MBI Privacy Policy

Medici Bank International Privacy Policy

The MBI Privacy Policy intends to inform you about what Medici Bank International, LLC, (“MBI”OR “The Bank”) a Puerto Rico registered and regulated International Financial Entity, does with your personal information. MBI respects your privacy and is committed to protecting your personal data therefore, it is important that you read this privacy notice together with any other  notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy applies to all clients outside of the European Union (EU). For clients residing in the EU please see our “Compliance with the General Data Protection Regulation (“GDPR”) Policy”.

Definitions

• Affiliates- Companies related by common ownership or control. They can be financial and non-financial companies.
• Non affiliates-Companies not related by common ownership or control. They can be financial and non-financial companies.
• Joint Marketing- A formal agreement between non-affiliated financial companies that together market financial products or services to you.

Why?

Financial Institutions may choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires MBI to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand how we handle and share your information.

What?

The types of personal information we collect, and share depend on the product or service you have. This information can include but is not limited to:

• Social security number
• Tax ID
• Transaction History
• Email address

How?

Financial companies need to share customers' personal information to effectively run their daily operations. In the section below, we list the reasons financial companies can share their customers' personal information, whether you can limit or opt-out of sharing and the reason that MBI shares the information.

Reasons we can share your personal information	Does MBI share?	Can you limit this sharing?
For our everyday operations: To process your transactions, maintain your account(s), respond to court orders and legal investigations, or to provide services.	Yes	No
For our affiliates' everyday operations: information about your transactions	Yes	No
For Marketing: to offer our products and services to you	No	No
For joint marketing with other financial companies	No	MBI doesn't share
For our affiliates' everyday business purposes - information about your transactions and experiences	No	MBI doesn't share
For our affiliates' everyday business purposes - information about your creditworthiness	No	MBI doesn't share
For our affiliates to market to you	No	MBI doesn't share
For non-affiliates to market to you	No	MBI doesn't share

How does MBI protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer server safeguards such as encryption. We also maintain other procedural safeguards to protect this information and we limit access to information to those employees for whom access is appropriate.

How does MBI Bank collect my personal information?

MBI Collects your personal information whenever you do one of the following actions:

• Give us your contact information through our website
• Open an account through online banking
• Provide account information online or via phone call
• Conduct withdrawals from your account

We also collect your personal information from others, such as affiliate companies or third parties for non-documentary verifications.

Why can't I limit all sharing?

Federal law furnishes you the right to limit certain sharing of information particularly,

• Sharing for affiliates' everyday business purposes - information about your creditworthiness
• Sharing for affiliates from using your information to market to you
• Sharing for non-affiliates to market to you

State laws and individual companies may give you additional rights to limit sharing (See Other important information below)

Other important information

State Laws:

There are privacy protections applicable under specific state laws. To the extent these state laws apply, we will comply with them if we share information about you.

Vermont Residents - We do not share information we collect about you with non-affiliated third parties. In addition, we do not share information about your creditworthiness with our affiliates.

Nevada Residents - Pursuant to Nevada law, if you prefer not to receive marketing calls from us, you may be placed on our internal Do Not Call list by calling 1-787-563-9290. You may also contact the Bureau of Consumer Protection, Office of the Nevada Attorney General, 100 N. Carson, Carson City, Nevada 89701; phone number: 702-486-3132, http://ag.nv.gov.

For California Residents

CCPA Privacy Notice

Medici Bank International, LLC (“MBI”) is providing this CCPA-specific privacy notice to supplement to our Privacy Policy above. This notice applies to individuals residing in California from whom we collect Personal Information.

The chart below contains the categories of Personal Information as defined by the CCPA, that we have collected and/or disclosed for a business purpose. The examples below were taken from the CCPA and have been included only to aid you in understanding each category. The examples are not full depiction of the information collected. There may be examples of information that we never collect, disclose or sell.

Category	We Collect	We Disclose	We Sell
A. Identifiers	Yes	Yes	No
Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
B. Categories of Personal Information in Cal. Civ. Code 1798.80(e)	Yes	Yes	No
Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
C. Characteristics of Protected Classifications under California or Federal Law	No	N/A	N/A
Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, medical condition, genetic information, marital status, military and veteran status.
D. Commercial Information	Yes	No	No
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
E. Biometric Information	No	N/A	N/A
Examples: Physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
F. Internet or Other Electronic Network Activity Information	No	N/A	N/A
Examples: Browsing history, search history, and information regarding a consumer's interaction with an internet website, application or advertisement.
G. Geolocation Data	No	N/A	N/A
Example: Precise physical location.
H. Sensory Information	No	N/A	N/A
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
I. Professional or employment-related information	Yes	No	No
Examples: Job application or resume information, past and current job history, and job performance information.
J. Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99)	No	N/A	N/A
Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.
K. Inferences Drawn from Personal Information	No	N/A	N/A
Examples: Consumer profiles reflecting a consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Use of Personal Information

Medici Bank International collects, uses, and discloses Personal Information pursuant to our Privacy Policy above, this includes Personal Information in accordance with the specific CCPA business and commercial purposes below:

1. Auditing related to a current interaction with you and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards.
2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
3. Debugging to identify and repair errors that impair existing intended functionality.
4. Short-term, transient use.
5. Contracting with service providers to perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
6. Undertaking internal research for technological development and demonstration.
7. Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
8. Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
9. For other purposes for which we provide specific notice at the time the information is collected.

Collection and Disclosure of Personal Information

The information that we collect will be from general sources including you, your use of our services, your devices, our affiliates, our vendors, and our service providers. If the information previously provided to you in our Privacy Policy changes it will be reflected on our website under the Privacy Policy section and can be accessed at any moment.

As explained in our Privacy Policy, we share your Personal Information with the following categories of CCPA third parties: 

1. Vendors and service providers, for providing products and services provided to you.
2. Third parties integrated into our services.
3. Third parties as required by law and similar disclosures.

Your California Privacy Rights

If you are a California resident, you may exercise the following rights. 

Right to Know and Access. You may submit a request for information regarding the: (1) categories of Personal Information collected or disclosed by us; (2) purposes for which categories of Personal Information are collected by us; (3) categories of sources from which we collect Personal Information; and (4) specific pieces of Personal Information we have collected about you during the past twelve months.

• Right to Delete. Subject to certain exceptions, you have the option to delete Personal Information about you that we have collected from you.
• Requests for access or deletion of Personal Information are subject to identity verification and pursuant to relevant CCPA requirements, limitations and regulations.
• Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations.

Submit Requests. To exercise your rights under the CCPA, you can also reach out to us at support@medici.bank.

Contact

If you have any questions regarding the MBI Privacy Policy, you may call our customer support number at 1-787-563-9290 Monday through Friday 9am to 5pm EST.

Please note: Our Privacy Policy is revised on an annual basis please see our website at www.medici.bank to see the most updated version of this policy.

“Compliance with the General Data Protection Regulation (“GDPR”) Policy”.

The MBI Privacy Policy intends to inform you about what Medici Bank International, LLC, (“MBI” or “The Bank”) a Puerto Rico registered and regulated International Financial Entity, does with your personal information. MBI respects your privacy and is committed to protecting your personal data therefore, it is important that you read this privacy notice together with any other  notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

The way we treat your personal information is regulated under the General Data Protection Regulation ((EU) 2016/679) or “GDPR”, which applies across the European Economic Area (“EEA”). This regulation also applies to companies outside of the EEA that provide their services to clients within the EEA.

We collect personal data about you when you access our website, open an account through online banking, and contact us. We collect this personal information from you either directly, or indirectly, such as through your browsing activity while on our website (see our Online Security Disclosure).

We may collect, use, store and transfer different kinds of personally identifying information about you which we have grouped together follows:

• Personally Identifiable Information: Where you fill in a contact form, which includes your name, your email address, and any personal data provided by you in your message to us. You may also correspond with us by email, phone and provide identifying information in that manner.
• Technical data, which includes your internet protocol (IP) address, your browser type and version, your time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Website. This data is collected through analytics providers, and by using cookies. More information about our use of cookies is available at: http://www.crownagentsbank.com/cookie-policy/
• Usage data, which includes information about how you use our website, products and services. We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. aggregated datamay be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may use aggregated data to calculate the percentage of users accessing a specific website feature. If we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. We do not collect any special categories of personal data about you through your use of the Website, nor do we collect any information about criminal convictions and offences.

HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following:

circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you or an entity represented by you. For example, we may use identity data for this purpose.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, we may use your identity, technical and usage data to deliver relevant content to you via the Website. We may use your technical and usage data to administer and protect our business and

Privacy Notice

This  Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

• Where we need to comply with a legal or regulatory obligation. Generally we do not rely on consent as a legal basis for processing your personal data.

COOKIES

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see http://www.crownagentsbank.com/cookie-policy/.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

PROVIDING INFORMATION TO THIRD PARTIES

We ensure that any third-party service providers we use are required to take appropriate security measures to protect your personal data in line with our policies and we only permit them to process your personal data for specified purposes and in accordance with our instructions. We will not share any of the information you provide to us with any third parties for marketing purposes.

TRANSFER OF YOUR PERSONAL DATA OUT OF THE EEA

We do not currently envisage that we will need to transfer any of your personal data to which this notice applies outside the EEA. If in the future we decide to transfer personal data covered by this notice to external third parties based outside the EEA, we will ensure that adequate safeguards are in place, as required under the GDPR.

DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

DATA SECURITY

We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

PROCESSING IN LINE WITH YOUR RIGHTS UNDER THE GDPR

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

Privacy Notice

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
• Request the transfer of your personal information to another party.

DATA PRIVACY MANAGEMENT

We have appointed an internal team to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact us in the first instance: email: dataprotection@crownagentsbank.com; telephone: +44 (0)20 3903 3000.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal

data, or request that we transfer a copy of your personal information to another party, please contact us in writing.