Mainframe Finance AG, a company incorporated under the laws of Switzerland, registered with the Swiss Commercial Register under number CHE-472.429.137, with its registered seat at Dammstrasse 16, 6300 Zug, Switzerland (Mainframe, Company, we, us, or our), respects your privacy and is committed to protecting your Personal Data.

This Privacy Policy explains how we collect, use, store, disclose and otherwise process Personal Data in connection with your access to and use of the Mainframe Platform, including our website, interfaces, software, APIs, compliance tools, onboarding processes and related services.

Mainframe operates as a financial intermediary within the meaning of the Swiss Anti-Money Laundering Act (AMLA) and is a member of VQF, a self-regulatory organisation recognised by FINMA for AMLA supervision purposes.

This Privacy Policy forms an integral part of the Mainframe Terms and Conditions.

Please read this Privacy Policy carefully before using the Platform or providing any Personal Data to us.

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MUST NOT ACCESS OR USE THE PLATFORM OR PROVIDE PERSONAL DATA TO US.

1. DEFINITIONS AND INTERPRETATION

1.1. Definitions. In this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings set out below:

“Mainframe”, “we”, “us”, “Company” - means Mainframe Finance AG, a company incorporated under the laws of Switzerland, registered with the Swiss Commercial Register under number CHE-472.429.137, with its registered seat in Zug, Switzerland.

“Client”, “User”, “you” - means any natural or legal person that accesses or uses the Platform and has accepted the Terms.

“Platform” - means the Mainframe technology platform, including any website, interface, software, APIs, infrastructure or tools made available by Mainframe through which Clients may access and interact with Third-Party Providers.

“Account” - means the user account established with Mainframe for the purpose of accessing the Platform.

“Instruction” - means any instruction, order, request or action submitted by the Client (or an Authorised Person) through the Platform in connection with Third-Party Services.

“Client Assets” - means any fiat funds and Digital Assets attributable to a Client, whether held directly or indirectly through Third-Party Providers, including on a segregated, omnibus or hybrid basis.

“Digital Assets” - means cryptocurrencies, tokens, stablecoins and other blockchain-based digital representations of value supported by the Platform.

“Third-Party Provider” - means any independent third party whose services may be accessed via the Platform, including but not limited to exchanges (CEXs or DEXs), OTC counterparties, banks, payment institutions, wallet or custody infrastructure providers, compliance providers, or other service providers.

“Terms” - means the Mainframe Terms of Service governing access to and use of the Platform, as amended from time to time.

“Annexes” - means any policies, disclosures or documents incorporated into the Terms, including this Privacy Policy.

“Personal Data” - means any information relating to an identified or identifiable natural person. Where the Client is a legal entity, this Privacy Policy applies to Personal Data relating to its directors, officers, employees, representatives, beneficial owners, Authorised Persons and other individuals connected with the Client.

“Processing” - means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer or deletion.

1.2. Consistency with Terms. This Privacy Policy shall be read together with the Terms. In the event of any inconsistency, the Terms shall prevail in relation to commercial and contractual matters, while this Privacy Policy shall prevail in relation to the processing of Personal Data, subject always to mandatory applicable law.

2. PRIVACY NOTICE

2.1. Nature of this Policy. This Privacy Policy is provided for information purposes and explains how Mainframe processes Personal Data in connection with the Platform and Platform Services.

2.2. Acknowledgment. By accessing or using the Platform, you acknowledge that you have been informed of the processing activities described in this Privacy Policy. Except where expressly stated, Mainframe does not rely on your consent as the primary legal basis for processing Personal Data.

2.3. Use of the Platform. If you do not wish your Personal Data to be processed as described in this Privacy Policy, you should not access or use the Platform. However, certain processing may continue where required or permitted by applicable law, including AMLA, sanctions, regulatory, tax, accounting, legal or evidentiary obligations.

3. PERSONAL DATA COLLECTED

3.1. General scope of Personal Data. In connection with your access to and use of the Platform and Platform Services, Mainframe may collect, receive, generate and otherwise process Personal Data relating to you.

3.2. Categories of Personal Data. Without limitation, Personal Data may include the following categories:

(a) Identity and Registration Data; including, without limitation:
- full name;
- date and place of birth;
- nationality;
- residential address;
- email address;
- telephone number;
- Account identifiers and authentication data;
- information relating to Authorised Persons.

(b) AML, KYC and Verification Data; including, without limitation:
- government-issued identification documents (passport, identity card, residence permit, driver’s licence);
- proof of address;
- corporate and ownership documentation;
- beneficial ownership and control structure information;
- source of funds and source of wealth information;
- business activity and regulatory status;
- sanctions, PEP and adverse media screening data;
- risk classification and compliance assessments;
- enhanced due diligence materials; and
- any other information required under applicable AML, sanctions or regulatory obligations.

(c) Transaction and Platform Data; including, without limitation:
- Instructions submitted via the Platform;
- transaction history and records;
- wallet addresses and blockchain identifiers;
- balances and internal attribution records relating to Client Assets;
- trading, exchange, OTC, DEX or DeFi interaction data;
- fee records and execution-related data;
- timestamps, logs and metadata relating to Platform usage.

(d) Technical and Usage Data; including, without limitation:
- IP address;
- device identifiers;
- browser type and version;
- operating system;
- API usage data;
- session logs;
- system logs and security logs;
- clickstream and usage behaviour;
- cookies and similar technologies.

(e) Communication Data; including, without limitation:
- email communications;
- support requests;
- correspondence and messages;
- complaints and enquiries;
- any information provided in communications with Mainframe.

(f) Data from Third-Party Providers; including, without limitation, data received from:
- identity verification providers (e.g. SumSub);
- digital asset infrastructure providers (e.g. Fireblocks);
- banking and payment providers (e.g. BCB Group);
- exchanges, OTC counterparties and liquidity providers;
- blockchain analytics and compliance providers;
- public registries, regulators and authorities.

3.3. Sources of Personal Data. Mainframe may collect Personal Data directly from the Client, from Authorised Persons, from Third-Party Providers, from public sources, and through the use of the Platform.

3.4. Data aggregation and generation. Mainframe may combine Personal Data obtained from different sources and generate additional data, including risk scores, compliance assessments and internal records.

3.5. Expansion of data categories. The categories of Personal Data collected may be updated where necessary for legal, regulatory, operational, compliance or risk management purposes, provided that such processing remains compatible with this Privacy Policy and applicable data protection law.

3.6. Consequences of non-provision. Where the Client fails to provide Personal Data requested by Mainframe, Mainframe may refuse onboarding, restrict access to the Platform, or suspend or terminate the Account.

4. PURPOSES OF PROCESSING

4.1. General purposes. Mainframe processes Personal Data for the purposes described in this Clause and for purposes compatible with such purposes in accordance with applicable data protection laws.

4.2. Specific purposes. Without limitation, Personal Data may be processed for the following purposes:
(a) to provide access to the Platform and administer the Account;
(b) to transmit, route and facilitate Client Instructions to Third-Party Providers;
(c) to interact with Third-Party Providers in connection with Platform Services;
(d) to perform onboarding, identification, KYC, KYB and AML checks;
(e) to identify beneficial owners, Authorised Persons and related parties;
(f) to conduct sanctions screening, PEP checks and adverse media checks;
(g) to monitor transactions, blockchain activity and Client behaviour;
(h) to assess, manage and mitigate legal, regulatory, operational and financial risk;
(i) to prevent, detect and investigate fraud, money laundering, terrorist financing, sanctions evasion and other unlawful activity;
(j) to comply with AMLA, sanctions regimes, regulatory requirements and obligations imposed by competent authorities or Third-Party Providers;
(k) to report to regulators, supervisory authorities, law enforcement or other competent bodies;
(l) to enforce the Terms and protect Mainframe’s rights and interests;
(m) to maintain internal records, logs, audit trails and compliance documentation;
(n) to operate, maintain, monitor, secure and improve the Platform;
(o) to perform system testing, analytics, performance monitoring and infrastructure management;
(p) to communicate with the Client, including for operational, compliance and administrative purposes;
(q) to calculate, charge and collect fees;
(r) to comply with legal, tax, accounting and reporting obligations; and
(s) for any other purpose compatible with the purposes described in this Policy and permitted under applicable data protection law;
(t) to apply control measures, restrictions, suspensions or freezes on Accounts or Client Assets where required under AML/CTF laws, sanctions regimes or regulatory obligations.

4.3. No limitation of purposes. Mainframe may process Personal Data for additional purposes only where such purposes are compatible with those described above and permitted under applicable data protection laws.

4.4. Regulatory override. Notwithstanding any other provision of this Policy, Mainframe may process Personal Data:
(a) without prior notice;
(b) without additional consent; and
(c) for additional purposes where disclosure is restricted or not required under applicable law,
where required or permitted under applicable law, regulation, sanctions regime, regulatory request, Third-Party Provider requirement, or Mainframe’s internal compliance policies implemented for the purposes of complying with such obligations or managing related legal, regulatory, compliance, security or financial crime risks.

4.5. No obligation to notify. Mainframe may limit the information provided to the Client regarding specific processing activities or purposes where such limitation is permitted or required under applicable law, including AML/CTF and regulatory obligations.

5. SOURCES AND METHODS OF COLLECTION

5.1. General collection framework. Mainframe may collect, receive, generate and otherwise obtain Personal Data from multiple sources and through various means in connection with the Platform and Platform Services.

5.2. Categories of data sources. Without limitation, Personal Data may be obtained:
(a) directly from the Client, including where the Client:
- creates or maintains an Account;
- submits any Instruction;
- completes onboarding, KYC or AML procedures;
- uploads documents or provides information; or
- communicates with Mainframe;

(b) from Authorised Persons or representatives of the Client, including directors, officers, employees, agents or beneficial owners;

(c) through the use of the Platform, including via:
- system logs;
- authentication processes;
- API interactions;
- session data;
- cookies and similar technologies;
- security and monitoring systems;

(d) from Third-Party Providers, including, without limitation:
- identity verification providers (e.g. SumSub);
- digital asset infrastructure providers (e.g. Fireblocks);
- banking and payment providers (e.g. BCB Group);
- exchanges, OTC counterparties, liquidity providers and DeFi interfaces;
- blockchain analytics and compliance providers;

(e) from blockchain networks and distributed ledger systems, including publicly available transaction data, wallet activity and on-chain analytics;

(f) from public sources, including:
- corporate registries;
- sanctions lists;
- regulatory databases;
- court records;
- publicly available information;

(g) from regulators, authorities and financial institutions, including:
- supervisory authorities;
- law enforcement agencies;
- banks and payment providers;
- counterparties involved in transactions;

(h) from third parties involved in transactions or investigations, including where Personal Data is provided in connection with compliance checks, disputes, recalls or regulatory requests.

5.3. Data aggregation and enrichment. Mainframe may combine Personal Data obtained from different sources and may generate additional data, including internal records, risk scores, compliance assessments and behavioural analysis.

5.4. Ongoing and continuous collection. Personal Data may be collected on a continuous and ongoing basis throughout the Client relationship, including before onboarding, during use of the Platform and after termination, where necessary.

5.5. Indirect collection and absence of notice. Where permitted by applicable law, Personal Data may be collected indirectly, including from Third-Party Providers, public sources, regulators, authorities or blockchain networks. Mainframe may limit or delay notice where required or permitted under AML/CTF, sanctions, regulatory or law enforcement obligations.

6. DATA RETENTION

6.1. General retention principles. Mainframe retains Personal Data for as long as necessary for the purposes set out in this Policy and the Terms, including for legal, regulatory, compliance, operational and risk management purposes.

6.2. Regulatory retention. Personal Data relating to onboarding, identification, beneficial ownership, transactions, Instructions and Client activity shall be retained for at least ten (10) years following termination of the business relationship or completion of the relevant transaction, in accordance with Swiss AMLA requirements.

6.3. Extended retention. Mainframe may retain Personal Data for a longer period, including beyond any statutory minimum retention period, where Mainframe reasonably considers such retention necessary for:
- compliance with applicable laws, regulations or regulatory expectations;
- cooperation with regulators, supervisory authorities or law enforcement;
- prevention, detection or investigation of fraud, financial crime or unlawful activity;
- management of legal claims, disputes or investigations;
- enforcement of the Terms or protection of Mainframe’s rights;
- audit, accounting and internal record-keeping purposes;
- risk management, internal controls and compliance monitoring; or
- operational, technical or business continuity purposes.

6.4. No obligation to delete upon request. To the maximum extent permitted by applicable law, Mainframe may refuse deletion requests where retention is required or permitted under applicable law, including AMLA and other regulatory obligations.

6.5. Post-termination retention. Personal Data may continue to be retained and processed after closure of the Account or termination of the relationship, including for compliance, fraud prevention, re-onboarding controls, internal records and regulatory purposes.

6.6. Archiving and restriction. Personal Data that is no longer actively required may be archived, restricted or otherwise retained in systems with limited access, rather than deleted.

6.7. Technical and system data. System logs, security logs, analytics data and technical records may be retained for the period necessary to ensure security, integrity, auditability and proper functioning of the Platform, in accordance with Mainframe’s internal retention policies and applicable law.

6.8. No guarantee of deletion timelines. Mainframe does not guarantee immediate deletion where retention is required or permitted by applicable law, backup cycles, archival systems, technical limitations or regulatory obligations.

Retention periods are determined in accordance with applicable law and internal policies, taking into account legal, regulatory and operational requirements.

7. ROLES IN DATA PROCESSING

7.1. Controller. Mainframe Finance AG acts as controller in respect of Personal Data processed in connection with onboarding, AML/KYC/KYB procedures, sanctions screening, account administration, transaction monitoring, compliance, record-keeping, security and operation of the Platform.

7.2. Third-Party Providers. Third-Party Providers may act as independent controllers or processors depending on their role, services and contractual arrangements. Where Third-Party Providers act as independent controllers, they determine their own purposes and means of processing and process Personal Data under their own privacy policies and legal obligations.

7.3. Processors. Where Third-Party Providers or service providers process Personal Data on behalf of Mainframe, Mainframe will use appropriate contractual arrangements where required under applicable data protection law.

7.4. No joint controllership unless stated. Unless expressly agreed or required by applicable law, Mainframe does not act as a joint controller with Third-Party Providers.

8. LEGAL BASIS FOR PROCESSING

8.1. Applicable framework. Personal Data is processed in accordance with applicable data protection, financial and regulatory laws, including, where applicable:
(a) the Swiss Federal Act on Data Protection (FADP);
(b) the EU General Data Protection Regulation (GDPR); and
(c) any other applicable laws, regulations or regulatory requirements.

To the extent the GDPR applies, Personal Data may be processed in accordance with applicable GDPR requirements. The GDPR applies only to the extent it is applicable to Mainframe’s processing activities under its territorial scope, including where Mainframe offers services to individuals in the EEA or monitors their behaviour within the EEA.

8.2. Legal bases for processing. To the extent required by applicable law, Personal Data is processed on one or more of the following legal bases:

(a) Performance of a contract. Processing is necessary for the performance of the Terms or to take steps at the request of the Client prior to entering into the Terms, including the provision of Platform Services.

(b) Compliance with legal and regulatory obligations. Processing is necessary to comply with legal and regulatory obligations, including obligations arising under AMLA, sanctions regimes, financial regulations and requirements imposed by competent authorities.

(c) Legitimate interests. Processing is necessary for the purposes of the legitimate interests pursued by Mainframe, including, without limitation:
- operating and maintaining the Platform;
- ensuring security and integrity of systems;
- preventing fraud, financial crime and misuse;
- managing legal, regulatory and operational risk;
- enforcing the Terms and protecting Mainframe’s rights;
- improving services, infrastructure and performance;
- complying with contractual, operational and compliance requirements of Third-Party Providers, including banks, payment providers, exchanges, OTC counterparties and infrastructure providers.

Where required, Mainframe performs a balancing test to ensure that such legitimate interests are not overridden by the rights and freedoms of the data subject.

(d) Consent (where applicable). Where required by applicable law, Personal Data may be processed based on the Client’s consent. Where processing is based on consent:
- consent may be withdrawn at any time;
- withdrawal does not affect prior processing; and
- processing may continue on other legal bases where applicable.

8.3. Regulatory priority. To the maximum extent permitted by applicable law, processing based on legal and regulatory obligations shall prevail over any other legal basis, including consent.

8.4. No reliance on consent. The Client acknowledges that, due to the nature of the Platform and applicable regulatory requirements, the processing of Personal Data is generally not based on consent and may continue irrespective of any withdrawal of consent.

8.5. No limitation of legal bases. Mainframe may rely on any legal basis available under applicable data protection law, provided that the relevant processing is compatible with this Privacy Policy or otherwise permitted by applicable law.

9. PERSONAL DATA SHARING

9.1. General disclosure framework. Mainframe may disclose, transfer or otherwise make available Personal Data to third parties where it considers such disclosure necessary or appropriate in connection with the Platform, Platform Services, legal obligations, regulatory requirements, operational needs or risk management.

9.2. Categories of recipients. Without limitation, Personal Data may be disclosed to:

(a) Third-Party Providers, including:
- identity verification providers (e.g. SumSub);
- digital asset infrastructure providers (e.g. Fireblocks);
- banking and payment providers (e.g. BCB Group), including, where required, full KYC/KYB documentation, identity verification data and transaction-related information provided to banking and payment providers;
- exchanges, OTC counterparties, liquidity providers and DeFi interfaces;
- blockchain analytics and compliance providers;

(b) Financial institutions and counterparties, including banks, payment institutions, liquidity providers and any party involved in a transaction, settlement or transfer;

(c) Regulators and authorities, including supervisory authorities, law enforcement agencies, courts, governmental bodies and self-regulatory organisations (including VQF);

(d) Service providers and infrastructure providers, including:
- cloud providers (e.g. AWS);
- IT, cybersecurity and hosting providers;
- analytics and monitoring providers;
- professional advisers (legal, tax, audit);

(e) Affiliates, group entities, contractors and personnel of Mainframe, on a need-to-know basis;

(f) Third parties involved in compliance, investigations or disputes, including where disclosure is necessary for fraud prevention, enforcement, legal proceedings or regulatory cooperation.

9.3. Regulatory and compliance disclosures. Personal Data may be disclosed:
- without prior notice to the Client; and
- without additional consent,
where required or permitted under applicable law or as described in Clause 4.4 (Regulatory override).

Mainframe may be prohibited from informing the Client of such disclosures.

9.4. No limitation of recipients. Mainframe may disclose Personal Data to additional categories of recipients where such disclosure is necessary for the purposes described in this Policy and is permitted under applicable law.

9.5. No sale representation. Mainframe does not sell Personal Data in the ordinary course of business. However, Personal Data may be disclosed, transferred or otherwise made available as described in this Policy.

9.6. Third-party responsibility. Mainframe does not control independent processing activities of Third-Party Providers acting as separate controllers. Where Mainframe engages processors to process Personal Data on its behalf, Mainframe will use appropriate contractual arrangements as required under applicable data protection law.

9.7. Cross-border disclosures. Personal Data may be disclosed to recipients located in Switzerland, the EEA, the United Kingdom and other jurisdictions where Mainframe or its Third-Party Providers operate, subject to the international transfer safeguards described in Clause 10 where required by applicable data protection law.

10. INTERNATIONAL DATA TRANSFERS

10.1. General framework. Personal Data may be transferred, disclosed, stored or otherwise processed outside Switzerland where this is necessary for the purposes described in this Privacy Policy and permitted under applicable data protection law.

10.2. Cross-border processing. Personal Data may be processed in Switzerland and in the European Economic Area, including Germany. In particular, AMLA/KYC records are primarily stored in Switzerland, while certain operational databases and infrastructure may be hosted in the European Economic Area, including AWS infrastructure located in Frankfurt am Main, Germany.

Personal Data may also be processed in other jurisdictions where Mainframe or its Third-Party Providers operate, in accordance with applicable data protection laws and subject to appropriate safeguards or legal transfer mechanisms where required.

10.3. Transfers to Third-Party Providers. Personal Data may be transferred to Third-Party Providers located in different jurisdictions, including where such transfer is necessary for:
- onboarding and identity verification;
- interaction with Third-Party Providers;
- execution, trading, custody infrastructure or settlement;
- compliance, sanctions screening and monitoring;
- provision of Platform Services; or
- operational, technical or infrastructure purposes.

10.4. Legal basis for transfers. Where required under applicable law, Mainframe will ensure that international transfers are subject to appropriate safeguards, including:
(a) transfers to jurisdictions recognised as providing an adequate level of protection under Swiss law;
(b) standard contractual clauses or other contractual safeguards recognised by the FDPIC or under Swiss data protection law, including EU Standard Contractual Clauses with Swiss-specific amendments where required;
(c) other legally recognised transfer mechanisms; or
(d) statutory exemptions or derogations where applicable. Mainframe may also rely on any derogation or exemption available under applicable law.

Upon request, Mainframe may provide information on the applicable safeguards for international transfers to the extent required by applicable data protection law and subject to legal, regulatory, security and confidentiality restrictions.

10.5. Regulatory override. Notwithstanding any other provision of this Policy, Personal Data may be transferred:
- without prior notice;
- without additional consent; and
- to the extent permitted under applicable law,
where required or permitted under applicable law or as described in Clause 4.4 (Regulatory override).

10.6. Protection in third countries. Where Personal Data is transferred to a jurisdiction that does not provide an adequate level of data protection, Mainframe will implement appropriate safeguards or rely on a statutory exemption or derogation available under applicable law. Nothing in this Clause limits Mainframe’s obligations under mandatory Swiss or applicable data protection law.

11. DATA SECURITY

11.1. Security framework. Mainframe implements technical, organisational and administrative measures designed to protect Personal Data against unauthorised access, loss, misuse, alteration or disclosure.

11.2. Nature of security measures. Such measures may include, without limitation:
- access controls and authentication mechanisms;
- encryption of data in transit;
- system monitoring and logging;
- internal policies and procedures;
- vendor and infrastructure controls;
- periodic review of security practices.

11.3. No guarantee of security. To the maximum extent permitted by applicable law:
- no system, platform or transmission of data is completely secure;
- Mainframe implements appropriate technical and organisational measures in accordance with applicable data protection laws but does not guarantee absolute security, integrity or availability of Personal Data; and
- Personal Data may be subject to unauthorised access, loss or breach despite the measures implemented.

11.4. Third-party and infrastructure risk. Personal Data may be processed, stored or transmitted through Third-Party Providers and infrastructure systems.

Mainframe does not control and is not responsible for:
- the security measures of Third-Party Providers; or
- failures, breaches or vulnerabilities in external systems, including any resulting loss, damage, unauthorised access, disclosure or compromise of Personal Data, to the maximum extent permitted by applicable law, except to the extent such loss, damage or breach is directly caused by Mainframe’s failure to comply with mandatory applicable data protection law.

11.5. Client responsibility. The Client is responsible for maintaining the security of its Account credentials, devices, systems and access methods.

Mainframe shall not be liable for any Loss arising from:
- compromised credentials;
- unauthorised access; or
- failure by the Client to implement appropriate security measures.

11.6. Security incidents. In the event of a security incident, Mainframe may take any action it considers appropriate, including investigation, mitigation, restriction of access, reporting to authorities or cooperation with Third-Party Providers.

Mainframe will notify the Client of a security incident only where required by applicable law.

11.7. No obligation to adopt specific measures. Mainframe is not obliged to implement any specific security technology, protocol or standard unless required by applicable law.

11.8. Data breach notification. In the event of a personal data breach, Mainframe will assess its notification obligations under applicable data protection laws. Where required under Swiss law, Mainframe will notify the FDPIC as quickly as possible if the breach is likely to result in a high risk to the personality or fundamental rights of the affected individuals. Where required under applicable law, Mainframe will also inform affected data subjects.

Mainframe will document personal data breaches and related assessments in accordance with applicable internal and legal requirements.

Where a processor engaged by Mainframe becomes aware of a personal data breach affecting Personal Data processed on behalf of Mainframe, Mainframe will require such processor to notify Mainframe without undue delay.

12. DATA SUBJECT RIGHTS

12.1. General rights. Subject to applicable law, the Client may have certain rights in relation to Personal Data, including:
(a) the right to request access to Personal Data;
(b) the right to request correction or update of inaccurate Personal Data;
(c) the right to request deletion of Personal Data;
(d) the right to withdraw consent, where processing is based on consent;
(e) the right to request restriction of processing; and
(f) the right to object to certain types of processing;
(g) the right to lodge a complaint with a competent data protection authority, including the Swiss Federal Data Protection and Information Commissioner (FDPIC), where applicable;
(h) where applicable under the GDPR, the right to data portability; and
(i) where applicable, the right to lodge a complaint with a competent supervisory authority in the European Union or the United Kingdom.

12.2. Limitations and restrictions. The rights set out in this Clause are subject to limitations and restrictions under applicable law.

To the maximum extent permitted by applicable law, Mainframe may:
- refuse, restrict or delay any request;
- provide partial or redacted information; or
- continue processing Personal Data notwithstanding any request,

where necessary for:
- compliance with AMLA, sanctions or regulatory obligations;
- fraud prevention, detection or investigation;
- legal claims, disputes or enforcement;
- internal compliance, audit or risk management purposes;
- protection of Mainframe’s rights, interests or obligations; or
- compliance with requests from regulators, authorities or Third-Party Providers.

12.3. Limitations on deletion. Personal Data will not be deleted where retention is required or permitted under applicable law, including AMLA, sanctions, regulatory, tax, accounting, legal or evidentiary obligations.

Requests for deletion may be refused in whole or in part where permitted by applicable law.

12.4. Withdrawal of consent. Where processing is based on consent:
- consent may be withdrawn at any time;
- withdrawal does not affect prior processing; and
- processing may continue on other legal bases.

12.5. Statutory limitations. The Client acknowledges that, due to the nature of the Platform and applicable regulatory requirements, and subject always to mandatory applicable law:
- certain rights may be restricted or limited in accordance with applicable law, including AML/CTF and regulatory obligations;
- requests may be refused, restricted or delayed where permitted by applicable law; and
- access to information may be limited, withheld or subject to redaction, where necessary to comply with legal, regulatory or compliance obligations.

12.6. Exercise of rights. Requests may be submitted using the contact details provided in this Policy.

Mainframe may require verification of identity before processing any request.

12.7. No obligation to provide detailed explanations. To the maximum extent permitted by applicable law, Mainframe may limit the level of detail provided in responses where:
- such information is not required to be disclosed; or
- disclosure may interfere with legal, regulatory or compliance obligations.

13. THIRD-PARTY WEBSITES AND SERVICES

13.1. External links and integrations. The Platform may contain links to, or integrations with, third-party websites, platforms, protocols or services operated by Third-Party Providers.

13.2. Independent third-party control. Such third parties operate independently and under their own legal, technical and operational frameworks.

Mainframe does not control and is not responsible for:
- the content, availability or security of such third-party websites or services;
- the processing of Personal Data by such third parties; or
- their compliance with applicable data protection laws.

13.3. Client responsibility. The Client is solely responsible for reviewing and understanding:
- the terms and conditions; and
- the privacy policies
of any third-party website, platform or service prior to use.

13.4. Data disclosure through third-party interaction. Where the Client interacts with Third-Party Providers through the Platform, Personal Data may be transmitted to such third parties as described in this Policy.

Such processing is carried out under the terms and policies of the relevant Third-Party Provider.

13.5. No endorsement or liability. The inclusion of any third-party link or integration does not constitute:
- endorsement;
- recommendation; or
- approval
by Mainframe.

To the maximum extent permitted by applicable law, Mainframe shall not be liable for any Loss arising from the use of or reliance on third-party websites or services.

14. COOKIES AND SIMILAR TECHNOLOGIES

14.1. What are cookies. Cookies are small text files stored on a user’s device when accessing the Platform. They enable systems to recognise the device, maintain session integrity and support the technical operation of the Platform.

14.2. Use of cookies. Mainframe uses cookies and similar technologies for:
- authentication and session management;
- security, fraud prevention and system integrity;
- operation, functionality and performance of the Platform.

Mainframe may also use analytics or performance-related technologies where necessary to monitor and improve the Platform.

Where required under applicable law, including in the European Economic Area or the United Kingdom, Mainframe will obtain consent for the use of cookies or similar technologies that are not strictly necessary.

14.3. Types of cookies. The Platform may use:
- session cookies, which are deleted when the browser is closed; and
- persistent cookies, which remain on the device for a limited period depending on their function.

14.4. Third-party technologies. Where the Client interacts with Third-Party Providers through the Platform, such providers may use their own cookies or similar technologies.

Mainframe does not control and is not responsible for such third-party technologies or their data processing practices.

14.5. Client controls. The Client may manage or disable cookies through browser settings.

Disabling cookies may affect the availability or functionality of the Platform.

14.6. Strictly necessary cookies. To the extent permitted by applicable law, cookies used by Mainframe are considered strictly necessary to the extent they qualify as such under applicable law.

15. AMENDMENTS

15.1. Right to amend. Mainframe may amend, update or modify this Policy at any time. Any updated version will be made available on the Platform and will indicate the date of the latest revision.

15.2. Effect of amendments. The updated version will apply from the date indicated in the updated Policy, subject to any notice requirements under applicable law.

15.3. Notice of amendments. Mainframe may notify Clients of material amendments by email, Platform notification or other appropriate means where required by applicable law or where Mainframe considers such notice appropriate.

15.4. Client responsibility. The Client is responsible for reviewing this Policy periodically and ensuring familiarity with its current version.

16. CONTACT

16.1. Contact details. For any questions, requests or communications relating to this Policy or the processing of Personal Data, you may contact Mainframe using the following details:

Mainframe Finance AG
Dammstrasse 16
6300 Zug
Switzerland
Email: compliance@mainframe.finance

16.2. Data protection contact. Where required by applicable law, requests relating to Personal Data may be directed to Mainframe’s designated contact for data protection and compliance matters.

16.3. Requests and identification. Mainframe may require the Client to verify their identity before processing any request relating to Personal Data.

Mainframe may refuse or delay responses where:
- identity cannot be verified;
- the request is excessive or unfounded; or
- restrictions apply under applicable law or regulatory obligations.

16.4. Representatives. Where Mainframe is required under applicable data protection law to appoint a representative in the European Union, the United Kingdom or any other jurisdiction, the relevant contact details will be made available through the Platform or upon request.