PERSONAL DATA PROCESSING POLICY

4. Below are the main terms used in this Policy:
— "Data Controller" means Tiger Trade Capital AG with its office at Bahnhofplatz, 6300 Zug, Switzerland, which arranges for and conducts Personal data processing and defines purposes of the Personal data processing, the scope of Personal data to be processed, and actions/operations to be carried out with Personal data;
— "Website" means internet Website located athttps://www.tiger.com/.
— "PD Regulations" mean any regulations adopted in pursuance of such law, General Data Protection Regulation, or any other applicable laws governing the protection of personal data;
— "Personal data processing" means any action/operation or a set of actions/operations with personal data carried out with or without the use of any automation tools; a list of actions carried out by the Data Controller with Your personal data is given in clause 14 below;
— "Personal data" means any information directly or indirectly related to an identified or identifiable individual (personal data subject), i.e., information that directly identifies You (such as Your name or email address) and information that does not identify You directly, but may be used in one way or another for identification (e.g., Your mobile device details);
— "You" or "Website User" mean any individual using the Website.

5. The Data Controller shall provide unrestricted access to this Policy by posting its current version in the Privacy Policy section in the Website, and a hard copy of the same shall be kept in the Data Controller's office and may be provided to You at Your request or otherwise under the PD Regulations.

6. This Policy shall be revised or updated if the Data Controller's data processing procedures are modified, or the PD Regulations are amended.

7. The Data Controller will process Your personal data in accordance with the procedures stipulated by the PD Regulations on a fair and lawful basis.

8. The Data Controller will process Your personal data strictly for the purposes defined in this Policy and such processing will be limited to the attainment of such specific, pre-defined, and lawful purposes. The Data Controller undertakes not to allow any personal data processing that is inconsistent with the purposes for which such data is collected as listed in this Policy. The personal data that the Data Controller collects in the Website is not excessive relative to the declared purposes for which the same is processed.

9. The Data Controller will store Your personal data in a form that makes it possible to identify You as a personal data subject for no longer than the purposes of personal data processing require unless the PD Regulations require otherwise. Unless the PD Regulations require otherwise, the Data Controller will destroy Your personal data once these purposes are achieved or if processing is no longer necessary, Your personal data will be deleted. If any personal data is found to be inaccurate or unlawfully processed, it will be blocked, updated, or deleted in accordance with clause 29 of this Policy.

10. The Data Controller will process Your personal data solely and exclusively subject to there being legal reasons under the PD Regulations, and such legal reasons are as follows:

— Your consent for personal data processing with respect to marketing and research activities between the Data Controller and You (such as promotion of Tiger.com products or other marketing interaction and studies);
— Your consent for personal data processing with respect to Your personal data shared through the Website or otherwise;
— compliance with applicable laws, including, without limitation, those that assign the Data Controller's functions, powers, and duties;
— exercise of rights and legitimate interests of the Data Controller or third parties in compliance with the PD Regulations.

11. This Policy describes procedures used by the Data Controller to process personal data of the Website Visitors.

12. When You use the Website as a Website Visitor, the Data Controller collects data passively. The content, purposes, and scope of personal data collected in such event is further described in clauses 14 and 15 of this Policy.

13. Also, if You contact the Data Controller using the contact form on the Website or, in accordance with clause 3 of this Policy, the Data Controller will also process personal data You share, which may include Your name, email address, telephone number, message subject and body, and other data shared by You. The Data Controller will use such data to process Your query (e.g., to respond to Your questions or requests, e.g., to send You requested documents or information).

14. The Data Controller will use personal data shared by the Website Visitors for the following purposes:

— to administer and protect our business and this Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
— to deliver relevant Website content and advertisements to You and measure or understand the effectiveness of the advertising we serve to You;
— to use data analytics to improve our Website, products/services, marketing, customer relationships and experiences; and
— to make suggestions and recommendations to You about goods or services that may be of interest to You.

15. To collect the Website browsing and user behavior data, such technologies as cookies (browser cookies and Flash cookies) and web beacons are used on the Website. The Data Controller and third-party vendors, acting under an agreement with the Data Controller, passively collect and use data variously, including:

— Via a browser: certain data is collected by most browsers, e.g., Your Media Access Control (MAC) address, computer type and operating system version, Internet browser type and version, and Visitor location. The Data Controller may collect such information as, for example, Your device type and identifier, if You access the Website from a mobile device. Such information is shared with the Data Controller when a Visitor accesses the Website.
— Using Cookies: Cookies are small text files stored on Your computer. Cookies allow the Data Controller to collect such information as the browser type, time spent on the Website, web pages viewed, and language preferences. For visitors in Europe and the UK, we will request consent to use non-essential cookies, such as analytical cookies, and these will not be placed unless and until consent is provided by You.
The Data Controller and third-party vendors use this data to improve the Website operation, ensure security, facilitate browsing, display information more efficiently, and customize Your experience of using the Website.
The Data Controller also uses cookies to identify Your computer or device which makes it easier for You to use the Website.
Also, the Data Controller uses cookies to collect the Website statistics and analytics for ongoing improvements of its design and functionality, to better understand how individual visitors use the Website, and to assist in addressing any issues of concern (including for the Data Controller's arrangements with third parties). Specifically, the Data Controller uses Google Tag Manager. Third-party vendors of the Data Controller, and, in particular, Google Display Network, may use cookies for online advertising purposes. Your relationships with such third-party vendors are governed by terms of use of such third-party vendors (https://policies.google.com/technologies/ads?hl=en-US).
If You share any information from the Website on any social media, such social media cookies may also be used.
You may disable cookies following the appropriate instructions of Your browser. To learn more about cookies, please go towww.allaboutcookies.org.
If You disable cookies, certain Website features may work incorrectly.
— IP address: IP address is a numerical label Your Internet provider assigns to Your computer automatically. The IP address is identified and logged in the Data Controller's server files each time a Website Visitor accesses the Website; web pages viewed, and time spent on the Website are also logged. Collection of IP addresses is a common Internet practice with many websites collecting such data automatically. The Data Controller uses IP addresses for such purposes as, for example, to assess the Website traffic, for server diagnostics and Website administration.
— Device Information: The Data Controller may collect Your mobile device data, e.g., the unique device identifier.

16. This Policy applies to collection, recording, classification, capture, storage, revision (updating, modification), retrieval, use, transfer (sharing, accessing), cross-border transfer, blocking, deletion, and destruction of personal data collected by the Data Controller on the Website with the use of automation tools. The source of Your personal data is You. We do not collect personal data about You from a third-party.

17. The Data Controller processes Your personal data automatically without making any decisions that have any legal implications or otherwise affect Your rights and legitimate interests based solely on personal data automated processing.

18. The Data Controller will ensure that databases used for collection, recording, classification, capture, storage, revision (updating, modification) and retrieval of personal data are in compliance with the PD Regulations.

19. The Data Controller will keep Your personal data collected on the Website confidential.

20. The Data Controller may delegate the processing of Your personal data to a third party, subject to the PD Regulations.

21. The Data Controller will transfer Your personal data collected on the Website in the following events:

— You have authorized such transfer;
— such transfer is required to achieve any purposes of an international treaty or a law, or to fulfil and discharge any functions, powers, and duties of the Data Controller under applicable laws; or
— such transfer is required to perform an agreement to which You are party.

22. The Data Controller will share personal data collected on the Website only if the Data Controller has entered into an agreement with the recipient of personal data under which such third party receiving personal data from the Data Controller undertakes to keep personal data confidential and to adhere to the personal data processing principles and rules defined by the PD Regulations and agreement with the Data Controller.

23. The Data Controller will share personal data (including by cross-border transfer to countries that do or do not provide an adequate level of protection of personal data subjects' rights) with the following third parties:
— affiliates of the Data Controller;
— third-party vendors of such services as Website hosting and administration, data analytics, infrastructure maintenance, IT services, services delivered by email or regular mail, audit services, and other services, if such data is needed for such persons to be able to provide the same; and
— in the event of restructuring, merger, sale, creation of a joint venture, or winding up of the Data Controller, transfer of its assets or shares in full or in part (including in connection with bankruptcy or court proceedings).

24. The Data Controller will share personal data collected on the Website within the scope which the Data Controller may in its discretion deem necessary or appropriate:

— to effectively achieve purposes listed in clause 14 above;
— pursuant to requirements of the laws applicable to the Data Controller;
— to protect the Data Controller's and its affiliates' business;
— in response to requests from the government authorities;
— to facilitate any court proceedings; or
— to protect Your rights and rights of the Data Controller, confidentiality, security, or property and/or rights, confidentiality, security, or property of the Data Controller and its affiliates.

25. When processing personal data, the Data Controller will make sure that personal data is accurate (assuming such data is true without having to verify the same), sufficient, and, where necessary, and fit for purpose. The Data Controller will take appropriate measures to delete or update incomplete or inaccurate data, including in the events referred to in this Policy.

26. The Data Controller will apply required managerial, technical, and administrative arrangements to protect personal data received on the Website in accordance with the PD Regulations.

27. The Data Controller will store personal data collected on the Website for as long as necessary for the purposes of this Policy unless longer storage is necessary or permitted by the laws applicable to the Data Controller.

28. The Data Controller may terminate personal data processing once the purposes of such processing have been attained or where such processing is found to be illegitimate.

29. If processing of personal data collected on the Website is found to be illegitimate (on receipt of Your or Your representative's query, on receipt of a request from an authorized agency, or following an internal audit) or if personal data is found to be inaccurate, the Data Controller will block or procure the blocking of such personal data that is processed illegitimately on receipt of such query or request for as long as such personal data processing is verified:

— if the inaccuracy of personal data is confirmed based on the information You, Your authorized representative, or an authorized agency may provide in any form in writing or based on any other documents pursuant to PD Regulations, the Data Controller shall update such personal data or procure the same to be updated within seven (7) business days of receipt of such data and unblock the same;
— if the illegitimate personal data processing is confirmed, the Data Controller shall terminate such illegitimate processing within three (3) business days of confirmation of the illegitimate processing or delete such personal data within ten (10) business days of confirmation of the illegitimate processing. The Data Controller shall notify You, or Your representative, or the authorized agency, if the legitimacy of processing was verified at the request of such agency, of remedying any such violations.

30. If You revoke Your consent, the Data Controller shall terminate personal data processing immediately, except when continued processing of such personal data is required by the laws applicable to the Data Controller, and in any event the Data Controller shall notify You of the outcome of such revocation.

31. If the purposes for which personal data collected on the Website have been attained, the Data Controller shall terminate personal data processing and destroy personal data within thirty (30) days of when the purposes of processing have been attained, unless Your consent received by the Data Controller provides for a different deadline. If personal data collected on the Website may not be destroyed by such deadline, the Data Controller will block such personal data and ensure that the same is destroyed within six (6) months, unless the laws applicable to the Data Controller, Your consent for personal data processing, or an agreement to which You are a party, require otherwise.