Privacy Policy
LLC “FC Kredyt-Kapital”
Last updated: 5 June 2026
1. Who we are
This Privacy Policy sets out the principles for the processing of personal data by Limited Liability Company “Financial Company Kredyt-Kapital” (LLC “FC Kredyt-Kapital”, EDRPOU code 35234236).
Personal Data Controller:
LLC “FC Kredyt-Kapital”
EDRPOU: 35234236
Address: 1/28 Smal-Stotskoho Street, Lviv, 79018, Ukraine
Website: kredyt-kapital.com.ua
E-mail: info@kredyt-kapital.com.ua
Phone: 0 800 200 502
For matters related to personal data protection, you may contact us at:
E-mail: privacy@kredyt-kapital.com.ua
2. Who this Policy applies to
This Policy applies to:
- website users;
- clients and prospective clients of the Company;
- persons contacting the Company;
- contractors and representatives of contractors;
- job applicants;
- persons whose personal data are processed in connection with the Company’s financial activities, including debt management and debt servicing.
Additional notices on the processing of personal data may apply to certain categories of persons.
Detailed rules for the processing and protection of personal data are set out in the Regulation on the protection of personal data processed by LLC “FC Kredyt-Kapital” and in its published annexes.
A detailed description of the categories of personal data processed in the Company’s individual personal data databases is provided in Annex No. 4 to the Regulation on the protection of personal data.
The Company, as a financial institution, may acquire rights of claim under credit and other agreements from original creditors (assignment of claims, factoring). In such cases, personal data of the debtor, guarantor and related persons are obtained by the Company not from the personal data subject, but from the original creditor together with the claims portfolio. The Company informs the data subject about the acquisition of rights of claim and the processing of personal data within thirty business days from the date of data collection in accordance with part 2 of Article 12 of the Law of Ukraine “On Personal Data Protection”.
We do not collect personal data to an extent greater than necessary to achieve the specified purposes of processing and to comply with legal requirements.
3. What data we may process
Depending on the nature of your relationship with the Company, we may process:
- identification data;
- contact details;
- financial and transactional data;
- data provided through online forms;
- data contained in requests, correspondence and communication with the Company;
- technical data related to the use of the website.
Detailed information on the processing of personal data in connection with the provision of financial services, debt servicing and the exercise of rights and obligations arising from agreements is provided in the Regulation on the protection of personal data and in Annex No. 4 to that Regulation.
In cases provided for by legislation on consumer lending and the settlement of overdue debt, the Company records direct interactions with the consumer and other persons specified by law, including telephone conversations. Carriers of such recordings are retained for three years after the interaction.
4. Purposes of personal data processing
We process personal data for the following purposes and on the following legal grounds:
- provision of financial services (conclusion or performance of a contract; fulfilment of an obligation established by law);
- debt management and debt servicing (conclusion or performance of a contract, exercise of an acquired right of claim, fulfilment of an obligation established by law, protection of the legitimate interests of the Company or third parties);
- communication with clients, contractors and website users (conclusion or performance of a contract, fulfilment of an obligation established by law, protection of the legitimate interests of the Company and, where required by law, consent of the personal data subject);
- reviewing requests and inquiries (fulfilment of an obligation established by law, protection of the legitimate interests of the Company);
- compliance with legal requirements (fulfilment of an obligation established by law);
- prevention of fraud and other abuses (fulfilment of an obligation established by law, protection of the legitimate interests of the Company or third parties);
- ensuring information security and cybersecurity (fulfilment of an obligation established by law, protection of the legitimate interests of the Company);
- statistical analysis of website operation (protection of the legitimate interests of the Company and, where required by law, user consent);
- protection of the rights and legitimate interests of the Company (protection of the legitimate interests of the Company, fulfilment of an obligation established by law).
5. Legal grounds for personal data processing
Personal data are processed in accordance with the applicable laws of Ukraine, in particular the Law of Ukraine “On Personal Data Protection”.
Depending on the circumstances, the legal ground for processing may be:
- consent of the personal data subject;
- conclusion or performance of a contract;
- fulfilment of an obligation established by law;
- protection of the legitimate interests of the Company or third parties;
- protection of vital interests of an individual.
6. To whom we may disclose personal data
Personal data may be disclosed only to the extent necessary to achieve the specified purposes and in accordance with legal requirements.
Recipients of personal data may include:
- state authorities and regulators;
- courts and enforcement authorities;
- legal advisers and consultants;
- banks and financial institutions;
- providers of information technology and cybersecurity services;
- other persons providing services to the Company.
We do not sell personal data to third parties and do not disclose such data for marketing purposes without an appropriate legal basis.
The detailed procedure for granting access to personal data, including the rules for reviewing third-party requests and the grounds for refusal or deferral of access, is set out in Annex No. 3 to the Regulation on the protection of personal data.
7. Cookies and analytics technologies
Our website uses cookies and similar technologies for the following purposes:
- ensuring proper operation of the website;
- increasing the level of security;
- saving user settings and preferences;
- conducting statistical analysis;
- improving the quality of services.
We may use:
- necessary cookies;
- functional cookies;
- analytical cookies;
- other technologies necessary for the operation of the website.
The user may independently manage cookie settings through their browser.
Detailed information on the use of cookies may be published in a separate Cookie Policy.
8. How long we retain personal data
We retain personal data only for the period necessary to achieve the purposes for which they were collected, as well as for the periods established by law.
After the relevant periods expire, personal data are deleted or anonymised in a manner that prevents identification of the person.
Detailed rules for the retention, destruction, depersonalisation and possible restoration of personal data are set out in Chapter 5 of the Regulation on the protection of personal data.
9. Personal data security
We apply appropriate technical and organisational measures to protect personal data against:
- unauthorised access;
- data loss;
- data alteration;
- data destruction;
- unauthorised disclosure.
Security measures include, in particular, access control, encryption of data transmission, monitoring of information systems and procedures for responding to security incidents.
Detailed organisational principles for personal data protection are set out in the Regulation on the protection of personal data. Some documents concerning internal organisational and technical measures and access rights are not subject to publication for information security reasons.
10. Your rights
In accordance with the laws of Ukraine, you have the right to:
- obtain information about the processing of personal data;
- access your personal data;
- correct inaccurate or incomplete personal data;
- delete personal data in cases provided for by law;
- restrict the processing of personal data;
- withdraw consent, where processing is based on consent;
- object to the processing of personal data;
- lodge a complaint with the competent authority.
To exercise your rights, you may contact us using the contact details specified in this Policy.
A detailed description of the procedure for exercising personal data subjects’ rights, including the time limits for responding to requests and the procedure for considering reasoned requests for modification or destruction of data, is provided in Annex No. 3 to the Regulation on the protection of personal data.
In the event of any discrepancy between this Policy and the Regulation, the Regulation shall apply.
The detailed procedure for the processing and protection of personal data, including procedures for exercising the rights of personal data subjects, time limits for reviewing requests and reasoned demands, and the procedure for destruction and restoration of data, is set out in the Regulation on the protection of personal data processed by LLC “FC Kredyt-Kapital”, available in the legal documents section on this website.
11. Additional information on personal data protection
For certain categories of persons, the Company may publish additional notices on the processing of personal data, in particular for:
- job applicants;
- employees and associates;
- contractors and representatives of contractors;
- users of contact forms;
- persons whose personal data are processed in connection with debt acquisition and debt servicing.
Such documents supplement this Policy.
12. Supervisory authority
If you believe that the processing of personal data violates the requirements of Ukrainian law, you have the right to lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman).
Additional information is available at:
www.ombudsman.gov.ua
13. Amendments to the Policy
The Company may periodically update this Policy to align it with changes in legislation, technology or organisational arrangements.
The current version of the Policy is always available on the Company’s website.
The date of the last update is indicated at the beginning of the document.
14. Final provisions
Matters not regulated by this Policy shall be governed by the laws of Ukraine, in particular in the field of personal data protection, financial services, information security and protection of the rights of consumers of financial services.
In the event of any discrepancy between language versions of this document, the Ukrainian version shall prevail.
Annex No. 1
to the Regulation “On the protection
of personal data processed by
LLC “FC “Kredyt-Kapital”
in the edition dated 05 June 2026
Powers of the person and/or structural unit responsible for organising work related to the protection of personal data during processing
1. The person/structural unit responsible for organising work related to the protection of personal data during processing is appointed and approved by Order of the General Director.
2. The responsible person/structural unit, for the purpose of ensuring the Company’s compliance with the requirements of applicable legislation, ensures:
2.1. familiarisation of employees of the owner and/or processor of the personal data database with the requirements of personal data protection legislation, in particular with their obligation not to disclose in any way personal data entrusted to them or learned by them in connection with the performance of professional, service or employment duties;
2.2. organisation of personal data processing by employees of the owner and processor of the personal data database in accordance with their professional, service or employment duties, to the extent necessary for the performance of such duties;
2.3. organisation of work on handling requests for access to personal data from participants in relations related to personal data processing;
2.4. access of personal data subjects to their own personal data;
2.5. informing and advising the head of the owner and processor of the personal data database on measures that need to be taken to bring the composition of personal data and procedures for their processing into compliance with the law;
2.6. informing and advising the head of the owner and processor of the personal data database on breaches of established personal data processing procedures;
2.7. implementation of the rights of personal data subjects;
2.8. use of access to any data processed by the owner/processor and to all premises of the owner/processor where such processing is carried out;
2.9. in the event of detection of breaches of personal data protection legislation and/or the Regulation on personal data protection, notification of the head of the owner/processor for the purpose of taking necessary measures;
2.10. analysis of threats to the security of personal data;
2.11. cooperation with the Commissioner of the Verkhovna Rada of Ukraine for Human Rights and designated officials of the Commissioner’s Secretariat on matters of preventing and eliminating violations of personal data protection legislation.
3. The requirements of the responsible person/structural unit concerning measures to ensure the security of personal data processing are mandatory for all employees who process personal data.
Annex No. 2
to the Regulation “On the protection
of personal data processed by
LLC “FC “Kredyt-Kapital”
in the edition dated 05 June 2026
1. Procedure for organising the protection of personal data (PD) of natural persons in the Company’s personal data databases (PDD)
1.1. The protection of PD of natural persons against unlawful use and loss is ensured by the Company.
1.2. The Company ensures that premises where personal data of natural persons are stored or processed are equipped with system and software-technical means and communication facilities that prevent loss, theft, unauthorised destruction, distortion, falsification and copying of information.
1.3. The Company ensures the preservation of data archives received from its clients.
1.4. Technical information protection means comply with the legislation of Ukraine.
1.5. Persons responsible for the general organisation of protection and processing of personal data of natural persons whose data are contained in the Company’s PDD are appointed and approved by Order of the General Director of the Company.
1.6. The following are subject to protection:
- information on personal data of a natural person;
- documents (in paper form and in the form of card files) containing personal data about a natural person;
- personal data stored on electronic media.
1.7. Throughout the entire retention period, personal data may be depersonalised or destroyed in the manner defined by this Regulation, the law, by order of the General Director or upon a reasoned request of the personal data subject (PDS).
1.8. After expiry of the retention period, personal data may be depersonalised in information systems and/or destroyed on paper media.
1.9. The Company has established the following levels of access to personal data:
- Level I access. Grants an authorised employee/person the right to access those personal data that are necessary for the performance of assigned duties.
- Level II access. Grants an authorised employee/person access to their own personal data.
For each access level, the PDD to which the authorised employee has access for the performance of assigned duties is specified and designated with the following letters:
“P” - PDD “Employees of the Company”
“S” - PDD “Consumers”
“K” - PDD “Counterparties”
1.10. Employees on maternity/parental leave are automatically assigned Level II access to personal data, regardless of whether they had a higher level of access before such leave.
2. Procedure for processing personal data in paper form (card files):
2.1. Personal data stored in paper form and/or in the form of card files are kept in premises (cabinets, safes) protected from unauthorised access.
2.2. Doors to premises (cabinets, safes) must be equipped with a lock or access control.
2.3. Access to such premises and/or to such card-file cabinets/safes is permitted to certain employees of the Company holding positions that require such access.
3. Actions of Company employees in the event of an abnormal situation.
3.1. If an employee detects unauthorised access to personal data, damage to technical equipment, or other abnormal or emergency situations, the employee must immediately notify:
- the head of the structural unit;
- the IT Department service (if unauthorised access occurred through interference with computer equipment and information/automated systems);
- the unit responsible for the Company’s internal security.
3.2. The head of the unit responsible for the Company’s internal security and the head of the IT Department report the situation to the General Director and, in coordination with the General Director of the Company, develop a plan of further actions, which may include, in particular, the following decisions:
- notifying law enforcement authorities of the situation that occurred in the Company;
- emergency disconnection of the Company’s servers from the Internet;
- conducting an internal investigation to identify the causes of the abnormal situation and hold responsible persons liable;
- restricting access to the Company’s premises;
- taking other decisions aimed at remedying the situation or minimising the damage caused by the abnormal situation.
Annex No. 3
to the Regulation “On the protection
of personal data processed by
LLC “FC “Kredyt-Kapital”
in the edition dated 05 June 2026
Rights of personal data subjects. Time limits for responding to requests from PDS and third parties
1. Rights of the personal data subject:
1.1. A personal data subject has the right to obtain any information about themselves from any participant in relations related to personal data, without specifying the purpose of the request, except in cases established by law, in particular:
- to know the sources of collection, location of their personal data, purpose of their processing, location or place of residence (stay) of the owner or processor of personal data, or to issue an appropriate instruction to authorised persons to obtain this information, except in cases established by law;
- to receive information on the conditions for granting access to PD, including information on third parties to whom their PD contained in the relevant PDD are transferred;
- to access their personal data contained in the relevant PDD;
- to receive, no later than thirty calendar days from receipt of the request, except in cases provided by law, a response as to whether their personal data are processed, and to receive the content of such personal data;
- to submit to the owner of personal data a reasoned request objecting to the processing of their personal data;
- to submit a reasoned request for modification or destruction of their personal data to any owner and processor of personal data if such data are processed unlawfully or are inaccurate;
- to exercise other rights granted to them under the Law of Ukraine “On Personal Data Protection” and applicable Ukrainian legislation.
1.2. Access of the PDS to their personal data is free of charge.
1.3. The PDS submits a request for access (hereinafter the “request”) to personal data to the owner of the PDD. The request must state:
- surname, first name and patronymic, place of residence (place of stay) and details of the document identifying the personal data subject;
- other information enabling identification of the personal data subject.
1.4. The request is satisfied within 30 calendar days from the date of its receipt, unless otherwise provided by law.
1.5. If the Personal Data Subject believes that the processing of personal data violates the requirements of Ukrainian legislation, they have the right to file a complaint with the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (Ombudsman). Additional information is available at: www.ombudsman.gov.ua
2. Procedure for considering a reasoned request of the PDS for modification or destruction of PD.
2.1. If the PDS submits to the Company, as Owner of the PDD, a reasoned request for modification or destruction of their PD on the grounds that such data are processed unlawfully or are inaccurate, authorised employees of the Owner who, according to their assigned job duties, are authorised to respond to requests (demands) of the PDS must:
- within five business days from receipt of the request, verify the disputed information. During verification, the PD of such subject should be marked accordingly;
- leave the subject’s PD unchanged and remove the mark from the PD if the information indicated by the PDS is not confirmed, and inform the personal data subject accordingly;
- make the relevant changes to the information contained in the subject’s PD if the disputed information is changed, and inform the personal data subject accordingly;
- destroy the personal data of the PDS if the reasoned request of the PDS for destruction of PD is satisfied, and inform the personal data subject accordingly.
2.2. The authorised employee is obliged, within 10 days, to notify the PDS and the participants in relations related to personal data to whom such data were transferred, of the change to the disputed information or of the information removed from the PD of that subject.
Changes to PD may be made upon request of other participants in relations related to PD if the PDS has consented to this or the relevant change is made pursuant to an instruction of the Commissioner or designated officials of the Commissioner’s Secretariat, or pursuant to a final court decision.
2.3. If a reasoned request for modification or destruction of their PD (where such data are processed unlawfully or are inaccurate) is submitted by the PDS to the Company as processor of the PDD, the Company informs the PDS of the contact information of the PDD owner and performs other actions provided for by the Personal Data Processing Agreement.
2.4. The personal data subject has the right to withdraw consent to the processing of personal data without stating reasons, if the sole basis for processing is the consent of the personal data subject. From the moment consent is withdrawn, the owner is obliged to cease processing the personal data.
3. Conditions for disclosure (dissemination/transfer) of information about personal data to third parties
3.1. The procedure for third-party access to personal data is determined by the terms of the PDS consent granted to the PDD owner for processing such data, or in accordance with legal requirements.
3.2. Access to PD is not granted to a third party if that party refuses to assume an obligation to ensure compliance with the Law of Ukraine “On Personal Data Protection” and this Regulation, or is unable to ensure such compliance.
3.3. A participant in relations related to PD submits a request for access (hereinafter the “request”) to PD to the PDD owner. The request must state:
- surname, first name and patronymic, place of residence (place of stay) and details of the document identifying the natural person submitting the request (for a natural person applicant);
- name and location of the legal entity submitting the request, position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity applicant);
- surname, first name and patronymic, as well as other information enabling identification of the natural person in respect of whom the request is made;
- information about the personal data database to which the request relates, or information about the owner or processor of that database;
- list of requested personal data;
- purpose and/or legal grounds of the request.
3.4. The period for examining a request for the purpose of determining whether it may be satisfied may not exceed 10 business days from the date of its receipt. Within this period, the owner of the personal data database informs the requester that the request will be satisfied or that satisfaction of the request is refused, stating the grounds for refusal.
3.5. The request is satisfied within 30 calendar days from the date of its receipt, unless otherwise provided by law.
3.6. Deferral of third-party access to PD is permitted if the necessary data cannot be provided within 30 calendar days from receipt of the request. The total period for resolving the matters raised in the request may not exceed 45 calendar days.
3.7. Notice of deferral is communicated in writing to the third party that submitted the request, with an explanation of the procedure for appealing such decision.
3.8. The notice of deferral states:
- surname, first name and patronymic of the official;
- date of sending the notice;
- reason for deferral;
- period within which the request will be satisfied.
3.9. Refusal of access to PD is permitted if access to such data is prohibited by law.
3.10. The refusal notice states:
- surname, first name and patronymic of the official refusing access;
- date of sending the notice;
- reason for refusal.
4. Specific rules for disclosure (dissemination/transfer) of information relating to personal data
4.1. Provision of documents containing PD to the personal data subject and/or representative of a natural person (including an advocate) is carried out in accordance with applicable Ukrainian legislation and this Regulation. Information about a natural person whose data are contained in a PDD is provided upon availability of one or more of the following documents:
4.1.1. If the request for information is submitted personally by the PDS, information is provided upon presentation of a document identifying the PDS.
4.1.2. If the application (request) is sent by post, the person’s signature on such application must be notarised. In cases provided for by applicable legislation, the person’s signature on the application may also be certified by an official of a local self-government body, the head of a penal institution, or an official of the organisation where the PDS works.
4.1.3. If the application (request) is submitted personally by the PDS representative, information is provided upon presentation by the representative of an identity document, a power of attorney certified in accordance with clause 4.1.2 of this subclause (a notarised copy is permitted), or a duly certified copy of the agreement concluded between the advocate and the PDS, which grants the right to request and obtain information about the natural person on their behalf.
4.1.4. If the application is submitted by the PDS representative by postal means, information is provided upon availability of the documents specified in clause 4.1.2 of this subclause.
4.2. The employee who personally receives from the PDS or their representative copies of the documents specified in clause 4.1 of the Regulation certifies them with their signature, indicating position, full name, date and time of receipt.
4.3. The person authorised to personally receive from an employee of the Company information constituting PD of a natural person confirms receipt of the information by placing on one copy of the covering document the note “Documents received personally, full name, signature, date and time of delivery, and undertaking”. This copy remains and is stored at the Enterprise.
4.4. Documents and powers of attorney are stored for 5 years.
4.5. Provision of personal data of natural persons to employees of state authorities is carried out in accordance with applicable Ukrainian legislation and this Regulation.
4.6. Access to PD and copies of documents is not granted if the person attempting to obtain them refuses to assume an obligation to ensure compliance with the requirements of the Law “On Personal Data Protection” or is unable to ensure such compliance.
Annex No. 4
to the Regulation “On the protection
of personal data processed by
LLC “FC “Kredyt-Kapital”
in the edition dated 05 June 2026
Information on the Company’s personal data databases
1. The Company processes personal data of natural persons in the following personal data databases:
1.1. PDD “Employees of the Company”.
1.2. PDD “Counterparties”.
1.3. PDD “Consumers”.
2. Information on the personal data database “Employees of the Company”
2.1. Purpose of personal data processing in the PDD “Employees of the Company”:
“In connection with the need to properly comply with applicable regulatory legal acts, including but not limited to the Labour Code of Ukraine, the Tax Code of Ukraine and the Company’s Charter, the purpose of personal data processing is: to ensure the implementation of employment relations, administrative and legal relations, tax relations, accounting relations, human resources management relations, in particular personnel potential management.”
2.2. Categories of personal data processing in the PDD “Employees of the Company”:
“In accordance with Articles 6 and 7 of the Law of Ukraine “On Personal Data Protection”, the categories processed in the personal data database “Employees of the Company” are the following personal data of natural persons: surname, first name and patronymic, passport data (series, number, issuing authority and date of issue), identification number, sex, citizenship, date of birth, home and work telephone number, profession, registered address and actual residential address, social insurance certificate number, place of birth, data concerning military registration (status, specialty, fitness, registration group, rank, registration category, special registration, corps, military commissariat), disability, MSEC certificate number, education data (type, specialty, foreign language and level of proficiency), photograph, birth data, marital status, employment activity (data on experience and length of service, employment record book data), family members, their dates of birth and surname, first name and patronymic, and other data necessary for the proper performance of employment duties.”
2.3. Form of personal data processing:
Personal data are processed in mixed form (paper and electronic).
2.4. Grounds for personal data processing:
- consent of the personal data subject to the processing of their personal data;
- permission to process personal data granted to the owner of personal data in accordance with the law exclusively for the exercise of the owner’s powers;
- necessity to fulfil an obligation of the owner of personal data provided for by law;
- conclusion and performance of a legal transaction to which the personal data subject is a party, or which is concluded for the benefit of the personal data subject, or taking steps prior to entering into a legal transaction at the request of the personal data subject.
2.5. Location of the PDD “Employees of the Company”:
- 79018, Lviv, 1 Smal-Stotskoho Street, building 28.
3. Information on the personal data database “Counterparties”
3.1. Purpose of personal data processing in the PDD “Counterparties”:
“In connection with the need to properly comply with applicable regulatory legal acts, including but not limited to the Civil Code of Ukraine, the Tax Code of Ukraine, the Commercial Code of Ukraine and the Company’s Charter, the purpose of personal data processing is: to ensure the implementation of administrative and legal relations, tax relations, accounting relations, as well as relations arising from legal transactions.”
3.2. Categories of personal data processing in the PDD “Counterparties”:
“In accordance with Articles 6 and 7 of the Law of Ukraine “On Personal Data Protection”, the categories processed in the personal data database “Counterparties” are the following personal data of natural persons: surname, first name and patronymic, passport data (series, number, issuing authority and date of issue), identification number, sex, citizenship, date of birth, home and work telephone number, profession, registered address and actual residential address, bank details (including current account number and the name of the bank servicing such account), data from the state registration certificate of an individual entrepreneur, data on the tax system of the individual entrepreneur, data on the place of activity of the individual entrepreneur, etc.”
3.3. Form of personal data processing:
Personal data are processed in mixed form (paper and electronic).
3.4. Grounds for personal data processing:
- consent of the personal data subject to the processing of their personal data;
- permission to process personal data granted to the owner of personal data in accordance with the law exclusively for the exercise of the owner’s powers;
- conclusion and performance of a legal transaction to which the personal data subject is a party, or which is concluded for the benefit of the personal data subject, or taking steps prior to entering into a legal transaction at the request of the personal data subject;
- necessity to fulfil an obligation of the owner of personal data provided for by law;
- necessity to protect the legitimate interests of the owner of personal data or a third party to whom personal data are transferred, except where the need to protect the fundamental rights and freedoms of the personal data subject in connection with the processing of their data overrides such interests.
3.5. Location of the PDD “Counterparties”:
- 79018, Lviv, 1 Smal-Stotskoho Street, building 28.
4. Information on the personal data database “Consumers”
4.1. Purpose of personal data processing in the PDD “Consumers”:
“to ensure the implementation of administrative and legal relations, tax relations, accounting relations, relations arising from legal transactions, including performance of a legal transaction to which the personal data subject or the PDD owner is a party, compliance with a legal obligation binding on the PDD owner or the PD subject, and for the legitimate interests pursued by the owner.”
4.2. Categories of personal data processed in the PDD “Consumers”:
“personal data of natural persons of a general nature; data of natural persons: identification and passport data (surname, first name, patronymic, passport series and number, issuing authority and date of issue, identification number, sex, citizenship, date of birth, etc.), contact telephone numbers (mobile, home, telephone number to which the debt is attributed, etc.), professional data (place of work, position, name and address of the enterprise, etc.), address (registered address and actual address of residence/location, etc.), personal information (age, sex, marital status, etc.), financial information (bank details, payment details: account, EDRPOU code, MFO, recipient bank, number(s) of legal transaction(s), content and type of legal transaction, type of credit, purpose of credit, payment delay period, amount of credit granted and monthly payment amount, amount and date of last payment, identification data of the guarantor, information on collateral property, amount and composition of debt as of a specific date, etc.), audio recordings of telephone conversations, electronic identification data (email, etc.), legal documents (court decisions, enforcement writs, notarial enforcement endorsement, statement of claim, etc.), data from the state registration certificate of an individual entrepreneur, data on the tax system of the individual entrepreneur, data on the place of activity of the individual entrepreneur, information about website visitors (technical data, cookies), job applicants, etc.”
4.3. Form of personal data processing:
Personal data are processed in mixed form (paper and electronic).
4.4. Grounds for personal data processing:
- consent of the personal data subject to the processing of their personal data;
- permission to process personal data granted to the owner of personal data in accordance with the law exclusively for the exercise of the owner’s powers;
- conclusion and performance of a legal transaction to which the personal data subject is a party, or which is concluded for the benefit of the personal data subject, or taking steps prior to entering into a legal transaction at the request of the personal data subject;
- necessity to fulfil an obligation of the owner of personal data provided for by law;
- necessity to protect the legitimate interests of the owner of personal data or a third party to whom personal data are transferred, except where the need to protect the fundamental rights and freedoms of the personal data subject in connection with the processing of their data overrides such interests.
4.5. Location of the PDD “Consumers”:
- 79018, Lviv, 1 Smal-Stotskoho Street, building 28.
APPROVED
by Order of the General Director
LLC “FC “Kredyt-Kapital”
No. 1-05/06/2026 dated 05 June 2026
______________________ M.R. Khrobak
REGULATION
on the protection of personal data processed by
Limited Liability Company “Financial Company “Kredyt-Kapital”
(new edition)
LVIV - 2026
TABLE OF CONTENTS:
1. Definitions and scope of application of the Regulation
2. General provisions
3. Composition of personal data. Personal data databases of the Company
4. General requirements for personal data processing
4.1. Processing of personal data of natural persons
4.2. Requirements for employees processing personal data of natural persons
5. Destruction of personal data
6. Liability for disclosure of confidential information related to personal data
Annexes:
Annex No. 1 “Powers of the person and/or structural unit responsible for organising work related to the protection of personal data during processing”
Annex No. 2 “Procedure for organising the protection of personal data of natural persons in the Company’s PDD”
Annex No. 3 “Rights of personal data subjects. Time limits for responding to requests from PDS and third parties”
Annex No. 4 “Information on the Company’s personal data databases”
Annex No. 5 “Organisational and technical measures for the protection of personal data during their processing within an information (automated) system”
Annex No. 6 List of positions according to the granted level of access to personal data processed by LLC “FC “Kredyt-Kapital”
Annexes 5 and 6, which contain internal organisational and technical security measures and the access rights matrix, are internal documents of the Company and are not subject to publication for information security reasons.
1. Definitions and scope of application of the Regulation:
1.1. The following terms and definitions are used in this Regulation:
Personal data database (abbreviated as PDD) means a named set of organised personal data in electronic form and/or in the form of personal data card files;
Owner of a personal data database means a natural or legal person that determines the purpose of personal data processing, establishes the composition of such data and the procedures for their processing, unless otherwise provided by law;
Depersonalisation of personal data means the removal of information that makes it possible to directly or indirectly identify a person;
Processing of personal data means any action or set of actions, such as collection, registration, accumulation, storage, adaptation, modification, renewal, use and dissemination (distribution, sale, transfer), depersonalisation and destruction of personal data, including through the use of information (automated) systems;
Card file means any structured personal data accessible according to specific criteria, regardless of whether such data are centralised, decentralised or divided on functional or geographical principles;
Personal data (abbreviated as PD) means information or a set of information about a natural person who is identified or may be specifically identified;
Recipient means a natural or legal person to whom personal data are provided, including a third party;
Processor of personal data means a natural or legal person that has been granted the right, by the owner of personal data or by law, to process such data on behalf of the owner;
Personal data subject (abbreviated as PDS) means a natural person whose personal data are processed;
Collection of personal data is an element of the PD processing process involving actions to select or arrange information about a natural person and enter it into a PDD.
Protection of personal data of a natural person means a set of measures (organisational and administrative, technical, legal) aimed at preventing unlawful or accidental access to such data, their destruction, distortion, blocking, copying or dissemination of personal data of subjects, as well as other unlawful actions.
Third party means any person other than the personal data subject, the owner or processor of personal data and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights, to whom personal data are transferred by the owner or processor;
Company/Enterprise means Limited Liability Company “Financial Company “Kredyt-Kapital”;
Person responsible for organising work with personal data means a designated person who organises work related to the protection of personal data during processing, in accordance with the law;
Special categories of data means personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, criminal conviction, as well as data concerning health, sex life, biometric or genetic data.
Local regulatory act means an act (order, instruction, regulation, charter, internal rules, etc.) effective only within the Company.
Authorised employee/person means an employee of the Company who processes personal data of natural persons for the purpose of performing assigned job duties.
Authorised structural unit means a structural unit of the Company that processes personal data of natural persons for the purpose of performing current tasks.
Authentication means the procedure for establishing that the identifier presented by an employee of the owner or processor of a personal data database belongs to that employee.
Authorisation means the procedure for obtaining permission to perform personal data processing actions in a personal data database within an information (automated) system.
Identification means the procedure for recognising a user in the system, usually by means of a predetermined name (identifier) or other information about the user perceived by the information (automated) system.
2. General provisions
2.1. This Regulation has been developed on the basis of:
- the Constitution of Ukraine;
- the Law of Ukraine “On Personal Data Protection”;
- the Civil Code of Ukraine;
- the Tax Code of Ukraine;
- the Law of Ukraine “On Financial Services and Financial Companies”;
- other regulatory legal acts in force in the territory of Ukraine.
2.2. This Regulation determines the procedure for collection, registration, accumulation, storage, adaptation, modification, renewal, use and dissemination (distribution, sale, transfer), depersonalisation and destruction of personal data, including through the use of information (automated) systems, which are processed at the Enterprise in accordance with the purposes specified in local regulatory acts.
2.3. Personal data of natural persons constitute information with restricted access.
2.4. Legal and natural persons that process personal data of natural persons within the scope of their powers shall be liable for breach of the regime for the protection, processing and use of information about a natural person/persons in accordance with the applicable legislation of Ukraine.
2.5. Amendments to the Regulation on personal data protection are introduced on the basis of an Order of the General Director. All employees of the Company who process personal data of natural persons must be familiarised with this Regulation and any amendments to it. Employees may be familiarised with this Regulation by sending a copy to the employee’s email address.
2.6. Heads of units/departments/divisions of the Company, with the approval of the General Director and for the purpose of additional protection of personal data of natural persons, may approve technological process cards that are mandatory within the subordinate department/unit/division. Such cards may supplement the measures and procedure for the protection of personal data approved by this Regulation. They may not amend or contradict this Regulation.
2.7. Personal data of natural persons may be processed by the Company in written form (in the form of card files) and/or in electronic form.
2.8. The names, processors, purposes and categories of processing of personal data of natural persons in personal data databases may be approved in Annex No. 4 to this Regulation. The list of PDD Processors is not exhaustive and may be amended on the basis of legal transactions entered into by the Company.
2.9. This Regulation is mandatory for responsible persons and employees of the Company who directly process and/or have access to personal data of natural persons in connection with the performance of their professional or employment (service) duties.
2.10. The Company has the right to systematically update information about PDS contained in the Company’s PDD, provided that such information has been obtained in accordance with the applicable legislation of Ukraine and from lawful sources. Heads of the relevant structural units of the Company are responsible for maintaining the accuracy and reliability of personal data of natural persons.
2.11. The Company informs the personal data subject about the composition and content of the collected personal data, the subject’s rights under the law, the purpose of collecting personal data and the third parties to whom the subject’s personal data are transferred:
- at the time of collecting personal data, if the personal data are collected from the personal data subject;
- in other cases, within thirty business days from the date of collecting the personal data.
The notification may be made in electronic or written form. Evidence of notification of personal data subjects is retained throughout the entire processing period.
2.12. Concise information for personal data subjects is provided through the Privacy Policy published on the Company’s website.
3. Composition of personal data. Personal data databases of the Company
3.1. Personal data of a natural person include, in particular:
- identification and passport data (full name, passport data, identification number, etc.);
- contact details (address, phone number, etc.);
- professional data (place of work, position, etc.);
- financial information (bank details, content and type of legal transaction, etc.);
- electronic identification data (email, etc.);
- legal documents (court decisions, enforcement writs);
- personal information (age, sex, marital status, etc.).
3.2. The list of categories of personal data of natural persons whose data are processed in the Company’s PDD is approved in Annex No. 4 to this Regulation.
3.3. Documents containing the above data constitute information with restricted access; however, given their mass nature and their clearly defined processing and storage locations, the relevant restricted access marking is not placed on such documents.
4. General requirements for personal data processing
4.1. Processing (use) of personal data of natural persons.
4.1.1. In order to ensure human and civil rights and freedoms, as well as compliance with the applicable legislation of Ukraine, employees who process personal data of natural persons in the performance of their professional or employment (service) duties must strictly comply with the requirements set out in this Regulation.
4.1.2. The Company may entrust the processing of PD of natural persons to a PDD Processor only on the basis of a written agreement. Depending on the contractual relationship with the counterparty, legal transactions may contain clauses (sections) on non-disclosure of confidential information and personal data protection.
4.1.3. In accordance with the Law of Ukraine “On Personal Data Protection”, PD are processed by the Company for specific and lawful purposes determined by the consent of the personal data subject or in cases provided for by the laws of Ukraine, in the manner prescribed by legislation.
4.1.4. The use of PD by employees of the Company whose work is related to PD must be carried out only in accordance with their professional or employment (service) duties. Employees must prevent disclosure of PD of natural persons entrusted to them or learned by them in connection with the performance of their professional or employment (service) duties. This obligation remains in force after termination of activities related to PD, except in cases established by law.
4.1.5. Access to PD is not granted to an employee/employees or third party/parties if such person(s) refuse to assume an obligation to ensure compliance with this Regulation and the Law of Ukraine “On Personal Data Protection”, or are unable to ensure such compliance.
4.1.6. Owners or Processors of PDD are obliged to make changes to PD on the basis of a reasoned written request of the PDS. The decision to satisfy a request for changes is made by the head of the relevant structural unit authorised to process PD in a specific PDD. The procedure for making changes is defined in the Annexes to this Regulation.
Note: changes to personal data may be made upon request of other participants in relations related to personal data, if the personal data subject has consented to this or the relevant change is made pursuant to a final court decision.
4.1.7. Employees of the Company who have access to PD of natural persons have the right to obtain only those PD that are necessary for the performance of specific professional or employment (service) functions (duties). Such employees provide a written undertaking not to disclose personal data entrusted to them or learned by them in connection with the performance of professional, service or employment duties.
4.1.8. Admission of other employees to PD of natural persons without duly authorised access is prohibited.
4.1.9. The processing of personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, criminal conviction, as well as data concerning health, sex life, biometric or genetic data (special categories of data) is prohibited, except where the circumstances provided for in parts 1 and 2 of Article 7 of the Law of Ukraine “On Personal Data Protection” exist.
4.1.10. The Company, as the owner of personal data databases, keeps records of:
- facts of granting and revoking employees’ right of access to personal data and their processing;
- attempts and facts of unauthorised and/or unlawful actions involving personal data processing;
- the date, time and source of collection of the subject’s personal data;
- changes to personal data;
- viewing of personal data;
- any transfer (copying) of the subject’s personal data;
- the date and time of deletion or destruction of personal data;
- the employee who performed any of the specified operations;
- the purpose and grounds for modification, viewing, transfer and deletion or destruction of personal data.
4.2. Requirements for employees processing PD of natural persons.
4.2.1. Access to PD of natural persons is granted to employees of the Company who:
- have been familiarised with the “Regulation on personal data protection” and other local regulatory acts of the Company governing the procedure for processing and protecting personal data at the Enterprise;
- have provided a written undertaking to maintain the confidentiality of PD of natural persons and comply with the rules for their processing.
Note: the Human Resources Management Department is responsible for obtaining such undertakings.
4.2.2. An employee of the Company who has access to PD in connection with the performance of job duties must:
- ensure appropriate protection of information containing PD of a natural person from third parties;
- comply with the “clean desk policy”. When an employee is absent from the workplace, no documents containing PD of natural persons whose data are contained in the registered PDD of the Company may be left there;
- prevent loss of personal data or their unlawful use.
4.2.3. An employee of the Company who has access to PD in connection with the performance of job duties must immediately notify the Responsible Person and the direct head of the unit/division of:
- loss or destruction of information carriers containing personal data;
- loss of keys to premises, safes or cabinets where personal data are stored;
- cases where identification data for access to the automated personal data processing system have become known to unauthorised persons;
- detection of an attempted unauthorised access to personal data.
4.2.4. When going on leave, a business trip or in other cases of prolonged absence from the workplace, the employee is obliged to transfer documents and other carriers containing personal data of natural persons to the employee who, by a local act of the Company (order, instruction, etc.), will be entrusted with performing the absent employee’s duties. Measures are taken to prevent such person’s access to personal data.
Note: if such person has not been appointed, documents and other carriers containing personal data of employees are transferred to another employee who has access to employees’ personal data upon instruction of the head of the structural unit, or are stored in premises, cabinets or safes protected from unauthorised access. In the event of dismissal of an employee who had access to personal data, or transfer to another position not involving work with personal data of subjects, measures are taken to prevent such person’s access to personal data, and documents and other carriers containing personal data of subjects are transferred to another employee.
4.2.5. Persons working with personal data must undergo annual training on the procedure for applying and complying with the Law of Ukraine “On Personal Data Protection” and other regulatory legal acts in the field of personal data protection in the performance of their job duties. Training is conducted by heads of structural units every November of the reporting calendar year. Control over the conduct of training is assigned to the person responsible for organising work related to the protection of personal data during their processing.
4.2.6. Upon dismissal of an employee who has access to PD of natural persons, documents and other carriers containing such personal data are transferred in a timely manner to another employee who has access to personal data of natural persons upon instruction of the head of the structural unit, or directly to the head of the unit.
5. Destruction, depersonalisation and restoration of personal data
5.1. Personal data of a natural person are subject to destruction in the following cases:
5.1.1. expiry of the data retention period defined by the PDS’s consent to the processing of such data or by law;
5.1.2. termination of legal relations between the PDS and the owner or processor of the database, unless otherwise provided by law;
5.1.3. entry into force of a court decision on removal of data about a natural person from the PDD;
5.1.4. satisfaction of a reasoned request of the PDS for destruction of PD;
5.1.5. issuance of a relevant order by the Commissioner of the Verkhovna Rada of Ukraine for Human Rights or by designated officials of the Commissioner’s Secretariat;
5.1.6. collection of personal data in violation of the Law of Ukraine “On Personal Data Protection”.
5.2. Personal data are destroyed in a manner that excludes any subsequent possibility of restoring such personal data.
5.2.1. Personal data of a PDS may be restored if the PDS submits a written application to the Company for restoration of their personal data, or if the Company receives a relevant request from an authorised executive authority.
5.2.2. The final decision on restoration of personal data of a personal data subject in the Company’s PDD is made by the General Director within 30 days. Interested persons are notified of the decision by email, telephone message or letter.
5.3. The retention period for personal data of natural persons, taking into account the Company’s business needs, is 5 years unless another period is established by legislation, contract or the need to protect the rights and legitimate interests of the Company. This period may be extended in cases provided for by law and subject to the requirements of the applicable legislation of Ukraine.
5.4. The selection for destruction of documents containing personal data whose retention periods have expired is carried out by an expert commission, the composition of which is determined by an order of the director of the Company.
5.5. For the purpose of statistical reporting, taking into account the Company’s business needs and in accordance with the requirements of applicable Ukrainian legislation, personal data of natural persons may be depersonalised. Personal data are considered depersonalised if information enabling identification of a natural person has been removed from their content.
5.6. The list of personal data subject to depersonalisation is submitted electronically to the General Director by the head of the relevant structural unit of the Company upon prior approval by the person responsible for organising work related to the protection of personal data during their processing.
6. Liability for disclosure of confidential information and restricted-access information related to personal data of natural persons
6.1. Persons guilty of violating the rules governing the procedure for obtaining, processing and protecting personal data of natural persons bear disciplinary, administrative, civil or criminal liability in accordance with the legislation of Ukraine in force at the time of the offence and the Company’s local administrative acts.