MidChains FZE Group and its wholly owned subsidiaries (collectively referred to as “MidChains”, “we”, “us”) take data protection and privacy responsibilities seriously. This Privacy Policy explains how we collect, use and share personal information in the course of our business activities, including:
(a) What personal information we collect and when and why we use it;
(b) How we share personal information within MidChains, with third parties and
regulators;
(c) Using cookies and other technologies;
(d) Carrying out direct marketing;
(e) Transferring personal information globally;
(f) How we protect and store personal information;
(g) Legal rights available to help manage your privacy; and
(h) How you can contact us.

In this Privacy Policy, we use the term “Client” or “you” to refer to any client of MidChains. This term includes clients who are individuals, as well as any individuals authorised to access services offered by MidChains on behalf of individual or corporate

clients, such as employees and contractors. The term also refers to individuals connected to our corporate clients whose personal information we may collect and process in order to provide our services, for example company directors and shareholders.

MidChains has the discretion to update this Privacy Policy at any time. When we do, we will post a notification on our Website. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g. to object to the processing).

1.WHAT PERSONAL INFORMATION WE COLLECT AND WHEN AND WHY WE USE

1.1 MidChains collects information about you if you:
(a) register with or use our Website or online services;
(b) are a private client;
(c) represent one of our institutional clients;
(d) work with us as a service provider; or
(e) visit a MidChains office or register to attend a MidChains event.
1.2 Personal information we collect will fall within one of the below:
(a) Your name and how to contact you — basic information about you, including your
signature;
(b) Identification data including unique descriptors — Government issued identifiers,
other unique identifiers such as date of birth, and personal descriptors that might
identify you;
(c) Financial and transactional — financial information about you, transactional
information and credit information, account authentication details;
(d) Contractual details — information collected as part of the products and services we
provide you;
(e) Socio-demographic — includes details about your work or profession, nationality,
education;
(f) Technical information — details about your devices and technology that you use to
access our services, including IP address;
(g) Behavioural — information about how you use our products and services;
(h) Location — data we receive about where you are;
(i) Communications — information we capture through your communications with us,
e.g. telephone conversations, emails and instant messaging;
(j) Publicly available information — details that are in public records and information
about you that is openly available on the internet; or
(k) Sensitive categories of data — the law and other regulations treat some types of
personal information, including personal information relating to health and criminal
convictions and offenses as special and affords them additional protections. We will
only collect and use these types of data if the law allows us to do so.
1.3 Personal information we collect will be used for one or more of the following
services:
(a) To manage your relationship with MidChains
(i) To manage our relationship with you or your business, for example how to best
contact you;
(ii) To develop new ways to meet our clients’ needs and to grow our business, for
example by seeking client feedback or sharing market research;
(iii) To develop and carry out marketing activities in order to keep our clients informed
about our products and services; or
(iv) To develop and manage our brand.
(b) To administer the products and services we deliver
(i) To make and manage client payments;
(ii) To manage fees, charges and interest due on client account;
(iii) To collect and recover money that is owed to us; or
(iv) To exercise our rights set out in agreements or contracts.
(c) Crime prevention and detection
(i) To detect, investigate, report, and seek to prevent fraud, financial crime and antimoney laundering, for example through know-your-customer checks, AML screening
and other identity checks; or
(ii) To comply with other laws and regulations that apply to us.
(d) To protect our brand, our business and our clients’ interests
(i) To manage risk for us and our clients;
(ii) To respond to complaints and seek to resolve them;
(e) To comply with all applicable laws, law enforcement and regulatory requirements;
(i) To protect our IT systems, network and infrastructure; or
(ii) To run our business in an efficient manner, for example managing our financial
position, planning, corporate governance or audit.
1.4 The lawful basis on which we will collect and use this data will include:
(a) Legitimate interests — our use of your personal information is in our legitimate
interest as a commercial organization to provide services to our clients, provided our
use is proportionate and respects your privacy rights, where we rely on our legitimate
interest, we will tell you what that interest is. Our legitimate interests include:
(i) Working out which of our products or services might interest you and telling you
about them;
(ii) Seeking your consent when we need to contact you;
(iii) Keeping our records up to date and honouring your communication preferences;
(iv) Ensuring we are able to effectively and efficiently meet our contractual obligations;
and
(v) Complying with regulatory requirements.
(b) Consent (where required by law) — you have provided your consent to us using
personal information, for example if you have agreed to receive marketing
communications.
(c) Contractual obligation — our use of personal information is necessary to fulfil a
contract we have with you or to take steps to enter into a contract with you, for example
when you ask us to provide you with a product or service.
(d) Legal obligation — our use of your personal information is necessary to comply
with a legal obligation that we have, for example where we are required to report to tax
authorities.
(e) Public interest — our use of your personal information is required for regulatory
reasons that are in the public interest, for example to prevent and detect financial crime.
1.5 How we share personal information within MidChains, with third parties, and with
regulators.
We may share your information in the manner and for the purposes described below:
(a) Within MidChains, where such disclosure is necessary to provide you with our
services or to manage our business;
(b) With third parties who help manage our business and deliver services. These third
parties have agreed to confidentiality restrictions and use of any personal information
we share with them or which they collect on our behalf solely for the purpose of
providing the contractual service to us. These include IT service providers;
(c) With agencies and organizations working to prevent fraud in financial services;
(d) With our regulators;
(e) To comply with all applicable laws, regulations and rules, and requests of law
enforcement, regulatory and other governmental agencies;
(f) We may share in aggregate, statistical form, non-personal information regarding
the visitors to our website, traffic patterns, and website usage with our business
partners, affiliates or advertisers; and
(g) MidChains may, in the future, sell or otherwise transfer some or all of its assets to a
third party. Your personal information, technical information about your device or
browser or other anonymous information we obtain from you via the website may be
disclosed to any potential or actual third-party purchasers of such assets or may be
among those assets transferred.

2. USING COOKIES AND OTHER TECHNOLOGIES

We use cookies, web beacons and similar technologies (“Cookies”) to track information
provided to us by your browser and by our software application when you use our
websites. A Cookie is a small piece of information that a website stores on the web
browser on your device and can later retrieve. Session Cookies are temporary and will
expire at the end of a browser session, when you leave a website. Persistent Cookies,
in contrast, remain in the Cookie file of your browser even after you leave a website and
after the browser is closed. A Cookie will not contain information that will enable us to
contact you via telephone, email or other means. Our websites are not currently configured
to respond to “do not track” signals or similar mechanisms.

3. THIRD PARTY WEBSITES

Our website contains links to third party sites (including social media bookmarking
buttons that enable you to share certain content from our website). Although some of
the entities controlling these websites are under contract with us, not all of them are, so
we advise you to familiarise yourself with the individual privacy and cookie notice and
other terms for each linked website prior to submitting your personal data. We are not
responsible for and do not have control over their terms of use or privacy notices, have
not reviewed them and we do not accept liability with respect to the content of these
websites or how they use Cookies and handle your personal information.

4. CARRYING OUT DIRECT MARKETING

4.1 We may use personal information to let you know about MidChains products and
services that we believe will be of interest to you. We may contact you by email, post, or
telephone or through other helpful channels that we think you may find helpful. In all
cases, we will respect your preferences for how you would like us to manage marketing
activity with you.
4.2 To protect your privacy rights and ensure you have control over how we manage
marketing with you:
(a) We will take steps to limit direct marketing to a reasonable and proportionate level
and only send you communications which we believe may be of interest or relevance to
you; and
(b) You can ask us to stop direct marketing at any time. You can ask us to stop
sending email marketing by following the `unsubscribe’ link you will find on the email
marketing messages we send you.

5. CHILDREN’S PRIVACY

We do not accept users under the age of 21 and no part of our website is structured to
attract anyone under 21. In the event that we learn we have inadvertently collected
personal information from an individual under the age of 21, we will take reasonable
steps to delete that information. If you believe that we might have any information from
an individual under 21, please contact us at [email protected].

6. TRANSFERRING PERSONAL INFORMATION GLOBALLY

6.1 Your personal information may be transferred to, stored or processed in the United
Kingdom, United States, Switzerland, Japan, the United Arab Emirates or any other
country or jurisdiction in which MidChains or its service providers maintain facilities or
conduct business activities. This may include a country and jurisdiction that does not
have the same data-protection laws as your jurisdiction. For EEA and UK residents,
your personal information may be transferred to a country that is not regarded as
ensuring an adequate level of protection for personal information under European Union
law.
6.2 MidChains will take appropriate steps to ensure that transfers of personal
information are in accordance with applicable law and carefully managed to protect your
privacy rights and interests. To this end:
(a) Transfers within MidChains will be covered by an agreement entered into by
members of MidChains which contractually obliges each member to ensure that
personal information receives an adequate and consistent level of protection wherever it
is transferred within MidChains; and
(b) Where we transfer your personal information outside MidChains, or to third parties
who help provide our products and services, we obtain contractual commitments from
them to protect your personal information.
6.3 You have a right to contact us for more information about the safeguards we have
put in place to ensure the adequate protection of your personal information when this is
transferred as mentioned above.

7. HOW WE PROTECT AND STORE PERSONAL INFORMATION

7.1 We have implemented and maintain a comprehensive information security program
with written policies and procedures designed to protect the confidentiality and integrity
of personal information. The information security program contains administrative,
technical and physical safeguards, appropriate to the type of information concerned,
designed to:
(a) Maintain the security and confidentiality of such information;
(b) Protect against any anticipated threats or hazards to the security or integrity of
such information;
(c) Protect against unauthorised access to or use of such information that could result
in substantial harm; and
(d) Ensure appropriate disposal if such information.
7.2 The security of your personal information also depends in part on the security of the
devices you use to communicate with us.
7.3 We will store your personal information for as long as is reasonably necessary for
the purposes for which it was collected. In some circumstances we may store your
personal information for longer periods of time, for instance where we are required to do
so in accordance with legal, regulatory, tax, accounting or necessary technical
requirements.
7.4 In specific circumstances we may store your personal information for a longer
period of time so that we have an accurate record of your dealings with us in the event
of any complaints or challenges, or if we believe there is a prospect of legal claims
relating to your personal information or dealings.

8. LEGAL RIGHTS AVAILABLE TO HELP MANAGE YOUR PRIVACY

8.1 Under applicable law, and subject to limitations and exceptions provided by law, if
you are located in the EEA or UK, and in certain other jurisdictions, you may have
certain rights in relation to your personal information, these include:
(a) To access personal information — you have a right to request that we provide you
with a copy of your personal information we hold and you have the right to be informed
of:
(i) The source of your personal information;
(ii) The purposes, legal basis and methods of processing;
(iii) The data controllers identity; and
(iv) The entities or categories of entities to whom your personal information may be
transferred.
(b) To rectify or erase personal information — you have a right to request that we rectify
inaccurate personal information. We may seek to verify the accuracy of the personal
information before rectifying it. You can also request that we erase your personal
information in limited circumstances where:
(i) It is no longer needed for the purposes for which it was collected;
(ii) You have withdrawn consent, where the data processing was based on consent);
(iii) Following a successful right to object;
(iv) It has been processed unlawfully; or
(v) To comply with a legal obligation to which [MidChains] is subject.
(c) We are not required to comply with your request to erase personal information if the
processing of your personal information is necessary:
(i) For compliance with a legal obligation; or
(ii) For the establishment, exercise or defence of legal claims.
(d) To restrict the processing of your personal information — you can ask us to restrict
your personal information, but only where:
(i) The accuracy is contested, to allow us to verify its accuracy;
(ii) The processing is unlawful, but you do not want it erased;
(iii) It is no longer needed for the purposes for which it was collected, but we still need it
to establish, exercise or defend legal claims;
(iv) You have exercised the right to object and we are considering your request.
(e) We can continue to use your personal information following a request for
restriction:
(i) Where we have your consent;
(ii) To establish, exercise or defend legal claims; or
(iii) To protect the rights of another natural or legal person.
(f) To transfer your personal information — you can ask us to provide your personal
information to you in a structured, commonly use, machine-readable format, or you can
ask to have it transferred directly to another data controller, but in each case only
where:
(i) The processing is based on your consent or on the performance of a contract with
you; and
(ii) The processing is carried out by automated means.
(g) To object to the processing of personal information – you can object to any
processing of your personal information which has our legitimate interests as its legal
basis, if you believe your fundamental rights and freedoms outweigh our legitimate
interests. If you raise an objection, we have an opportunity to demonstrate that we have
compelling legitimate interest which override your rights and freedoms.
(h) To object how we use your personal information for direct marketing purposes —
you can request that we change the manner in which we contact you for marketing
purposes. You can request that we not transfer your personal information to any
unaffiliated third parties for the purposes of direct marketing or any other purposes.
(i) To obtain a copy of personal information safeguards used for transfers outside
your jurisdiction — you can ask to obtain a copy of, or reference to, the safeguards
MidChains FZE (DWTCA)
under which your personal information is transferred outside of the European Union. We
may redact data agreements to protect commercial terms.
(j) To lodge a complaint with your local supervisory authority — you have a right to
lodge a complaint with your local data protection supervisory authority if you have
concerns about how we are processing your personal information. We ask that you
please attempt to resolve any issues with us first, although you have a right to contact
your supervisory authority at any time

9. PROCESSING YOUR REQUEST

9.1 We may ask you for additional information to confirm your identity and for security
purposes, before disclosing the personal information requested to you.
9.2 We reserve the right to charge a fee where permitted by law, for instance if your
request is manifestly unfounded or excessive. You can exercise your rights by
contacting us. Subject to legal and other permissible considerations, we will use
reasonable efforts to honour your request promptly (and within any time period required
by applicable law) or inform you if we require further information in order to fulfil your
request.
9.3 We may not always be able to fully address your request, for example if it would
impact the duty of confidentiality we owe to others, or if we are legally entitled to deal
with the request in a different way.

10. YOUR ACCEPTANCE OF THESE TERMS

If you do not agree to this policy, you should not use the Website.

11. VARA ADDENDUM

We are committed to working with you to obtain a fair resolution of any complaint or
concern about privacy. If, however, you believe that we have not been able to assist
with your complaint or concern, you have the right to make a complaint to the UAE Data
Office using their website.

12. CHANGES TO OUR PRIVACY POLICY

We may occasionally update this Privacy Policy to reflect changes in our practices.
When we post modifications to this Privacy Policy, we will revise the “Last Updated”
date at the top of this web page.
We encourage you to periodically review this page for the latest information on our
privacy practices.

13. HOW YOU CAN CONTACT US

The primary point of contact for all issues arising from this Privacy Policy, including
exercising your rights described above is our Data Protection Officer. MidChains’s Data
Protection Officer, can be contacted by email; [email protected]