Privacy Notice

What Personal Data we collect and for what purposes

• We collect the following types of Personal Data about you:

  Purpose	Types of Data Processed	Provided by	Legal Basis
  A) Downloading the App Creating an account on the App	full name mobile number national ID residency cards passport number national address date and place of birth	You to us YAKEEN	Performance of a contract (between you and STC Bank) Article 6(2) of the PDPL
  B) Creating an account Conducting CDD/KYC activities Using the services offered via the App	salary employment sector cash receipt cash expenditure patterns passcode Tax Residency Information	You to us	Performance of a contract (between you and STC Bank) Article 6(2) of the PDPL Explicit consent Article 5 of the PDPL
  C) Applying for a debt product Evaluating your credit profile Conducting risk assessments Assist with determining issuing amounts for debts any other product or liability	SIMAH score and credit performance data	You to us Saudi Credit Bureau (SIMAH) and any other relevant governmental body	Explicit consent Article 5 of the PDPL
  D) Using the App	transactions you carry out details of any bank accounts you transact to and from the App using the services offered via the App and purchasing goods or services available on the App IP address localization data for the purposes of enabling browsing the App	You to us	Performance of a contract between you and STC Bank Article 6(2) of the PDPL Explicit consent Article 5 of the PDPL
  E) Marketing and/or direct sales of STC Bank’s products and/or services Sending advertising material Carrying out promotional activities	full name e-mail address mobile number account name on the App	You to us	Explicit consent Article 5 of the PDPL

  We are collecting personal data that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers etc.

  You shall provide us only with Personal Data that are accurate, complete, up-to-date, and relevant for the purpose for which they are collected. We will take reasonable steps to ensure that your Personal Data are accurate, complete, up-to-date and relevant for the purpose for which they are collected but we will not be responsible for any inaccuracy, incompleteness, antiquity or irrelevance of the Personal Data if these are a consequence of your error or omission.

Mandatory and optional provision of Personal Data

• The provision of Personal Data under Section 1, letters A,B,C and D is mandatory to enable STC Bank to provide the services described therein to you. Consequently, failure to provide Personal Data for the purposes referred to in Section 1, letters A,B,C and D will make it impossible for us to carry out the activities described therein.

  
  

  The provision of Personal Data under Section 1, letter E is optional and failure to provide such Personal Data will have no consequences other than make it impossible for us to carry out the activities described therein.

How we collect and process your Personal Data

• We collect and process Personal Data only when you specifically give it to us by registering on and/or using the App or by the third parties mentioned in Section 1 above.

  
  

  The Personal Data you provide will be processed in compliance with the Applicable Laws and, in any case, in such a way as to guarantee the security and confidentiality of the same, to prevent unauthorised disclosure or use, alteration or destruction. The Personal Data will be processed on paper and/or via telematic means, also with the help of electronic and information means. We will process your Personal Data in our own technological infrastructure and/or using the technological infrastructure of third-party suppliers appointed as data processors. We process Personal Data for the purposes set out in Section 1.

  
  

  You may reach out to STC Bank’s DPO to the address indicated in Section 9 below for any queries related to collecting and processing your Personal Data.

Protecting your Personal Data

The transmission of information via the Internet is not completely secure. We will do our best to protect your Personal Data while it is in our possession, however, we cannot guarantee the security of your data transmitted online or over the App.

We recognise industry standards and employ security safeguards to protect Personal Data from unauthorised access and misuse. All information you provide to us is stored on secure servers. Any payment transactions will be protected and safeguarded by encryption.

Sharing your Personal Data with third parties and cross-border transfers

We may share Personal Data with third party providers so they can provide you with certain services through the App. Achieving this may require sharing Personal Data with external third party providers on a regular basis, multiple times, or once, as required for one of the purposes set out in Section [1]. We will require these third party providers to take steps to ensure that your Personal Data is kept secure and used in accordance with this Privacy Notice. However, we shall not be liable for any unauthorised use of your Personal Data by a third party provider.

The Personal Data may be communicated, exclusively for the purposes indicated in this Privacy Notice, to the categories of subjects listed below:

• A) persons, companies, associations or professional firms that provide services and activities of assistance and consultancy to STC Bank, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters;

• B) companies that provide, on behalf of STC Bank, certain services related to the App and to the management and execution of purchase orders through the App, with particular but not exclusive reference to the analysis of Personal Data, the management of payment services, the management, shipment and delivery of products purchased on the App, marketing activities, the management of services provided through the App and their customisation in your favour;

• C) in the event of a sale, merger, liquidation, receivership or transfer of assets of STC Bank or one of our affiliated companies, to the prospective buyer of the business and their professional advisers;

• D) companies belonging to the same corporate group as STC Bank, with particular but not exclusive reference to activities of Personal Data analysis in aggregate and anonymised form, identity management of user profiles on the App, profiling and profiled marketing in relation to users who have given their consent to these activities;

• E) subjects to whom the right to access the Personal Data is required by law, secondary legislation, a court order or by a regulatory authority of competent jurisdiction or if we believe that such disclosure is necessary, to protect, defend or enforce our rights. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and

• F) third party companies and clients with whom STC Bank collaborates as a business partner (e.g. for the promotion of goods and services) including those third parties assisting us in supplying our services to you or perform certain functions on our behalf, including IT support services, card management services or professional services.

The Personal Data may be communicated, exclusively for the purposes indicated in this Privacy Notice, to the categories of recipients listed above and having their registered offices in the Kingdom of Saudi Arabia and acting, as the case may be, as data processors on behalf of STC Bank or as separate data controllers, in this case providing you, under his/her own responsibility, with appropriate information.

For the purposes of providing you with our payment services, the Personal Data may also be communicated, exclusively for the purposes indicated in this Privacy Notice, to the categories of recipients listed above and having their registered offices in countries outside the Kingdom of Saudi Arabia (in this case in compliance with the provisions of the Applicable Laws regarding data transfers and acting as data processors on behalf of STC Bank or as autonomous data controllers).

Your Personal Data will be stored on the servers available to STC Bank or to the persons in charge located in Kingdom of Saudi Arabia. Should it become necessary for technical and/or operational reasons to use subjects located outside the Kingdom of Saudi Arabia, or should it become necessary to transfer some of the collected Personal Data to technical systems and services managed in the cloud and located outside the Kingdom of Saudi Arabia, the processing will be regulated in compliance with the provisions of the Applicable Laws regarding data transfers.

This Privacy Notice only applies to Personal Data collected on the App. Although the App may provide links to websites of third parties, such as banks, this Privacy Notice does not apply to any other application or website that you connect to from the App. We are not responsible for the content or practices of applications and websites operated by third parties that are linked to or from the App and you should refer to the relevant privacy policies issued by such third parties.

Underage users and users lacking legal capacity

STC Bank encourages parents to monitor their children's use of the Internet for safe and filtered use of its content, including through the use of parental control tools. Besides ensuring an online environment suitable for minors, these tools can prevent the disclosure of personal data by children or young people who do not have their parents' consent. With regard to the collection and processing of personal data, STC Bank does not process personal data of subjects under 15 years of age. Creating an account on the App is, therefore, only permitted to users who have reached the age of majority or to users who are at least 15 years old. STC Bank, moreover, encourages the creation of an account on the App of parents of registered users who are minors: in this way, parents have the opportunity to keep abreast of the initiatives that STC Bank makes available to their children, and to check their compliance with their own expectations and educational models and paths. STC Bank urges all users who are under the age of 15 not to communicate their personal data, under any circumstance, and reserves the right to exclude from the App any user who has concealed their under-age or who has communicated their personal data despite being aged less than 15.

Legal guardians of subjects under 15 years of age or of subjects lacking legal capacity shall exercise data subjects’ rights set out in the Applicable Laws and this Privacy Notice on their behalf.

Data retention period

The Personal Data collected for the processing purpose indicated in Section 1 above shall be retained for the time necessary for the pursuit of such purposes and thereafter, and in any case for the permitted time under the Applicable Law from the achievement of the respective purposes as required by the Applicable Laws, except in case of extraordinary necessity of STC Bank to keep the Personal Data further in order to defend its rights, also in relation to disputes existing at the time of the request or upon indication of public authorities or as otherwise permitted by the Applicable Laws.

The Personal Data collected for the processing purpose indicated in Section 1 letter E above shall be retained until the withdrawal of the relevant consent or until you expressly request the deletion of such Personal Data, which shall be deleted or anonymized in accordance with our internal policies, part of which is requesting third party providers to provide destruction confirmation, which confirms that Personal Data has been securely and permanently destroyed in accordance with agreed standards. and in any case for the permitted time under the Applicable Law from the last purchase made, except in case of extraordinary necessity of STC Bank to keep the Personal Data further in order to defend its rights, also in relation to disputes existing at the time of the request or upon indication of public authorities or as otherwise permitted by the Applicable Laws.

Changes to this Privacy Notice

Any changes we may make to this Privacy Notice in the future will be posted on the App and, where appropriate, notified to you. By continuing to use the App you will be deemed to accept the changes to this Privacy Notice.

Contact

Your personal data processing controller is STC Bank. You can contact STC Bank at any time by mail or e-mail at DPO@stcbank.com.sa. If you have any questions regarding this Privacy Notice, please include it in the email subject to enable our DPO to contact you. We shall review and respond to your questions within a maximum period of (30) days and may be extended for a similar period, which you will be notified of in advance, stating the reasons for such extension if implementing the request requires any additional effort.

STC Bank has appointed its own Data Protection Officer (also known as the "DPO"), who may be contacted for matters relating to the processing of your data. By writing to DPO@stcbank.com.sa you may also exercise the rights indicated under Section 10 below

Your rights

Unless otherwise permitted by the Applicable Laws, we hereby remind you that you have the following rights:

• to the extent that consent was given for any processing of Personal Data, the right to withdraw your consent at any time by selecting the appropriate option in the App or sending an e-mail to our contacts above;

• the right to obtain information in relation to the purposes and legal basis for which your Personal Data is processed;

• the right to obtain correction of inaccurate, incomplete and/or outdated Personal Data relating to you;

• the right to obtain that the Personal Data concerning you is only kept without any other use of the Personal Data in the following cases: (a) you contest the accuracy of the Personal Data, for the period necessary to allow us to verify the accuracy of such Personal Data; (b) the Personal Data is necessary for the establishment, exercise or defense of legal claims; and (c) you object to the processing and are awaiting verification as to whether the legitimate grounds of the data controller for processing prevail over those of the data subject;

• the right to obtain the cessation of processing in cases where your Personal Data is processed for marketing purposes; and

• the right to receive in a readable and clear format, a copy of the Personal Data provided to STC Bank.

If you are not satisfied with the results of our complaint handling, or if you believe that your Personal Data is being processed unlawfully or for an unlawful purpose, you may file a complaint with the Saudi Central bank. You can view the instruction on how to complaint or objection through submit a submitting an individual rights request.

Please note that in the Kingdom of Saudi Arabia you have the right to turn to the national authority (SDAIA / NDMO) to assert your rights in relation to the processing of your Personal Dat, and the right to claim compensation for financial or moral damages under the violations stipulated in the PDPL.

Furthermore, by writing to the address DPO@stcbank.com.sa you may exercise the rights set forth under this Section.

Amendment date: Jumada II 10, 1447 corresponding with December 1, 2025