MOKKA PRIVACY POLICY

Înapoi

This Privacy Policy sets out the rules for the processing of personal data of Users by the controller of such data Revo Technologies IFN S.A with its registered office in Romania, Bucharest, Calea Floreasca 169X, 2 nd floor, room 14, Commerce Registry number: J40/12941/2019; NIP (Tax Identification Number): 41699896; with the share capital amounting to: 950.000 RON entered into the register of lending institutions under number: RG-PJR-41-110356/28.08.2020 (hereinafter: "Revo”).

Revo offers financial services through the website available at www.mokka.ro and the mobile application called "Mokka".

The purpose of this Privacy Policy is to set out the rules for processing the Personal Data of Users who use the services provided by Revo pursuant to the Renewable Credit Limit Agreement and the Mokka Terms & Conditions.

Revo is committed to maintaining the highest standards for processing personal data in compliance with applicable laws, guidelines of regulators and good market practices. In particular, Revo complies with the general principles relating to the processing of personal data set out in Article 5 of GDPR.

Terms used in the Privacy Policy

Personal Data — any information about the User, a natural person, that identifies that person, or enables that person to be identified by Revo or recipients of Personal Data on the basis of a single identifier or on the basis of more than one piece of combined information about the person.

Provider — the entrepreneur cooperating with Revo, who is a retailer or service provider, making available the possibility to use Revo's services to purchase goods or services using funds from the Renewable Credit Limit Agreement.

Newsletter — information from Revo in electronic form about Services, Financial Services, promotions conducted by Revo through the Website, including in cooperation with Suppliers, without any obligations on the part of Revo with regard to the information contained therein.

Customer Profile — the User's personal account in the Service, which contains information about the Customer and his activities in the Service, and the Limit Agreement with attachments, and which enables the activities specified in point III. Mokka Terms & Conditions. The Customer Profile is made available to the User both through the Mokka Website and the Mokka Application.

Profiling — any form of automated processing of personal data, which consists in using personal data to evaluate certain personal factors relating to the individual, in particular to analyse or predict aspects relating to the individual's economic situation, personal preferences, interests, reliability, conduct, location or movement.

GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 2016 No. 119, p. 1; correction Official Journal of the European Union L 2018 No. 127, p. 2)

Service — the "Mokka" online application system, made available by Revo on the website www.mokka.ro and in subdomains (“Mokka Website”), in the mobile application ("Mokka application") on the Providers' websites and on a mobile device located at a stationary point of sale of the Provider, used by the User to purchase goods from the Provider using funds from the Limit and, in case of the application on a mobile device located at a stationary point of sale of the Provider, also to return the goods with the appropriate settlement of the loan.

Mokka Application — a mobile application available through third party distribution platforms ("Application Stores"). The User may be required to register in advance with a given Application Store. Mokka has no influence on the collection, processing and use of personal data by the operators of individual App Stores.

Limit Agreement — Revolving Credit Limit Agreement concluded by Revo with the User under which the User may repeatedly make withdrawals for the purchase of goods or services, cash withdrawals or make credit card payments if issued, up to the amount of the available Limit, with the obligation to return along with the costs within the agreed period.

Financial Services — offered by Revo underthe Limit Agreement: withdrawalsforthe purchase of goods orservices from Suppliers, cash withdrawals to the User's bank account, credit card, as well as related additional services specified in the Limit Agreement.

Consumer Credit Act — 289/24.06.2004

Anti-Money Laundering Act — nr 129/11.07.2019

Accounting Act — nr. 82/01.06.1991

User — natural person who: has entered into a Limit Agreement with Revo, has created a Customer Profile in the Service, use the Service, has subscribed to the Newsletter or has contacted Revo using Personal Data by any of the available means of communication.

Personal Data processed by Revo and sources of their collection

A user who wishes to use Revo's lending services must create a Customer Profile and enter into a Limit Agreement with Revo. In order to do so, it is necessary for Revo to obtain the following personal data:

• first name and surname
• PESEL identification number
• series and number of the identity card
• e-mail address
• street name, street number, apartment number, postcode and town
• mobile phone number

If the User registers a Customer Profile:

• on Mokka Website
• on his/her own device using the Mokka Application

he/she provides the required Personal Data in the Service, whereby the User's address data are obtained by Revo from Providers, credit registers or business information bureaus.

In the case of using Revo services in the Supplier's stationary store, the User, after scanning the QR code, registers himself on his own mobile device, providing Personal Data in the form; if the User does not register on their own, they provide Personal Data on a mobile device operated by the Provider.

If the User makes a purchase in the Supplier's online store and selects the payment option from Revo, the User's Personal Data necessary to create a Customer Profile and make a decision on granting a Limit are provided to Revo by the Supplier in accordance with the Privacy Policy applicable to him.

Provision of the above data by the User is voluntary, but necessary in order to open a Customer Profile, conclude a Limit Agreement with Revo and apply for withdrawals from the Limit. The terms of creating, maintaining and deactivating a User's Customer Profile and the rules of operation of the Service are set out in the Mokka Terms & Conditions.

As a lending institution, Revo is an obliged institution within the framework of the Anti-Money Laundering Act and it is obliged to identify and verify the identity of the User. According to the AntiMoney Laundering Act, for the purposes of applying financial security measures, obliged institutions may process information contained in customers' identity documents and make copies of them. In order to fulfil the aforementioned obligations, Revo may, depending on the availability, use the following methods:

• verification of the Personal Data provided in external databases
• ID card verification with an active digital data layer (digital ID tool)
• execution by the User of a return verification transfer (so-called micro-payment); within the framework of this procedure Revo processes such Personal Data as name, surname, address and bank account number of the User
• verification by an external entity on the basis of the service of access to account information (logging into the User's on-line banking system)
• verification of the Personal Data against the details on the User's ID card when using Revo services in a stationary shop of the Provider

Revo may share some of the User's Personal Data or information about the device used by the User with entities cooperating with Revo to provide identification, detect abuse and cybercrime.

If the user applies for a Limit, Revo will, in accordance with the Consumer Credit Act, carry out a review of the user's creditworthiness on the basis of the user's consents and authorisations. For this purpose, Revo will collect, transfer and process Personal Data and information about the User regarding their current and expired payment obligations (including past due debts), payment history and financial situation. Entities with which Revo cooperates in this regard are:

• Biroul de Credit S.A.
• Agentia Nationala de Administrare Fiscala

The granting of the above consents and authorisations implies that the entities to which the Personal Data have been provided on this basis, become controllers of the Personal Data, next to Revo. Detailed information on the principles of processing Personal Data can be found on the websites of these entities.

Provision and processing of the above mentioned Personal Data is necessary in order to provide Revo's services electronically.

If the User agrees, Revo will inform business information bureaus about the User's payment obligations towards Revo, both existing at the time of granting the consent as well as those that may arise in the future (positive information on obligations).

Certain information and data of a technical, analytical or statistical nature are also obtained by Revo in an automated manner when the User uses the Service - details of which can be found in the Cookies Policy.

As part of maintaining the Customer Profile, performing the Limit Agreement and providing Financial Services to the User, Revo may process the following categories of Personal Data:

• name and surname (including middle name)
• PESEL registration number
• series, number, validity date of the ID card
• date of birth and age
• gender
• e-mail address
• street, house and flat number, zip code and city
• mobile phone number
• bank account number (in the event of applying for and granting the User a cash withdrawal from the Limit)
• computer network IP or data of a mobile device through which the User submits an application for a Financial Service
• information about the exposed political positions (if applicable)
• data on payment behaviour (if Revo obtains such data from the Supplier running the online store)
• data on credit obligations resulting from Financial Services
• data on financial obligations resulting from contracts with other entities, obtained by Revo in order to test the User's creditworthiness and credit risk
• identifiers such as credit card numbers, contract number
• information and data on the payment instrument used and the User's payment transactions provided by international payment organizations(in the case of issuing a credit card under the Limit Agreement)
• information and data about the User provided by debt collection companies cooperating with Revo (if debt collection activities are undertaken)
• tax and financial data, information on the economic situation (including income data, data on owned / held assets and data on payment behaviour)
• image (in copies of identity documents)
• voice in telephone calls and recordings of telephone conversations

In the case of using the Mokka Application, Revo may also process, in order to provide Financial Services and upon the consent of the User, the data on the User's location, contacts, messages, photo gallery, installed applications and content sent by the User to the Mokka Application obtained from the User's mobile device.

Purposes and basis of Personal Data processing

The purpose of this Privacy Policy is to set out the rules for processing the Personal Data of Users who use the services provided by Revo pursuant to the Renewable Credit Limit Agreement and the Mokka Terms & Conditions.

Personal Data processing period

Revo complies with the principle of storage limitation arising from the GDPR, according to which the storage of Personal Data in a form that allows the User to be identified, may take place for a period no longer than it is necessary for purposes for which the data are processed.

Revo processes Personal Data of the User for the duration of the maintenance of the Customer Profile and the validity of the Limit Agreement, and after deactivation of the Customer Profile and expiry of the Limit Agreement for archival purposes for the period required by law. If the User agrees, the Personal Data contained in the Limit Agreement and information on the performance of obligations under the Limit Agreement may be processed for the purpose of assessing creditworthiness, including analysis aimed at counteracting fraud, but not longer than for a period of 3 years, respectively after fulfilment of obligations towards Revo under the Limit Agreement, sale by Revo of receivables under the Limit Agreement or termination of the Limit Agreement. Personal Data collected in the process of applying for Financial Services may be processed by Revo on the basis of the User's consentin statistical analysis for 3 years. If there are claims against the User, Revo will process the User's Personal Data until the expiry of such claims or the period of limitation (as a rule 3 years, maximum 6 years).

Whenever the processing of Personal Data is based solely on the User's consent (e.g. processing for the purpose of sending the Newsletter), it shall be processed for the relevant purpose until the date of revocation (withdrawal) of that consent. Withdrawal of consent does not affect the lawfulness of processing, which was performed on the basis of this consent before such withdrawal.

Where the basis for processing of Personal Data is the legitimate interest of Revo, processing shall be carried out for the duration of such interest, except where such interest is overridden by the interests or fundamental rights and freedoms of the User which require protection of their Personal Data.

With regard to data processed in the Credit Bureau system, these are stored at Credit Bureau level and made available to participants for a period of 7 years from the date of registration.

Automatic Processing of Personal Data and Profiling

Revo processes Personal Data using also an automated decision-making process (i.e., without human involvement, using advanced algorithms). This procedure shall be used to assess creditworthiness and credit risk analysis and to prevent fraud. Automated decision-making allows for uniform application of the lending criteria, increases the chance that the amount of the Limit and withdrawals from the Limit will be appropriately matched to the User's repayment capacity, eliminates possible human error, and significantly speeds up the processing of the User's application.

The result of the automated analysis affects Revo's decision to grant or not to grant the Limit or to withdraw from the Limit or to grant an amount different from that requested. These decisions may only be taken on the basis of data concerning the User and relating to an obligation necessary in view of the purpose and nature of the loan.

Revo may also process Personal Data by profiling them in order to better match Financial Services to the User's needs or to propose new Revo products and services, including in cooperation with Suppliers, if he agrees to send the Newsletter. Profiling may be based in particular on the results of the User's creditworthiness test, his shopping preferences or location data (in particular, location data obtained from the User's mobile device using the Mokka Application).

To the extent that Personal Data is processed only in an automated manner, the User has the right to object to the decision made on this basis, receive appropriate explanations from Revo and human intervention in order to make a final decision.

Recipients of Personal Data

Revo transfers or may transfer Personal Data to the following categories of entities cooperating with Revo:

• Providers
• economic information bureaus and credit bureaus: Biroul de Credit S.A. and Agentia Nationala de Administrare Fiscala
• credit intermediaries cooperating with Revo
• entities cooperating in the verification of the identity and assessment of the User's creditworthiness
• entities cooperating in the detection of fraud and cybercrime
• entities cooperating in the field of direct marketing of Revo services and sending information to Users
• payment operators
• entities providing Revo with hosting (Service maintenance), legal, advisory, debt collection, analytical and IT services as well as User service

The basis for the processing of Personal Data by entities other than Revo is an agreement on entrusting processing concluded by Revo as the administrator with recipients as processors, or the consent of the User.

In addition, Revo will make Personal Data available at the request of authorised public authorities, in particular the President of the Office for Personal Data Protection, the President of the Office for Competition and Consumer Protection, the Financial Spokesperson, consumer spokespersons, or entities authorised under the Money Laundering Act, tax regulations or criminal law regulations.

Transfer of Personal Data outside the European Economic Area (to a third country)

Personal Data of the User will be transferred by Revo to cooperating entities outside the European Economic Area. The basis for such transfer is, in accordance with GDPR, appropriate contractual safeguards in the form of Standard Data Protection Clauses adopted by the European Commission in its decision of 5 February 2010. (2010/87/EU). When transferring Personal Data to the US, Revo will only transfer Personal Data to recipients that have been certified under the EU-US Privacy Shield program and are currently subject to the above Standard Clauses.

The above safeguards are intended to ensure that the third country recipient applies measures for the storage and processing of Personal Data with the same level of security that Revo provides in accordance with GDPR.

User rights

The User has the following rights according to GDPR:

1. The right of access to his/her Personal Data — i.e. to obtain confirmation from Revo as to whether or not the Personal Data of the User are being processed, and if this is the case, to obtain access to them and information on, inter alia about: the purposes of the processing, the recipients or categories of recipients, the rights to be exercised against Revo, automated decision-making, including profiling; if such a request is made, Revo shall provide the User with a copy of the Personal Data undergoing processing, for any subsequent copies Revo may charge a reasonable fee resulting from administrative costs; if the User requests a copy electronically and unless otherwise indicated, the information shall be provided in a commonly used electronic form.

2. The right to rectification of his/her Personal Data — i.e. to request Revo to immediately rectify Personal Data concerning the User that are inaccurate; taking into account the purposes of the processing, the User has the right to request that incomplete Personal Data be completed, including by providing an additional statement.

3. The right to erasure of his/her Personal Data (the right to be forgotten”) — i.e. to request immediate deletion of Personal Data concerning the User if one of the following circumstances applies:

   1. Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed
   2. processing is unlawful
   3. the User has objected to the processing, until such time as it is ascertained whether the legitimate grounds on the part of Revo override the grounds of the User's objection

   The above entitlement does not apply to the extent that the processing of the Personal Data is necessary for compliance with a legal obligation requiring the processing under EU law or the law of a Member State to which Revo is subject, or for the establishment, exercise or defence of claims.

4. The right to restrict processing of his/her Personal Data — in cases where:

   1. The User questions the accuracy of the Personal Data, for a period of time allowing Revo to verify the accuracy of the data
   2. processing is unlawful
   3. the User has objected to the processing, until such time as it is ascertained whether the legitimate grounds on the part of Revo override the grounds of the User's objection
5. The right to portability of his/her Personal Data — to the extent that processing is carried out for the conclusion and performance of the agreement or on the basis of the User's consent, and to the extent that processing is carried out by automated means, the User has the right to receive the Personal Data provided by the User to Revo in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller; The User has the right to request that the Personal Data be transferred by Revo directly to another controller, where technically feasible.
6. The right to object to the processing of his/her Personal Data — to the extent that Personal Data are processed on the grounds of legitimate interest, in particular processed for the purposes of direct marketing, including Profiling, the User has the right to object to the processing of Personal Data by Revo for these purposes; however, Revo will still be entitled to process the Personal Data despite the User's objection if it demonstrates the existence of valid legitimate grounds for the processing, overriding the interests, rights and freedoms of the User, or grounds for the establishment, exercise or defence of Revo's claims; to the extent the Personal Data are processed solely by automated means, the User has the right to object to the decision taken on this basis, to receive adequate explanations from Revo and human intervention to make a final decision.
7. The right to withdraw consent to the processing of his/her Personal Data— where processing is based on consent given by the User, the User shall have the right to revoke (withdraw) his or her consent at any time, which shall result in the cessation of future processing, unless there is another basis for further processing within the specified scope.
8. The right to lodge a complaint with a supervisory authority — The User has the possibility to report complaints regarding Revo's processing of his/her Personal Data to the President of the Data Protection Authority.

The User may exercise his/her rights by sending a message or a scanned signed statement to: the email address: [email protected], or by regular mail to the following address: [email protected].

The right to withdraw consent: data subjects may at any time withdraw their consent to the processing of personal data processed on the basis of their consent. The withdrawal of consent shall not affect the lawfulness of data processing carried out before that moment.

The right to object to an individually automated decision.

This Privacy Policy is effective from the date of its publication on the Mokka Website.

Date of last revision of the Privacy Policy: 16.03.2022