FINLEAP FINANCIAL SERVICES (PRIVATE) LIMITED

DISCLOSURE STATEMENT AND PRIVACY POLICY

The “Daira” online digital lending Daira is owned and operated by Finleap Financial Services (Private) Limited, a company incorporated under the provisions of the Companies Act, 2017, holding CUIN 0249962 (hereinafter referred to as “Finleap”), having its registered office at Daftarkhwan Vanguard, 5A Constitutional Avenue, Sector F-5/1, Islamabad. Finleap is engaged in the business of providing micro and nano-loans to its customers in Pakistan through the “Daira” Daira (hereinafter referred to as the “Daira”).

Finleap is committed to protecting and respecting your privacy. This Privacy Policy has been formulated to assist you to understand how your personal information will be collected, stored and processed by Finleap when you login to Daira.

All users or customers of Daira are advised to read and understand this Privacy Policy carefully, as by accessing Daira you agree to be bound by the terms of this Privacy Policy and consent to the collection, use, disclosure, safe storage and protection of your personal information by Finleap in accordance with this Privacy Policy, or any changes made hereto.

This Privacy Policy is subject to change or modification from time to time without prior notice. We will notify you of any material change to this Privacy Policy by posting a notice on Daira's homepage for a reasonable period of time following such update or by sending an email to the email address associated with your user account. It is advised that you regularly review our Privacy Policy as available on Daira to keep up to date with any changes made.

References below to “you” or “customer” shall mean any visitor, user, business partner, agent, supplier, vendor or customer of Finleap and shall include a “User”. References to “we” or “us” shall mean Finleap.

1. When this Privacy Policy applies

1.1. This Policy applies when you access, sign-up, provide information, upload or supply documents or otherwise use or subscribe to Finleap's products, services, applications, websites or networks, all of which are subject to the terms of this Privacy Policy. This includes data, video, advertising, internet and other products, services and applications.

1.2. This Privacy Policy also applies to you and anyone who uses our products or services under your account, except where we identify that a separate privacy policy or terms and conditions apply. You are responsible for making sure you understand this Privacy Policy.

1.3. You must agree to and be willing to accept the terms of this Privacy Policy before you may visit or use Daira, or any products or services offered therein.

1.4. This Privacy Policy and any additional terms of use apply to you even if you are not our customer and you interact with us as part of running our business, such as by:

a. accessing any of our products or services accessible through Daira;

b. when using any of our products or services;

c. generally enquiring about our services or products.

d. when entering any promotion;

e. when calling our help desk; or

f. when you download Daira, or sign-up or create an account on Daira.

1.5. If you need to give us personal information about someone else in relation to our products and services, this Privacy Policy will also apply.

1.6. Depending on the product or services, you may also receive service-specific and/or region-specific terms. You will be legally bound by both this Privacy Policy and the service/region specific term to the extent that you have accepted them when signing up to any service or product; therefore, you are required to read these terms carefully.

1.7. It is your responsibility to ensure that all personal data submitted to Finleap are correct. You are responsible for maintaining the accuracy and completeness of personal data and keeping the data up-to-date.

2. What Information We Collect

2.1. Finleap is committed to protecting all Personal Information (defined below at clause 2.2) of its employees, customers, business partners, suppliers, contractors and other parties that Finleap will engage with.

2.2. To this end, Finleap hereby formulates uniform practices and procedures for the collection, recording, consolidation, update, disclosure, storage, access, transfer, retention, destruction and for the fair, proper and legal processing of your Personal Information. The terms of this Privacy Policy apply to all persons whose Personal Information is processed by Finleap through Daira.

“Personal Information” means any information that can be used by itself to uniquely identify, contact, or locate a person, or can be used with information available from other sources to uniquely identify an individual, such as personal information that you provide when you make any request, use our services, set up a user account or otherwise interact with us or provide information, which includes your name, father's name, mother's name, CNIC, passport number or any other personal identification number, mailing/home address, e-mail address, phone/mobile number, home country, occupation, educational background, and zip/postal code, SIM card, age, gender, username, password and other registration information (such as the security questions and answers we have on your account), personal description and photograph.

2.3. Only after obtaining your additional explicit consent, we may collect some other personal information about you. For example, the information within text messages in connection with the loan, which may be stored and analyzed; such as One-Time-Password (OTP) auto-fetching, or SMS alerts sent by Finleap, your reference contacts in the loan application may be collected for risk control purposes; your location information (IP address, longitude and latitude information) may be collected for anti-fraud purposes. Finleap may associate any category of information with any other category of information and will treat the combined information as personal data in accordance with this Privacy Policy for as long as it is combined.

2.4. When you use Daira, we store your Personal Information, which is obtained through your express consent to this Privacy Policy, which, once collected is clearly displayed on Daira to be solely accessible to the user. This allows us to provide services and features that cater to your needs and customizes Daira to make your experience more efficient and easier. More importantly, we will collect Personal Information from you that we believe is necessary to achieve the purposes stated in this Privacy Policy. In general, when browsing Daira, you are not required to provide any Personal Information. However, when creating an account on Daira, you must provide us with certain basic information required to provide customized services.

2.5. We collect information when you register with us via the Daira by creating an account or when you respond to advertisements or posts on Daira, including information and data provided by you when filling in the forms as part of any advertisement or post, or on Daira, and information and data provided in the course of any correspondence with us (for example, by e-mail or chat or helpline).

2.6. We collect and upload a list of account information recorded by the user account management center on your device, such as your Gmail/Facebook/email account name and account type. We will save this account information in our system database for creation of your user account. We will use this information in order to monitor your use of Daira for AML and CFT purposes, as and when deemed necessary by Finleap.

2.7. We collect information and data you provide when you register to use any products or services via Daira, download or register the same, subscribe to any of our services (such as applying for a loan), search for a product, service or application, share data via Daira, enter a competition, promotion or survey, and when you report a problem with Daira or our services, through a mode of communication available on Daira.

2.8. Finleap and its authorized third-parties may also collect, store and process personal information such as password, financial information (details of bank account, credit card, debit card, or other payment instrument details) and other relevant information in order to enable us to more effectively market and provide our products, services and for use of our Daira.

2.9. We may also collect your information from outside sources like credit reports, marketing mailing lists, and commercially available geographic and demographic information.

2.10. We may collect information when you install or uninstall Daira to avail any products or services. Such product or service may contain a unique application number or when such a product or service searches for automatic updates, that number and information about your installation, for example, the type of operating system, may be sent to us.

2.11. If you, another user or any third party sends us a private letter or email or communication about your activities or posts on Daira, we will collect this information in a file specific to you.

2.12. Reference Contacts: Subject to your prior express consent, we shall collect information of your reference contacts when you enter the details of the reference contacts on Daira, in order to verify details provided by you during the loan application process. Risk analysis requires this information to allow us to test reliable references to prevent fraud and track collections.

2.13. Each time you visit Daira, we may, in addition to the above, collect the following information:

a. Non-personal information, including but not limited to, a customer's Internet Protocol (IP) address, operating system, browser type, and internet service provider. This type of information does not identify the visitor or customer personally.

b. Technical information, including the type of mobile device you use, unique device identifiers (for example, your device's IMEI, serial number, SSAID, AAID), operating system information, SDK version information, and operator name, information about the SIM card used by the device including SIM serial number and SIM slot, mobile network information, your device operating system, the type of browser you use, or your device's location, time zone setting (device information), Wi-Fi information and list of installed applications such as App name, App package name, App installation time (in order to identify and analyze your behavior and risk across multiple loans to assess whether the loan can be processed, helping prevent fraud).

c. We require camera access in order to enable you to take personal selfies for photo verification and KYC purposes. We will also seek permission to access the mobile camera so you are able to click on the photos of your KYC files and other necessary documents and upload the same application during your loan application process.

d. Details of your use of Daira including, but not limited to traffic data, location data, weblogs and other communication data (log information).

e. Finleap may also use GPS technology or other location services to determine your current location (location information) for credit modeling and anti-fraud purposes.

2.14. We collect information about your device to provide automatic updates and add-ons. In addition, this information provides us with valuable feedback about your identity as the device owner and your device behavior, thereby allowing us to improve our services and provide you with an enhanced customized user experience.

2.15. The information collected by Daira and how it is used depends on how you manage the privacy controls on your device. When you install Daira, we will store the information we collect through a unique identifier bound to the device you use.

2.16. You agree that Finleap may collect, store and process all of the information mentioned above which we may collect as part of your interaction with Finleap, including third-party supplied information. By using Daira, customers hereby agree and consent to the collection, and use of the personal information for any of the products or services that we offer, and consent to our collection of any changes or updates to such information.

3. What we use the information for

3.1. Information collected by us (or where applicable and necessary, the parties stated at clause 3.3) shall be used exclusively in connection with providing you with financial services via Daira. In this regard:

3.1.1. We shall use the information to determine whether or not to provide a financial service or product to you, the amount of such exposure and the terms and conditions applicable to such services or product.

3.1.2. We access, store and use the information we collect from you to provide our services and develop new products. We use personal information to provide the services you request in order to customize your user experience and improve our services. If we intend to use your personal information to promote any products to you, we will provide you with the ability to opt-out of such uses.

3.1.3. Subject to your consent, we may share your personal information with other partners, as described in this Privacy Policy, when services are provided by partners authorized by us. In addition, we may share personal information with our affiliates and subsidiaries subject to your consent.

3.1.4. We use your information to power our services and to improve your experiences and interaction with Finleap. We use your information to provide, support, improve, protect, analyze and bill for our products and services; to communicate with you about your service, products or applications; to market our products and services; to detect and avoid fraud; for advertising; and for research purposes.

3.1.5. We may use information we collect from you when you purchase a product or service from us, sign up for our newsletter, respond to a survey or marketing communication, surf the or Daira, if you register for an online account with us, download and register on one of our apps or use certain other site features in the following ways:

a. personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested;

b. improve our /app in order to better serve you;

c. allow us to better service you in responding to your customer service requests;

d. administer a contest, promotion, survey or other site feature;

e. ask for ratings and reviews of services or products; and

f. follow up with them after correspondence (live chat, email, phone inquiries, or WhatsApp, either directly with the user or with and through an authorized person of reference whose information has been provided by the user to Finleap). The said modes of communication will be conducted exclusively through official channels, and all such communications shall be duly recorded.

3.2. This means we may:

a. record details about the products and services you use or order from us;

b. send you product or service-information messages (we may send you messages to confirm your order and tell you about any changes that might affect your service, like when we have infrastructure work planned or need to fix something);

c. let you create and log in to the online user accounts;

d. charge you and make sure your payment reaches us; and

e. give information to someone else (if we need to for the product or service you've ordered) or to another communications provider if you're buying some services from them and us.

3.3. In addition, we use the following information to provide products and services and manage your account:

a. your contact details and other information to confirm your identity and your communications with us. This includes your Personal Information and other relevant credentials;

b. your payment and financial information;

c. your communications with us, including emails, webchats and phone calls. We will also keep records of any settings or communication preferences you choose; and

d. information from cookies placed on your connected devices that we need so we can provide a service.

4. When we may disclose information to third parties

4.1. We may disclose some or all of the data we collect from you when you download or use Daira to connect to mobile wallet providers, credit bureaus, duly licensed lenders or other partner financial institutions. We may, with your consent, disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, and any agents or counsels of Finleap.

4.2. We may also use a third-party payments services provider or payments processing company to process payments and repayments, transfer money to your operative user account, process other payments, and to provide additional products and services, and may therefore disclose your information to such third-party payments services provider.

4.3. We may disclose your personal information to any local or international law enforcement officers or competent regulatory or governmental agencies or a court of competent jurisdiction, in good faith belief that such disclosure is reasonably necessary to enforce any terms and conditions and/or this Privacy Policy, to assist in the prevention, detection, investigation or prosecution of criminal activities or fraud.

4.4. We shall use your data for the purposes of compiling statistic relating to our user base or financial product or services and may disclose such information to any third party for such purposes, provided that such information will always be anonymous.

4.5. We may use other third-party companies to monitor site traffic, which may, in some instances, store customer information. Where we use another organization, we still control your personal information and we have strict controls in place to make sure it's properly protected.

4.6. We may also disclose or transfer your personal information to third parties in the event that:

a. Finleap is involved in a merger, bankruptcy, acquisition, reorganization, liquidation, or sale of assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

b. Finleap or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets;

c. Finleap is under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.

4.7. We may also disclose such information in order to enforce any Finleap terms and other agreements or to investigate potential breaches; report defaulters to any credit bureau or for the purpose of publishing statistics relating to the use of Daira, in which case all information will be aggregated and made anonymous.

4.8. We may use your Personal Information or any other information obtained as stated in this Privacy Policy in order to contact you via telephone, email, Whatsapp/messenger, SMS or other available means.

5. Tracking and Cookies

5.1. “Cookies” are small text files transferred by a web server to users' hard drive and thereafter stored on their computer. The types of information a cookie collects include the date and time users visited, their browsing history, preferences, and username.

5.2. Finleap may use Cookies to manage our users' sessions and to store preferences, tracking information, and language selection. Cookies may be used whether customers register with us or not.

5.3. In some instances, our third-party service providers may use cookies on Daira. We cannot control or access cookies used by third-party service providers. This Privacy Policy covers only Cookies used by us, and not any Cookies used by third parties.

5.4. Customers may have the ability to either accept or decline the use of Cookies on your computer, whether registered with us or not. Typically, you can configure your browser to not accept Cookies. However, declining the use of Cookies may limit your access to certain features of Daira. Cookies helps us to provide you with a good experience when you use Daira and also allows us to improve Daira.

5.5. We will not use Cookies for any purposes not stated in this Privacy Policy. You can clear all the Cookies stored on your computer, and most web browsers provide the option of blocking Cookies. However, by doing so, you have to change the user settings every time you visit our website.

5.6. In addition to Cookies, we may also use other similar technologies on our Daira such as web beacons and pixel tags. For example, when you receive an email from us, it may contain a click-through URL that links to our web page. If you click the link, we will track your visit to help us learn about your preferences for products and services and improve our customer service. A web beacon is a transparent graphic image embedded in a website or application or in an email. We use pixel tags in emails to find out whether an email has been opened. You can unsubscribe from the mailing list at any time if you do not want to be tracked in this manner. By using our Daira and consenting to this Privacy Policy, you consent to the use of Cookies, web beacons and pixel tags as described above.

5.7. We retain above information to resolve necessary disputes, provide support to users, and resolve issues permitted by law

6. Changes to User Information

You can choose to edit/modify or delete/withdraw any your own personal information submitted on or for use of Daira at any time. Please note that deleting or withdrawing information may affect the services we provide to you. If there is any change in personal information made by you, you must provide supporting documents related to the change of personal information for verification by Finleap.

7. Security Practices and Safety Precautions

7.1. We adopt reasonable security practices and procedures, to include, technical, operational, managerial and physical security controls in order to protect your personal information from unauthorized access, or disclosure while it is under our control. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential.

7.2. The data and information we collect from you may be transferred to, and stored at, a destination, i.e. it is encrypted and stored on the Finleap server. The staff members at the destination may be engaged in the fulfillment of your requests. By submitting your personal information, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

7.3. Our security practices and procedures limit access to personal information on need-only basis. Further, our employees are bound by code of conduct and confidentiality policies which obligate them to protect the confidentiality of personal information.

7.4. We maintain the security of our Daira, however, for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk. However, we will use all reasonable efforts to ensure the security of your information. We observe reasonable security measures to protect your personal information against hacking and virus dissemination.

7.5. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Daira, you are responsible for keeping this password confidential. We maintain the security of our Daira, however, for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk. However, we will use all reasonable efforts to ensure the security of your information. We observe reasonable security measures to protect your personal information against hacking and virus dissemination or prevention of unauthorized access, to the extent reasonably practical..

7.6. You agree that Finleap or any of its affiliates, associated or related entities, employees, directors, shareholders, agents, counsels or representatives etc. shall have no liability towards you in case of any unintended security breach which results in unauthorized access to, or disclosure of, your information. You agree to waive, to the fullest extent permitted by law, all of your rights to seek damages or otherwise hold Finleap and its related entities liable for any security breach resulting in disclosure or unauthorized access to your information.

8. Privacy Control and Permissions

8.1. Regarding the information we collect and how it is collected, you have specific choices that may control what information we collect after using your device. For example, you can modify the permissions on your Android or iOS device to access camera or audio permissions or delete your account on Daira. You can also delete content from our servers, subject to applicable laws, by requesting us via email at CustomerServicePK@Finleap.com.pk.

8.2. Once you have deleted your account, you will no longer be able to use the services via Daira. Finleap reserves the right to retain your personal information in accordance with relative applicable laws and regulations for a retention period required by the laws. Upon the expiration of the retention period, we will remove or anonymize your personal information.

8.3. To the extent required by applicable law, you may (i) have the right to access certain personal data we maintain about you, (ii) request that we update or correct inaccuracies in that data, (iii) object or restrict to our use of your personal data, and (iv) ask us to delete your personal data from our database. To exercise these rights, please write to our data protection officer on:

Data Protection/Privacy Officer

Finleap Financial Services (Private) Limited

Email: CustomerServicePK@Finleap.com.pk

8.4. Your written request may be required for security. When you object to, or restrict our use of your personal data, this may affect the services we provide to you. We may decline the request if we have reasonable grounds to believe that the request is a fraudulent, unfeasible or may jeopardize the privacy of others.

9. Link to other websites or applications

Daira contains links to other websites or applications not owned or managed by Finleap. These other websites or applications may collect your personally identifiable information. We are not responsible for the privacy practices or content of these linked websites or applications and only deal with the disclosure and use of the information we collect through Daira as stated in this Privacy Policy. Kindly ensure to review privacy policies of websites or applications that you visit which have been linked on the Finleap to ensure safety of your personally identifiable information.

10.Your Consent to the Collection, Use and Disclosure of Information

10.1. By using Daira and/or by providing your information, you agree to the collection and use of the information you disclose or that generated as a result of your use of our service on the or Daira in accordance with this Privacy Policy, including but not limited to your consent to the collection, use, sharing and disclosure in accordance with this Privacy Policy your message. If we decide to change our Privacy Policy, we will post these changes on Daira so that you can always know what information we collect, how we use it, and under what circumstances we disclose it.

10.2. By providing us with your contact information, including home or mobile phone number, we obtain your permission to contact you or the authorized person whose details have been provided by you to Finleap through SMS, manual or pre-recorded voice messages and automatic dialing technology, WhatsApp, email, live-chat, and post, for all purposes that are not prohibited by applicable laws. Message and data rates may apply. The purpose of the call and information includes; suspected fraud or identity theft; obtaining information; transactions or services of your account; collecting your account or collecting accounts that are in arrears. The rights granted to us in this section are extended to our company's affiliates, subsidiaries, agents, suppliers, ultimate holding company or its subsidiaries.

11.Exercise Access, Rectification, Cancellation and Opposition (“ARCO”) Rights

11.1. To the extent required by applicable laws, you have the right to access your personal information collected and the details of their treatment, as well as to rectify them if they are inaccurate or cancel their use through a written request addressed to the following email address CustomerServicePK@Finleap.com.pkor by submitting a letter within the office facilities of Finleap during office hours on working days, said requirements will be attended on priority basis. Please note that deleting or withdrawing information may affect the services we provide to you. If there is any change in personal information made by you, you must provide supporting documents related to the change of personal information for verification by Finleap.

11.2. To exercise ARCO rights, an application must contain and accompany the following:

a. The full name of the user, address and email account or any means to communicate the response to the request.

b. The documents that prove the identity or, where appropriate, the legal representation of the user.

c. The clear and precise description of the Personal Information on which you wish to exercise any ARCO Rights.

d. In the case of requesting a rectification, the documentation that supports the requested rectification must be attached.

e. Finleap reserves the right to request additional information and/or documentation to that mentioned in order to meet the request.

11.3. Finleap will not be obliged to delete any personal information when (i) it is necessary for performing the contract obligations, (ii) it is subject to the applicable laws, (iii) it is necessary to comply with an obligation legally acquired by the user.

11.4. You may also at any time oppose the processing of data that is not essential for the legal and/or commercial relationship that you establish with Finleap, which you may do through the procedure indicated here.

11.5. In the processing of your personal information, it is primarily anticipated that its protection is against any damage, loss, alteration, destruction, and against any unauthorized use, access or treatment.

11.6. Subject to applicable laws, you have the right to withdraw your consent to the collection, storage, processing and disclosure of your information at any time, provided that you have no obligation pending towards Finleap. By withdrawing your consent, you will no longer be eligible to use Daira or maintain a user account with Finleap. You can also withdraw your consent for further collection of this information at any time by logging out and uninstalling the Finleap mobile or other applications from your device.

11.7. We process your personal data based on your consent. However, withdrawal does not affect the legitimacy and effectiveness of how we process your personal data based on your consent before the withdrawal is made; nor does it affect any data processing based on another justification other than your consent.

12. Protection of Minors

We place great value on the protection of minors' personal information. As required by applicable laws and regulations, any user under the age of 18 should be banned to use our service. As the parent or statutory guardian of a minor, it is your responsibility to prohibit your child from using our service. Otherwise, all legal consequences are borne by yourself.

13. Disputes

With respect to any disputes regarding this Privacy Policy including but not limited to any provisions related to indemnification, limitation of liability relating to damages, choice of law and dispute resolution forum, we ask you to first submit any such complaints directly to us the relevant customer services desk or helpline.

14. Contact Us

You may contact us with any questions, comments, requests, or feedback regarding this Privacy Policy through the website: www.finleap.com.pk or via e-mail: CustomerServicePK@Finleap.com.pk. Our contact information is as follows:

Company name: Finleap Financial Services (Private) Limited

Trade name: Daira

Contact us by email: CustomerServicePK@Finleap.com.pk

Business hours: 09:00 - 18:00 - Monday to Friday