Privacy Notice
Montelux Finance UAB (Lithuania); Montelux Payments Ltd (Canada)
1. Our commitment
At Montelux, the protection of your personal data is fundamental to the trust you place in us. This Privacy Notice explains, in clear and concrete terms, what personal data we collect about you, why we collect it, how we use and protect it, and the rights you can exercise at any time.
The same Montelux standards apply globally. Where local laws impose additional or specific obligations, those are set out in the regional sections below.
This Notice is designed to comply with:
- the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), the e-Privacy Directive (2002/58/EC), the Lithuanian Law on the Legal Protection of Personal Data, and the supervisory guidance of the Bank of Lithuania and the State Data Protection Inspectorate (VDAI), in the European Union and EEA;
- the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applicable Ontario consumer and privacy law, and the supervisory guidance of the Office of the Privacy Commissioner of Canada (“OPC”), in Canada.
This Notice applies to all individuals whose personal data we process in connection with our services, whether you are an individual client of Montelux, a person connected to a corporate client of Montelux, a payment counterparty, or simply a visitor to our website.
Specifically, this Notice covers:
- individual clients and prospective individual clients;
- directors, officers, beneficial owners, authorised representatives, signatories, and other natural persons connected to our corporate clients (including SMEs, multi-entity groups, and enterprise clients) and prospective corporate clients;
- payment counterparties (natural persons who send funds to, or receive funds from, our clients through our services);
- contacts of our corporate clients and prospective clients (e.g. finance, accounting, or operational contacts);
- visitors to our website and recipients of our communications.
Where our client is a legal entity, the entity itself is not protected by data protection law, but the natural persons connected to that entity are. This Notice explains how we handle their personal data alongside the personal data of our individual clients.
The Montelux group's holding company, Montelux Group S.à r.l. (Luxembourg, RCS B301478), operates the Site but does not collect or process any personal data. All personal data collection and processing is carried out by the relevant operational Montelux entity, which acts as the independent data controller / accountable organisation for the personal data of its own clients and prospects.
Personal data is allocated to the relevant operational entity based on your jurisdiction and the service concerned: Montelux Finance UAB for clients and prospects in the EU/EEA, and Montelux Payments Ltd for clients and prospects in Canada. Personal data is processed on infrastructure dedicated to that entity, and is not pooled or shared between entities except where strictly necessary and lawful (see Section 5).
2. The personal data we collect
The categories of personal data we collect depend on your relationship with us. We only collect what is necessary for the purposes set out in Section 3.
- Identification and contact data. Full name, date and place of birth, nationality, residential and business address, government-issued identification (passport, ID card, residence permit), tax identification number, e-mail address, telephone number, signature.
- Corporate-relationship data (for individuals connected to our corporate clients). Role within the entity (director, officer, beneficial owner, signatory, authorised user, operational contact), shareholding or voting rights, scope of authority, and supporting documentation evidencing your link to the entity (extracts from commercial registers, beneficial ownership registers, board resolutions, powers of attorney, mandates).
- Professional and economic data. Employment status, employer name, occupation, source of funds, source of wealth, expected transaction volumes, business activity, ownership and control structure (for legal entities and beneficial owners).
- Financial and transactional data. Account numbers, IBANs, payment card details, transaction amounts, currencies, dates, counterparties, narrative, FX conversion data, and balances held in your Montelux wallet. For payment counterparties, we process the personal data necessary to execute the payment (name, account details, address, and any information included in the payment instruction).
- Compliance and screening data. Information collected to meet our obligations under anti-money laundering, counter-terrorist financing, and international sanctions law, including PEP status, adverse media findings, sanctions screening results, KYC/KYB documentation, transaction monitoring alerts and the underlying analyses, suspicious activity reports filed with competent authorities, and risk assessment outcomes.
- Technical and behavioural data. IP address, device identifiers, browser type, operating system, log data, geolocation (where lawful), cookies and similar technologies, authentication data, session records, fraud-prevention signals (including device fingerprinting, behavioural signals, and velocity checks), and recordings of communications with our teams.
- Communications data. Content of e-mails, secure messages, in-app chat conversations, support tickets, and call recordings exchanged with our teams, including for quality, training, regulatory record-keeping, and dispute-resolution purposes.
- Marketing and preference data. Marketing preferences, communication consent records, engagement with our communications (opens, clicks), and responses to surveys or feedback requests.
- Data processed on behalf of our corporate clients (unregulated services). For our unregulated services, Montelux simply provides the tool. The data belongs to the corporate client, who decides how it is used. We only process it on their instructions, under an agreement that meets the requirements of the GDPR or PIPEDA, as applicable. If your data is handled in this context, please refer to the privacy notice of the relevant corporate client.
- Sensitive / special categories of data. We do not seek to collect sensitive personal information (such as health, biometric, or political data). Where such data is incidentally provided (for instance, in identity documents containing biometric features), we process it only to the strict extent necessary, with appropriate safeguards.
3. Why we process your data
We process your personal data for the following purposes:
| Purpose | Why |
|---|---|
| Onboarding you as a client; performing identity, beneficial-ownership, and KYB checks | Required by financial regulation and to enter into a contract with you |
| Providing payment, FX, and the broader Montelux suite of services | To deliver the services you have asked for |
| Detecting, preventing, and reporting money laundering, terrorist financing, fraud, and sanctions breaches | Required by law |
| Maintaining transaction records, audit trails, and supervisory reporting | Required by law |
| Managing operational, FX, and reputational risk | To run a sound and resilient business |
| Securing our systems, preventing cyber-attacks, and ensuring service availability | To protect you and us |
| Improving our products and developing new services | To serve you better |
| Sending you commercial communications about our services | To keep you informed, with the right to opt out at any time |
| Handling complaints, disputes, and legal claims | To resolve issues and defend our rights |
| Recording calls and electronic communications | For quality, evidence, and regulatory purposes |
Region-specific legal bases and consent rules are set out in Section 9.
4. Where your data comes from
We collect personal data:
- directly from you, when you apply for our services, use your account, contact our teams, or visit our website;
- from your authorised representatives, employer, accountant, or other persons acting on your behalf;
- from public registers (commercial registers, beneficial ownership registers, sanctions and PEP lists, court records);
- from regulated third-party providers we engage for KYC, identity verification, fraud prevention and AML screening;
- from payment scheme operators, correspondent banks, and partner institutions involved in executing your transactions;
- from cookies and similar technologies, in line with our Cookie Notice.
5. Who we share your data with
We share personal data only with parties who have a clear and lawful reason to receive it. These include:
- Members of the Montelux group, where strictly necessary for service delivery, internal administration, or group-wide risk and compliance management, and subject to appropriate intra-group safeguards;
- Banking and payment partners that execute your transactions, including correspondent banks and other regulated payment institutions;
- Regulated service providers assisting with KYC, identity verification, fraud prevention, sanctions and PEP screening, transaction monitoring, and AML reporting;
- Technology providers supplying our core banking, CRM, communications, cloud-hosting, and cybersecurity infrastructure;
- Professional advisors (auditors, lawyers, tax advisors) bound by duties of confidentiality;
- Public authorities and regulators, including financial supervisors, tax authorities, courts, and law-enforcement bodies, where we are legally required or permitted to disclose information.
We do not sell your personal data and we do not share it for third-party advertising purposes.
6. International data transfers
Personal data collected by each Montelux entity is processed on infrastructure dedicated to that entity and is not transferred between entities.
Some of our service providers (KYC verification, payment partners, etc.) may process limited personal data outside your home jurisdiction. Where this happens, we put in place appropriate safeguards to ensure your data continues to benefit from a comparable level of protection. Region-specific transfer rules are set out in Section 9.
7. How long we keep your data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations.
| Data category | Retention period |
|---|---|
| KYC, KYB, beneficial-ownership and AML records | 8 years from the end of the business relationship or the date of the occasional transaction |
| Transaction records and supporting documentation | 8 years |
| Accounting records | 10 years (EU/EEA) / 7 years (Canada) |
| Customer correspondence and complaint files | 5 years from closure |
| Recorded calls and electronic communications | Up to 5 years, or longer where required by law |
| Marketing data (where consent-based) | Until consent is withdrawn, or 3 years of inactivity |
| Website analytics and cookies | As set out in our Cookie Notice |
After the applicable retention period, personal data is securely deleted or irreversibly anonymised.
8. How we protect your data
We have implemented technical and organisational measures designed to safeguard the confidentiality, integrity, and availability of your personal data, including:
- encryption of data in transit and at rest;
- strict access controls, multi-factor authentication, and the principle of least privilege;
- segregation of production, testing, and development environments;
- continuous monitoring, intrusion detection, and incident-response procedures;
- regular penetration testing, vulnerability scans, and independent security audits;
- staff training on data protection, information security, and AML/CFT;
- contractual safeguards with all processors, including audit rights and breach-notification obligations.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals, within the timeframes prescribed by applicable law.
9. Region-specific information
9.1 Additional information for EU/EEA clients
If you are a client of Montelux Finance UAB, the GDPR applies to the processing of your personal data.
- Controller: Montelux Finance UAB, Žalgirio g. 88-101, LT-09303 Vilnius, Lithuania.
- Data Protection Officer: Montelux Finance UAB has appointed a Data Protection Officer in accordance with Article 37 GDPR. The DPO can be contacted at dpo@montelux.com, or in writing at the address of the Controller, marked for the attention of the DPO.
Legal bases under Article 6 GDPR
| Purpose | Legal basis |
|---|---|
| Onboarding, KYC/KYB, contract performance | Performance of a contract; legal obligation |
| AML/CFT, sanctions, fraud prevention, supervisory reporting | Legal obligation |
| Risk management, system security, service improvement | Legitimate interest |
| Direct marketing of similar services to existing clients | Legitimate interest, with the right to object at any time |
| Marketing to prospects and non-essential cookies | Consent |
| Establishment, exercise, or defence of legal claims | Legitimate interest |
Where we rely on legitimate interest, we have carried out a balancing test to ensure your rights and freedoms are not overridden. You may request a summary of that assessment at any time by writing to our DPO.
Where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
Your rights
You have the right to:
- access your personal data and obtain a copy;
- request rectification of inaccurate or incomplete data;
- request erasure (“right to be forgotten”), where the legal conditions are met;
- request restriction of processing;
- object to processing based on legitimate interest, including direct marketing;
- request data portability for data you have provided to us, where processing is based on consent or contract;
- withdraw consent at any time, where processing is based on consent;
- not be subject to a decision based solely on automated processing producing legal effects on you (Article 22 GDPR).
Automated decision-making
Certain compliance and fraud-prevention checks involve automated processing (for example, sanctions screening, transaction monitoring, and risk scoring). These tools support human decision-making; they do not, on their own, produce legal effects on you within the meaning of Article 22 GDPR. Where automated decisions producing legal or similarly significant effects are involved, we will inform you, explain the logic in meaningful terms, and provide you with the opportunity to contest the decision and obtain human review.
International data transfers
Your personal data is primarily processed within the EEA. Where we transfer data outside the EEA, we rely on:
- a European Commission adequacy decision for the recipient country; or
- the European Commission's Standard Contractual Clauses, supplemented where necessary by additional technical, contractual, and organisational safeguards in line with the Schrems II ruling; or
- a derogation under Article 49 GDPR.
A list of recipient countries and the safeguards in place is available on request from our DPO.
Lodging a complaint
You may lodge a complaint with the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, L. Sapiegos g. 17, 10312 Vilnius, ada@ada.lt) or with the supervisory authority of your habitual residence or place of work.
Response times
We will respond to rights requests within one month, with a possible two-month extension for complex requests, in accordance with Article 12 GDPR.
9.2 Additional information for Canadian clients
If you are a client of Montelux Payments Ltd (Canada), PIPEDA and applicable Ontario law govern the processing of your personal information.
- Accountable organisation: Montelux Payments Ltd, 18 King Street East, Toronto, Ontario, Canada.
- Privacy Officer: privacy.ca@montelux.com.
Consent
We collect, use, and disclose your personal information with your consent, except where law permits or requires otherwise. Consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. Where we rely on implied consent (for example, for routine processing necessary to provide our services), the purposes are set out in this Notice and at the point of collection.
You may withdraw consent at any time, subject to legal and contractual restrictions and on reasonable notice. Withdrawing consent may affect our ability to provide certain services to you.
Your rights
You have the right to:
- access your personal information held by us and obtain information about how it has been used and to whom it has been disclosed;
- request correction of inaccurate or incomplete information;
- challenge our compliance with PIPEDA's principles by contacting our Privacy Officer;
- withdraw consent, subject to legal and contractual restrictions.
We will respond to access requests within 30 days, with a possible extension where permitted under PIPEDA.
International data transfers
Personal information held by Montelux Payments Ltd may be processed by service providers located outside Canada, including in the European Union and other jurisdictions. While transferred, your personal information remains subject to PIPEDA and may also be subject to the laws of the receiving jurisdiction, including lawful access requests by foreign authorities. We use contractual and technical safeguards to ensure a comparable level of protection.
A list of jurisdictions where your information may be processed is available on request from our Privacy Officer.
Lodging a complaint
If you believe we have not handled your personal information in accordance with PIPEDA, please contact our Privacy Officer first. If your concern is not resolved, you may file a complaint with:
- the Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau, Quebec, K1A 1H3, www.priv.gc.ca; or
- where applicable, the Information and Privacy Commissioner of Ontario.
Privacy contact: privacy.ca@montelux.com.
10. Cookies and similar technologies
Our website uses cookies and similar technologies for authentication, security, performance, and analytics purposes. Detailed information, including the categories of cookies, their purpose, and how to manage your preferences, is set out in our Cookie Notice.
11. Children
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, please contact the relevant Privacy contact in Annex A.
12. Updates to this Notice
We may update this Notice from time to time to reflect changes in our practices, technologies, legal obligations, or supervisory expectations. The version in force is the one published on our website, with the date of last update shown at the top of this document. Material changes will be communicated to clients through appropriate channels in advance of taking effect.
Annex A. Montelux entities and contact details
| Region | Entity | Address | Privacy contact |
|---|---|---|---|
| EU / EEA | Montelux Finance UAB | Žalgirio g. 88-101, LT-09303 Vilnius, Lithuania | dpo@montelux.com |
| Canada | Montelux Payments Ltd | 18 King Street East, Toronto, Ontario, Canada | privacy.ca@montelux.com |
Last updated: 7 May 2026