TRODFIN PRIVACY NOTICE

This privacy notice (“notice”) explains the types of personal data we collect and how we use and share it. It also tells you about your rights and the choices you can make about how we process your personal data.


1. PERSONAL DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information about an identified or identifiable individual. It can include data that you provide to us (such as your name, address or contact details) and data that we collect about you during your interaction with our services (such as device information, IP address, etc.). It does not include anonymous data, which cannot be linked back to an individual.


2. INFORMATION YOU GIVE US

Information we hold about you will often be information you provided to us directly. For example, when you sign up for a Trodfin service or take part in online discussions or promotions, you provide certain data that’s necessary to your experience. This includes:

Contact details: your name, email address, postal address, and phone number

Personal details: date of birth, passport number or other form of identification information including national identification number (such as your MyKad in Malaysia), tax residency, tax reference number, proof of address, and proof of residency

Financial information: When you apply for card issuance services through our platform, you may provide income information, employment details, and other financial data required by our card issuer partner for credit assessment purposes

The content of your communications with us: emails, telephone call recordings and online chat messages

Information about your personal circumstances: information that could make you susceptible to harm or in need of extra care to meet our regulatory obligations to support vulnerable customers

If you fail to provide any information which we tell you is needed to meet legal requirements, it might affect our ability to provide our services to you.

You can ensure that your contact details are current, complete and accurate by logging into your account and updating them at any time in account settings.

If you provide personal data about anyone other than yourself, including a payment counterpart, a friend you have recommended, someone you wish to (or have) set up Group Spending with, individuals in your phone book contact list, or any other person who has a relevant relationship with Trodfin (a “connected person”), you confirm that you have their agreement or are otherwise entitled to provide this information to us. That includes bringing this notice to their attention if legally necessary.


3. INFORMATION WE COLLECT ABOUT YOU FROM YOUR USE OF OUR SERVICES

This includes:

Information about your devices: details of the internet protocol (IP) address used to connect your device to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, the type of device you use, whether your device uses a virtual private network (VPN), a unique device identifier (for example, your device’s IMEI number, the MAC address of the device’s wireless network interface, or the mobile phone number used by the device), mobile network information, your mobile operating system, and the type of mobile browser you use

Information about how you are using our Websites or App: details of the products you viewed or searched for, page interaction information, and, if you’ve installed the app, installed applications on your mobile device that have remote access permissions

Behavioural biometrics: details of the way you log in and interact with our website or app such as typing cadence, keystroke, touch and mouse behavior to support the detection of fraudulent and suspicious attempts to access your Account. This data is used solely for fraud prevention and account security purposes

Information stored on your device: including your contact list if you give us access to your phone book


4. INFORMATION WE RECEIVE FROM OTHER SOURCES

This includes:

Information from connected persons: if you are a “connected person”, then someone may provide your personal data to us. For instance, if you’re a payment beneficiary, data could include name, account details, email, and additional verification information if necessary for fulfilling our legal obligations or requested by the recipient bank

Advertising networks, analytics providers, and search information providers: may provide us with information about you, including confirmation of how you found our website

Information from fraud prevention agencies and government or private databases: In some jurisdictions, we may check the information you have provided to us with government or private identity record databases, fraud prevention agencies, other private entities, or with credit reference agencies to confirm your identity and to combat fraud

Information from publicly available sources: We may collect information from publicly available sources, such as media stories, online registers or directories, and websites for enhanced due diligence checks and KYC purposes

Information from card issuer partners: If you apply for a credit card through our platform, the card issuer may provide us with limited information about your application status (approved/rejected) for account management and service improvement purposes. We do not receive detailed information about your card usage, transactions, or account balance unless specifically required for dispute resolution or regulatory compliance


5. INFORMATION FROM SOCIAL NETWORKS

• If you log into our services using your social network account (including Apple ID, Facebook, or Google) we will receive the information that is necessary for us to authenticate your access, such as your profile and email address, in accordance with the social network’s privacy policy.

• When visiting our social network pages, the social media networks (such as Facebook or Instagram) collect personal data about you that they compile into statistics. While we can view these aggregated statistics, we cannot access the underlying personal data or link it to specific individuals or followers.

• We also collect information about you when you use our social network pages (such as Instagram or LinkedIn) to contact us by creating your own post, tagging us, commenting on our posts, or sending us private messages.

• Occasionally, we’ll use publicly available information about you from selected social media networks or media to carry out enhanced due diligence checks.


6. WAYS WE USE YOUR INFORMATION

Legal basis: We will only use your personal data when the law allows us to. In most cases, our legal basis will be one of the following:

Legal obligation: where we have a legal obligation to process your personal data to comply with laws and regulations

Legitimate interests: where we have a legitimate reason to process your personal data that is reasonable when balanced against your rights and interests (for example, to understand how our services are used and to improve them)

Consent: where you have given us your consent to process your data

Performance of contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract

Substantial public interest: where we process sensitive or special category data (revealing or relating to someone’s health, ethnicity, political views, religious beliefs, sexual orientation, or other protected characteristics) and that processing is in the substantial public interest (for example, to support vulnerable customers)


7. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

The ways we plan to use your personal data, along with the corresponding legal bases, are described below.

7.1 To ensure account safety, including protecting you from fraud

We process personal data:

• To prevent, detect, or protect against actual or suspected fraud, unauthorized transactions, claims, liability, and financial or other crimes. In some cases this may include collecting behavioral biometric data (typing patterns, mouse movements, touchscreen interactions). For example, this may happen if you change the phone number linked to your account or recover access to your account. To keep our anti-fraud measures effective, we can’t always share all the details about how we prevent fraud.

Legal basis: Legitimate interests (fraud prevention), Legal obligation (anti-money laundering compliance)

7.2 To facilitate card issuance services

We may process your personal data:

• To share with our licensed card issuer partners when you apply for a credit card through our platform
• To facilitate the card application process, including identity verification and credit assessment
• To communicate with you about your card application status
• To maintain records of card referrals for business and regulatory purposes

Legal basis: Performance of contract (to provide the card referral service you requested), Consent (where you explicitly agree to share your data with the card issuer), Legitimate interests (to operate our card referral partnership program)

7.3 Compliance with legal and regulatory obligations, protecting our business and enforcing our rights

We may process your personal data:

• To comply with legal and/or regulatory requirements, including to respond to requests from public and government authorities, possibly outside your country of residence, upon demonstration of lawful authority

• If you use our Assets product, to comply with our obligations to determine your tax status and compliance with associated tax regulations

• To prevent, detect, or protect against actual or suspected fraud, unauthorized transactions, claims, liability, and financial or other crimes, including conducting or co-operating with investigations of fraud or other illegal activity where we believe it is reasonable and appropriate to do so

• To take steps to allow us to recover or limit damages that we may sustain

• To allow a third party or a financial institution to recover funds that were transferred incorrectly due to error or fraud

• To verify information you provide to us, and to enforce our Customer Agreement with you

• To investigate, manage, and resolve complaints

• To prevent and manage incidents of abusive or aggressive behaviour towards our employees

Legal basis: Legal obligation, Legitimate interests (protecting our business and customers)

7.4 Maintaining and improving our services

We may process your personal data:

• To administer our services and for internal operational, planning, audit, troubleshooting, data analysis, testing, research, statistical, and survey purposes

• To undertake system or product development, including helping third-party suppliers improve the services they provide to us

• To improve our services and to ensure that they are presented in the most effective manner

• To provide customer support and respond to your inquiries

Legal basis: Legitimate interests (improving our services), Performance of contract


8. COOKIES

Our website and app use small files known as cookies, along with similar technologies like pixel tags and web beacons. These help us distinguish you from other users, see how you use our site and products while providing you with the best experience. They also enable us to improve our services and make sure that the ads you see online are more relevant to you and your interests. For more information about the cookies and technologies we use, as well as their purposes, please visit our Cookie Policy at www.trodfin.com/cookie-policy or contact us at privacy@trodfin.com.

We also use pixels or web beacons in some of our emails to help us understand whether our email was delivered and opened, and whether links within the email were clicked. We use this information to measure the performance of our email campaigns, and to help us improve our future email communications.


9. SHARING YOUR PERSONAL DATA

We may share your personal data with third parties in the following circumstances:

9.1 Card Issuer Partners

When you apply for a credit card through Trodfin, we share your personal information with our licensed card issuer partner. This includes:

Card Issuer Partner: [CARD ISSUER NAME TO BE INSERTED]
Registered Address: [CARD ISSUER ADDRESS TO BE INSERTED]
Website: [CARD ISSUER WEBSITE TO BE INSERTED]

Data Shared: Name, contact details (email, phone, address), identification documents (MyKad/passport), date of birth, financial information (if provided for credit assessment), employment details, and other information required for card application processing.

Purpose: To process your card application, verify your identity, assess creditworthiness, and issue the card.

Legal Basis: Performance of contract and consent.

The card issuer is an independent data controller for the personal data they collect and process. Their use of your data is governed by their own privacy policy, which you should review when applying for a card at [LINK TO PARTNER’S PRIVACY POLICY]. They are responsible for:

• Processing your card application
• Operating and managing your card account
• Providing customer support for card-related issues
• Complying with their own data protection obligations

9.2 Service Providers

We work with third-party service providers who process personal data on our behalf to help us deliver our services. These include:

• Payment processors and payment gateway providers
• Cloud hosting and data storage providers
• Customer support and communication platforms
• Identity verification and KYC service providers
• Fraud detection and prevention services
• Analytics and marketing service providers

All service providers are required to maintain appropriate security measures and process your data only as instructed by Trodfin.

9.3 Legal and Regulatory Authorities

We may share your data with law enforcement, regulators, government agencies, courts, or other third parties where we believe it’s necessary to comply with applicable laws or regulations, or to exercise, establish, or defend our legal rights.

9.4 Business Transfers

If Trodfin is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal data.


10. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in countries outside of Malaysia, including to our card issuer partners, service providers, or cloud storage facilities that may be located in other jurisdictions.

When we transfer your data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by relevant data protection authorities
• Ensuring third parties are in jurisdictions with adequate data protection laws
• Implementing appropriate technical and organizational security measures

Specifically for card issuance services, your data may be transferred to [COUNTRY WHERE CARD ISSUER IS LOCATED] for processing by our card issuer partner.

If you would like more information about international data transfers, please contact us at privacy@trodfin.com.


11. BEHAVIORAL BIOMETRIC DATA

We collect behavioral biometric data (such as typing patterns, mouse movements, and touchscreen interactions) for fraud prevention and account security purposes. This data:

• Is used solely for authenticating your identity and detecting fraudulent access attempts
• Is encrypted and stored securely
• Will be retained for 90 days after your last login or account closure, whichever is earlier
• Does not include facial recognition, fingerprints, or other physical biometric identifiers

You can opt out of behavioral biometric data collection by contacting privacy@trodfin.com, though this may affect our ability to protect your account from unauthorized access.

Legal basis: Legitimate interests (fraud prevention and account security), Consent (where required by local law)


12. DATA RETENTION

We will retain your personal data only for as long as is necessary to fulfill the purposes for which we collected it. We retain different types of data for specific periods:

• Account information: 7 years after account closure (regulatory requirement under Bank Negara Malaysia guidelines)
• Transaction records: 7 years after transaction date (tax and audit compliance under Income Tax Act 1967)
• Communication records (emails, chat logs): 3 years after last contact
• Marketing consent records: Until you withdraw consent, then 1 year for record-keeping purposes
• Behavioral biometric data: 90 days after last login or account closure, whichever is earlier
• Fraud investigation data: 10 years (legal requirement for financial crimes under Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001)
• Card application records: 7 years after application date (regulatory requirement)
• Identity verification documents: 7 years after account closure or application rejection

These periods may vary based on applicable laws in your jurisdiction or specific regulatory requirements.

We will always delete data that is no longer required by a relevant law or jurisdiction in which we operate. We do this automatically, so you don’t need to contact us to ask us to delete your data. Deletion methods include shredding, destruction and secure disposal of hardware and hard-copy records, and deletion or over-writing of digital data.


13. DATA BREACH NOTIFICATION

In the event of a data breach that affects your personal information, we will notify you within 72 hours of becoming aware of the breach, in accordance with applicable data protection laws including the Personal Data Protection Act 2010 (Malaysia).

Notifications will be sent to your registered email address and may include:

• The nature of the data breach
• The categories and approximate number of individuals affected
• The types of personal data affected
• The likely consequences of the breach
• The measures we have taken or propose to take to address the breach
• Contact details for further information and assistance
• Steps you should take to protect yourself

We will also notify the Personal Data Protection Commissioner and other relevant authorities as required by law.


14. HOW WE PROTECT YOUR PERSONAL INFORMATION

We take the safeguarding of your information very seriously. The transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data during transmission. Any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to ensure it stays secure, including:

• Communications over the internet between you and Trodfin systems are encrypted using TLS 1.3 or higher with strong asymmetric encryption. This makes it unreadable to anyone who might be listening in

• We update and patch our servers in a timely manner following industry best practices

• We run a Responsible Disclosure and bug bounty program to identify any security issues in Trodfin services

• Our technical security team proactively monitors for abnormal and malicious activity in our servers and services using 24/7 security operations

• When information you’ve given us is not in active use, it is encrypted at rest using AES-256 encryption

• We implement multi-factor authentication (MFA) for administrative access to systems containing personal data

• Regular security audits and penetration testing are conducted by independent third parties

• All employees undergo security awareness training and sign confidentiality agreements

We restrict access to your personal information to those employees of Trodfin who have a business reason for knowing such information and third-party service providers processing data on our behalf. All Trodfin employees who have access to your personal data are required to adhere to this notice and all third-party service providers are requested by Trodfin to ensure appropriate safeguards are in place. In addition, contracts are in place with third-party service providers that have access to your personal data, to ensure that the level of security and protective measures required in your jurisdiction is in place, and that your personal data is processed only as instructed by Trodfin.


15. YOUR RIGHTS

Under the Personal Data Protection Act 2010 (Malaysia) and other applicable laws, you have the following rights:

15.1 Right of Access: You have the right to request a copy of the personal data we hold about you. You can make this request by contacting privacy@trodfin.com. We may charge a nominal fee (not exceeding RM10) for processing your request.

15.2 Right to Correction: You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most information directly through your account settings or by contacting us.

15.3 Right to Withdraw Consent: Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

15.4 Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another service provider where technically feasible.

15.5 Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

15.6 Right to Object: You have the right to object to processing of your personal data where we are relying on legitimate interests as the legal basis and there is something about your particular situation that makes you want to object.

15.7 Right to Erasure: In certain circumstances, you have the right to request deletion of your personal data. However, this right is not absolute and may be limited by legal retention requirements.

15.8 Right to Lodge a Complaint: If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia at:

Personal Data Protection Department
Ministry of Communications and Digital
Level 5, Block D1, Kompleks D
Pusat Pentadbiran Kerajaan Persekutuan
62530 Putrajaya, Malaysia
Email: pdp@kkmm.gov.my
Website: www.pdp.gov.my

To exercise any of these rights, please contact us at privacy@trodfin.com with your request. We will respond within 21 days as required by the Personal Data Protection Act 2010.


16. CHILDREN’S PRIVACY

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide any personal information to us.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@trodfin.com, and we will take steps to delete such information from our systems within 14 days.


17. AUTOMATED DECISION-MAKING

We may use automated decision-making processes, including profiling, for the following purposes:

• Fraud detection and prevention: We use automated systems to analyze your account activity and detect unusual patterns that may indicate fraudulent activity.

• Credit assessment for card applications: Our card issuer partners may use automated credit scoring systems to assess your credit card application. You have the right to request human review of any automated decision that significantly affects you.

If you wish to contest an automated decision or request human review, please contact us at privacy@trodfin.com.


18. MARKETING COMMUNICATIONS

We may send you marketing communications about Trodfin services, special offers, or partner services (including card issuer offers) if you have:

• Consented to receive marketing communications, or
• Purchased or used our services and have not opted out of marketing

You can opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email
• Adjusting your communication preferences in your account settings
• Contacting us at privacy@trodfin.com

Please note that even if you opt out of marketing communications, we will still send you transactional emails related to your account and services.


19. THIRD-PARTY LINKS

Our website and services may contain links to third-party websites, including our card issuer partners’ websites. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data to them.


20. CHANGES TO OUR PRIVACY POLICY

To keep up with changing legislation, best practice, and changes in how we process personal information, we may revise this notice at any time. In the case of significant or material changes to this notice, we will:

• Notify you by email at least 30 days before the changes take effect
• Display a prominent notice on our website and app
• Request your consent where required by law

The “Last Updated” date at the bottom of this notice indicates when it was last revised. We encourage you to review this notice periodically to stay informed about how we protect your personal data.


21. CONTACT

If you have any questions, comments or requests about this notice, please contact us at:

Trodfin Sdn. Bhd.
Data Protection Officer
Email: privacy@trodfin.com
Support Email: support@trodfin.com
Website: www.trodfin.com

Mailing Address:
[INSERT COMPANY REGISTERED ADDRESS]

For data protection matters specifically, you can also contact our Data Protection Officer at:
Email: dpo@trodfin.com

We will respond to all privacy-related inquiries within 21 days as required by the Personal Data Protection Act 2010 (Malaysia).


Last Updated: [11.13.2025]