FLOW GLOBAL LIMITED

DATA PRIVACY & PROTECTION POLICY

GLOSSARY

“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

“Database” means a collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type Databases.

“Data Processor” means a person or organization that processes Personal Data on behalf of, and on the instructions of, Flow Global or any of its subsidiaries.

“Data Subject” means any person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

“Derived Data” means data which cannot be traced to an identifiable Customer or to an institution, that is derived by Flow (i) from Raw Data by applying mathematical models, aggregation or transformations of any kind to such data or (ii) by collecting data on use of Flow Platform. Flow shall be the exclusive owner of Derived Data.

“Flow” refers to Flow Global Ltd and all its subsidiaries including but not limited to Flow Uganda Ltd, Flow Rwanda Ltd, Flow Madagascar Ltd, Flow Peru Ltd and Matoke Technologies Ltd.

“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.

“Processing” is any activity that involves use or retention of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

“Raw Data” means all data provided to Flow from the Customer or any other Institution, including Platform Data, database backups, direct database queries, extracted datasets in the form of spreadsheets, comma separated value documents, and other data transferred directly from the Customer via other mediums.

“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.

1. INTRODUCTION

As part of our operations, most specifically in the context of meeting regulatory requirements on customer due diligence (CDD)/know-your-customer (KYC), Flow Global Limited (“Flow”) collects and processes certain types of information (including but not limited to name, telephone numbers, address, gender, photograph, ID card number, fingerprint, and signature etc.) of individuals that makes them easily identifiable. These individuals include customers, current, past and prospective employees, merchants, suppliers/vendors, customers of merchants and other individuals whom Flow communicates or deals with, jointly and/or severally (“Data Subjects”).

Safeguarding customers’ and other stakeholders' privacy is one of Flow’s core values. To this end, Flow implements measures included in this Policy and is firmly committed to complying with applicable data protection laws, regulations, rules and principles. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, use and disclosure of Personal Data and indicates that Flow is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

Failure to comply with the data protection rules and guiding principles set out in the relevant laws and regulations on data privacy and protection as well as those set out in this Policy is a material violation of Flow’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

2. SCOPE

This Policy applies to all customers and employees of Flow, as well as to any external business partners (such as Partners, suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of Flow, including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data received from Flow.

This Policy applies to all forms of systems, operations and processes within the Flow environment that involve the collection, storage, use, transmission and disposal of Personal Data.

3. GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Flow is committed to maintaining the principles in the various applicable laws and regulations regarding the processing of Personal Data. Flow collects certain Personal Data like Name, Date of Birth, Gender, National ID, Shop’s GPS, Mobile Number, Address from the customers for the Know Your Customer (KYC) process.

To demonstrate this commitment as well as our aim of creating a positive privacy culture within Flow, we adhere to the following basic principles relating to the processing of Personal Data:

3.1 Lawfulness, Fairness and Transparency

Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of Flow must be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the relevant laws and Regulations of each country in which Flow Global subsidiaries operate.

3.2 Data Accuracy

Personal Data must be accurate and kept up-to-date. In this regard, Flow will:

a) make efforts to ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;
b) make efforts to keep Personal Data updated where reasonable and applicable;
c) make timely efforts to correct or erase Personal Data when inaccuracies are discovered.

3.3 Purpose Limitation

3.3.1 Flow will process personal data based on any of the following grounds:

a) performing a contract or to enter into a contract with the data subject;
b) Flow’s legitimate business interests, as long as these do not override the data subject’s rights and freedoms. For example, fraud prevention, security of our services, marketing, analysing and improving our services; or
c) complying with a mandatory legal obligation, for example, accounting, tax, money laundering, anti-bribery requirements.
d) Information is always classified as Confidential, Restricted, Internal, Public.

3.3.2 Flow will collect personal data relating to:

a) Demographic data on the customer (Name, Date of Birth, Gender, National ID, Shop’s GPS, Mobile Number, Address) from the customers for the Know Your Customer (KYC) process;
b) employees and applicants for employment, including an employee’s job application, records of training, documentation of performance appraisals, salary increases, expense claims and other employment records (Employee Personal Data);
c) consumers (i.e. members of the public to whom we do not directly sell our products and services but who use, will use or are considering using a service which Flow will ultimately provide) and customer contacts (Customer Personal Data);
d) users of our websites or other related services provided by Flow (User Personal Data);
e) supplier contacts, industry professionals and other individuals who provide goods and/or services to Flow (Supplier Personal Data).

3.3.3 Flow holds and processes Employee Personal Data for the following purposes:

a) administering and managing its employees;
b) administering employee benefits and entitlements;
c) protecting the legitimate interests of Flow, including investigating acts or defaults; and
d) compliance with applicable laws, regulations and rules.

3.3.4 Flow holds and processes Customer Personal Data for the following purposes:

a) administering and managing our relationships with our consumers and customers, which may include:
  1. Provision of Float Advance (Credit) and other Flow products;
  2. dealing with enquiries, processing orders and providing the customer with products and services;
  3. taking the appropriate measures to take the appropriate payment from the customer; and
  4. providing updated information, such as changes to terms and conditions;
b) marketing and promoting our products and services and inviting customers to participate in market research;
c) any corrective action which may be required in respect of any of the products and services we supply;
d) improving and innovating our products and services which, for example, enables us to manage our business;
e) credit checks, fraud prevention, debt recovery and security purposes; and
f) compliance with applicable laws, regulations and procedural rules.
g) supplying marketing and promotional material (at the user’s express request) and advertising online;
h) administering and improving our websites and related purposes, (including collecting and analysing anonymous, de-identified and aggregate information); and
j) compliance with applicable laws, regulations, rules and best practice.

3.3.5 Flow holds and processes Supplier Personal Data for the following purposes:

a) administering the receipt of products and services from its suppliers;
b) administering and managing its relationships with its suppliers; and
c) compliance with applicable laws, regulations and rules.

3.3.6 Flow may share the personal data that it collects with its corporate affiliates and third parties operating on its behalf. Flow will only share personal data with companies that are required to protect personal data in accordance with relevant laws, regulations and rules, and subject to any appropriate security measures and directions from the relevant Flow data controller, and in accordance with this policy.

3.4 Integrity and Confidentiality

3.4.1 Flow shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.
3.4.2 Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.
3.4.3 Any personal data processing undertaken by an employee who has not been authorized to carry it out as part of their legitimate duties is unauthorized.
3.4.4 Flow Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.
3.4.5 The Human Resources Department must inform employees at the start of the employment relationship about the obligation to maintain personal data privacy. This obligation shall remain in force even after employment has ended.

3.5 Personal Data Retention

3.5.1 All personal information shall be retained, stored and destroyed by Flow in line with legislative and regulatory guidelines. For all Personal Data and records obtained, used and stored within the Company, Flow shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.

3.5.2 To the extent permitted by applicable laws, the length of storage of Personal Data shall, amongst other things, be determined by:

(a) the contract terms agreed between Flow and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
(b) whether the transaction or relationship has statutory implication or a required retention period; or
(c) whether there is an express request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require Flow to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
(d) whether Flow has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

3.5.3 Flow will use all reasonable means to not keep any Personal Data in Flow’s possession where such Personal Data is no longer required by Flow provided no law or regulation being in force requires Flow to retain such Personal Data.

3.6 Accountability

3.6.1 Flow demonstrates accountability in line with the relevant laws and regulations by monitoring and continuously improving data privacy practices within Flow.

3.6.2 Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the laws in place.

3.7 Third Parties

Flow may share the personal data that it collects with its corporate affiliates and third parties operating on its behalf. Flow will only share personal data with companies that are required to protect personal data in accordance with relevant laws, regulations and rules, and subject to any appropriate security measures and directions from the relevant Flow data controller, and in accordance with this policy.

4. DATA PRIVACY NOTICE

4.1 Flow considers Personal Data as confidential and as such must be adequately protected from unauthorized use and/or disclosure. Flow will ensure that the Data Subjects are provided with adequate information regarding the use of their Personal Data as well as acquire their respective Consent, where necessary.

4.2 Flow shall display a simple and conspicuous notice (Privacy Notice) on any medium through which Personal Data is being collected or processed. The following information must be considered for inclusion in the Privacy Notice, as appropriate in distinct circumstances in order to ensure fair and transparent processing:

a) Description of collectible Personal Data;
b) Purposes for which Personal Data is collected, used and disclosed;
c) What constitutes Data Subject’s Consent;
d) Purpose for the collection of Personal Data;
e) The technical methods used to collect and store the information;
f) Available remedies in the event of violation of the Policy and the timeframe for remedy; and
g) Adequate information in order to initiate the process of exercising their privacy rights, such as access to, rectification and deletion of Personal Data.

5. CONSENT

5.1 Where processing of Personal Data is based on consent, Flow shall obtain the requisite consent of Data Subjects at the time of collection of Personal Data. In this regard, Flow will ensure:

a) that the specific purpose of collection is made known to the Data Subject and the Consent is requested in a clear and plain language;
b) that the Consent is freely given by the Data Subject and obtained without fraud, coercion or undue influence;
c) that the Consent is sufficiently distinct from other matters to which the Data Subject has agreed;
d) that the Consent is explicitly provided in an affirmative manner;
e) that Consent is obtained for each purpose of Personal Data collection and processing; and
f) that it is clearly communicated in simple language to, and understood by, Data Subjects that they can update, manage or withdraw their Consent at any time.

6. DATA SUBJECT RIGHTS

6.1 All individuals who are the subject of Personal Data held by Flow are entitled to the following rights:

a) Right to request for and access their Personal Data collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
b) Right to information on their personal data collected and stored;
c) Right to objection or request for restriction;
d) Right to object to automated decision making;
e) Right to request rectification and modification of their data which Flow keeps;
f) Right to request for deletion of their data, except as restricted by law or Flow statutory obligations;
g) Right to request the movement of data from Flow to a Third Party; this is the right to the portability of data; and
h) Right to object to, and to request that Flow restricts the processing of their information except as required by the law or Flow’s statutory obligations.

To opt out of marketing and unsolicited messages if any:

If anyone no longer wants to receive marketing messages from Flow, they can choose to opt out at any time. If they have previously opted in to receive personalized content based on how and where one uses Flow’s products and services, they can also opt out at any time. These are various ways to opt out:

a) Contact Flow customer services team via the email provided on the website.
b) Click the unsubscribe icon from Flow’s email or newsletters if they receive any.

7. TRANSFER OF PERSONAL DATA

7.1 Third Party Processor within a Country.

Flow may engage the services of third parties in order to process Personal Data collected by us. The processing by such third parties shall be governed by a written contract with Flow to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the relevant domestic laws and regulations. Personal data may also be shared with law enforcement agencies where required by law to do so.

Where applicable, Flow will share personal information with:

a) Partners, suppliers or agents involved in delivering the products and services ordered or used. This will be done with the data subject’s consent.
b) Law enforcement agencies, government bodies, regulatory organisations, courts or other public authorities if we have to, or are authorized to by law.
c) A third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement e.g. to detect or prevent fraud or the commission of any other crime.
d) A merging or acquiring entity where Flow undergoes business reorganization e.g. merger, acquisition or takeover.

7.2 Third Party Processor outside a Country

Flow may engage the services of third parties outside the country in order to process Personal Data collected. The processing by such third parties outside a particular country shall be governed by the provisions of the relevant data protection laws of the Country where the data subject is domiciled as well as those of the country to which the data is being transferred. In so doing Flow will ensure the following is adhered to:

a) The Consent of the data subject is sought and obtained;
b) there are effective measures and safeguards put in place to protect the data being transferred such as encryption of data at rest and in motion, use of Virtual Private Network and any other appropriate security measure.
c) there are legitimate and justifiable reasons for the transfer of data to the third party processor.

8. DATA BREACH MANAGEMENT PROCEDURE

8.1 A data breach procedure is established and maintained in order to deal with incidents concerning Personal Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

8.2 All employees must inform their designated line manager or the Information Security & Compliance Officer as well as the Data Protection Officer of Flow immediately (within 72 hours) about cases of violations of this Policy or other regulations on the protection of Personal Data, in accordance with Flow Personal Data Breach Management Procedure in respect of any:

a) improper transmission of Personal Data across borders;
b) loss or theft of data or equipment on which data is stored;
c) accidental sharing of data with someone who does not have a right to know this information;
d) inappropriate access controls allowing unauthorized use;
e) equipment failure;
f) human error resulting in data being shared with someone who does not have a right to it;
g) hacking attack.

8.3 A data protection breach notification must be made immediately after any data breach to ensure that:

a) immediate remedial steps can be taken in respect of the breach;
b) any reporting duties to Supervisory Authority or any other regulatory body can be complied with;
c) any affected Data Subject can be informed; and
d) any stakeholder communication can be managed.

8.4 When a potential breach has occurred, Flow will investigate to determine if an actual breach has occurred and the actions required to manage and investigate the breach as follows:

a) Validate the Personal Data breach.
b) Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
c) Identify remediation requirements and track resolution.
e) Coordinate with appropriate authorities as needed.
f) Coordinate internal and external communications.
g) Ensure that impacted Data Subjects are properly notified, if necessary.
h) Immediately after the breach is detected, notify the Supervisory Authority of that jurisdiction, Flow Global, the Data Protection Officer, Directors and any other designated Officer.

8.5 Flow is obligated to inform the individuals about the breach without undue delay if it is likely to result in a high risk to their rights and freedoms. Flow shall describe in clear and plain language the nature of the personal data breach, information and measures to mitigate its possible adverse effects.

The communication to the data subject referred to in paragraph 1 shall not be required if Flow has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

9. DATA SECURITY

9.1 All Personal Data must be kept securely and should not be stored any longer than necessary. Flow will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction to data. This includes the use of password encrypted databases for digital storage and locked cabinets for those using paper form.

9.2 To ensure security of Personal Data, Flow will, among other things, implement the following appropriate technical controls:

a) Industry-accepted hardening standards, for workstations, servers, and databases.
b) Full disk software encryption on all corporate workstation/laptop operating system drives storing Personal and Personal/Sensitive Data.
c) Encryption at rest and in motion including key management of key databases.
d) Enable Security Audit Logging across all systems managing Personal Data.
e) Restrict the use of removable media such as USB flash disk drives.
f) Anonymization techniques on testing environments.
g) Physical access control where Personal Data is stored in hardcopy.

10. CHANGES TO THE POLICY

10.1 Flow reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will provide you with the updated version.