Zelture Peso Privacy Policy
Commitment to Your Privacy and Data Security
Loan Partner Details
In line with our commitment to providing secure and compliant loan and credit solutions, Zelture Peso works with authorized loan providers. We prioritize transparency and wish to share detailed information about our partner with you.
- Company Name: FINGERTIP LENDING CORP.
- SEC Registration Number: 2020070001053-00
- Certificate of Authority (License) Number: 3298
- Registered Address: 12/F, Security Bank Centre, 6776 Ayala Avenue, San Lorenzo, City of Makati, Fourth District, NCR, 1226, Philippines
FINGERTIP LENDING CORP. operates under Philippine laws and applicable financial regulations to ensure secure and compliant lending services.
Welcome to Zelture Peso ("we," "our," or "us"). We value your privacy and are committed to protecting your personal information. This Privacy Policy applies exclusively to users of our iOS (iPhone) mobile loan application ("the App"). It explains how we collect, use, process, store, protect, and share your information when you use the App.
This policy is designed to comply with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations (IRR), and the issuances of the National Privacy Commission (NPC). By downloading, registering, or using the Zelture Peso App, you signify your acceptance of this Privacy Policy. If you do not agree, please discontinue use of the App.
Effective Date: January 1, 2026
Scope of This Policy
This Privacy Policy applies exclusively to:
- Platform: iOS mobile devices (iPhone only).
- Territory: Users located in the Philippines.
- Service: Loan and financial services delivered via the Zelture Peso App.
Key Definitions
To ensure clarity and alignment with RA 10173, we define the following terms:
- Personal Information: Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would identify an individual.
- Sensitive Personal Information: Personal information about an individual’s race, marital status, age, health, education, government-issued IDs (e.g., SSS, TIN), or financial data.
- Processing: Any operation performed upon personal data, such as collection, recording, storage, use, consolidation, blocking, erasure, or destruction.
- Personal Information Controller (PIC): Zelture Solutions Inc., the entity responsible for controlling the collection and use of your data.
- Personal Information Processor (PIP): Any third party to whom we outsource the processing of personal data, subject to our instructions and safeguards.
- Consent: Any freely given, specific, informed indication of will whereby you agree to the processing of your personal information.
- Legitimate Interests: The lawful basis for processing necessary for our business purposes, provided it does not override your fundamental rights and freedoms.
Information We Collect
We adhere to the principles of proportionality and transparency. We collect only the data necessary to verify your identity, assess creditworthiness, and provide our services.
1. Identity and Contact Details
Collected during registration to establish your account and verify your identity:
- Full Name, Date of Birth, Gender, Nationality
- Current and permanent address
- Mobile number and Email address
2. Government ID and Verification
To comply with KYC (Know Your Customer) regulations:
- Government-issued ID numbers (e.g., UMID, Driver’s License, Passport)
- Photos of your ID and a "selfie" for facial recognition matching
3. Financial and Employment Data
To assess repayment capacity and disburse funds:
- Employer name, job title, and income details
- Bank account or e-wallet details for loan disbursement
4. Contact List and Location Data (Optional)
Location: We may collect location information (subject to your permission) to prevent fraud, verify regional eligibility, and assist in risk assessment. You may disable location access at any time in iOS Settings.
Contact List Metadata: If you permit access, we collect encrypted metadata from your contact list solely for credit risk scoring and fraud prevention. We do NOT use this data for marketing, nor do we contact your friends or family for debt collection purposes. We use aggregated data to detect fraudulent patterns (e.g., fake contacts).
5. Camera Permission and Usage
We request access to your iOS camera solely for identity verification and document capture (e.g., selfie match to government ID and taking photos of ID documents) to comply with KYC/AML regulations and prevent fraud.
- Consent and Control: Access is optional and requires your explicit consent via iOS prompts. You may disable it anytime in Settings, though this may limit onboarding.
- Lawful Basis: We rely on Consent for access, and Legal Obligation/Contractual Necessity for the verification process.
- Security: Captured images are encrypted in transit and at rest, used only for verification, and not for marketing.
- Retention: We retain images for 3 to 5 years per our retention policy. You may contact our DPO to withdraw consent or exercise your rights.
6. Photo Library Permission and Usage
We may request access to your photo library to allow you to upload specific images of your government IDs or supporting documents for identity verification (KYC/AML) and fraud prevention. We do not scan or access your entire photo library; we only process the specific images you explicitly select via the iOS system photo picker.
- Consent and Control: Access is optional and requires your explicit permission. You can manage or revoke permissions in iOS Settings at any time, although disabling this may limit your ability to upload documents for verification.
- Lawful Basis: We rely on Consent for the optional selection process, and Legal Obligation/Contractual Necessity for the subsequent processing of the images required for loan verification.
- Security: Selected images are encrypted during transmission and at rest. They are used exclusively for identity verification and fraud checks, and are not used for marketing or advertising.
- Retention: We retain these images for 3 to 5 years in accordance with our retention policy. You may contact our DPO to exercise your rights regarding this data.
How We Use Your Information and Lawful Bases
We process your data for specific purposes anchored on lawful bases under Section 12 of RA 10173:
| Purpose of Processing | Lawful Basis (RA 10173) |
| --- | --- |
| Loan Services: User onboarding, credit assessment, disbursement, repayment processing, and customer support. | Contractual Necessity: Processing is required to fulfill the loan agreement with you. |
| Legal Compliance: AML (Anti-Money Laundering) checks, KYC verification, and regulatory reporting. | Legal Obligation: Necessary to comply with BSP and NPC regulations. |
| Risk & Fraud Control: Identity verification, detecting abnormal behavior, preventing identity theft. | Vital Interests & Legitimate Interests: Protecting the integrity of the financial system and preventing fraud. |
| Service Improvement: App optimization, analytics, and user experience enhancement. | Legitimate Interests: Improving our products, provided this does not override your rights. |
| Optional Features: Location-based offers, contact list risk scoring. | Consent: Explicit permission obtained within the App. |
Balancing Test: When relying on legitimate interests, we balance our business needs against your privacy rights. We ensure transparency and provide you with the right to object where applicable.
How We Share Your Information
We do not sell your personal data. We share information only when necessary and subject to strict accountability measures per RA 10173 Section 21:
- Service Providers (PIPs): We share data with trusted partners for payments, facial recognition (IDV), credit scoring, cloud hosting, and analytics. All partners are bound by data sharing agreements requiring comparable levels of protection.
- Legal Obligations: We may disclose data to courts, law enforcement, or regulators (e.g., NPC, BSP) when required by law or subpoena.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity under secure conditions.
Accountability: We conduct due diligence on all third parties and maintain records of data processing and disclosures.
Data Storage and Retention
Storage: Your data is stored on secure cloud servers with strict access controls and encryption.
Retention Period: We retain your personal data only as long as necessary:
- While your account is active to provide services.
- For 3 to 5 years after account closure or transaction completion, as required by financial regulations and for tax/audit purposes.
Upon the expiration of the retention period, your data will be securely deleted, overwritten, or anonymized so that it can no longer be associated with you.
Data Security Measures
We implement reasonable and appropriate organizational, physical, and technical security measures pursuant to Section 20 of RA 10173:
- Technical: End-to-end encryption (AES, TLS) for data in transit and at rest; regular vulnerability assessments.
- Physical: Secure data centers and restricted access to physical records (if any).
- Organizational: Strict role-based access controls; regular privacy training for employees; confidentiality agreements.
While we employ industry-standard protections, no system is 100% secure. We continuously review and upgrade our security posture to protect your data.
Your Rights and How to Exercise Them
Under the Data Privacy Act, you have the following rights regarding your personal data:
Information & Access
- Right to be Informed: To know what data we collect and why.
- Right to Access: To request a copy of your personal data held by us.
- Right to Data Portability: To obtain your digital data in a structured format.
Control & Correction
- Right to Rectify: To correct inaccurate or incomplete data.
- Right to Erasure/Blocking: To ask us to delete or block your data (subject to legal retention periods).
- Right to Object: To object to processing (e.g., for marketing).
You also have the Right to Damages for violations of your rights and the Right to File a Complaint with the National Privacy Commission (NPC).
How to Exercise: Contact our Data Protection Officer (DPO) at operate@zelturesolutionsinc.com. We will respond to your request within the statutory timeline (typically 30 days), subject to necessary identity verification.
Consent and Withdrawal
Obtaining Consent: We obtain your explicit consent via checkboxes or system dialogs for optional data (e.g., location, contacts). For core services, your agreement to this policy and the Terms of Service constitutes consent.
Withdrawal: You may withdraw your consent for specific features (like location) via App settings. For full withdrawal (account closure), please contact us. Note that withdrawing consent for core data may prevent us from providing loan services. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Sensitive Personal Information
We handle Sensitive Personal Information (e.g., government IDs, health, biometric data) with stricter safeguards pursuant to Section 13 of RA 10173:
- We process this data only with your specific consent or when required by law.
- We use this data solely for identity verification, credit scoring, and fraud prevention.
- We never use sensitive personal information for direct marketing purposes.
Children’s Privacy
Adults Only: Our services are strictly intended for individuals aged 18 and above. We do not knowingly collect information from minors.
Age Assurance: We employ age verification measures during onboarding. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. In accordance with NPC guidance, we prioritize the best interests of the child in all our data practices.
Cookies & Third-Party SDKs
We use cookies, device identifiers, and third-party Software Development Kits (SDKs) to ensure App security and functionality.
- Purpose: Session management, fraud detection, analytics, ID verification, and push notifications.
- No Ad Tracking: We do not use these technologies for third-party advertising tracking.
We review all SDKs for compliance. A detailed list of third-party SDKs used in the App is available upon request.
IDFA (Identifier for Advertisers) and App Tracking Transparency (ATT)
The IDFA (Identifier for Advertisers) is a unique device identifier assigned by Apple to a user's device for advertising purposes. Under Apple's App Tracking Transparency (ATT) framework, apps must request permission to track users across apps and websites owned by other companies. We value your privacy and are committed to full transparency regarding our use of this identifier.
- Current Practice: We do not currently use IDFA for third-party advertising tracking or cross-app/site tracking. Consequently, we do not present an ATT tracking consent prompt within the App at this time.
- Future Use and Consent: Should we determine a need to use IDFA in the future for limited, compliant purposes (such as non-advertising install attribution), we will first obtain your explicit consent via Apple's ATT prompt. You will have the option to allow or ask the App not to track.
- Lawful Basis: Any future processing of IDFA would be based strictly on your Consent. We do not rely on legitimate interests or contractual necessity for advertising tracking.
- No Sale of Data: We do not sell your personal information, nor do we use IDFA for marketing, profiling, or behavioral advertising.
- Data Rights and Security: Any identifiers collected in the future will be processed securely, retained only as long as necessary (typically 3 to 5 years per our retention policy), and subject to your rights under the Data Privacy Act of 2012 (RA 10173), including the rights to access, rectification, erasure, and objection.
Personal Data Breach Notification
In the unlikely event of a personal data breach, we have an established Incident Response Plan:
- Notification: We will notify the National Privacy Commission (NPC) and affected data subjects within 72 hours of knowledge or reasonable belief that a breach has occurred, specifically if it involves sensitive personal information that poses a real risk of serious harm.
- Mitigation: Our response team will immediately take steps to contain the breach, secure systems, and mitigate potential harm to you.
Contact Us
For any privacy-related inquiries, complaints, or to exercise your rights, please contact our Data Protection Officer (DPO):
Zelture Solutions Inc.
Email: operate@zelturesolutionsinc.com
Address: 16th Floor, Latitude Corporate Center, Cardinal Rosales Avenue, Cebu Business Park, Mabolo, Cebu City (Capital), Cebu, Region VII (Central Visayas), 6000
We are committed to resolving your privacy concerns and will respond to your request as soon as possible.
Changes to This Privacy Policy
We may update this policy to reflect changes in our services, technology, or regulations. We will notify you of significant changes via an in-app announcement or email.
Effective Date: January 1, 2026