Privacy Statement

1. Data Controller

Dino International IP Ltd ("Dino", "we", "us", "our") is the data controller of your personal data for the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR").

Our contact details are:

Dino International IP Ltd
Address to be confirmed at launch
Email: privacy@dinocard.com

This Privacy Statement explains how we collect, use, share, and protect your personal data when you use the Dino application and related services.

2. Data We Collect

We collect the following categories of personal data:

• Identity data: full name, date of birth, gender, nationality, government-issued ID details (for identity verification)
• Contact data: email address, phone number, home address
• Financial data: transaction summaries, account balance information, payment references (detailed transaction data is held by our regulated financial partners)
• Device & technical data: IP address, device identifiers, operating system, browser type, app version
• Usage data: how you interact with the app, feature usage, click paths, session duration
• Communications data: records of correspondence with our support team
• Marketing preferences: your opt-in/opt-out choices for promotional communications

3. Legal Basis for Processing

We process your personal data under the following legal bases as set out in Article 6 GDPR:

• Performance of a contract (Art. 6(1)(b)): to provide you with the Service, manage your account, process transactions, and respond to your requests
• Legal obligation (Art. 6(1)(c)): to comply with applicable anti-money laundering (AML), know-your-customer (KYC), counter-financing of terrorism (CFT), and other regulatory requirements
• Legitimate interests (Art. 6(1)(f)): to prevent fraud, ensure platform security, improve our services, and carry out internal analytics — where these interests are not overridden by your rights and freedoms
• Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies, where you have given us your explicit consent

4. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure, including:

• Encryption in transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: personal and financial data stored on our systems is encrypted using AES-256
• Access controls: access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging
• Vulnerability management: regular security assessments, penetration testing, and patch management

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (Article 33 GDPR), and where required, notify you directly without undue delay (Article 34 GDPR).

5. Your Rights

Under the GDPR, you have the following rights in respect of your personal data:

• Right of access (Art. 15): to obtain a copy of the personal data we hold about you
• Right to rectification (Art. 16): to have inaccurate or incomplete data corrected
• Right to erasure (Art. 17): to request deletion of your data in certain circumstances ("right to be forgotten")
• Right to restriction of processing (Art. 18): to limit how we process your data in certain circumstances
• Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format
• Right to object (Art. 21): to object to processing based on legitimate interests, including profiling
• Rights related to automated decision-making (Art. 22): not to be subject to solely automated decisions that significantly affect you, without human review

To exercise any of these rights, please contact us at privacy@dinocard.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations:

• Account data: for the duration of your relationship with us and for 5 years after account closure
• Transaction records: 5 years from the date of the transaction, in line with PSD2 and AML obligations
• Application and server logs: 13 months on a rolling basis
• Marketing communications data: until you withdraw your consent or opt out

After the applicable retention period, data is securely deleted or anonymised.

7. Third-Party Sharing

We share your personal data only in the following circumstances:

• Regulated financial partners: with the licensed financial institutions providing payment accounts, cards, and related services through the Dino platform, as necessary to provide those services
• KYC/AML providers: with identity verification and fraud prevention service providers for regulatory compliance purposes
• Cloud sub-processors: with cloud infrastructure and technology vendors that process data on our behalf under appropriate data processing agreements (DPAs)
• Analytics: anonymised and aggregated usage data may be shared with analytics partners; this cannot be used to identify you
• Legal requirements: where required by law, court order, or a competent regulatory authority

We do not sell your personal data to third parties. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Cookies

We use cookies and similar tracking technologies on our website:

• Strictly necessary cookies: essential for the site to function correctly (e.g., security tokens, session management). These do not require your consent.
• Analytics cookies: used to understand how visitors use our site (e.g., pages visited, time on site). These require your consent and are only placed if you opt in via our cookie preference centre.
• We do not use advertising, tracking, or third-party behavioural cookies.

You can manage your cookie preferences at any time through our cookie preference centre, accessible from the footer of our website, or by adjusting your browser settings.

9. Data Protection Contact

If you have any questions or concerns about how we handle your personal data, or wish to exercise your data subject rights, please contact our data protection team:

Email: support@dinocard.com
Post: Data Protection, Dino International IP Ltd, address to be confirmed at launch

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country of residence.

10. Updates to This Statement

We may update this Privacy Statement from time to time to reflect changes to our practices, technology, or applicable law. If we make material changes, we will notify you by email at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this statement was last revised. Previous versions of this Privacy Statement are available on request by contacting privacy@dinocard.com.