(for the use of the TBC Business mobile application)

Tashkent, Republic of Uzbekistan

1. General Provisions

This Privacy Policy (the “Policy”) defines the procedure and conditions for the collection, use,

storage, processing and protection of personal data, corporate data and technical data of users of

the TBC Business mobile application (the “Application”).

The Policy is developed in accordance with the legislation of the Republic of Uzbekistan, including

but not limited to the laws “On Personal Data”, “On Banking Secrecy”, “On Informatization”, and

other applicable regulatory acts.

This Policy does not constitute a public offer and does not regulate contractual banking services.

Issues related to banking products and services are governed by separate agreements concluded

between the Bank and the Client.

2. Data Controller

The data controller is:

JSCB “TBC Bank”

Address: 10B Fidokor Street, Mirzo-Ulugbek district, Tashkent, 100015

E-mail: contact@tbcbank.uz

Phone: +998 77 727 27 27

3. Scope of Application

This Policy applies to:

 legal entities acting through their directors or duly authorized representatives;

 individual entrepreneurs;

 authorized employees of Clients using the Application on behalf of a Client.

4. Definitions

Client – a legal entity or individual entrepreneur registered with the Bank and using the

Application.

User – an individual authorized by the Client (director, representative, employee) to access the

Application.

Personal Data – any information relating to an identified or identifiable individual (Users,

representatives, employees).

Corporate Data – information relating to the Client’s business activity, accounts, transactions,

documents and operations.

Device Data – technical and analytical data related to the device used to access the Application.

Processing – any operation performed on data, including collection, storage, use, transfer,

anonymization and deletion.

5. Categories of Data Processed

5.1 Personal Data

The Bank may process:

 full name;

 identification data;

 contact information;

 position and authority within the Client organization;

 authentication credentials (excluding passwords in plain form).

5.2 Corporate Data

The Bank may process:

 registration and constituent documents;

 banking and financial information;

 transaction data;

 operational and compliance-related information.

5.3 Device and Technical Data

For the purposes of information security and fraud prevention, the Bank may process the following

data related to the User’s device:

 device type, model and operating system;

 application version;

 IP address;

 session identifiers;

 language and regional settings;

 time zone;

 technical logs and security events;

 indicators of abnormal or suspicious activity.

Such data is processed exclusively for the purposes of:

 preventing unauthorized access to user accounts;

 detecting and preventing fraud, cyberattacks and misuse of the Application;

 ensuring integrity, stability and security of the Application;

 complying with regulatory and supervisory requirements.

The Bank does not use device data for profiling or marketing unrelated to security purposes.

6. Purposes of Data Processing

The Bank processes data for the following purposes:

 identification and authentication of Users;

 provision and maintenance of access to the Application;

 execution of banking and related services;

 compliance with legal and regulatory obligations;

 prevention of fraud, financial crime and unauthorized access;

 protection of the Bank’s and Clients’ legitimate interests;

 improvement of the Application’s functionality and security;

 communication with Clients and Users regarding service-related matters.

7. Legal Grounds for Processing

Data processing is carried out on the basis of:

 consent of the Client and/or User;

 necessity for the performance of contractual obligations;

 compliance with legal obligations of the Bank;

 legitimate interests of the Bank related to security, risk management and fraud prevention.

8. Data Storage and Protection

The Bank implements organizational, technical and legal measures to protect data from

unauthorized access, loss, alteration or disclosure.

Access to data is granted only to authorized employees and third parties strictly on a need-to-know

basis.

Data is stored for the period necessary to achieve the processing purposes or as required by law.

9. Data Transfer to Third Parties

The Bank may transfer data to third parties only in the following cases:

 to comply with legal and regulatory requirements;

 to payment systems, processors and IT service providers involved in the operation of the

Application;

 to government authorities in cases предусмотренных законом;

 to partners and contractors providing security, hosting and infrastructure services.

All third parties are required to ensure confidentiality and data protection at a level not lower than

that of the Bank.

10. Rights of Data Subjects

Users have the right to:

 receive information about the processing of their data;

 request correction or updating of inaccurate data;

 withdraw consent to data processing where applicable;

 request deletion of data if permitted by law.

Requests may be submitted via the contact details specified in Section 2.

11. Cookies and Similar Technologies

The Application may use cookies and similar technologies strictly for:

 authentication;

 session management;

 security monitoring;

 prevention of unauthorized access.

Cookies are not used for advertising or behavioral profiling.

12. Amendments to the Policy

The Bank reserves the right to amend this Policy at any time.

Updated versions are published via official channels of the Bank.

Continued use of the Application after amendments constitutes acceptance of the updated Policy.

13. Contact Information

For any questions regarding this Policy or data processing, please contact:

JSCB “TBC Bank”

E-mail: contact@tbcbank.uz

Phone: +998 77 727 27 27