and of the Counsel of 27 April 2016on the protection of natural persons with regard to the processing of personal Data and on the free movement of such Data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Information source - available public sources (internet, company registers, social networks, mass media etc.);

Investor - Investor a natural person (aged 18) or a legal entity, who receives the Services and grants loans to the Project owner via the Platform;

Joint controller - the Controller, who determines the purposes and means of the Processing jointly with the Company;

Joint controllers - two or more Controllers, which jointly determine the purposes and means of the Processing;

Member state - a country being a member of the European Union;

Platform - electronic system, used by the Company and by the Customers for provision and use of the Services;

Policy - this Privacy policy;

Processing - any operation or set of operations which is performed on the Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor - a natural person or legal entity, which processes the Data on behalf of the Company for its defined purposes;

Project owner - a legal entity whom the Company provides Services of financing its projects with the Invetors’ funds via the Platform;

Related party - a natural person, who owns share capital, whole or partially, or has voting rights, in the Company;

Recipient - any natural or legal entity, the Processor, Joint controller, the Third party and any other natural or legal person whom the Data is transferred or otherwise disclosed. State authorities which may receive the Data in the framework of a particular inquiry in accordance with Union or Member state law shall not be regarded as the Recipient;

Request - a written request submitted to the Company by the Data subject with a purpose to execute the rights in relation to its Data processed by the Company or the Joint controller;

Response - the Company provided response on the Request;

Services - Crowdfunding services provided by the Company;

Staff - employees of the Company;

Third party - Third party a natural person or legal entity other than the Data subject, Controller, Processor, and persons which, under the direct authority of the Company or Processor, are authorized to process the Data.

Website - www.fundaus.com

You - Data subject

The Data processing principles, which are defined by requirements of the GDPR, apply only to a natural person. Therefore, purpose of the Policy is to inform natural persons, being the Customers, Collateral providers, or Connected persons, on the main the Data processing principles and the Data protection measures, which are carried out by the Company.

Upon acceptance of the Policy, you agree with the Data processing principles and give the Company the Consent and entrustment to process the Data. When the Policy is accepted by you or on behalf of you, the Company receives an entrustment to process the Data provided and is indemnified against any claims related to this issue.

The Company regularly reviews and amends the Policy in case of such necessity. Despite a reference to the Policy can be made in the Service agreements, which may be concluded by the Company, this Policy does not form a part of any such agreement. Therefore, the Policy can be amended at any time, when the Company considers it necessary. The Company will notify you on the Policy updates and provide the amended version of the Policy to you by publishing on the Website.

The Company is the Controller of the Data gathered, handled, and processed in order to provide you the Services.

The Company strictly follows the Data minimization principle, gathering only the necessary Data from the categories listed below:

Identification data
name, surname, personal identification number, date of birth, residence, or seat address.

Identification documents data
copy of identification document with information on its number, issuance and expiry dates, issuance authority and photo image of the holder.

Due diligence data
including, but not limited with, information regarding ownership or management membership, economic activity, information whether the person is a politically exposed or sanctioned person, tax residence address. The Company may also require an information regarding criminal convictions or offences, but these categories of the Data can be received directly from you.

The Fundroom data
information related to creation of the Fundroom, authorisation and activities therein, including logins, IP-addresses, etc.

Financial data
information regarding performed transactions, accounts with the banks or payment institutions.

Contact data
information regarding residence or seat address, e-mail address, and phone number.

The Company processes the Data for the following purposes:

Identity verification
to ascertain and verify identity of the Customers and Collateral providers, to perform Due diligence, conclude contracts and to provide the Service.

Support of the Fundroomto create and maintain the Fundroom of the Investor, created on the Platform, and to support its functioning.

Performance of Due diligenceto perform research of the Customer or the Collateral provider either in compliance with requirements of the Estonian and European Union legal enactments related to prevention of money laundering and terrorist financing activities or to ascertain its trustworthiness for a purpose to decide on whether to provide the Services to it.

Reminders and notifications
to remind about uncompleted creation of the account with the Platform, to notify on the changes in provided Services and other changes that might affect rights or obligations of the Customer.

Sending information
to communicate with the Customers for commercial, marketing, and other purposes.You can refuse communication for the defined purpose by informing the Company via e-mail.

Conclusion of contracts
To conclude the Contracts related to the Services provided and to the Company’s activities

Enforcement of contractual obligations
to fulfil obligations in accordance with the terms and conditions of the concluded contracts.

Enforcement of statutory obligations
to perform accounting and to fulfil other obligations arising from requirements of legal regulation of the Republic of Estonia or European Union.

The Company processes the Data only for the purposes, which are listed above and only if at least one of the following grounds for the Processing occurs:

• the Consent is received from the Data subject (by itself or on behalf of it);

• requirements of the concluded agreements;

• requirements of the legal enactments;

• necessity of protection of interests of the Company.

The Company receives the Data either directly from you or obtain the Data from other reliable available information sources.

The Company may disclose the handled Data to the Processors or to the Third party, if it is necessary for provision of the Services, support of the Company’s business activity or is in the interests of the Customers. The Data transfer is performed only within the European Union and only to the Processors or the Third parties, who provide sufficient guarantees and ensure appropriate measures related to the Data protection in accordance with the GDPR.

The Company may entrust the Processing of the Data to the following categories of the Processors:

Payment service provider – for opening accounts for the Customers and processing payments related to the Services;

Legal service provider – for provision of legal support to the Company;

IT service provider – for supporting functioning of the Platform and ensuring the Data security;

Other outsourcing service providers - in case of such necessity.

You have the following rights in relation to the Data:

You are entitled to:

- obtain information on whether the Data is being processed and what categories of the Data is being processed;

- obtain information on source from which the Data is obtained (if it is not obtained form the Data subject);

- receive an access to the processed Data;

- receive additional information on categories, purposes, and retention of the processed Data;

- receive information on enterprises to whom the Data is transferred.

You are entitled to request prompt rectification of the inaccurate Data and completing of the incomplete Data. However, the Company verifies whether the Data the Request is about is incorrect and misleading, making appropriate rectification and completing only in case, when such necessity has been proven. The Company also can ask You to submit supplementary statement confirming the reasons of the Request.

You are entitled to request prompt erasure of the Data, which is in mandatory for the Company only if one of the following conditions exist:

- purpose of the Processing is reached and the Data is no longer necessary;

- the Consent is withdrawn;

- You object to the Processing;

- the Data is processed unlawfully;

- the Data must be erased in compliance with legal obligation.

You are entitled to restrict the Processing until the legitimate grounds of the Processing do not override Your legitim interests and when:

- the accuracy of the Data is contested until it is verified;

- the Processing is unlawful;

- the Data is no longer necessary for the defined purposes;

- the Data is no longer necessary for the Company, but is required by You for protection of the legal interests.

You are entitled to receive information on each enterprise and person who was informed on the Data rectification or erasure or restriction of the Processing upon the Request.

Right to portability

You are entitled to receive the Data and transfer them to another Controller insofar the Data has been provided based on the Consent. When the Request is about the transfer of the Data directly to another Controller, the Company will ask You to verify the correctness of the Data to be transferred. This right is not applicable to the Data created by the Company itself.

You are entitled to withdraw the Consent at any time. However, when the Company’s actions of the Processing are limited, the Company cannot guarantee due provision of the Services.

if You consider that the rights listed above are violated within the Processing or the Data breach is detected, You are entitled to complain the Estonian Data Protection Inspectorate https://www.aki.ee/en/ 39 Tatari Street, 10134, Tallinn, Estonia, telephone (from abroad add +372) 627 4135, [email protected]

If you have any questions or concerns regarding the Data handled by the Company, you can submit the Request using an e-mail [email protected].

The Company has appointed the Data Protection Officer, which is involved in implementation and observance of the legal requirements related to the Data Processing within the Company.

In order to contribute prompt and efficient processing of the Request please include in it at least the following information about you:

- Clearly specified right to be exercised;

- Full name and identification information of you;

- Full name and identification information on representative (where relevant);

- Preferable form of communication (by email or by post);

- E-mail or post address for communication.

If the Request is submitted by an authorized representative, please, provide authorization rights proving document.

After the Company have received the Request, it identify the Data subject comparing identification data (name, surname, date of birth or identification number and contact details) indicated in the Request with identification data the Company has at its disposal and previously received. The Company also ascertains whether a submitter of the Request is entitled to submit it and, when the Request is submitted by an authorized representative, the Company verifies its authorization.

The Company will provide You with a response within a month after the Request has been received. However, that period may be extended by two further months where necessary, if the complexity and number of the Requests do not allow the Company to observe one month time limit. The Company will inform You if the period of a response is extended and the reason of such delay.

A response for the Request is provided in electronic form unless You have required another way of communication.

Execution of Your rights related to the Data protection is free of charge, but the Company can demand compensation for any reasonable costs associated with dealing with the obviously ungrounded Requests.

The Data is retained in compliance with the time limits defined by the purposes the Data has been collected for and requirements of the legal enactment applicable to the Company’s business activity.

However, the Data storage time limits are strictly limited and continuously monitored by the Company in order to ensure erasure of the Data in appropriate way after their expiry.