DEFINITION OF PERSONAL INFORMATION

We collect your Personal Information as may be applicable. Your Personal Information that we collect may either be Basic Personal Information and/or Special Category Information:

Basic Personal Information is any information from which the identity of an individual can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual like name, date and place of birth, nationality, present and permanent address, specimen signature, authentication information or biometrics (fingerprint, face recognition, palm print, etc.), source of fund/income, name of employer or self-employment business, contact details such as telephone number, mobile number and email address, user credentials like username and password (login password and/or payment password), mother's maiden name, information about the device you use to interact with us, and identity supporting documents such as photo and valid identification cards.

Special Category Information is any information that falls under the category of personal information with higher security impact as described in applicable privacy law. This information includes but not limited to: marital status, cardholder data(CVV/CVC, Expiry Date), tax returns, individual government issued numbers, information on IDs issued by private entities duly registered with Department of Trade and Industries (DTI) and the Securities and Exchange Commission (SEC), and student IDs for those who are not yet of voting age (below 18 years old), and geolocation.

PURPOSE OF COLLECTING PERSONAL INFORMATION

It is important that we collect, use, process and analyze your personal information to comply with the requirements of the law and legal process, such as a legal and regulatory obligations to Bangko Sentral ng Pilipinas (BSP) and Anti-Money Laundering Act (AMLA), or to prevent imminent harm to public security, safety, or order.

Also, we collect your Personal Information, without limiting the generality of the purpose, to facilitate your transaction needs and avail of our products and services.

Please see below other purposes of collecting your personal information:

1. To create and manage your account and to ensure your fair and lawful use of platform's products and services;

2. To facilitate your transaction based on your preferences and needs from our products and services;

3. To communicate relevant advisories that might enhance your end-user experience and information on offers and promotions for our services and from our business partners;

4. To send relevant advertisements from SpeedyPay, from our business partners and third-party service providers;

5. Generate information to conduct statistical and analytical review for research and marketing purposes, for customer care and aftersales services, and other similar purposes;

6. To provide your information to the Credit Information Corporation in accordance to Republic Act no. 9510, otherwise known as the Credit Information System Act;

7. To share your information with third-party service providers for which you sign-up;

8. To implement measures to prevent money laundering, fraud and identity theft.

We will ask for your consent before we use or process your Personal Information when required by our Data Privacy Policy and the law for any other purpose.

SpeedyPay collect information of the device you use to access our Products and Services in order to safeguard and secure your account as part of our risk management and fraud prevention, to customize our services and to enhance and improve your end-user experience.

Please see below the following device information we collect:

a. Operating system, hardware and software versions, available storage space, browser type and installed applications;

b. Device IDs and other unique identifiers;

c. Nearby WiFi access points, hotspots and cell towers;

d. Mobile network operator or Internet service provider, Time Zone, IP Address, connection speed and information about any devices that are nearby or on your network;

e. Phonebook, contacts, and SMS.

The above information are automatically collect by our servers when you access the mobile App, such as your native actions that are integral to the App and actions taken when processing transactions like allowing access to your phonebook or contact directory. As such, we may also request access to your device's phonebook or contact directory in order to process your transaction. All information shared in the mobile app are collected and stored in our servers with a strict security preventing unauthorized access by any third party not part of our organization. If you wish to change our access or permissions, you may do so on your device's settings.

PRODUCTS AND SERVICES

We collect and process your personal information to have an access with the following products and services we are offering through our Mango e-Wallet platform:

PRODUCTS

o e-Mango Card (physical close loop card)

o e-Mango VISA Card (physical card- BancNet activated)

o Mango e-Wallet mobile application (virtual)

SERVICES

o Account Maintenance including change in account information, contact details and user credentials (user name, login password and/or payment password)

o Cash-In/Cash-Out service (CICO)

o Purchase in store or online

o Bills Payment to various merchants either in private or public entities.

o Send Money (Mango e-Wallet to Mango e-Wallet transfers or Mango Wallet to other eWallet provider transfers)

o Send Voucher/Redeem Voucher (Mango e-Wallet to Non Mango e-Wallet transfers)

o Bank Transfer

PROCESS OF COLLECTING PERSONAL INFORMATION

1. Know-Your-Customer (KYC)/ Identification Data: refer to Personal Data and Sensitive Personal Data we collect when you sign up or register to our products and services such as full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number and other government-issued identification numbers, mobile number, home number, office contact details, company name, job position or rank, office address, source of funds, gross annual income, and such other information necessary to conduct due diligence and comply with BSP rules and regulations.

2. Biometric Data: upon your express consent and subject to limitations imposed by law, datarocessed for customer verification using: (1) facial recognition technology; (2) liveness detection mechanism; (3) fingerprint recognition applications.

3. Transactional Data: linkable information to your Personal Data such as (1) bank account number, deposits, withdrawals, such other transfers made to or from your account, and details about them such as reference number, place and time these were made; (2) information when you contact us through our official channels such as branches, contact centers, web and mobile platforms; (3) card account number as well as purchases or transactions using your card; and (4) other forms of customer account number, payments, and transactions you have with us.

4. Financial Data: information about the value of your property and assets, your financial history and capacity, and other financial products and services you have with us.

5. Behavioral Data: this refers to your online behavior, customer segment, usage of our products and services, internet protocol address of your devices used to access our applications, interests and needs you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.

6. Audio Visual Data: for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches and automated teller machines, subject to limitations imposed by law.

7. Sensitive Personal Data: we may require the following Sensitive Personal Data upon your express consent: (1) your religion when you apply for insurance products with us; (2) for customer verification, your government-issued identification numbers or cards such as passport or driver's license ID; or (3) any information that is necessary, incidental to contractual agreement or in connection with a requested product or service.

8. Children's Data: we may collect information about children if they have opened an account with us with parental consent or if you provide us in relation to a product or service you signed up with us (i.e. when you register children as beneficiary to an insurance product or trust service with us). The foregoing data are collectively referred to as "Customer Data " or "Personal Information".

SHARE YOUR INFORMATION WITH THIRD PARTY

We value and respect your privacy as an end-user of our platform, Mango e-Wallet. We are committed to protect your privacy and to be transparent with the way we handle your personal information. We may need to disclose or share some of your personal information that you have provided to us with our accredited Third-Party service providers, who we engage with to support our business. SpeedyPay, Inc ensure that the Accredited Third-Party service providers are bound by obligations to keep your Personal Information confidential and to use them only for purposes for which we disclose it to them and this provision is included on the Data Sharing section of their agreed contractual arrangement with us that can demonstrate sufficient organizational, physical, and technical security measures to protect your Personal Information. Accredited Third-Party service providers are always subject to the SpeedyPay, Inc's Information Security Policies and applicable privacy laws of the Republic of the Philippines, Data Privacy Act of 2012 and its implementing rules and regulations.

We will never disclose your personal information to Third-Parties which are not part of our organizations, accredited agencies including their sub-contractors or business partners that act as our service providers and/or contractors except in the special circumstances where you have given your consent, and as described in this Data Privacy Policy.

We and our Accredited Third-Parties service providers may share your Personal Information to regulatory government agencies where we are bound to comply with reportorial and information submission requirements.

We may also disclose your Personal Information to our Third-Party Affiliates and Partners for marketing research and other specified legitimate purposes only after obtaining your consent on such sharing of information.

You are hereby consent that your Personal and Special Category Information may be collected, deposited, kept, transferred, processed, or otherwise dealt with in another jurisdiction which may be outside of the Philippine jurisdiction where Mango e-Wallet, its subsidiaries and affiliates, and third party partners may maintain their facilities and resources, in providing the Mango e-Wallet Services.

When you consent to the processing of your Customer Data with us, you also agree to help us comply with our statutory and contractual obligations with other financial institutions. We may also share your Customer Data externally with our partners, upon your consent, for value added services you may find useful and relevant on top of your account with us. For contractual and value-added service data sharing agreements, we employ standardized model clauses as recommended by National Privacy Commission to ensure data protection of Customer Data. Below are the disclosures required by the government entities, other regulatory authorities and financial institutions:

a. Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC)

a. We are subjected to mandatory disclosures to the AMLC under Republic Act No. 9160 or the Anti-Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or investments involved are in anyway related to unlawful activities or money laundering offenses.

b. BSP mandates disclosures and reporting in compliance with its issuances for the protection of the integrity of the EMI sector.

b. Bureau of Internal Revenue (BIR)

a. We may conduct random verification with the BIR in order to establish authenticity of tax returns submitted to us.

b. BIR may inquire into e-Wallet accounts of the following: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax authority.

c. Judicial and Investigative Authorities

a. We may be mandated to disclose certain Customer Data upon service of legal court orders (i.e. unexplained wealth under Section 8 of RA No. 3019) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.

b. In these cases, we would notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.

d. Other Regulatory Authorities

a. Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.

e. Financial Institutions

a. To fulfill payments and services, we may have to share your information with correspondent banks, network payment processors (i.e. Visa, Mastercard, American Express, JCB), stockbrokers, fund managers, or portfolio service providers.

b. We disclose your Personal Data with insurers, insurance brokers, or providers of deposit or protection against all kinds of risks.

c. For purposes of consumer reporting, account updates and fraud prevention, we may share your data with reference.

f. Value Added Services

a. With your express consent, we may disclose your Customer Data to our partners who collaborate with us to provide services to you and provide joint communications that we hope you find of interest.

b. Through our digital channels, you may instruct other mobile financial technology applications to retrieve your account information, initiate payments or cash-in from your account with us via our Application Programming Interface (API) facility.

STORAGE, PROTECTION AND RETENTION OF YOUR PERSONAL INFORMATION

We strictly enforce our Data Privacy Policy within the organization, accredited agencies including their sub-contractors and business partners that act as our service providers and/or contractors. When there is a need for us to store your Personal Information with a third party information storage providers, we use contractual arrangements to ensure that those providers take appropriate measures that are aligned with our Data Privacy and Information Security Policies.

We ensure that we have implemented appropriate technological, physical and organizational privacy and security measures that are designed to secure and protect your information from unauthorized access, use, alteration and disclosure and to maintain confidentiality and integrity in retaining and processing of your Personal Information.

DATA STORAGE.

a. We store Customer Data in secure and encrypted eWallet-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ BSP sanctioned security protocols and procure BSP approval prior deployment

b. We store physical copies of documents containing your Customer Data in physical secure vaults.

DATA ACCESS.

a. Customer Data can only be accessed by authorized personnel on a role-based manner following the proportionality principle that authorized personnel can only access the Customer Data they need for their role and purpose in the company.

DATA USE.

a. Customer Engagement

a. We use your contact details with us to communicate with you about your relationship with us. We may ask for feedback, surveys or polls about our products and services.

b. We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements and account security reminders.

c. You have the right to opt out from this form of communications with you or choose another means for which we can contact you.

b. Marketing

a. We may use your information for us to send out campaigns of commercial products and services we hope you find interesting, relevant, and useful.

b. We want to establish a more personalized relationship with you by providing you offers that would suit your lifestyle and needs.

c. We perform data analysis on results of our marketing campaigns to measure their effectiveness and relevance.

d. You have the right to withdraw your consent or unsubscribe from receiving personalized offers.

c. Due Diligence and Regulatory Compliance

a. We may use Customer Data to evaluate your eligibility for eWallet products and services.

b. We use your account details when you instruct us to make a payment or fulfill an investment order.

c. We process Customer Data in compliance with legal obligations and statutory requirements by BSP, and other regulatory agencies.

d. Business Insights

a. We perform data analysis and reporting based on your Customer Data and how we operationalize to aid our management make better decisions.

b. We analyze your behavioral data, your interactions with our products and services, and our communications with you to aid us understand the areas for improvement and development.

c. We analyze transactional data performed through our third-party service providers and partners in order to determine how we can jointly improve our products and services for you.

e. Data Quality

a. We shall process your Customer Data in compliance with the data quality standards imposed by BSP. We may obtain additional information about you from government institutions to improve the quality of your Customer Data with us. We may contact you to ensure accuracy and integrity of your information in our data processing systems.

f. Protection and Security

a. We process Customer Data for your account protection against cybercrime, identity theft, estafa, fraud, financial crimes such as money laundering, terrorism financing, and tax fraud.

b. We use your Personal Data such as name, age, nationality, IP address, home address, and other Transactional Data to conduct profiling for detection of suspicious activity on your account.

c. We may employ artificial intelligence and machine learning in real-time detection of suspected fraudulent activities on your account.

d. We may reset your password or temporarily hold your eWallet account to protect you from detected suspected fraudulent activities.

DATA RETENTION.

a. Pursuant to BSP Regulations, retention period for your registration and transaction records shall be five (5) years from the date of your registration and transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.

b. For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR Regulation.

c. We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which shall be in accordance with the standards of the eWallet industry.

DATA DISPOSAL.

a. Your Personal Information will be destroyed in irretrievable and unusable form in adherence with our physical and/or technical information security measures when retention is no longer required.

We also implement Information Security Policy as follows:

1. We keep and protect your information using a secured server behind a firewall encryption and security controls;

2. We strict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality;

3. We undergo regular audit and rigorous testing of our infrastructure's security protocols to ensure your information is always protected;

4. We let you update your information securely to keep our records accurate;

5. We implement processes to secure and protect the privacy of personal information being shared with service providers, both local and overseas;

6. We keep your information only for as long as necessary for the fulfillment of the purpose for which the information was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law, rules and regulations; and up to 5 years after account closure to comply with the requirements of Bangko Sentral ng Pilipinas (BSP) and to adhere with Anti-Money Laundering Act of 2001 (RA 9160).

7. We will destroy your Personal Information in adherence with our physical and/or technical information security policy when retention is no longer required with respect to existing laws, rules and regulations;

8. We promptly notify you and the National Privacy Commission, when sensitive personal information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person.

OWNER'S RIGHTS FOR THEIR PERSONAL INFORMATION

You, as the owner of the Personal Information, have certain rights under the Data Privacy Act of 2012, which includes:

1. Right to object to process your Personal Information;

2. Right to access your Personal Information;

3. Right to modify any inaccurate Personal information;

4. Right to suspend, withdraw or order the blocking, removal, or destruction of your Personal Information in our processing systems upon discovery and substantial proof that your Personal Information is no longer necessary for the purpose/s for which it was collected, and for such other cases provided in the Data Privacy Act of 2012, however, we will have to retain your account information in our systems in compliance with the retention period as prescribed in the " "STORAGE, PROTECTION AND RETENTION OF YOUR PERSONAL INFORMATION" " section of this Data Privacy Policy, as prescribed by another law, i.e. Anti-Money Laundering Act of 2001 (RA 9160);

5. Right to file a complaint with the National Privacy Commission should you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated;

6. Right to claim damages in case of inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal information;

We will process all your requests for access or correction to your Personal Information unless there are practical, contractual, and legal reasons that would prevent us from doing so. You have the right to ask for copy of any Personal Information we hold about you, as well as to ask for it to be corrected if you think it is wrong.

You may also get in touch with our Data Privacy Officer through the contact details provided in our website (www.e-mango.ph), should you feel that there has been mishandling or misuse of your Personal Information, or that any of your data privacy rights have been violated.

We welcome your feedback and wish to assist you on your Data Privacy needs and concerns, you can reach us through: dpo@e-mango.ph (Data Privacy Officer).