Last updated: February 2026
PRIVACY POLICY / DATA PROTECTION
Last updated: 27.02.2026
1. Who are we?
Aiffin is a simplified joint-stock company (SAS) registered in France, with its registered office at 10 rue de la
Bourse, 75002 Paris, registered with the Paris Trade and Companies Register.
Aiffin provides:
• A digital solution accessible via www.aiffin.com and associated application interfaces (the “Platform”),
enabling professional clients to apply for long-term vehicle leasing contracts (LLD) and related services (the
“Services”).
• An informational website presenting our activities and partnership solutions.
For the purposes of applicable data protection regulations, including Regulation (EU) 2016/679 (GDPR) and
the French Data Protection Act, Aiffin acts as the data controller.
You may contact our Data Protection Officer (DPO):
Email: dpo@aiffin.com
Address: Aiffin – DPO, 10 rue de la Bourse, 75002 Paris
2. Scope of this Policy
This Policy applies to:
• Professional clients requesting or using our long-term leasing (LLD) services
• Prospects interacting with us (contact forms, referrals, partnerships)
• Visitors to our website
• Guarantors or representatives of professional clients
Our services are strictly intended for professionals. We do not target consumers.
3. Personal Data We Collect
3.1 Data collected directly from you
When you use our Platform, we may collect:
Identification data
Name, date and place of birth, identity document, biometric verification data (Face ID), company registration
details, information relating to the legal representative.
Contact data
Email address, phone number, postal address.
Professional and company-related data
Company registration number (SIREN/SIRET), legal form, business sector, financial statements, invoices,
vehicle selection details.
Financial data
Bank transaction data via open banking (read-only access), IBAN, transaction history, cash flow information,
public financial data of the company.
Technical data
IP address, device information, browsing data via cookies.
Communications
Exchanges with our teams, communications with customer support, documents provided.
3.2 Data collected from third parties
We may collect data from:
• Open banking providers operating under PSD2 regulations
• Public registers (INSEE, Infogreffe, etc.)
• Anti-fraud and anti-money laundering (AML) service providers
• Insurance partners
• Dealerships and vehicle distribution partners
This data is used exclusively to assess eligibility, manage contracts, comply with legal obligations, and improve
our risk management models.
4. Purposes and legal bases
We process your data for the following purposes:
Purpose | Legal basis
Account creation and management | Performance of a contract
Eligibility assessment and risk scoring (OrbitScore) |
Execution and management of LLD contracts | Performance of a contract
AML/CFT checks | Legal obligation
Fraud prevention and security monitoring | Legal obligation / Legitimate interest
Customer support | Performance of a contract
Statistical analysis and product improvement | Legitimate interest
Marketing communications | Consent or legitimate interest
Regulatory reporting | Legal obligation
When processing is based on consent, you may withdraw it at any time.
5. Automated Decision-Making
As part of our onboarding and credit assessment process, Aiffin uses automated decision-making systems,
including our proprietary risk model (“OrbitScore”).
These systems assess eligibility based on:
• Company data (legal form, age, sector)
• Financial activity and transaction patterns
• Risk indicators and fraud signals
• Consistency between declared activity and observed cash flows
• Repayment performance history
These decisions may produce legal effects or similarly significant effects (e.g., approval or rejection of an LLD
contract).
In accordance with Article 22 of the GDPR, you have the right to:
• Request human intervention in relation to an automated decision
• Express your point of view
• Contest the decision
You can exercise these rights by contacting dpo@aiffin.com.
6. Data Sharing
Your data may be shared with:
• IT and cloud service providers (hosting, OCR, infrastructure)
• Open banking providers
• Insurance partners
• Dealerships and vehicle suppliers (for contract execution)
• Legal advisors, accountants, and auditors
• Security Trustee entities (where applicable)
• Regulatory authorities (ACPR, TRACFIN, judicial authorities)
We never sell your personal data.
7. Data Security
We implement appropriate technical and organizational measures, including:
• Encrypted storage (AES-256 or equivalent)
• Secure HTTPS communication
• Access control and authentication mechanisms (including 2FA)
• Regular penetration testing
• Environment segregation
• Role-based internal access restrictions
Open banking access is strictly read-only.
8. International Transfers
Data is primarily processed within the European Union.
If data is transferred outside the EU, appropriate safeguards are implemented in accordance with the GDPR
(Standard Contractual Clauses or adequacy decisions).
9. Data Retention
We retain data only for as long as necessary:
• Contractual data: duration of the contract + 5 years
• Accounting and tax data: 10 years
• AML/CFT documentation: in accordance with applicable regulatory requirements
• Marketing data: 3 years from the last contact
• Inactive accounts: deleted after 2 years of inactivity
10. Your Rights
In accordance with the GDPR and French law, you have the following rights:
• Access your data
• Rectify inaccurate data
• Request deletion (subject to legal obligations)
• Restrict processing
• Object to processing
• Data portability
• Withdraw your consent
• Define post-mortem instructions regarding your data
You can exercise your rights by contacting:
dpo@aiffin.com
or by mail:
Aiffin – DPO
10 rue de la Bourse
75002 Paris
You may also lodge a complaint with the CNIL (www.cnil.fr).
11. Cookies
We use cookies and similar technologies to:
• Enable authentication
• Improve user experience
• Produce anonymized usage statistics
• Measure performance
Cookies are stored for a maximum period of 13 months.
You can configure your browser to refuse cookies at any time.
12. Hyperlinks
Our website may contain links to third-party sites. We are not responsible for their privacy practices. We
encourage you to review their policies before providing any personal data.
13. Use of Data for AI and Machine Learning
Aiffin may use certain data collected in the course of providing its Services to develop, train, test, and improve
its proprietary models for risk assessment, fraud detection, and asset valuation, including artificial intelligence
and machine learning systems.
These processing activities are based on Aiffin’s legitimate interest in improving the accuracy, security, and
performance of its Services.
Where possible, data used for model training is aggregated or pseudonymized. No automated model training
involves the sale of personal data to third parties.
If external technology partners are involved in the development or hosting of these models, they act strictly as
data processors under written data processing agreements compliant with Article 28 of the GDPR and are
subject to strict confidentiality and security obligations.
Under no circumstances is personal data used for unrelated commercial purposes.