DATA MANAGEMENT POLICY

23rd October 2025

The operator of the Orquid App application and system, Orquid EU Zrt. (company registration

No. 01 10 142977; registered office: Bécsi út 25., Budapest, 1023; hereinafter referred to as the

"Data Controller" or "Service Provider") hereby informs the Users about the processing of

data in the Orquid App mobile application and web application (www.orquid.com) in

accordance with Regulation 2016/679 of the European Parliament and of the Council on the

General Data Protection Regulation (hereinafter referred to as the "GDPR").

Subject matter, scope of the privacy policy

Unless otherwise defined, terms and definitions in this Privacy Policy in capital letters shall have

the same meaning as defined in the Orquid App General Terms and Conditions of Use (hereinafter

referred to as the "Orquid App GTC").

The Data Controller may unilaterally change this Privacy Policy at any time. This Privacy Policy

is available in the App.

This Privacy Policy shall enter into force upon its publication.

Name and contact details of the controller

With regard to Orquid App, the Data Controller is Orquid EU Zrt. (Cg. 01 10 142977; registered

office: Bécsi út 25., Budapest, 1023.; e-mail address: info@orquid.com.

The Data Controller processes your personal data. You, as the natural person identified or

identifiable in relation to the processing, will be the data subject of the processing.

The Data Controller records that the data subjects of the processing are the persons who use the

Orquid App mobile application, register on these platforms, through which they use or access the

product or service of the Data Controller, and thereby access the content or function displayed by

the Data Controller on these platforms (hereinafter referred to as the "Service").

The Controller determines the purposes and means of the processing of personal data. Processing

means any operation or set of operations which is performed on personal data or on sets of

personal data, whether or not by automated means, such as collection, recording, organisation,

structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission,

dissemination or otherwise making available, alignment or combination, restriction, erasure or

destruction.

3. Legal basis for processing

3.1. In each case, the legal basis for processing by the Data Controller is one of the following:

a) the voluntary informed consent of the user to the processing of personal data pursuant to

Article 6(1)(a) of the GDPR (hereinafter: Consent);

b) according to Article 6(1)(b) of the GDPR, processing is necessary for the performance of

a contract to which the User as data subject is a party (hereinafter: Performance of the

contract);

1c) d) the processing is necessary for compliance with a legal obligation to which the controller

is subject (such as the fulfilment of an accounting or bookkeeping obligation - hereinafter

referred to as 'Compliance with a legal obligation'); or

processing is necessary for the purposes of the legitimate interests pursued by the controller

or a third party pursuant to Article 6(1)(f) of the GDPR (hereinafter: Legitimate Interest).

3.2. The legal basis for the processing of certain personal data processed in the App is set out in each

case separately by reference to the categories set out above.

4. Determining the scope of the personal data processed, the purpose and duration of the

processing

4.1. The data subject of the personal data processed by the Data Controller is always the registered

User of Orquid App, while the source of the processed data is the data subject (unless otherwise

specified in this notice.

4.2. Data management related to Orquid App account, registration

4.2.1. Scope of data processed:

a) Username;

b) Password;

c) Name (First name, Last name);

d) Address;

e) Citizenship;

f) Mother's maiden name;

g) Gender (Male/Female);

h) Date of birth (place and date of birth);

i) Phone number;

j) E-mail address;

k) Identity document (passport or ID card, driving licence);

l) Utility bills;

4.2.2. Purpose of processing:

a) identification of the User,

b) communication,

c) fulfil the rights and obligations of the Service Provider under the contract,

d) the processing of data necessary for the termination of the contract,

e) meeting the tax obligations of the Service Provider if they are related to the User,

f) fulfil the data reporting obligations of the Service Provider, if they are related to the User,

g) develop and offer personalised offers to the recipient and user of the Service.

4.2.3. Legal basis for processing:

a) in respect of the categories of data under 4.2.1 a) - h), the performance of the Contract or

Legitimate Interest

b) For the categories of data under 4.2.1. i) - l), the performance of the Contract or the Consent

of the data subject.

4.2.4. Demonstration of legitimate interest: in the case of data processing for claims and enforcement

purposes, the Service Provider will use the above-mentioned data of Users in order to settle

disputes arising from the contract with the User regarding the Orquid App system, for the purpose

of providing evidence in litigation, non-litigation or other official proceedings. These data are

processed by the Service Provider in order to enable the Service Provider to use them for the

purpose of evidence in the event of a dispute with the User in connection with the contract. The

2Service Provider may exercise this right within a limitation period. The processing is therefore

necessary to protect the rights and legitimate interests of the Service Provider. The purpose of the

data processing cannot be achieved otherwise.

4.2.5. The user may object to the processing based on the above legitimate interest by sending an email

to the Data Controller's customer service.

4.2.6. Duration of processing:

a) in the case of a legal basis under 4.2.3. a): the data will be retained for a general limitation

period of 5 years from the date of cancellation of the Orquid App registration, provided

that if civil, criminal, administrative or other official proceedings are initiated during this

period, the data will be retained until the final conclusion of such proceedings.

b) are managed until the Orquid App account is deleted.

4.3. Orquid App customer service data management

4.3.1. Scope of data processed:

a) Name (First name, Last name);

b) E-mail address;

c) Other personal data contained in a request to Customer Service

4.3.2. Purpose of processing:

a) identification of the User,

b) communication,

c) settling the issue,

d) Claims and enforcement

4.3.3. Legal basis for processing:

Legitimate Interest

4.3.4. Demonstration of legitimate interest: the processing of data in the context of the investigation,

handling and processing of the enquiry sent to the customer service is in the legitimate interest of

the Data Controller and also in the interest of the Partners, as the processing of these data is

necessary to enforce our consumer protection and civil rights and interests in connection with the

use of the services available in the App.

4.3.5. The user may object to the processing based on the above legitimate interest by sending an email

to the Data Controller's customer service.

4.3.6. Duration of processing:

request.

4.4. Data processing in connection with the Cashcard service

4.4.1. Register your DiPocket (prepaid) card on Orquid App

4.4.1.1. Scope of data processed:

a) Name on the card

b) Card number

c) Card expiry date

d) card CVV/CVC code

Within the general limitation period under civil law, i.e. 5 years from the date of sending the

34.4.1.2. Purpose of processing:

a) identification of the User,

b) Creation, definition, modification and performance of a contract

c) claims and enforcement, fraud prevention and management.

4.4.1.3. Legal basis for processing:

4.4.1.2. for objectives (a) to (b): performance of the contract

For purpose 4.4.1.2. c): Legitimate interest

4.4.1.4. Demonstration of legitimate interest: in the case of data processing for claims and enforcement

purposes, the Service Provider will use the above-mentioned data of Users in order to settle

disputes arising from the contract with the User regarding the Orquid App system, for the purpose

of providing evidence in litigation, non-litigation or other official proceedings. These data are

processed by the Service Provider in order to enable the Service Provider to use them for the

purpose of evidence in the event of a dispute with the Customer in connection with the contract.

The Service Provider may exercise this right within a limitation period. The processing is

therefore necessary to protect the rights and legitimate interests of the Service Provider. The

purpose of the processing cannot be achieved otherwise.

4.4.1.5. The user may object to the processing based on the above legitimate interest by sending an email

to the Data Controller's customer service.

4.4.1.6. Duration of processing:

Deletion of the card from Orquid App by the User, but no later than the termination of the Orquid

App registration.

4.4.2. Services to support payment transactions, to learn about payment history

4.4.2.1. In this context, the Service Provider shall be considered as the data processor of DiPocket UAB

and shall process the above data as a data processor, while the data controller shall be DiPocket

UAB.

4.4.2.2. Scope of data processed as a data processor:

a) User name

b) card balance

c) details of previous transactions

4.4.3. Services to support NFC payments

4.4.3.1. In this context, the Service Provider shall be considered as the data processor of DiPocket UAB

and shall process the above data as a data processor, while the data controller shall be DiPocket

UAB.

4.4.3.2. Scope of data processed as a data processor:

a) Name on the card

b) Card number

c) Card expiry date

d) Card CVV/CVC code

e) phone number

4.4.3.3. Without the above information, NFC payment and the necessary card authentication will not be

possible.

44.5. Processing for the purposes of electronic direct marketing enquiries

The Service Provider sends to the Users who have given their consent to the direct marketing method

electronic direct marketing messages containing news, news, promotions, advertisements, offers, etc.

related to Orquid App and related services and the services of the Partners, sweepstakes and other

marketing content by electronic communication, which may be an e-mail message sent to the User's e-

mail address, a message placed in the User's Orquid App account, an in-app message or push

notification, as well as any other similar electronic message sent over an online network.

In this context, the Service Provider carries out the following data processing:

4.5.1. Scope of data processed:

a) Name (First name, Last name);

b) E-mail address;

4.5.2. Purpose of processing:

Sending electronic direct marketing messages, such as newsletters and advertisements, in order

to generate business

4.5.3. Legal basis for processing:

Consent

4.5.4. Duration of processing:

Withdrawal the Consent, but at the latest deletion the Orquid App account.

4.6. Processing for the purpose of sending system messages by e-mail, in-app or push messages

The Service Provider will send system messages to Orquid App Users from time to time. A system

message is any message related to the operation of Orquid App, possible service outages,

maintenance, Orquid App features, changes to existing and new features, new features, the range

of services available through Orquid App and how to use them, the General Terms of Use, the

Privacy Policy or any modification thereof, the rights and obligations of the Users in relation to

Orquid App, the services used, including confirmation messages, certificates, notifications,

confirmations, electronic receipts, invoices sent for each service used. For the purposes of sending

the system message, the Service Provider will perform the following processing:

4.6.1. Scope of data processed:

a) Name (First name, Last name);

b) E-mail address;

4.6.2. Purpose of processing:

Sending a system message to fulfil the contract.

4.6.3. Legal basis for processing:

Contract performance.

4.6.4. Duration of processing:

For 5 years after the message is sent (until the expiry of the general civil limitation period).

55. Processing of data collected through Cookies

The Cookie Policy contains the relevant rules.

6. Your rights as a data subject

6.1. As a data subject, you have the following rights in relation to the personal and special categories

of personal data processed about you:

6.1.1. request access from the Data Controller to the personal data processed about you;

(The right of access provides you with the opportunity to receive feedback from the Data

Controller as to whether or not processing is taking place in relation to you and, if so, to have

access to your personal data and to request information from the Data Controller concerning the

processing.)

6.1.2. have the right to request the rectification or erasure of personal data and the restriction of the

processing of such data;

(The right of rectification and erasure ("right to be forgotten") gives you the possibility to request

the controller to rectify inaccurate or incomplete data or to request the erasure of your personal

data. If you request restriction of the processing of your personal data, the Controller may restrict

the processing in accordance with your request. If you contest the accuracy of your personal data,

the period of restriction shall be for the period of time necessary to allow the Controller to verify

the accuracy of those data. You may request the restriction of the use of your personal data if the

processing is unlawful but you object to its erasure. You may also make such a request where the

controller no longer needs your personal data for the purposes of the processing, but you require

the restriction of processing for the establishment, exercise or defence of legal claims.)

6.1.3. have the right to the portability of their data;

(In the context of the right to data portability, you have the right to receive the personal data

provided to the Data Controller in a structured, commonly used, machine-readable format and the

right to transmit these data to another data controller without the Data Controller's hindrance. If

technically feasible, you may also request that the Controller transfer your personal data directly

to another controller.)

6.1.4. has the right to withdraw its consent to the processing of all or part of the data at any time,

(You may withdraw your consent at any time, free of charge and free of charge, for any or all of

the purposes for which the data are processed. Please note that the withdrawal of your consent

does not affect the lawfulness of the processing carried out on the basis of your consent prior to

the withdrawal.)

6.1.5. have the right to object to the processing free of charge.

6.2. You, as the data subject, may exercise the rights set out in point 6.1 above in writing, by

post to the Data Controller at its registered office indicated in Chapter 2 of this notice or by

e-mail to its e-mail address.

7. Right to lodge a complaint, judicial redress, compensation for unlawful processing

If you become aware that your rights have been infringed during the processing of your data,

you have the following options:

6• You may contact the Data Controller directly by post or e-mail using the contact details

set out in Chapter 2. If you have any questions about data protection or if you wish to

exercise your rights, please contact our Data Privacy Officer at the following mailing

address:

Name: Miklós Suppan

Tel: +36706003493

Email: miklos.suppan@peakfs.io

Head office: 1021 Budapest, Hűvösvölgyi út 32.

You can lodge a complaint with the supervisory authority concerned:

Nemzeti Adatvédelmi és Információszabadság Hatóság

Address: 1055 Budapest, Falk Miksa u. 9-11

Postal address: 1363 Budapest, Pf.: 9.

Phone number: +36-1-391-1400

E-mail: : ugyfelszolgalat@naih.hu

You can take legal action against unlawful processing of your data and breaches of data security.

You may be entitled to damages and compensation for damages as provided by law.

8. Transfer of data to a third country

Please be informed that the Data Controller will transfer personal data processed about you to

third countries only if indicated in this Privacy Policy.

9. Information on data processing

9.1. We use data processors to process your personal data. A data processor is a legal person (in this

case a company) that processes personal data on behalf of the Data Controller. Processing is any

technical or other operation related to the processing activity.

9.2. The Data Controller uses the following data processors:

Microsoft Azure (cloud and hosting service provider)

Peak Card Services Limited (IT service provider)

9.3. The data processors used by the Data Controller process personal data only in accordance with

the instructions of the Data Controller and on the basis of the relevant data processing contract.

10. Information on data transfers

10.1. Some of the personal data provided during the use of the App will be transferred to DiPocket

UAB as a separate data controller, in addition to the above data processors, on the basis of a

contract concluded with it, if the User uses the Cashcard service:

➢ personal data provided as part of the KYC process, as identified in section 4.2.1

➢ details of the payment transaction initiated on the App interfaces:

o Transaction amount

o Recipient name

7o Recipient's account details

10.2. The above recipients of the transfer are considered as independent controllers in respect of the

data transferred to them.

11. Disclosure of data processing statements and the obligation to provide data

11.1. You may make your requests, statements, comments and any questions concerning the processing

of your personal data and the provisions of this notice by post to the Data Controller's registered

office indicated in point 2 or by e-mail to the Data Controller's e-mail address.

11.2. You are not obliged to consent to the processing.

11.3. You are under no legal or contractual obligation to provide your data, the provision of the data

and registration via Orquid App referred to in this Privacy Policy is necessary to enter into a

contract with the Data Controller as a service provider, i.e. to access and use the Service .

11.4. The Data Controller explicitly draws your attention to the fact that the processing of your personal

data is carried out directly for the purposes of the Service and to enable you to use and enjoy the

Service, you have the right to object at any time to the processing of your personal data for these

purposes, including profiling, where it is related to the Service. If you object to the processing of

your personal data for the purposes of the Service, your personal data may no longer be processed

for those purposes, but the Controller may no longer provide the Service to you.

Date: 23rd October 2025

Data Controller Name: Orquid EU Zrt.