Banque Thaler SA (hereinafter “Banque Thaler” or “we”) cares about the protection and confidentiality of your personal data and is committed to comply with data protection laws and regulations. The following information provides an overview of how we process your personal data and your rights under data protection laws and regulations. To the extent applicable, please forward this information to your current and future authorized representatives, any beneficial owners or holders of any right on the account(s) (e.g., power of attorney, information right).

Banque Thaler is the entity responsible for the processing of your personal data. For any question that you may have in connection with the processing of your personal data, you may contact your relationship manager with us or our Data Protection Officer at the following address:

BANQUE THALER SA

Data Protection Officer

Rue Pierre-Fatio 3

1204 Geneva Switzerland

Email: data-protection@banquethaler.com

Our representative in the European Union (“EU”) for data protection matters is:

Ludo WYNS

E-mail: ludo.wyns@llink.biz

The personal data we process may include (i) personal details (e.g. name, place of birth, date of birth, citizenship, address, telephone numbers, email addresses, family details, other KYC information) (ii) identification data (e.g. copy of passport or identity card, social security number, tax identification number) (iii) tax information (e.g. tax domicile and other tax-related documents and information) (d) professional information about you (e.g. job title, job experience) (iv) financial information (e.g. financial and credit history information, transaction data, bank details) (v) your investment profile and investment preferences (vi) records of phone calls between you and Banque Thaler (vii) details of interactions with you and the products and services you use (viii) cookie information (e.g. cookies and similar technologies on websites and in emails) (please also see our Cookie Policy). We collect and receive personal data (i) directly from you (e.g. when you are contacting us or sending us contractual documents or forms) (ii) indirectly from third parties or publicly available sources (e.g. commercial register, sanctions lists, press, media, internet)

We process personal data in accordance with the Swiss Federal Act on Data Protection (FADP), and, to the extent applicable, with the European General Data Protection Regulation (GDPR). Personal data that we process may also be subject to banking secrecy or other contractual or professional confidentiality obligations applicable to us. We process personal data for the following purposes (hereinafter the “Purposes”) and legal bases:

(a) for the performance of contractual obligations

We collect and process personal data as necessary for the performance of a contract to which you or a related person is a party, or to carry out pre-contractual measures that occur as part of a request, which includes in particular the following processing operations: (i) opening and management of an account and business relationship with us, (ii) the execution of transactions, (iii) the provision of investment advice as well as (iv) asset and portfolio management and the distribution of financial products.

(b) for compliance with a legal obligation or in the public interest

As a bank, we are subject to various legal obligations which require us to process and collect personal data, including in relation to accounting requirements, the provision of information about products and services, the prevention of money laundering activities, bribery, corruption, tax frauds as well as other frauds and crimes, the recording of phone conversations, the satisfaction of any requirements of cooperation with, or reporting to, any competent public prosecution, supervisory, administrative or tax authority or court, as well as the assessment and management of risks.

(c) for the purposes of safeguarding legitimate interests

When necessary, we process your personal data for the purpose of the legitimate interests pursued by us or a third party, if such processing does not unduly affect your interest or fundamental rights and freedoms. Examples include (a) the development of our business relationship with you (b) measures for the security of our properties and systems (c) the recording of phone conversations to verify instructions, improve the quality of our services or to safeguard our rights (d) the exercise or defense of actual or potential legal claims, or the conduct of investigations or similar proceedings (e) review and improvement of our internal processes and organization, including for the purpose of risk management (f) the evaluation of certain characteristics of data subject on the basis of automatic processing of personal data (profiling) (see also Section 7).

(d) on the basis of your consent

To the extent that the processing of your personal data requires that you give your prior consent thereto, we will ask for your consent in due time. Any consent granted may be revoked at any time. Please be advised that the revocation of your consent shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

The provision of personal data may be mandatory, for instance in connection with compliance with applicable laws and regulations. If the required data are not provided, this may preclude us from establishing or pursuing a business relationship or from rendering services to you.

Within Banque Thaler, every unit that requires your personal data to achieve the Purposes will have access to it. If necessary or useful to perform our services and achieve the Purposes, we may disclose or transfer your personal data to (i) public or governmental authorities, administrations or courts (e.g. financial market supervisory authorities, tax authorities, anti-money laundering authorities) or financial institutions (e.g. third party central depositories, brokers, exchanges, registers, third party banks, etc.) or (ii) third party service providers that process personal data on our behalf and/or to which we outsource certain tasks (outsourcing).

Personal data may be transferred to countries outside Switzerland if this is required for the execution of your orders or the fulfillment of our contractual obligations (e.g. payment and securities transactions), prescribed by law (e.g. reporting obligations under tax law), necessary to safeguard an overriding public interest, or if you have given us your consent.

As a matter of principle, we process and store your personal data as long as it is necessary in order to achieve the Purposes. We will delete or anonymise your personal data regularly once they are no longer necessary in order to achieve the Purposes, unless a further processing of your personal data is necessary for the following purposes: (i) compliance with longer records retention periods under applicable law or regulations and (ii) preservation of all forms of relevant information to exercise or defend

In some cases, we process your personal data automatically with the aim of evaluating certain personal aspects (profiling), in particular to provide you with targeted information and advice on our products or services or those of our business partners. We may also use technologies that allow us to identify the level of risks linked to a data subject or to the activity on an account. Furthermore, as a rule, we do not make decisions based solely on automated processing in order to perform our services. Should we do so, we shall comply with applicable legal and regulatory requirements.

Under GDPR, you have the right to (i) request access to, and receive copy of, your personal data (art. 15 GDPR), the right to request rectification of your personal data if they are inaccurate (art. 16 GDPR), the right to request erasure of your personal data when the processing is not or no longer necessary for the Purposes, subject to applicable retention records (art. 17 GDPR), the right to request a restriction of the processing of your personal data (art. 18 GDPR), the right to object to the processing of your personal data, in which case we will no longer process your personal data unless we have compelling legitimate grounds to do so (art. 21 GDPR) and if applicable, the right to receive your personal data in structured, commonly used and machine-readable format (data portability) (art. 20 GDPR). Furthermore, you have the right to complain to our Data Protection Officer and, if applicable, to lodge a complaint with a competent data privacy regulatory authority. In general, but subject to certain differences or exceptions, similar rights are also granted by the FADP.