Privacy Policy relating to Personal Data of DANA Users (“Privacy Policy”)

This Privacy Policy applies to services provided by PT Espay Debit Indonesia Koe (otherwise known as “EDIK”, “we”, “our” or “us”) and sets out how we may collect, use and disclose your “personal data”, “personally identifiable information” or other personal information (collectively, “Personal Data”) in connection with your access to and use of the DANA application (“Dana App”).

As more fully described in the Terms and Conditions for DANA User (“Terms and Conditions”), DANA App is an integrated life-style services app designed by EDIK for users. The DANA App provides a gateway for registered users of DANA App to participate in a variety of activities, including interacting with friends, accessing information and making payments. The DANA App is provided free of charge for registered users. Anyone who does not have an account can sign up for a DANA Account (“DANA Account”) with EDIK.

From time to time, it is necessary for you to provide us with Personal Data in connection with your access to and use of the DANA App. By agreeing to the Terms and Conditions or by continuing to access or use the DANA App, you will be deemed to have agreed to and been notified of the terms of this Privacy Policy concerning the collection, use, process, storage, transfer and disclosure of your Personal Data as set out in this Privacy Policy. If you do not supply such Personal Data to us, it may result in us being unable to provide you with the services in the DANA App or to comply with any laws or guidelines issued by regulatory or other authorities.

In this Privacy Policy, the word “including” shall not be limiting.

A. COLLECTION OF PERSONAL DATA

We may obtain your Personal Data from various sources (e.g. from you or through third parties), including:

1. Information obtained (directly or indirectly) about your computer, mobile device or other item of hardware through which you access and use the DANA App (including your IP address, geographical location, browser/platform type and version, internet service provider, operating system, referral source/exit pages, length of visit/usage, page views and any search term you use) (“Device Information”).
2. Information obtained (directly or indirectly) when you register with DANA Account as a user of the DANA services, including your name, date of birth, address, telephone number and email address (“Registration Information”).
3. Information obtained (directly or indirectly) during your use of the DANA Account, including your bank account numbers, billing and delivery information, transaction data, credit/debit card numbers and expiration dates and other information from checks or money orders (“Account Information”).
4. The above Device Information, Registration Information and Account Information or other information may be accessed or collected (automatically or manually) at the time during your registration with DANA Account as a user of the DANA services and/or during the course of your use of the DANA App and DANA Account.

The above information obtained by us may constitute your Personal Data.

We have taken steps to ensure that we do not collect more information (whether or not such information constitutes Personal Data) from you than is necessary for us to provide you with our services, to perform the functions set out in Part B of this Privacy Policy, to protect your DANA Account, comply with our legal obligations, protect our legal rights, and to operate our business.

B. USE OF PERSONAL DATA

We may use the Personal Data that we obtained about you for the following purposes:

1. Verifying your eligibility to use any of the features and functions of the DANA App.
2. Processing your registration with DANA Account as a user of the DANA services and maintaining and managing your registration.
3. Providing you with services and related customer services regarding the use of your DANA Account, including, working in collaboration with DANA to facilitate the settlement of purchase price for goods and services, shipping and related services for purchases, charge-backs, sending notices about your transactions, and responding to your queries, feedback, claims or disputes.
4. Improving and expanding our offerings by way of research and development of new functions of the DANA App or other new products and services that we may offer from time to time.
5. Performing research, statistical analysis or surveys, whether orally or in writing, in order to manage and protect our business including our information technology infrastructure, to measure the performance of the DANA App and other services we offer and to ensure your satisfaction with our services.
6. Analyzing trends, usages and other behaviors (whether on an individualized or aggregated basis), which helps us better understand how you and our collective user base access and use the DANA App and the underlying commercial activities conducted, including for purposes of improving our services and responding to customer queries and preferences.
7. Subject to having obtained your consent in accordance with applicable law and as contemplated in section D below, we may provide direct marketing information to you relating to services offered by us and our affiliates and selected third parties using your Personal Data to contact you, including by telephone, text (SMS), email, post and fax.
8. Managing risk, performing creditworthiness and solvency checks, or assessing, detecting, investigating, preventing and/or remediating fraud or other potentially prohibited or illegal activities and otherwise protecting the integrity of our information technology platform.
9. Detecting, investigating, preventing or remediating violations of the Terms and Conditions, any applicable internal DANA services policies, relevant industry standards, guidelines, laws or regulations.
10. Making such disclosures as may be required by any law or regulation of any country applicable to us or our affiliate, government official or other third party, including any card association or other payment network. Disclosures may also be made pursuant to any subpoena, court order or other legal process or requirement in any country applicable to us or our affiliate (including anti-money laundering and counter-terrorist financing reporting requirements).
11. Making any disclosure to prevent any harm or financial loss, to report any suspected illegal activity or to deal with any claim or potential claim brought against us or our affiliates.
12. Enabling any due diligence and other appraisals or evaluations for actual or proposed merger, acquisition, financing transactions or joint ventures.
13. Any other legitimate business purposes, such as protecting you and other users of the DANA App from losses, protecting lives, maintaining the security of our systems and products, and protecting any of our other rights and/or properties.

We also may use your Personal Data in other ways for which we provide specific notice at the time of collection or for which you have subsequently consented.

C. DISCLOSURE OF PERSONAL DATA

Your Personal Data held by us will be kept confidential but we may provide such information to the following parties for the purposes set out in B.1 to B.13 above:

1. DANA Account and other DANA services wholly or partly owned group companies.
2. Any agent, contractor or third party service provider that we work with in providing you with our services, including for fraud prevention, bill collection, data entry, database management, promotions, marketing, customer service, technology services, products and services alerts and payment extension services.
3. Entities with whom we maintain business referral or other commercial arrangements, including third parties and entities belonging to EDIK.
4. Merchants and other organizations, such as card associations, payment networks or financial institutions, to whom or through which payments are made using the DANA Account, or such other entities to enable your use of the DANA App.
5. Third party financial institutions, banks, collection agents and credit agencies.
6. Third party marketing service providers.
7. Professional advisers, law enforcement agencies, insurers, government and regulatory authorities or any other organizations to which EDIK is under an obligation to make disclosure under the requirements of any applicable law, regulation or commercial arrangement, including arrangements with any card association or payment network.
8. Entities involved in any merger, acquisition, financing transaction or joint venture with us.

D. DIRECT MARKETING

As specified at B.7, EDIK may wish to use your Personal Data in direct marketing activities and will at such future point in time obtain your consent with respect to the contemplated scope and manner for such direct marketing activities. Where you provide such subsequent consent, then please note that:

1. Certain Personal Data obtained by us from time to time may be used in direct marketing.
2. We may market to you goods and services which we believe may be of relevance to you for which your subsequent consent will be specifically obtained. This may include goods and services that are offered by us, any of our affiliates, our business partners or selected third parties, including any payment and financial products.
3. We may provide your Personal Data to certain third parties for use by them in marketing their own goods and services, including (i) our affiliates, (ii) business partners and (iii) other third parties.
4. Your consent to the use of your Personal Data for direct marketing purposes will be solicited by way of an opt in check box or other positive indication of no objection.
5. If at any time you do not wish us to continue to use or provide to other persons your Personal Data for use in direct marketing as described above and in the relevant consent, then you may exercise your “opt-out” right by notifying us.

E. SECURITY MEASURES AND RETENTION

We take all reasonable steps, including technical, administrative and physical safeguards to help protect your Personal Data that we process from loss, misuse and unauthorized access, disclosure, alteration and destruction.

We will retain and procure our service providers to retain your Personal Data only for so long as is necessary for the purposes set out in this Privacy Policy and in accordance with the Privacy Policy and all applicable regulatory requirements.

For registered users of the DANA Account, your Registration Information and Account Information (if any) can be viewed and edited in the DANA App through your account with DANA, which is protected by a password or PIN code. We recommend that you do not divulge your password or PIN code to anyone. Our personnel will never ask you for your password in an unsolicited phone call or in an unsolicited email. If you share a computer with others, you should not choose to save your log-in information (e.g., user ID and password) on that shared computer.

F. THIRD PARTY SERVICES AND WEBSITES

The DANA App may provide links to other websites and services (including apps operated by third parties) for your convenience and information. These services and websites may operate independently from us and may have their own privacy notices or policies, which we strongly suggest you to review before you use any of their services or conduct any activities on those websites.
To the extent that any linked websites you visit are not owned or controlled by us, we are not responsible for their contents, their privacy practices and the quality of their services.

G. CHANGES TO THIS PRIVACY POLICY

We reserve the exclusive right to change, amend or revise this Privacy Policy from time to time.

H. STOP TO RECEIVE E-MAIL

We have a policy to opt in or out of the database. If you would like to stop receiving emails from us, please click the unsubscribe link included with each e-mail.

I. MISCELLANEOUS

1. This Privacy Policy shall be subject to, governed, and implemented according to law of the Republic of Indonesia.
2. In case of dispute in the interpretation and implementation of this Privacy Policy, you and EDIK agree to resolve the same by deliberation. If no agreement can be reached through the deliberation, then the dispute shall be resolved at District Court of Central Jakarta.
3. This Privacy Policy is made in Bahasa Indonesia and English. In the event of an inconsistency between the English version and the Bahasa Indonesia version, the Bahasa Indonesia version shall prevail.
4. We do not guarantee the security of our database and we also do not guarantee that the data you provide will not be detained/interrupted while it is being sent to us. Any transmission of information by you to us is at your own risk. You may not disclose your password to anyone. No matter how effective a technology is, there is no impenetrable security system.

J. ACKNOWLEDGEMENT

By using the DANA App, you acknowledge that you have read and understood this Privacy Policy and agree to the use, processing and transfer of Personal Data as set forth in this Privacy Policy.

K. FURTHER INFORMATION

Where you have the right under the Privacy Policy to access or correct your Personal Data or exercise of any “opt-out” right or if you wish to contact us, please do so by contacting the Customer Service by the following means:

PT Espay Debit Indonesia Koe (DANA)
Gd Capital Place Office Office Tower Lantai 18
Jalan Jend. Gatot Subroto Kav 18, Jakarta Selatan 12710
Operating hours: Mondays – Fridays, at 08.30 – 17.00
Phone: +622127933690 and +622127933622
Email: [email protected]