UAB "Travel Union" Privacy Policy

UAB Travel Union - September 2020

Last updated on 10/20/2022

This privacy policy is made available to you by Travel Union UAB, at Saulėtekio alėja 17, Vilnius, Lithuania or on our website, hereinafter referred to as "TU" or "we". We comply with data protection legislation, such as the EU General Data Protection Regulation and local data protection and privacy rules, which govern the processing of personal data relating to you and give you various rights in relation to your personal data. In addition, we consistently follow industry best practices in data protection/privacy and guidelines from competent authorities. The purpose of this privacy policy is to inform you about how we will use your personal data that you provide to us through our mobile application (myTU App) in connection with the financial services offered by TU, as well as personal data submitted and/or collected through our other channels, use and transfer of personal data to third parties. We also inform you about your rights, according to the applicable data protection laws, related to the processing of your personal data. Before submitting personal data to us, we recommend that you read this privacy policy, which is also part of our terms of service.

If you have any questions about TU's privacy policy or would like additional information on how to exercise the rights set forth herein, you may contact TU's Data Protection Officer by email at dpo@mytu.co. Additional contact information is available on the TU WEB platform and mobile app.

1. What is personal data? Data security

We are committed to storing and processing your personal data in accordance with our legal obligations. TU strives to ensure appropriate technical and organizational measures to protect User data and provide transparent data protection rules. This privacy policy details the purposes for which we process your personal data, who we share it with, what rights you have with that data and anything else we think is important for you to know.

In this Privacy Policy, "Personal Data" means any information that you provide when you interact with us, such as through the TU mobile application, the Website, the website platform (for legal entities) or by calling us or contacting us through other customer service channels, or data collected about you through your myTU mobile app or website, and allow you to be personally identified directly (e.g. your name) or indirectly because the data refers to an identifier such as an identification number, location data, online identifier (e.g. phone number) that can be used identifying you as an individual. We may also collect personal data about you in other ways related to your TU account.

According to EU General Data Protection Regulation no. 2016/679 (GDPR), TU is the controller of your personal data. The data controller is the person who determines for what purposes and in what manner any personal data will be processed. Data controllers must establish GDPR-compliant practices and policies.

The personal data processing procedure carried out by TU can be described not only in this Privacy Policy, but also in the General Terms and Conditions of the Platform, Privacy Statements in the mobile application, Internal Data Processing Rules and the "Cookies" section of the Privacy Policy.

2. What data is stored and processed?

TU processes several categories of customer personal data. The personal data we collect can be divided into the following categories:

1. Identification information and other background verification data (of you or your representatives and the ultimate beneficial owner)

• Name; last name; gender; Identification number; date of birth; unique character sequence; type of personal document (name): passport or identity card; personal document number; date of issuance of personal document; the date of validity of the personal document; name and location of the institution issuing the personal document; country of origin/place of birth; citizenship; EU/EEA country residence permit number; EU/EEA residence permit issuance date; EU/EEA residence permit validity date; name and location of the institution that issued the residence permit in the EU/EEA country; residence for tax purposes; taxpayer code - TIN (if the country of residence is not Lithuania); details of the ultimate beneficial owner or the origin of funds (profession, work activity, description of professional activity, information on the main sources of income); a document confirming representation (e.g. power of attorney data); signature; the number of shares held; part of voting rights or share capital, name; scanned or photographed image of your face; the image you provide through the camera when you use our identification application.

2. Details of monetary transactions

• Such as currency, amount, place, date, time, IP address, name and surname of payer and recipient and registration information, messages and documents sent or received with payment, circulation of funds, countries of incoming and outgoing payments, account number, data about money, transactions, debts

3. Details about your activity in the mobile app

• Mobile app activity history, technical information, Internet Protocol (IP) address and location used to connect the device to the Internet, country you are browsing from, login information (such as login time), browser type and version, time zone setting, operating system and the platform and other technologies on the devices you use, the type of device you use, a unique device identifier, information about the purposes for opening an account, information about the customer's intentions regarding financial services.

4. Information about your activities on our website

• History of actions taken on our website, technical information including browser activity, Internet Protocol (IP) address and location used to connect your computer to the Internet, country from which you browse, browser type and version, time zone setting and location, operating system and platform, and other technologies in the devices you use, the type of device you use.

5. Details of existing bank account(s).

• Financial institution account number, IBAN number, payment card number.

6. Information related to legal requirements

• Data received from public authorities, data to enable the fulfillment of anti-money laundering requirements and to ensure compliance with international sanctions, including the purpose of the business relationship and whether you are a politically vulnerable person, and other data necessary for us to process in order to comply with a legal obligation " know your customer" (the data collected will vary depending on the customer's risk score). This information consists of: information about the financial situation (number of dependent family members, information about income stability, etc.); account numbers; data on monetary transactions; debts; answers to questions during KYC procedures; signature; information about suspicious transactions; in some situations, case information about (non)conviction statuses; information about sanctions applied; grounds for not starting or terminating the business relationship; in circumstances related to violations of the money laundering and/or terrorist financing regime, the reasons for not starting or terminating business relations; a copy of an identity document; a copy of the residence permit in the EU/EEA country; signature; information about important positions in society, participation in politics and information about contacts with politically open or important public positions (including positions, description of positions; name, surname, personal identification number, date of birth of a close family member, close helper, representative, final beneficiary , unique sequence of characters, address, phone, email address, position (job description)) and connection to a person involved in politics or important public office; information about relationships with legal entities (including investors).

7. Information related to the services provided

• information related to the services provided, their termination, suspension, any selected add-on packages

8. Contact information

• Phone number, email address, address (including city and country).

9. Contact details

• Content of email correspondence, web platform or mobile app, your choice of language for email communications, email marketing preferences.

10. Promotional and research data

• Data provided when you participate in any Company-sponsored promotion or surveys you complete, your marketing preferences, participation in a loyalty program.

11. Special category data

• Biometric data.

Sometimes we need to ask you for information to verify the source of your funds or to perform due diligence in accordance with our legal requirements (DD Information). This will depend on the situation and we will make it clear to you what information we require from you. For example, a copy of the shareholder agreement, copies of bank statements, etc.

We will collect any other personal data that you voluntarily provide to us if you interact with us, for example by correspondence (by telephone, email, post or social media) or by participating in competitions, promotions or surveys (Voluntary Information).

We collect technical information such as your IP address, browser type and version, browser activity, time zone setting and location, operating system and platform, and other technologies on the devices you use to access and use TU (Technical Information). This is done using cookies. You can find more information about how we use cookies in our cookie policy.

3. What do we use your personal data for?

We inform you that if the client does not provide personal data, when the processing of such data is necessary for the conclusion and fulfillment of the contract or is required by law, TU cannot provide services.

We will use your personal data for the following purposes:

1. To analyze the account registration application, set up and administer the account, allow access to the account. The legal basis of the purpose is your consent. Categories of personal data:

• Basic personal data;
• Contact information;
• Other necessary personal data (in order to assess the possibility of providing services).

2. Enter into a contract with you or take steps at your request prior to entering into a contract. The legal basis of the purpose is the performance of the necessary steps before the conclusion of the contract and/or the conclusion of the contract and legal obligations. Categories of personal data:

• Basic personal data;
• Identification and other background check data;
• Information related to legal requirements;
• Contact information;
• Other necessary personal data (in order to assess the possibility of providing services).

3. To perform the contract concluded with you, including (but not limited to) the provision of services, products and performance of obligations. The legal basis for the purpose is the performance of the contract and legal obligations. Categories of personal data:

• Basic personal data;
• Identification and other background check data;
• Data on monetary transactions;
• Details of your activity on the mobile app;
• Information about your activities on our website;
• Details of available bank account(s);
• Information related to legal requirements;
• Information related to the services provided;
• Contact information;
• Contact details;
• Other necessary personal data (in order to assess the possibility of providing services).

4. To fulfill our legal and regulatory obligations (e.g. the fulfillment of the obligations provided for in the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations. The legal basis for the purpose is legal obligations. Categories of personal data:

• Basic personal data;
• Identification and other background check data;
• Data on monetary transactions;
• Details of available bank account(s);
• Information related to legal requirements;
• Information related to the services provided;
• Contact information;
• Contact details;
• Other necessary personal data (in order to assess the possibility of providing services).

5. To verify your identity. The legal basis of the purpose is your consent. Categories of personal data:

• Special category data.

6. To verify your age and determine whether special data protection arrangements apply to children. The legal basis for the purpose is legal obligations. Categories of personal data:

• Basic personal data;
• Identification and other background verification data.

7. Take steps to detect and prevent fraud or other illegal activity, resolve disputes with you, or assert, enforce and defend legal claims. The legal basis for the purpose is contract performance, legitimate interest and legal obligations. Categories of personal data:

• Basic personal data;
• Identification and other background check data;
• Data on monetary transactions;
• Details of your activity on the mobile app;
• Information about your activities on our website;
• Details of available bank account(s);
• Information related to legal requirements;
• Information related to the services provided;
• Contact information;
• Other necessary personal data (in order to assess the possibility of providing services).

8. Administer our mobile app or web platform and perform internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. Improving the web platform or mobile app to ensure content is delivered in the most efficient way, to keep our mobile app or web platform safe and secure. The legal basis of the purpose is a legitimate interest. Categories of personal data:

• Basic personal data;
• Contact information;
• Information about your activities on our website;
• Details of your activity on the mobile app.

9. Conduct direct marketing. The legal basis of the purpose is your consent. Categories of personal data:

• Basic personal data;
• Contact information;
• Details of monetary transactions.

10. To contact you with transactional and service communications (including direct messages) to obtain feedback. The legal basis of the purpose is your consent. Categories of personal data:

• Basic personal data;
• Contact information;
• Detailed information about your activity in the mobile app;
• Contact details;
• Other necessary personal data (in order to assess the possibility of providing services).

11. To enable you to participate in interactive features of our Services (conduct and allow participation in contests, promotions and surveys to promote and improve our business). The legal basis of the purpose is your consent and legitimate interest. Categories of personal data:

• Basic personal data;
• Contact information;
• Contact details;
• Other necessary personal data (in order to assess the possibility of providing services).

Please note that if you choose to use your device's biometric identification (ie fingerprint, facial recognition, etc.) to log into your account instead of a password, we will receive confirmation from your device vendor as to whether the biometric information matches or not, but we will never be able to review or have a copy of your biometric information. We will use this verification to log into your account if there is a match.

We do not process special categories of data relating to your health, ethnicity or religious or political beliefs, unless required by law or in certain circumstances where, for example, you disclose such data when using the Services (e.g. payment details).

If you provide us with personal data about other people (such as your spouse or family) or ask us to share their personal data with third parties, you confirm that you have brought this Privacy Policy to their attention in advance.

We may also use your personal data to send you information about our products and services or products or services of third parties, if you have consented to this. You may opt-out and if you do not wish to receive this information please update your preferences through the Services or contact us in one of the ways described in Section 7.

4. How is my personal data collected?

Every time you interact with us (for example, by registering on a mobile app, by phone, in-app support chat or through a third-party provider, by posting a comment on our blog on social media, by signing up for our newsletter), we may collect and process the personal data that you provide to us. We need most of the information we collect from you to perform our contract with you and/or comply with our legal obligations. This means that if you refuse to provide us with any information we request, we may not be able to provide you with the TU services.

We may also receive your personal data from third parties:

• we may receive personal data from third parties, such as public or private registries and databases. This includes information that helps us verify your identity, if applicable, information about your spouse and family, and information related to your transactions;

• from time to time we will use publicly available information about you from publicly available sources (such as media, online registries and directories) and websites for enhanced due diligence checks, security searches and other purposes related to customer due diligence processes;

• we may receive personal data from a third party that is associated with you or cooperates with us, such as business partners, subcontractors, service providers, merchants, etc.;

• we may receive personal data from banks or other financial institutions, if personal data is received during payment transactions;

• we may receive personal data from other entities with whom we cooperate.

5. Our means of identification

In order to verify your identity, we use the services provided by our partner Ondato (hereinafter - Ondato). The service provider takes a photo or video of your face and ID, which you provide through the mobile application or dedicated website, using the camera. For more information about Ondato, please read their privacy policy.

The "Ondato" solution is used to compare live photos or videos of you and your personal identification document in order to fulfill legal obligations (e.g. to fulfill obligations under the Law on Prevention of Money Laundering and Terrorist Financing and Other Frauds of the Republic of Lithuania). and crime prevention purposes) and risk management obligations.

The result of the facial likeness (match or non-match) will be stored for as long as verification is necessary and for the period required by anti-money laundering laws.

We ensure that the verification of your face likeness is a process of comparing the data obtained during the verification, ie it is a one-time authorization of the user to compare the person's photos with each other. Your face template is not created, saved or stored.

When using Ondato services, personal data is used to determine your identity, because Ondato confirms the identity of the person in the personal document and the identity of the person captured in the photo. This process will allow us to more accurately verify your identity and make the process faster and easier to complete. If you are not satisfied with this method of identification, you can contact us by email at support@mytu.co for another way to identify you.

6. What if you want to receive the newsletter, special offers and direct marketing messages?

If you provide your contact information and special consent to us (for example, when you join our service or sign up for our newsletter via our website platform or mobile app), we may use this Personal Data to send you our newsletters and details of other special offers that may be of interest to you based on your previous interactions with us.

If you sign up for our newsletter through our website, you only need to provide your email address. When you sign up for our newsletter through our website, you will receive an email asking you to reconfirm your wish to be contacted (double opt-in). Any additional information is voluntary and will only be used to personalize the newsletter.

By submitting your email address and subsequent confirmation via double opt-in, you agree to receive our newsletter. You can withdraw your consent and opt out of receiving the newsletter at any time by clicking on the unsubscribe link in each newsletter. In addition, you also have the option to unsubscribe in your personal profile under "data protection". If you have further objections, please contact us using the contact details at the end of this policy. We also include web beacons in our HTML email newsletters to count how many newsletters (or certain articles, links, etc.) have been reached, and on the TU website platform to count users who have visited those pages.

If you have consented to us doing so, we will use your email address, telephone number and/or postal address (depending on the marketing method(s) you have chosen) to send you direct marketing communications about our products and services, and our group companies. We will obtain your consent in a way that complies with data protection laws, we will ask for your express consent. You always have the right to opt out of receiving direct marketing communications. If you wish to do so, please follow the instructions in each marketing communication to unsubscribe.

We use your Personal Data to send newsletters, special offers and direct marketing messages.

You can opt-out of direct marketing communications at any time in your user account by contacting support@mytu.co or via the TU app.

7. What do you need to know about the "Contact Us" function on our platform?

You can contact us through our website platform or mobile app, using the "Contact Us" feature, or through TU Customer Service. To contact us, you must provide the following information:

• Full name;
• Your phone number and email address;
• Your request;

Any additional information provided is voluntary. We use your information to respond to your request.

Please note that TU encourages contact via mobile app chats, website chats or a dedicated email address: support@mytu.co.

8. TU Blog

On our blog (including social media and website) we may publish articles about banking, financial technology and travel. The blog will allow for public comments. Once the features are available, if you leave a comment, it will be published with the corresponding blog post and your username. Posting comments on our blog is completely voluntary.

When you comment on a blog post, we collect and store the following personal data:

• Name
• Website URL

We use this personal data to post comments on the blog page.

9. When may your data be shared with third parties?

TU Services Related to Third Party Providers.

Your personal data may be shared:

• with service providers in our payment network to enable you to load funds, make and receive transactions and withdraw funds; these providers include banks, payees, alternative payment providers, our card issuer, card processor and card manufacturer;
• with third-party service providers who provide us with various services to run our business; this includes our IT and hosting service providers, cloud storage providers, email platforms, card access rights providers (which host your credit/debit card information), our communications management system, providers of sanctions monitoring and transaction monitoring services, credit information agencies (to carry out credit checks), URL tracking service providers, our facial recognition technology providers and messaging/communications providers;
• to regulatory authorities and fraud prevention agencies where we are required to share personal data pursuant to legal or regulatory obligations;
• other third parties, such as the police or other competent authorities, when we need to respond to ad hoc data sharing requests. In such circumstances, we will only share personal data if we are legally permitted to do so and the sharing is reasonable;
• to third parties when we intend to enter into a transaction for the sale of a business and/or to carry out our legal and/or financial due diligence prior to entering into such transaction.
• with the companies of Our group; to enter into and perform our contract with you or to the extent that you have consented, such as sharing data. This includes verifying your identity, accepting payments and communicating with you.

Below you will find our most important partners with whom we share your personal data:

• Ondato – This company provides identity verification services to us;
• Salv - this company provides us with inspection and monitoring services;
• Decta - This company provides us with payment card production and processing services.

We will not transfer your personal data to third-party recipients unless you consent to such data transfer or such transfer is permitted by applicable law.

10. Where is your data stored?

Our cloud storage provider stores personal data in the EU and EEA, so your information is normally stored in this area. We do not transfer data to third parties. If information is transferred outside the EU/European Economic Area, we will ensure that appropriate safeguards are in place. If your Personal Data is transferred to a country that is not subject to the EU Commission's eligibility decision, the data is adequately protected in accordance with standard contractual terms approved by the EU Commission, the relevant Privacy Shield Certificate or third-party binding rules.

11. When your data is processed through social media

We use the following social media plugins on our website: Facebook, Twitter, LinkedIn, Instagram. The plug-ins can be identified by the social network buttons marked with the logo of the respective social network provider.

We installed these plugins using the so-called 2-click solution. This means that when you browse our website, the providers of these social media plugins will not initially collect personal data. Only by clicking on one of the plug-ins will your Personal Data be transferred: After activating the plug-in, the data is automatically transferred to the respective plug-in provider and stored by them (in the case of US providers, your Personal Data will be stored in the US).

We have no influence on the collected data and the data processing operations performed by the providers, nor do we know the full scope, purposes or retention periods of data collection.

You can find information about the purpose and scope of data collection and their processing by the plug-in provider in the respective data protection policies of these providers, where you will also find more information about your rights and privacy protection options.

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: https://www.facebook.com/privacy/explanation

Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy.

Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA: https://help.instagram.com/155833707900388

LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA: http://www.linkedin.com/legal/privacy-policy.

12. YouTube Video Integration

We have added a link to our YouTube channel on our website. The videos will be stored at http://www.YouTube.com, operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. Your personal data will not be transferred to YouTube unless you play videos. We have no influence on this data transfer. More information about the processing of personal data in accordance with YouTube's privacy policy can be found at https://www.google.com/intl/lt/policies/privacy/

13. What do you need to know about cookies?

TU uses cookies to maintain and improve the operation of the TU mobile app and WEB platform. Information about the use of cookies can be found in the Cookie Privacy Policy.

Cookies are small text files that a web server sends to your web browser and stores locally on your computer. The cookie allows the server to uniquely identify the browser on each page. Cookies do not harm your computer and do not contain viruses. We use the following categories of cookies on our website:

Category 1: Strictly necessary cookies

These cookies are necessary for you to move around the website and use its functions. Without these cookies, the services you have requested, such as remembering login data or reserving the data provided, cannot be provided.

Category 2: Performance cookies

These cookies collect information about how people use our website. For example, we use Google Analytics cookies to help us understand how users enter, navigate or use the TU Web Platform and highlight areas for improvement, such as page navigation, ordering experience, and marketing campaigns. The data stored by these cookies never shows any personal data from which your personal identity can be determined.

Category 3: Functional cookies

These cookies remember your choices, such as the country you are visiting our website from, language and search parameters such as number of guests, length of stay, etc. They can then be used to provide you with an experience that is more in line with your preferences and makes your visits more customized and enjoyable.
You can enable or disable cookies by changing the settings in your browser/mobile app. You can also find out how to do this and find more information about cookies at www.allaboutcookies.org. However, if you choose to disable cookies in your browser, you may not be able to perform certain activities on our websites or access certain parts of them properly.

14. We use Google Analytics

Our website uses Google Analytics, which is a web analytics service provided by the third-party provider Google, Inc. ("Google"). Google Analytics is used to evaluate your use of our website, to prepare reports on website activity and other services related to website activity and internet usage. The information generated by the cookie about your use of the website is usually transmitted to Google and stored on servers in the USA. This transfer is subject to the Google Privacy Shield Certificate and the separate data processing agreement we have concluded with Google: https://support.google.com/analytics/answer/6004245?hl=de&ref_topic=2919631
(information about Google Analytics and data privacy).

15. What security measures ensure compliance with data protection?

We strive to maintain appropriate security standards and have implemented strong technical and organizational measures to protect your Personal Data in accordance with the latest technologies, in particular to protect data from loss, falsification or access by unauthorized third parties. When transmitting highly sensitive Personal Data over the Internet, we use only encrypted transmission routes and comply with the Payment Card Industry Data Security Standards (PCI DSS), which is a set of policies and procedures designed to optimize security. Once we receive your personal data, we will use strict procedures and safeguards to prevent unauthorized access. Third parties (ie external companies) provide us with data processing services and are therefore obliged to comply with our data privacy rules. External service providers are supervised by a data protection officer to ensure compliance with these rules.

16. How long do you store my personal data?

We will retain your personal data for as long as it is necessary for the purposes for which your data was collected and processed, including the purposes to comply with legal, regulatory, tax, accounting or reporting obligations. This means that we store your data as much as it is necessary to provide the services and as much as required by the storage requirements in laws and regulations. If the legal acts of the Republic of Lithuania do not provide for the applicable data storage term, we determine it, taking into account the legal purpose of data storage, the legal basis and the principles of legal personal data processing.

The conditions for the storage of personal data for the purposes of personal data processing specified in this privacy policy are as follows:

• while your consent is valid, if there are no other legal requirements that must be met when processing personal data;

• in the case of concluding and executing contracts - until the contract concluded between you and us is valid and up to 10 years from the end of the relationship between you and us;

• personal data collected in fulfillment of obligations under the Law on Prevention of Money Laundering and Terrorist Financing are stored for up to 8 (eight) years in accordance with the procedure established by the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania. The storage period can be extended for a period of no longer than 2 (two) years, if there is a reasonable request from the competent authority;

• Your personal data submitted through our website or by e-mail are stored as long as necessary to fulfill your request and support further cooperation, but no longer than 6 months from the last day of communication, if there are no legal requirements to keep them longer.

In cases where data storage terms are specified in legal acts, legal acts apply.

We may store your personal data for a longer period when:

• it is necessary for us to defend against existing or threatened claims or to enforce our rights or to properly resolve a dispute, complaint or claim;

• there is a reasonable suspicion of illegal activity;

• required by applicable law;

At the end of the storage period, we will delete and/or reliably and irrevocably depersonalize your data as soon as possible, within a reasonable time required to perform such an action.

17. What rights do you have?

You have a number of rights under data protection law. These rights and how you can exercise them are described in this section. We may need to ask you for proof of your identity in order to respond to a request to exercise any of the rights set out in this section, and we may also need to ask you to provide more information, such as helping us locate your personal data to which your request relates.

TU respects the customer's rights to access, manage and control personal data processed by TU. Upon receipt of a customer request to exercise any of the rights listed below, TU will review the customer's request and provide a response promptly and in any event within one month of receipt of the request. This term may be extended if the client's request is complex or due to the volume of received requests, TU cannot prepare a response within the previously set deadline. In such a case, TU informs the client about the extension of the deadline for preparing a response to the client's request and indicates a specific deadline for preparing the response.

We may refuse to comply with your request if an exception set out in the GDPR applies and/or a restriction on the implementation of data subjects and/or your request is manifestly unreasonable or disproportionate. If we refuse to comply with your request, we will give you the reason for such refusal in writing.

When we collect and use your data, you have the right to:

• The right to be informed. You have the right to receive clear, transparent and easily understandable information about how we use your personal data.
• The right to access your information. You have the right to request that we send you a copy of all personal data we hold about you (subject to certain exceptions).
• The right to an electronic copy of your information. You can also ask us to send you the mandatory account information we have about you in a standard electronic format or ask us to transfer that data to a third party if you wish and if it is technically possible for us to do so.
• The right to object to us processing your information. You have the right to object to us processing any personal data we process where we rely on legitimate interests as a legal basis for processing (as set out in section 3). Your objection must be based on reasons relevant to your particular situation.

If you make a request to exercise your right to object, if we have compelling legitimate reasons to continue processing your personal data, we may continue to do so. Otherwise, we will stop processing your personal data.

However, if you object to us using the personal data we need to provide the services, we may have to close your payment account because we will not be able to provide the services.

• The right to ask us not to advertise to you. You can ask us not to send you direct marketing. You can do this by following the 'unsubscribe' instructions in any marketing emails.
• The right to request the correction of inaccurate data. You have the right to ask us to correct inaccurate data we hold about you. If we are convinced that the new data you have provided is accurate, we will correct your personal data as soon as possible.
• The right to request that your data be deleted. You have the right to ask us to delete your personal data in certain circumstances, for example, if we have processed your data unlawfully or if we no longer need the data for the purposes specified in this privacy policy.
• The right to restrict the processing of your data. You can ask us to restrict the processing of your personal data in certain circumstances, for example if you believe that the personal data is inaccurate and we need to check its accuracy, or if we no longer need the data but you require us to keep it in order to exercise your rights.

Restricting your personal data means that we only store your personal data and do not further process it unless you consent, or we need to process the data to make a legal claim or to protect a third party or the public.

• Right to withdraw your permission. If you have given us your consent to use your personal data, you can withdraw your consent at any time. It is lawful for us to use your personal data until you withdraw your consent.

18. How can I contact your data protection officer?

If you have any further questions about your personal data that has been stored with us, or if you would like to exercise your rights, please contact our Data Protection Officer using the contact details below:

• dpo@mytu.co ; tel. +37060351528;

Please note that every data subject has the right to file a complaint with the supervisory authority regarding an alleged violation if the data subject believes that the processing of Personal Data related to him/her violates the GDPR.

An authorized person can submit a request on behalf of the client, if a valid power of attorney is attached to the request.

19. What should I do if I have a complaint?

We take great care to ensure that we protect our customers' personal data in accordance with our legal obligations. If you are not satisfied with how you believe we have processed your personal data, please contact us using the contacts above and we will do our best to resolve your complaint.

If you believe that we have not been able to resolve your complaint, you can complain to the supervisory authority responsible for such a complaint in accordance with GDPR Article 77 in Lithuania: State Data Protection Inspectorate, A. Juozapavičiaus str. 6, 09310 Vilnius, Lithuania, ada@ada.lt

You can apply for a complaint according to the complaint handling procedure established by the State Data Protection Inspectorate, which you can find by clicking on the following link: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.

More information and details about the procedure for submission of data subject requests can be found in the Data Subject Request Procedure and the Detailed Data Subject Rights Policy.

20. Updates and what to do if the policy changes?

This privacy policy may be updated periodically. Any changes we make will be posted on the TU website. We will also notify you by email if any significant changes are made. We encourage you to check for any changes we have made at https://mytu.co/legal-documents?document=PP.

Last updated on 10/20/2022

Original version: 2020-09-06