Version 1.0.

Updated on 14 May 2024.

In this Privacy Policy, Pan-African Tiers Limited (hereinafter: "Tiers", "we", "our") shall inform you about the collection, use and processing of personal data when using our website https://tiers.app (hereinafter: "Website"), our blog https://blog.tiers.app (hereinafter: "Blog"), our web application (hereinafter: "Web App") and our mobile app (hereinafter: "App") and our social media pages (jointly: "Services"). We will explicitly point out in case any information of this Privacy Policy refers exclusively to any of our Services. For information related to the usage of cookies or similar technologies on our Website, Web App or App, please refer to the respective Website and App Cookie Policies in the Legal Documents section of your App or on our Website.

In this context, personal data means all detailed information about personal or factual circumstances of a specific or identifiable natural person, such as name, telephone number or address. We process your personal data either within our business relation if you are a Tiers customer or when you are visiting our Website for informative purposes, when you are interacting with our social media pages or if you get in touch with us. Furthermore, we process personal data coming from publicly accessible sources (e.g. records of debtors, trade registers, registers of associations, media, press, internet) whenever we have a legal ground that allows us to do so.

When using additional Tiers products or products of our business partners additional personal data might be collected, processed and stored. Please find details concerning the processing of additional data in the respective product category below.

The responsible entity for the collection, processing and use of your personal data is Pan-African Tiers Limited.

Tiers has appointed a Data Protection Officer, who is accessible via dpo@tiers.app.

You will find more detailed information regarding Tiers in the imprint.

Some of our data processing activities can be carried out by a third party on behalf of Tiers. Where processing of personal data is carried out on behalf of Tiers, we conclude a separate contract with the processor in accordance with The Data Protection Act, which came into force on 25 November 2019 and is the primary piece of data protection legislation in Kenya. The Act provides for the establishment of the Data Protection Office ('ODPC').

Our list of processors includes pure data processors, meaning technical service providers, which fall under the following categories:

- IT infrastructure and connection providers

- IT security providers

- Software and software maintenance providers, including for the provision of our App

- Back office management service providers

- Cloud infrastructure service providers

- Financial services, payments and transaction processing service providers

- Customer relationship management providers

- KYC (Know Your Customer) providers

- Customer support providers

- Fraud prevention service providers and identification service providers

- Payment cards service providers

- Account switching service providers

- Ad service providers

- Address verification providers

- Information/Documentation automation, management & destruction service providers

- Customer reach/impact assessment providers

- Consultancy companies

- Analytical software/platform providers

You will also come across specific data processors which are expressly indicated to you when you use our Services. We understand that these specific data processors can be of interest to you in case you want to exercise, before them, your rights in accordance with The Data Protection Act. These specific data processors are also mentioned in this Privacy Policy for each product or service.

Tiers can transmit your personal data to other entities such as other financial institutions, regulatory and supervisory authorities as well as public and governmental bodies and agencies, including the Central Bank of Kenya (CBK) among other entities, who will act as separate data controllers of your personal data, for the purposes of:

- Enforcement of claims and defence within legal disputes, based on the legitimate interest of Tiers of exercising its right of defence before courts/competent authorities;

- Complying with legal obligations regarding regulatory, tax and anti-money laundering reporting requirements;

- Fraud prevention, based on the legitimate interest of Tiers not to contract or provide services to any potential customer related to fraud;

- Preventing criminal acts, based on the legitimate interest of Tiers not to contract or provide services to any potential customer related to any crimes.

Tiers can transmit your data to external lawyers, advisors and consultants, who are separate controllers and bound to professional confidentiality, for the purposes described above.

Furthermore, Tiers will transmit your personal data to third parties, meaning other data controllers of your personal data, if that is triggered by you in the framework of the provision of our Services to you. Specific separate controllers will be indicated for each processing activity in more detail in the following sections of our Privacy Policy.

Additionally, we may be joint controllers together with the respective Social Media Network (as defined in section VII below), for specific processing activities. This is expressly indicated below together with information on the respective responsibilities of each controller, whenever applicable.

We process your personal data in accordance with The Data Protection Act, 2019 and any national legislation including but not limited to The National Payment System (NPS) Act, 2011 and Regulations (hereinafter: "Data Protection Regulations").

In compliance with such Data Protection Regulation, Tiers will only process your personal data if at least one of the following legal bases applies, as detailed in section III. below regarding our specific data processing activities:

- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Personal data is processed to conduct financial services and banking transactions in order to fulfil our pre-contractual and contractual obligations.

- The data subject has given consent to the processing of his or her personal data for one or more specific purposes. In case you gave your consent to the processing of your personal data for specific purposes, the processing is permitted on the legal basis of your consent. Your consent is revocable at any time, as described in section X, below.

- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. We process your personal data in order to pursue our legitimate interests or the legitimate interests of a third party, where those legitimate interests override any of your rights and the data processing activities are necessary to satisfy such legitimate interests. In such cases, we have carried out a legitimate interest assessment, where those legitimate interests, impact and guarantees have been analyzed. Those cases are the following:

- Improving our processes and service levels relating to the provision of banking services, based on the legitimate interest of Tiers of improving its internal processes and services offered to customers and improving the customer experience.

- Direct marketing for Tiers products and partnership offers, based on the legitimate interest of Tiers to inform customers about updates to existing products, the launch of new products as well as products which are offered together with partners, including marketing or market and opinion analysis.

- Improving the user experience for our Fan Page visitors on our Social Media Pages (as defined below in section VII.) in a target group-oriented manner and offering competitions and giveaways for marketing purposes on our Social Media Pages.

- Enforcement of claims and defence within legal disputes, based on the legitimate interest of Tiers of exercising its right of defence before courts/competent authorities.

- To ensure IT security, based on the legitimate interest of Tiers to ensure the security of the IT infrastructure used to provide its services and products.

- Fraud prevention, based on the legitimate interest of Tiers not to contract or provide services to any potential customer related to fraud.

- To prevent criminal acts, based on the legitimate interest of Tiers not to contract or provide services to any potential customer related to any crimes.

- Risk management within the Tiers Group, based on the legitimate interest of Tiers of managing the financial risk that it can take with regard to performing financial services.

- To conduct and produce anonymised statistical research and reports, based on the legitimate interest of Tiers to conduct research and analysis regarding the use customers make of the products and features provided by Tiers.

- Processing is necessary for compliance with a legal obligation to which the controller is subject Tiers is subject to several legal obligations as well as regulatory requirements which require Tiers to process personal data, including for purposes of verification of your identity and age, prevention of money laundering and fraud, taking part to judicial proceedings or as part of judicial and police activities, verification of your credit risk rating, control and reporting obligations based on provisions of the supervisory authorities, tax laws and risk assessment of Tiers. Such obligations derive from the applicable banking legislation and regulatory requirements, including from the Anti Money Laundering Laws, Laws on Countering of Terrorism Financing, Banking Laws, Tax Laws as well as other binding measures on financial matters.

1. Data Collection and Processing In Case of Opening and Using the Tiers Account

Personal data related to your identification, contact data, economic data and finance data will be processed by Tiers for the purpose of opening an account with Tiers (hereinafter: "Sign-up") and using the Services of Tiers. The legal basis of the processing of these data is The Data Protection Act. These data include the following personal data:

- First name and surname

- Date of birth

- Place of birth

- Nationality

- Email address

- Legal address

- Mobile telephone number

- Tax-ID and tax residence

- Occupation

- Gender

- Identification document including type of identification document, issue date, document number and issuing authority

- Data concerning your economic situation and your Tiers products and services usage history which are your account number, customer ID, card details, transaction details (card payment and banking transfer amounts and recipients) based on products and services contracted with Tiers.

Please note that it is not possible to open an account, if you do not provide your personal data as mentioned above.

In order to process transactions, Tiers receives personal data and transfers personal data according to the applicable legal and regulatory framework to payers, recipients and other financial institutions. The personal data received by other entities in this regard concerns your name and surname, including transaction details like the payment reference and registered accounts.

During the creation of your Tiers account we will need access to your geolocation upon your consent in the settings of your smartphone; you will find further information in the privacy policy of the operating system of your smartphone. The lawful basis of this processing is our legitimate interest in confirming that you are located in your country of residence in order for us to comply with our legal obligations related to fraud prevention. For more information on the legitimate interest as a legal basis for processing data, please see section II. above.

In addition, we might ask you to submit additional documents for verification. The lawful basis of this processing is The Data Protection Act as the processing is required to comply with legal obligations stemming from Anti Money Laundering and Countering of Terrorism laws.

What personal data we will be processing depends on the document we are requesting and receiving from you. Such documents can be a proof of residence (such as a gas, water or electricity bill less than 3 months old or a registration certificate), a proof of salary (such as an employment contract, salary statement or statement of assets and income; in case you send us one of the two latter ones, we ask you to please black out any data related to your religious beliefs and family status, if provided therein), your visa documentation or proof of study which states the reason why you live in the country indicated by you as country of residence, or a document attesting your source of wealth (contracts, bank statements, information around asset sales, capital gains or inheritance).

Once you send us any of the mentioned documents they will be assessed manually by Tiers to verify and confirm that we have all the data about you that we need in order to open your account with us or to allow you to continue using our Services. In case the information you sent us upon our request is not sufficient, we will reach out to you and ask you for more documentation, which is equally subject to the above mentioned.

2. Visibility as a Tiers Customer When Using Certain Tiers Features

In the context of using certain Tiers features like M-Pesa, Contacts, Request from friends, Transfer to a contact, Split the Bill or Money QR Code, we ask for your consent, to be visible to other Tiers customers as a Tiers customer. By granting Tiers permission to share your status as a Tiers customer, we can display this information to other Tiers customers, in the context of their use of certain Tiers features, if you are present on their mobile device’s contact list. You are then visible to your contacts if they are also customers of Tiers.

3. Data Processing Related to Using Tiers Features in Connection to Your Contacts

To facilitate your use of Tiers features in connection with your contacts, we will access your mobile device’s contact list and upload your contacts’ information to your Tiers account, based on your consent. This will include a regular sync with your mobile device to ensure your contacts’ information is up-to-date. You can withdraw or manage your consent at any time directly through your mobile device’s operating system. You will be able to see all contacts from your mobile device in your Tiers account, including which of them are also Tiers customers. We will store your contacts to make them available to you in your Tiers account and combine this data with other contact information you provide when using our services to make it easier for you to search and find your contacts in the context of a transaction and the use of other Tiers features. For these purposes, we rely on our legitimate interest, to provide you with improved service functionality and a better customer experience. For more information on legitimate interest as a legal basis for processing data, please see section II. above.

4. Data Transmission Within the Framework of Tiers Foreign Currency Transfers

In order to facilitate Tiers Foreign Currency Transfers, we collaborate with IntaSend Solutions Limited, ("IntaSend"). IntaSend facilitates transactions in foreign currencies with your Tiers account. Upon your request, the transfer amount is converted to the target currency and sent to the recipient’s bank account in the target country. For this purpose, we process and share with IntaSend your name, address, customer ID, birthdate, account number, as well as the timestamp of the transfer, payment reference text, source currency code, transfer amount in source currency, target currency code, exchange rate value, transfer amount in target currency, the recipient’s name and bank account number. IntaSend processes this data according to our instructions to facilitate the transfer, as our data processor. Your personal data is processed based on the execution of our agreement with you.

Additionally, we process your data as described above to comply with our legal obligations under applicable laws and regulatory requirements, as specified in section II, above. Furthermore, we process the data to detect and prevent fraud and criminal acts and to manage risks, based on our legitimate interests under The Data Protection Act. For more information on our legitimate interest as a legal basis for processing data, please see section II, above.

IntaSend also processes the data above as a separate data controller for their own purposes, namely satisfying their legal and regulatory obligations, such as anti-money laundering and banking sanction checks. For this purpose and upon a lawful inquiry by IntaSend, we may also share with IntaSend some additional information related to you, including the stated purpose of the transfer, source of funds, place of birth, phone number, email address, occupation, proof of address and data related to your identity verification process, including a copy of your identification document used when opening your Tiers account. IntaSend will retain your data, unless otherwise required to comply with applicable laws and regulations. You can find more information on IntaSend’s Privacy Policy.

5. Data Transmission in The Framework of Open Banking

To comply with a request to access your Tiers account for payment initiation services, account information services and confirmation on the availability of funds (hereinafter: "Open Banking Request"), your personal data is provided to authorized third party payment service providers. The personal data transmitted will include your account number and customer ID. We provide the personal data you request through a licensed third party described in this section on the basis that it is necessary to comply with our obligation under the applicable legal and regulatory framework to provide an interface for communication with licensed payment service providers of your choice and that it is necessary to perform our obligations under the Tiers account contract.

6. Data Processing In The framework of Tiers Savings Wallet

Tiers Savings Wallet offers you a way to save money. To enable the product, if you choose to open a Tiers Savings Wallet account, we process your name, legal address, identification document, tax identification number, tax residence, customer ID, device ID and mobile operating system. We also process data specifically related to your Tiers Savings Wallet account, which are the account number, status and account balance, and data related to your use of it, including transaction data, which consist of deposits and withdrawals, dates, amounts and, if applicable, recipients and senders. Moreover, we process applicable interest rates, amount of interest earned, applicable withholding tax and other tax related information. The legal basis for the data processing is the execution of our agreement with you. Additionally, we process data that you share with us about the expected monthly deposit amount and source of funds in order to conduct research and analysis regarding the use customers make of our products and features. In this case, we rely on the legal basis of our legitimate interests. For more information on legitimate interest as a legal basis for processing data, please see section II, above. We further process your data to comply with our legal obligations under applicable laws and regulatory requirements, based on The Data Protection Act, including the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), enacted in 2009, and other binding measures related to financial matters, as well as to detect and prevent fraud and criminal acts and to manage risks, based on our legitimate interests under The Data Protection Act.

7. Data Transmission In The Framework of The Add Money Feature

The Add Money Feature provides an easy method for customers to add funds to their accounts instantly. IntaSend Solutions Limited. (hereinafter: "IntaSend") is providing the technical setup and integration with the relevant payment processors, as a processor. In order to be able to use the Add Money Feature, Tiers transmits information regarding payment details (cardholder name, email address, customer ID, order ID, bank account details, payment card details, card expiration date, CVC code, date, time and amount of transaction, merchant name/ID and location) to IntaSend. IntaSend will also process your data in order to fulfill its legal obligations, as a separate controller, like monitoring fraudulent payment transactions, know-your-customer obligations and anti-money-laundering screening. IntaSend and Tiers only exchange anonymized tokens and Tiers never sees or stores the details of the card used for the deposit. The usage of the Add Money Feature is entirely voluntary for eligible customers, as part of your contract with Tiers and the respective data processing is based on The Data Protection Act.

8. Data Processing In The Framework of The Insights Feature

The Insights feature is available within the App. The feature sorts your transactions/payments and visualizes your spendings in a variety of categories to offer you valuable insights on your spending behavior. In order to offer the Insights feature to you within the App, we process transaction data (i.e. data relating to the sender and recipient of transactions, such as the name of the retailer, amount of transitions, subject(hashtag of transactions) and data relating to certain actions by the user (i.e. hashtags created by the user for purposes of spending categorization), as part of your contract with Tiers and the respective data processing is based on The Data Protection Act.

9. Data Processing When Displaying In-App Updates

If you use the App, so-called in-App updates will be displayed. The purpose of the in-App updates is to inform you about the content of your contract, new functionalities of the App or App updates and releases and to give you tips for an optimized use of the App. We will process your user and transaction data (recent deposits, payments, withdrawals, friend referrals) in order to provide you with the relevant in-App updates. We process your data to the extent necessary to display relevant information about your contract with Tiers or the improved use or new functionalities in the App. In addition, the in-App updates may help you to find information about our new services and products related to the App. In order to display in-App updates relevant to you, we will process your user and transaction data (recent deposits, withdrawals, payments, friend referrals). We process your data within the scope of our legitimate interests in informing you about new services and products implemented in our App, as far as this is necessary to display our new features, services and products so you can use any of them if you are interested. For more information on the legitimate interest as a legal basis for processing data, please see section II, above.

10. Data Processing When Using The Help Center

When discussing any contractual matters (such as account related information or your transactions) with us on our Help Center or on our Website or within our App, your IP-address and the information you provide us in your chat communication will be collected and processed, to the extent this is necessary for Tiers to provide you the products and services under the contract between you and Tiers or any pre-contractual actions required by Tiers or as requested by you. In addition, we process your data within the scope of our legitimate interest in answering your general questions about our services and products and to help you find information about our new services and products related to the App, so you can use any of them if you are interested. For more information on the legitimate interest as a legal basis for processing data, please see section II, above.

11. Data Processing In The Framework of Informational Communication

We use informational emails, in-App updates and push notifications to inform you about transactions, withdrawals, and other relevant information related to your usage of our products and services. For some informational emails, in-App updates and push notifications we analyze your user behaviour (status of signup to Tiers, recent transactions, withdrawals, interaction with services offered such as friend referrals) to send you (additional) information about these processes via emails, in-App updates or push notifications. We will only send you these emails, in-App updates and push notifications based on your user behaviour if the processing is necessary for the performance of the contract or within the scope of our legitimate interests of informing you about transactions, withdrawals, and other relevant information related to your usage of our App, as far as necessary to provide such information, based on The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above.

12. Preparing Anonymised Statistical Datasets

We use your personal data to prepare anonymised statistical datasets about our customers’ spending patterns for forecasting purposes, refining product development and understanding consumer behaviour and assess our company’s performance. The reports are produced by using information about you and other customers, however, the information used is anonymised so that it is no longer personal data. You cannot be linked back as an individual within anonymised statistical data and you will therefore never be identifiable from it. We may share these datasets with third parties. This processing is based on Tiers’s legal obligations, in accordance with The Data Protection Act, or based on Tiers’s legitimate interest, under The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above.

13. Data Processing In The Framework of The Waiting Lists

When you ask us to add you to our waiting list for information on when we’re able to provide our banking services to you, the following data will be collected and processed so that we can inform you once we are able to offer you our services:

- Country of Residence

- Telephone number

- Email address

- Language selected by you when using our website

The legal basis of the processing of these data is The Data Protection Act. Please note that it’s not possible to include you in the waiting list if you do not provide us with the referred personal data. Based on your decision to be added to the waiting list, we will send you emails or SMS containing the following information:

Confirmation that you were successfully added to the waiting list

Information on products/services you may expect as a future Tiers customer in your market, once the launch is getting closer, so you can decide if you are still interested to sign-up

Notification that Tiers is available again soon, for example containing the envisaged launch date and information about how to sign up

Information containing a link to sign up for a Tiers account, once Tiers is available again.

14. Data Processing When Participating in In-App Surveys

When you share your feedback with us in the App by participating in surveys, on a voluntary basis, we process the information that is technically necessary to provide the survey function and enable us to display it to you (metadata). We process your data, as described, for the purpose of displaying surveys to you and obtaining your feedback, based on our legitimate interests, in accordance with The Data Protection Act. Depending on the survey, we may also process the content of your responses and, in particular, the information that you choose to share with us. Additionally, we may combine the data collected through the survey with other customer data that we process in the context of our contractual relationship with you, including your customer ID, date of account creation, age group, gender, country and city of residence. In this case, we will inform you accordingly in the respective information note at the beginning of the survey. We process your data, as described, for analysis purposes and to improve our products, processes and service levels, based on our legitimate interests, in accordance with The Data Protection Act. If you decide to share your feedback with us, we may anonymise the data obtained to create research reports and publications. This is done based on our legitimate interest to conduct and produce statistical research and reports and analysis regarding the use customers make of the products and features provided by Tiers, in accordance with The Data Protection Act. For more information on legitimate interest as a legal basis for processing data, please see section II. above.

15. Data Processing When Using The M-Pesa Payment Scheme

M-Pesa is a payment method that you can use to make transfers and payments through your Tiers App or Web App, for example in an online store or to transfer money to your friends. It facilitates a direct transfer from your Tiers account to that of a beneficiary (e.g. a merchant). The M-Pesa scheme is operated by Safaricom Limited, located at P.O Box 66827, 00800 Nairobi, Kenya (Safaricom), which provides the infrastructure and technical setup for the connection between the payment environment and your Tiers account. When you initiate an M-Pesa payment using your Tiers account, we process your name and phone number, data related to the M-Pesa transaction, which include amount, breakdown, type of transaction (i.e. online, in-store, customer-to-customer or QR), currency, transaction ID (a number used to identify an M-Pesa transaction executed by you), reference ID (a number used to identify the transaction authorisation request), status and period of validity (maximum authorisation time for an M-Pesa payment request), as well as a unique code to confirm that you have been recognised and authenticated when connecting to your Tiers account. Additionally, we process the name and ID of the M-Pesa payment beneficiary (e.g. a merchant), their bank ID, account number, as well as the merchant category code (if applicable). We further process data related to the device you used to make the M-Pesa transaction, namely device fingerprint. We process this data as a data controller to verify your identity and authenticate you as a Tiers customer and to enable your M-Pesa payment, based on the execution of our agreement with you as per The Data Protection Act. In this context, we collaborate with Safaricom, which acts as a data processor on our behalf. Safaricom also processes your data as a separate data controller for their own purposes. You can find more information about the processing of your data by Safaricom in the Safaricom Data Privacy Statement & Cookies Policy. We further process your data to detect and prevent fraud and criminal acts, including money laundering and terrorism financing, as well as to manage risks and for reporting purposes, based on our legitimate interests under The Data Protection Act. For more information on legitimate interest as a legal basis for processing data, please see section II, above. In addition, we process your data to comply with our legal obligations stemming from applicable laws and regulatory requirements, including anti-money laundering and tax laws as well as other binding measures related to financial matters, based on The Data Protection Act and The Proceeds of Crime and Anti-Money Laundering Act.

When sharing your ideas using the designated "Share your ideas" feature, we process the information that is technically necessary to enable the feature and display it to you, including app operating system (e.g. iOS, Android, Web), app language version (e.g. EN), app version, country, membership tier and time intervals since passing the KYC process. Additionally, we combine your ideas with data that we process in the context of our contractual relationship with you, including your app operating system, date of account creation (limited to month and year), app version and country of residence. We will not link your ideas to any direct identifiers, such as your customer ID, and the feedback you provide will not have any influence on our actions towards you. We merely link the data to your idea to better understand the context of your ideas, e.g. if it is something that is specifically interesting for a specific market or if the idea is linked to a specific usage period of our app. We process your data, as described, for research purposes to improve our products, processes and service levels, based on our legitimate interests, in accordance with The Data Protection Act. For more information on legitimate interests as a legal basis for processing personal data, please see section II. above.

Tiers is legally obliged to check your identity using a valid identification document within the framework of opening an account and to store specific information from the identification document. For this purpose, we offer you a liveness-detection photo (with the combination of photo and video).

Tiers will transmit personal data to its external service providers, as data processors, for the purpose of verifying your identity as required by law. Regarding the liveness-detection photo, we refer to our Terms and Conditions, which we provide you for your acceptance within the identification procedure. We will, after your authorization to do so directly on your device, access the camera of your end device and a photograph of you will be taken by yourself, as well as a video in which you will be requested to move, and the front and rear sides of your personal identification document or the principal page of your passport.

Your personal data is collected as proof of your eligibility to use our services, in accordance with our legal obligations and based on The Data Protection Act. In order to verify your identity by means of the photo and videos collected in the identification procedure and the identification document, we collect your consent and thus the processing is based on The Data Protection Act.

Please note that, since we are a company with fully remote communication with our customers, we can only offer a remote check of your identity and thus need your consent to proceed therewith.

Once you have completed this identification procedure your personal data will be retained as long as required by our legal obligations, based on The Data Protection Act.

On our Website, our Blog, as well as in our Help Center, we have share buttons linking to Facebook, YouTube, LinkedIn, TikTok and Instagram. These are not third-party plugins, and do not actively send or allow third parties to fetch personal data or any other sort of information whatsoever. The share buttons are hyperlinks that only redirect you to the respective website of the third party when clicked.

1. Marketing Emails

In our marketing emails, we inform you about our offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discount on third party products/services for Tiers customers), referral initiatives and we may ask for your feedback or opinion via surveys. If you would like to receive marketing emails, we require an email address from you. We will only send you marketing emails if you expressly consent to this as you open an account or in the settings of your app. Processing your data in order for us to send you marketing emails is based on your prior consent according to The Data Protection Act. In order to ensure that we only send you emails that are most relevant to you and correspond with your personal interests, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals. You can revoke your consent to receiving marketing emails at any time. You can use the link provided at the bottom of every marketing email to revoke your consent. Once you created your account you can also give or revoke your consent to receive marketing emails via unsubscribe link in the email.

2. Marketing Push Notifications

In our marketing push notifications, we inform you about our offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discounts on third party products/services for Tiers customers), and we may ask for your feedback or opinion via surveys. Push notifications are messages you receive on your phone without a specific request and regardless of whether the App is open. We will only send you marketing push notifications if you expressly consent to this as you open an account or in the settings of your app.

Processing your data in order for us to send you marketing push notifications is based on your prior consent according to The Data Protection Act. In order to ensure that we only send you push notifications that are most relevant to you and correspond with your personal interests, we screen and analyze your user behaviour by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals. You can revoke your consent to receiving marketing push notifications at any time in the settings of our Tiers app.

3. Marketing In-App Updates

In our marketing in-App updates, we inform you about our offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discounts on third party products/services for Tiers customers), and we may ask for your feedback or your opinion via surveys. In-App updates are small sections within the App providing you with contextual and personalized information. In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we screen and analyze your user behaviour by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals and use this information for marketing in-App updates, based on our legitimate interest under The Data Protection Act to inform you about our offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discounts on third party products/services for Tiers customers), and ask for your feedback or your opinion via surveys. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. Once you created your account you can object to the processing of your personal data to receive marketing in-App updates in the App settings.

4. Help Center

In our Help Center we inform you about offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discounts on third party products/services for Tiers customers), and we may ask for your feedback or your opinion via surveys. In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we screen and analyze your user behaviour by processing data related to your recent transactions, withdrawals, deposits, payments, as well as friend referrals and use this information for marketing information via our Help Center, when you are in contact with a customer service agent or our chatbot, based on our legitimate interest under The Data Protection Act to inform you about offers related to Tiers financial products and services, features and partnerships between Tiers and third parties (discounts on third party products/services for Tiers customers), and ask for your feedback or opinion via surveys. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. Once you created your account you can object to the processing of your personal data to receive marketing messages when using our support chat in the App settings.

1. Tiers Social Media Pages

Tiers maintains publicly accessible social media pages on Facebook, Instagram, YouTube, LinkedIn and TikTok (hereinafter "Tiers Social Media Pages"; the networks jointly "Social Media Networks"). When visiting our Social Media Pages on the Social Media Networks, the networks collect personal data of you as an internet user.

a. Facebook

Facebook, a social media network operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as "Meta"), provides us with usage statistics related to number of site visitors, demographics of site visitors, use of the individual functionalities. Meta compiles these statistics of personal data, which Meta collects when you visit our Facebook social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The lawful basis for this data processing is our legitimate interest, in accordance with The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. We have no access to personal data that Facebook collects to compile these statistics and cannot link these statistical data to the profiles of our followers or individual users. In addition, Facebook uses cookies, which are stored on your device when you visit our Facebook social media page. This can apply even if you do not have a Facebook account or are not logged into your account while visiting our Facebook social media page. We have no access to personal data that Meta collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by Meta in Meta's Privacy Policy at: https://www.facebook.com/policy.php. We are joint controllers with Facebook for the processing of your personal data for this purpose. We have concluded an agreement with Facebook in regards to the joint controllership (in terms of The Data Protection Act).

You can find it at: https://www.facebook.com/legal/terms/page_controller_addendum.

Please find additional information at; https://www.facebook.com/legal/terms/information_about_page_insights_data.

b. Instagram

Instagram, a social media network operated by Meta, provides us with usage statistics related to user growth, user demography, use of the individual functionalities. Meta compiles these statistics of personal data, which Meta collects when you visit our Instagram social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The lawful basis for this data processing is our legitimate interest, in accordance with The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that Meta collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, Instagram uses cookies, which are stored on your device while visiting our Instagram social media page. This can apply even if you do not have an Instagram account or are not logged into your account while you are visiting our Instagram social media page. We don’t have access to personal data that Instagram collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by Instagram in Instagram's Privacy Policy at: https://help.instagram.com/519522125107875.

We are jointly responsible with Meta, as the operator of Instagram for the processing of your personal data for this purpose. We have concluded an agreement with Meta as the operator of Instagram in regards to the joint controllership (in terms of The Data Protection Act). You can find it at: https://www.facebook.com/legal/terms/page_controller_addendum.

Please find additional information at: https://www.facebook.com/legal/terms/information_about_page_insights_data.

c. YouTube

YouTube, a video hosting service operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as "YouTube") provides us with usage statistics related to user growth, user demography, use of the individual functionalities. YouTube compiles these statistics of personal data, which YouTube collects when you visit our YouTube page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. We have no access to the personal data that YouTube collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, YouTube uses cookies, which are stored on your device when you visit our YouTube social media page. This can apply even if you do not have a YouTube account or are not logged into your account while visiting our profile page. We have no access to personal data that YouTube collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by YouTube in YouTube's privacy policy at: https://policies.google.com/privacy?hl=en-US. We are jointly responsible with Google, as the operator of YouTube, for the processing of your personal data for this purpose (in terms of The Data Protection Act).

d. LinkedIn

LinkedIn, a social media network operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter referred to as "LinkedIn"), provides us with usage statistics related to user growth, user demography, use of the individual functionalities). LinkedIn compiles these statistics of personal data, which LinkedIn collects when you visit our LinkedIn page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. We have no access to the personal data that LinkedIn collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, LinkedIn uses cookies, which are stored on your device when you visit our page. This can apply even if you do not have a LinkedIn account or are not logged into your account while visiting our profile page. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by LinkedIn in LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy.

We are jointly responsible with LinkedIn for the processing of your personal data for this purpose. We have concluded an agreement with LinkedIn in regards to the joint controllership (in terms of The Data Protection Act). You can find it at https://legal.linkedin.com/pages-joint-controller-addendum.

e. TikTok

TikTok, a social media network operated by TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey St, Barbican, London EC1A 9HP, United Kingdom (hereinafter referred to as "TikTok"), provides us with usage statistics related to spend, reach, impressions, clicks, views and events and cost per event. TikTok compiles these statistics of personal data, which TikTok collects when you visit our TikTok social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore The Data Protection Act. For more information on the legitimate interest as a legal basis for processing data, please see section II, above. We have no access to the personal data that TikTok collects to compile these statistics and cannot link these statistical data to the profiles of individual users. We are joint controllers with TikTok for the processing of your personal data for this purpose. We have concluded an agreement with TikTok in regards to the joint controllership (in terms of The Data Protection Act). You can find it here for the purpose of analyzing interactions with our TikTok page: https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en and here for the purpose of analyzing of interactions with ads that we post on TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms. Further information on how TikTok processes Personal Data, including the legal basis TikTok relies on and the ways to exercise Data Subject rights against TikTok, can be found in the relevant TikTok inventory privacy notice at: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

f. Data processing by Tiers

If you use our Social Media Pages to contact us (e.g. by creating your own posts on our Social Media Pages or by tagging us, responding to one of our posts or by sending us private messages) we collect personal data that you provide to us. We only use such personal data for the purpose of communicating with you in order to provide the requested information. When you reach out to us regarding any contractual matters related to an account (such as account opening, account or transaction related information), the lawful basis for the data processing is The Data Protection Act. Otherwise the lawful basis for the data processing is our legitimate interest, in accordance with The Data Protection Act. Such data processing serves our legitimate interest in allowing us to communicate with you upon your inquiry and answer your request. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We delete stored data when they are no longer necessary for this purpose or to comply with any applicable statutory requirements.

2. Social Media Competitions and Giveaways

When entering into competitions or giveaways published on our Social Media Pages, we process certain personal data related to you required for the administration and organisation of the competition or giveaway as well as potential announcements of winners. This includes your name, username and the content of the post(s) that you make in the context of promotion or giveaway, or any other data points provided by you in the course of your participation. Should you win a prize, we further process your email address to communicate with you (e.g. to deliver your prize) and your tax ID and address, for tax reporting purposes and we might use your data to announce you as the winner in our Social Media Pages. Where you participate and win in a competition or giveaway, the processing of your data is necessary for the performance of a contract, based on The Data Protection Act. Where we are legally obliged to process your personal data for tax reporting purposes, the lawful basis for this data processing is the compliance with our legal obligations, in accordance with The Data Protection Act. Otherwise the lawful basis for this data processing is our legitimate interest, based on The Data Protection Act. Such data processing serves our legitimate interest in offering competitions and giveaways for marketing purposes. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. Personal data collected as part of competitions and giveaways are solely processed for the purpose of selecting the winners and will be deleted within 4 weeks after the end of the competition or giveaway period. This does not apply with regards to winners. In that case, we delete stored data when they are no longer necessary for this purpose or to comply with any applicable statutory requirements.

3. Online Advertising

Online advertising helps us promote our products and services on the internet. In this context, we process personal data about your use of Tiers services to deliver personalised advertisements to you and other internet users online and to measure and optimise their performance. We only process personal data for online advertising purposes if you consent to such processing, in accordance with The Data Protection Act. You can revoke your consent at any time in the Tiers App. The data processing for online advertising purposes is described in more detail further down in each section.

a. Custom and lookalike audiences

We process your data to create so-called custom and lookalike audiences. Custom audiences consist of Tiers customers and internet users and are created to display personalised content to both groups. This permits us to exclude Tiers customers from the delivery of advertisements that we believe are not relevant to them. Lookalike audiences consist of internet users that share certain characteristics with Tiers customers, which enables us to define target groups that are more similar to Tiers customers than the average internet user and deliver more relevant advertisements to them. To create custom and lookalike audiences, we use the services of our Advertising Partners below:

- Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, Ireland ("Google");

- Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

For the purposes described above, we transfer your pseudonymised email address to Google and Meta. They then match this email address against a potential account you might have on their services. For this purpose, and regardless of whether the matching is successful or not, the data is retained by Google for up to 48 hours and by Meta for up to 8 hours, after which it is deleted. Google and Meta do not share these data with third parties.

b. Conversion tracking

We process your data to capture specific actions that take place inside the Tiers App and Web App, specifically the sign-up, acceptance of T&Cs, identification procedure of new customers and completion of a first transaction (so-called "conversions"). This enables us to measure and optimise the performance of our online advertisements and to deliver them to internet users that we infer are more likely to complete these conversions. For the purposes described above, we use the services of Google and Meta (as identified in the previous section). We transfer conversion data, including date and time, to Google and Meta together with the following personal data, which is transmitted with encryption: email address, first name, last name, phone number, gender, city, zip code and country of residence, IP address, customer ID and predicted customer lifetime value. These data points are associated with other personal data collected on our website. Google and Meta are able to associate these data with your account on their services, if existent. The data is deleted by Google after a maximum of 18 months and by Meta after a maximum of 2 years.

When discussing any contractual matters (such as account related information or your transactions) with us on the phone, the call between us will be recorded for security and evidence reasons. Our interest to be able to prove contractual inquiries as well as to prevent and detect fraudulent behaviour stipulates our legitimate interest to record calls in accordance with The Data Protection Act. This does not apply to calls aimed at clarifying general inquiries related to Tiers products and services. The call recordings will be retained as long as required for security and evidentiary purposes. The call recordings will be processed by our Interactive Voice Response (IVR) service provider who is processing personal data on behalf of Tiers. If we are required to do so, the recordings will be shared with the competent authorities, in accordance with the applicable law. If you do not wish to be recorded when calling us, please do contact us by email or through our Customer Chat for queries related to account related information or your transactions.

1. Your rights

You have the following rights concerning your personal data:

- right to revoke your consent according to The Data Protection Act, which is detailed in section IX.2, below;

- right of access according to The Data Protection Act, which means you can request information on whether your personal data is being processed by Tiers and information on the particular processing of personal data, at any time, along with a copy of the information processed. In no case this right covers the access to documents or the obtention of copies of such documents;

- right of rectification according to The Data Protection Act, which means you can request the rectification of your data when they are incomplete or inaccurate;

- right to erasure according to The Data Protection Act, which means you can request the deletion of your personal data when they are no longer required by Tiers for the purposes they were initially collected for, or when you understand they have been illicitly used. Tiers can reject your request, if the data is necessary to comply with a legal obligation, for public interest reasons or for legal actions;

- right to restriction of the processing according to The Data Protection Act, which means you can request the restriction of the processing of your personal data when it is legally permitted and, in particular, (i) while you challenge the accuracy of your data, (ii) when you request the restriction of your data because you believe the processing is unlawful, or (iii) when the data is no longer needed for the purposes for which it was collected but Tiers needs them for legal actions;

- right to object to the processing, which is detailed in section IX.2. below;

- right to data portability according The Data Protection Act, which means you can request Tiers to provide you personal data, in a structured, commonly used and machine-readable format and to transmit your data to another controller where the data processing is based on the consent, or on a contract and the processing is carried out by automated means;

- right to lodge a complaint with a supervisory authority according to The Data Protection Act, which means that you can complain before the supervisory authority if you consider that the processing of your personal data by Tiers infringes The Data Protection Act.

Without prejudice to section IX.2. below, please:

Exercise your right of access, right to erasure and right to object to the processing through our webform at www.tiers.app.

Please do not address your requests through a third party platform which requires us to get back to you through that same means, since we are not able to clearly identify you as a Tiers customer in such cases. Instead, please resort to the aforementioned ways of making use of your rights before Tiers.

2. Specifically, your right to revoke consent and right of objection

You can find below more details about your right to revoke consent and right of objection:

- Right to revoke your consent (in accordance with The Data Protection Act). You have the right to revoke your consent to the processing of your personal data at any time with effect for the future. In the event you revoke your consent, your personal data is not processed any longer, unless further processing can be based on a different legal basis for processing (excluding consent). The processing of your personal data remains justified until the date of your revocation.

- Right of objection (in accordance with The Data Protection Act). You have the right to object to the processing of your personal data, at any time. This does also include profiling. In case you object, your personal data is not processed any longer, except when we have legitimate reasons to continue the processing, which exceed your interests, rights and liberties or when the processing is necessary to enforce, exercise or defend legal claims. The processing of your personal data remains justified until the date of your objection. You can exercise your right to revoke your consent and your right of objection, as mentioned above, either via the specific means provided in our Web App or App, if applicable. You can exercise your right of objection also through our webform.

- Right of objection concerning data processing for direct marketing purposes. In some cases, we process your personal data for direct marketing purposes. You have the right to object to the processing of your personal data for direct marketing purposes at any time. This also applies to profiling, in case it is connected to direct marketing purposes. In case you object to the processing of your personal data for direct marketing purposes, your personal data is not processed any longer for this purpose. The processing of your personal data remains justified until the date of your objection. Via the communication settings of your App, you can easily exercise your objection right by using the opt out toggles provided.

We store and process your personal data only as long as it is necessary to perform our obligations under the agreement with you or as long as the law requires us to store it. That means, if the data is not required anymore for statutory or contractual obligations, your data will be deleted. This also occurs in case your onboarding process is not finalized with the opening of an account, and meanwhile there are still pending legal or security obligations to preserve your data. However, that rule does not apply, if its limited processing is necessary for the following purposes:

- Performing regulatory and tax retention periods, which relate to the applicable laws and complementary regulation. The applicable legal basis is The Data Protection Act.

- Keeping evidence in the context of statutory limitation periods. The applicable legal basis for this is The Data Protection Act.

Furthermore, whenever your consent is the legal ground to process your personal data, Tiers will store that data for as long as you do not revoke your consent or until your account is closed, whatever happens the latest.