Atomtrans Tech Corp. Privacy Policy

I. INTRODUCTION

This Privacy Policy (“Policy”) is hereby adopted by Atomtrans Tech Corp. (the “Company” or “ATC”) in compliance with Philippine Republic Act No. 10173 or the Data Privacy Act of 2012, its Implementing Rules and Regulations and other relevant laws to the extent that the same may apply to the Company’s compliance with the protection of personal data (“Data Privacy Laws”).

The Company respects and values the data privacy rights of its clients, users, employees, service providers, contractors, and any other third persons who have transactions with the Company. The Company makes sure that all personal data collected from them are processed in adherence to the Data Privacy Laws and the general principles of transparency, legitimate purpose, and proportionality.

The Company guarantees that it has implemented the relevant security measures and technologies to maintain the confidentiality and integrity of the personal and sensitive personal information, as defined herein. Further, the Company continues to monitor and update its security measures and technologies, whenever necessary, in order to ensure the protection of the data privacy rights of its clients, users, employees, service providers, contractors, and any other third persons who have transactions with the Company.

This Policy shall constitute as an integral part of and subject to the Company’s Terms and

Conditions

of

Use,

available

at

https://atcex.ph/service/termsOfUse

and

https://www.atcremit.ph/about/html/sytk/062409543623.html.

Any matter not otherwise covered under this Policy, but is covered by the Data Privacy Laws or any subsequent issuance by the applicable regulatory bodies, shall be deemed incorporated into this Policy.

II.DEFINITION OF TERMS

(a)“ATC System” shall refer to the mobile application with the name ATC Remittance Mobile APP (“ATC Remittance Application”), and the websites with the domain name www.atcremit.ph; and the mobile application with the name ATC Exchange, and the website with the domain name www.atcex.ph.

(b)“Clients” refers to persons who have transacted with or availed of the services of the Company, including but not limited to the ATC System.

(c)“Commission” refers to the Philippine National Privacy Commission.

(d)“Company” refers to Atomtrans Tech Corp.

(e)“Consent of the Data Subject” refers to any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and processing of Personal Information about and/or relating to him or her.

1

(f)“Data Protection Officer” refers to the person who the Company shall authorize to oversee the compliance of the Company with the Data Privacy Laws and other related policies and ensure the Company’s compliance with the latter.

(g)“Data Subject” refers to a natural person to whom personal data relate.

(h)“Data Privacy Laws” refers to Republic Act No. 10173 or the Data Privacy Act of 2012, its implementing rules and regulations, and such other applicable laws and issuances.

(i)“Person” refers to either a natural or juridical person as defined by law.

(j)“Personal Information” or “Personal Data” refers to any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For purposes of this Policy, Personal Information may include Sensitive Personal Information, and the log-in credentials of the Clients to the ATC System.

(k)“Processing” refers to any operation or set of operations which is performed upon personal information, whether or not by automatic means, such as: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

(l)“Sensitive Personal Information” refers to personal information revealing or concerning (directly or indirectly) a person’s age, marital status, racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade union membership, and health or sex life.

(m)“User” refers to the visitors of the ATC System, Company’s website, apps, and other digital properties of the Company, and may include potential customers, Clients, third party service providers, contractors, consultants, stockholders, Board of Directors, officers, employees, agents and/or representatives of the Company.

(n)“Policy” refers to the Privacy Policy of the Company.

III. SCOPE AND LIMITATIONS

All Clients and Users, and any and all third parties who shall henceforth deal, transact, or otherwise engage in business with the Company, shall be subject to the terms set out in this Policy, in accordance with the terms herein set forth.

IV. PERSONAL INFORMATION OTHER THAN YOUR OWN

When the Client and/or the User discloses to the Company another person’s Personal Information (i.e. money remittance recipients, your spouse, beneficiary, children, and/or parents, and/or agents or representatives), the Client and/or the User attest that consent has

2

been obtained from that person to disclose and process personal information in accordance with law and this Policy.

V. PROCESSING OF PERSONAL DATA

A. COLLECTION AND METHOD OF USE

The Company only collects personal data it needs in order to provide the services and/or information that the Company’s visitors, Users, Clients, third party service providers, contractors and consultants have asked for or that it needs in relation to its dealings with the Company.

When dealing with Personal Information and/or Sensitive Personal Information, the Company will state the purpose of collection of the information and seek the Data Subject’s consent before using such information.

Unless otherwise specified, the data collected shall be used for identification, verification, confirmation purposes and compliance with laws especially the Anti-Money Laundering Act of 2001, as amended, and other relevant laws, rules and regulations issued by the relevant Philippine government entities such as, but not limited to, the Bangko Sentral ng Pilipinas (BSP) and the Anti-Money Laundering Council and its counterparts in foreign states. Data may also be collected to personalize, maintain, and improve the services of the Company, to enable communication between Users and the Company, and to provide notice to the User regarding the Company’s marketing and promotional materials.

The Company collects pertinent Personal Information and Sensitive Personal Information in the following cases:

1.When a Client or User registers with the ATC System.

2.When a Client or User pays the fees to be able to register and use the ATC System.

3.When a Client or User uses the ATC System, including but not limited to the purchase and sell of virtual currencies, and remittance of virtual currencies.

4.When a Client or User purchases or avails of ATC’s products, services, promos, marketing activities and events.

5.When a Client or User deals or interacts with ATC, its sales agents, reservation officers or specialists in whatever means.

6.When a Client or User submits information through manual and/or online form on the ATC System or contacts the latter through any of its social media accounts.

7.When a Client or User provides information in connection with inquiries, requests, suggestions and complaints.

8.When a Client or User agrees to participate in surveys, promotions and other marketing and sales activities of ATC.

9.When a Client or User submits Personal Data for any other purposes.

Unless otherwise specified, the data collected shall be used for the following purposes:

1.For identification, verification, and confirmation purposes, pursuant to the Company’s Know-Your-Customer (KYC) and Anti-Money Laundering (AML) Policies;

2.For compliance with laws, such as but not limited to Republic Act No. 9160, also known as the Anti-Money Laundering Act of 2001 (AMLA), as amended; the rules and

3

regulations issued by the BSP; and legal proceedings, and for compliance with legal obligations, to prevent imminent harm to the public, and to ensure public security or order;

3.For the prevention, detection and investigation of crime, including fraud, money- laundering, terrorist financing activities, and to analyze and manage other commercial risks;

4.For the personalization, maintenance, and improvement of the services of the Company, to enable communication between Users and the Company, and to provide notice to the User regarding the Company’s marketing and promotional materials.

5.For the efficient and effective use of the ATC System, which may be subject to fees and charges as relayed to the Client through the relevant platforms. The ATC System includes the following services and features:

a.For ATC Remittance Platform

The Clients may avail of the Company’s services and facility to conduct, manage and control digital and over-the-counter transactions involving virtual currencies within the ATC System and the Client’s ATC Wallet. In connection with the foregoing, the ATC’s remittance services, which the Client may avail are as follows:

a)Top-up/Cash-In – recharge or infuse the Client’s ATC Remittance Account (aka ATC Wallet) with virtual currency (ATCP).

b)Cash-Out – withdrawal or conversion of the ATCP from the ATC Wallet into cash or Fiat Currency.

c)Remittance – conversion of ATCP to Fiat Currency and transfer to Client’s preferred account duly made known to ATC.

b.For ATC Exchange Platform

The Clients may avail of the Company’s services offered in the ATCEx System, such as the exchange, buy and sell of virtual currencies. In relation to the foregoing, the Client may avail of the following services:

a)The Client has the right to browse the real-time quotes and transaction information of cryptocurrencies in the ATCEx System, to submit digital asset transaction instructions and to complete the digital asset transaction through the ATCEx System.

b)The Client has the right to view information under the member accounts on the ATCEx System to apply the functions and features available in the ATCEx System.

B. STORAGE, RETENTION, ACCESS, AND SECURITY

The Company ensures that Personal Information and Sensitive Personal Information, including the Virtual Currency Wallets and Client’s log-in credentials, under its custody are protected against accidental, unauthorized or unlawful access, destruction, alteration, and disclosure, as well as any other unlawful processing. The data collected shall be stored in a database

4

encrypted with the latest security measures, free from access by unauthorized persons, viruses, and other factors that can corrupt data. Only authorized persons or representatives of the Company are allowed to have access to the data stored within its system.

The Company secures and protects the Personal Information and Sensitive Personal Information, including the Virtual Currency Wallets and Client’s log-in credentials, of the Clients, Users and Data Subjects, as may be applicable. The Company has established a strong IT System in place to protect the confidentiality security, accuracy and integrity of the Personal Information and Sensitive Personal Information, such as but not limited to the following (collectively, the “Data” or Database”):

a.Client personal data:

i.Client name

ii.Permanent and current addresses

iii.Contact number

iv.Email Address

v.Age/Birth Date

vi.Marital Status

vii.Nationality

viii.Criminal Record

ix.Other Client personal information as may be indicated in the Company’s KYC Policy

x.Client Identification Documents/Cards (IDs)

xi.Client login information

xii.Risk ranking, in accordance with the Company’s AML Policy

b.Client order details:

i.Order date

ii.Order action(buy/sell)

iii.Amount

iv.Currency

v.Order status

vi.Client ID

c.Client transaction/exchange data:

i.Transaction/exchange date

ii.Transaction/exchange action(buy/sell)

iii.Amount

iv.Currency

v.Client ID

vi.Loss/profit

The Company employs a database audit function, which is used in real-time to help decentralize management of the third-party operation, maintenance personnel and internal high authority users who can access the Data. As part of internal control compliance, access of the operation and maintenance personnel to the Data through tool software is strictly controlled, and information such as the Client/User account, access time, source IP, access page, operation event, and residence time, is recorded for transparency and data integrity. Audited data is retained for a minimum of one (1) year.

5

The database audit system is used to conduct a comprehensive and accurate audit trail of all the behavior of logging in and accessing the Data, and the traceability can be tracked quickly when any abnormal access occurs. Using a database access system, multi-factor-based login control is implemented on the operation and maintenance side.

The Company uses a database firewall, which is used to defend against external SQL injection attacks directed on the Database. Data desensitization is used to desensitize the data designed for personal basic information in the production system, to meet the needs of business system development and testing, while protecting Sensitive Data. Data encryption is used to prevent hackers from dragging libraries. At the outermost layer by the firewall, IPS, WAF, network access and other security systems ensure network boundary security.

ATC websites shall be deployed using HTTPS to ensure that encrypted communication between Users and websites is maintained, to prevent hackers from listening, and to ensure the security of data transmission.

From the aspects of physical security, network security, system security, application security, data security and so on, a comprehensive and multi-level security protection system is constructed in security area division, security boundary protection, access control means, active defense strategy, and so on:

Physical security: Water cooling and air conditioning are used to control the room temperature at room temperature below 16 degrees Celsius, to ensure that the room is dust-free, and to restrict unauthorized personnel from entering the room.

Network security: Intranet interaction is used between servers, reverse proxy and load balancing are used to hide the real IP of back-end services.

Application security: 24/7 personnel are put on monitoring duty. Alarm response time is 10 minutes. All applications adopt distributed active and standby deployment to ensure that the application can withstand high load and high availability.

Data security: Data is deployed with dual-master and multi-slave; database middleware is used to achieve read-write separation.

Moreover, the ATC System uses blockchain technology. Therefore, Data confirmed and input into the ATC System cannot be modified. This is because the system works as a decentralized network, wherein information is validated across millions of computers. A collection of data is stored in a single block containing a unique signature, called the “Hash,” which is then used in the algorithm to produce the unique signature of the next block. This makes hacking into the system, and unlawful and unauthorized access to the Personal Information, Sensitive Personal Information, and Data, nearly impossible, because tampering with one block will affect the signature of that block and the succeeding blocks

Nevertheless, the Company shall use an intrusion detection system to monitor security breaches. The system shall be programmed in a way that it will alert the Company of any attempt to interrupt or disturb the system. Moreover, the Company shall first review and evaluate software applications before the installation thereof in the computers and devices of

6

the Company and that of its employees, to ensure the compatibility of security features with overall operations.

The Company reviews security policies, conducts vulnerability assessments, and performs penetration testing on a regular basis being prescribed or as required by, or to be required by the Commission.

The Data Subject’s Personal Information and Sensitive Personal Information may be stored in the region where the Company maintains servers and facilities and the Company ensures that such storage is also compliant with the applicable data privacy laws in that state.

The Company utilizes standard manual and computerized methods and systems to file, store and process Personal Information. Collection and Processing of Personal Information will be undertaken in accordance with the principles set out in this Policy and as required by law.

The Company will only retain Personal Information and Sensitive Personal Information as long as necessary for the fulfillment of those purposes specified by the Company under this Policy, subject to the provisions of existing laws of the applicable jurisdiction. Generally, if practicable, they will be stored in a database for the required number of years (after inquiries, requests, complaints, etc. are acted upon) after which physical records shall be disposed of through shredding, while digital files shall be anonymized.

The Company uses external tools to improve the performance and functionality of the site. These tools are provided by a third party, who only collects non-personal data on the Client’s or User’s use of the Company’s site.

C. DISCLOSURE AND SHARING

Recipients of Personal Information and Sensitive Personal Information that the Company collects include persons within the Company or its principals, directors, officers, stockholders, employees or representatives, service providers, contractors, consultants and other persons involved in the business or operations of the Company (including any affiliates or related companies), and third parties to whom the Company has outsourced or may outsource certain business or operating activities, advisers, and service providers, in order to achieve the purposes. The Company may also disclose information, whether intended to be kept confidential or not, upon lawful request by a governmental authority, in response to a court order, or when required by applicable law.

Personal Information and Sensitive Personal Information, obtained by the Company from the Client shall only be available to the following third parties, who are also bound to protect the Client’s Personal Information and to use them only for the purposes for which they are disclosed, to wit:

a.Banks, financial institutions, credit agencies or credit bureaus, for the purpose of verifying authenticity of information provided by the Client or to address queries relating to anti-money laundering due diligence on transactions that were coursed through the Company;

b.Counterparties and their respective banks in relation to fund transfers, payments, and other transactions;

7

c.Agents, contractors, third party service providers, or tie-up partners who provide operational services to the Company, such as courier services, telecommunications, information technology, payment, payroll, processing, training, market research, storage, archival, customer support investigation services or other services to the Company; and

d.Regulatory or government agencies, such as but not limited to Bangko Sentral ng Pilipinas and the Anti-Money Laundering Council, to comply with existing laws, rules and regulations.

The Company shall ensure that all such recipients of Personal Information and Sensitive Personal Information, except the regulatory or government agencies, which have its own policies and regulations regarding the management of personal, sensitive personal and/or confidential information, shall maintain confidentiality and secrecy of all such information that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Information and Sensitive Personal Information under the custody of the Company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data. Moreover, these persons are also required to be bound by the confidentiality of all the information which they have access to by requiring them to comply with any and all laws, rules and regulations governing data privacy protection.

(i)Cookies and how the Company uses them

A cookie enables the Company’s website to identify a Client’s or User’s computer as the latter views different pages of the Company’s website.

Cookies allow websites and applications to store a Client’s or User’s preferences in order to present content, options or functions that are specific to a Client or User. They also enable the Company to see information like how many people use the website and what pages they tend to visit.

(ii)How the Company uses Cookies

The Company may use cookies to:

Analyze its web traffic using an analytics package. Aggregated usage data helps the Company improve the website structure, design, content and functions.

Identify whether a Client or User is signed in to the Company’s website. A cookie allows the Company to check whether a Client or User is signed in to the site.

Test content on the Company’s website. For example, 50% of the Users might see one piece of content, the other 50% a different piece of content.

Store information about a Client’s or User’s preferences. The website can then present a Client or User with information and ads that a Client or User may find more relevant and interesting.

To recognize when a Client or User returns to the Company’s website. The Company may show a Client’s or User’s relevant content, or provide functionality he/she used previously.

8

Cookies do not provide the Company with access to a Client’s or User’s computer or any information about a Client or User, other than that which a Client or User chooses to share with the Company.

(iii)Controlling Cookies

A Client or User can use his/her web browser’s cookie settings to determine how the Company’s website uses cookies. If a Client or User does not want the Company’s website to store cookies on a Client’s or User’s computer or device, a Client or User should set his/her web browser to refuse cookies. However, doing this may affect how the Company’s website functions. Some pages, products and services may become unavailable to a Client or User.

Unless a Client or User has changed his/her browser to refuse cookies, the Company’s website will issue cookies when a Client or User visits it.

Nevertheless, the Company may allow third parties to use cookies on its app to collect the same type of data for the same purposes with which the Company uses the data collected. Third parties may be able to associate a User’s personal data as collected through the cookies with other personal data of the same User that they possess and obtained from other sources. The Company does not necessarily have any access to, or control over the cookies used by such third parties.

Cookies may nevertheless be deactivated through the usual modes of deletion and as provided above.

D. DESTRUCTION

All information regarding the Clients and Users of the ATC System shall be automatically deleted from the ATC System’s database upon the Client/ User’s deregistration from the ATC System. All officers, directors, employees, representatives, agents, service providers, contractors, consultants and any other person involved in the business or operations of the Company shall no longer have access to a Client’s and/or User’s information and data after the Client’s and/or User’s deregistration and the deletion of his or her data from the app’s database.

Unless otherwise provided under the law then in effect, all other information collected which are not otherwise pertinent or necessary for the operation of the Company or the ATC System shall not be retained for a period longer than one (1) year. After such period, all hard copies shall be disposed and destroyed, by shredding or other secured means.

E. INTERNATIONAL DATA TRANSFERS

The Personal Data may be stored and processed in and transferred between any of the countries in which the Company makes use of cloud services in order to enable it to use the information in accordance with this Policy. In which case, the Personal Data may be shared with the person or entity maintaining and providing such cloud services.

9

VI. BREACH AND SECURITY INCIDENTS

A. DATA BREACH RESPONSE TEAM

The Company has created a Data Breach Response Team (the “Team”), comprising of the Data Protection Officer as Head of Team, and three (3) other employees. The Team shall be responsible for immediate action in the event of a security incident or personal data breach. The Team shall conduct an initial assessment of any incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

B. PRIVACY IMPACT ASSESSMENT

The Company regularly conducts Privacy Impact Assessments in order to identify risks in the processing system, update the system if necessary according to the assessment, and to regularly monitor the same for security breaches.

C. RECOVERY AND RESTORATION OF PERSONAL DATA

The Company always maintains a backup file for all personal data or information under its custody. In the event of a security incident or data breach, the Team or any member thereof designated by the Data Protection Officer regularly monitors the comparison of the backup file with the affected file, to determine the presence of any inconsistency or alteration that may have resulted from the security incident or data breach.

D. NOTIFICATION PROTOCOL

The Data Protection Officer shall inform the management of the Company of the need to notify the Commission and the data subjects affected by the security incident or data breach within the period prescribed by law or regulation by the Commission. The Company may decide to delegate the actual notification to any member of the Team.

E. DOCUMENTATION AND REPORTING

The Team shall prepare a detailed documentation of every security incident or data breach encountered, as well as an annual report, to be submitted to the management of the Company and the Commission, within the period prescribed by law or regulation by the Commission.

VII. RIGHTS OF THE DATA SUBJECT

The Client, User, and/or Data Subject are hereby reminded of their rights in relation to the collection, processing, and storage of their Personal Data as follows:

The right to be informed

As a Data Subject, the latter has the right to be informed that his/her personal information shall be, are being, or have been processed. This Policy serves as the

10

Company’s notice to the User or Client that his/her personal information shall be collected for the declared purposes.

The right to access

Concomitant to a Data Subject’s right to be informed, the latter also has a right to gain reasonable access to his/her Personal Information and Sensitive Personal Information that the Company collects and processes. For this purpose, the User or Client is given access to his Personal Information and Sensitive Personal Information and may amend the same from time to time as he/she deems fit.

The right to object

A Data Subject has the right to object to the Processing of his/her Personal Information and Sensitive Personal Information, including Processing for direct marketing, automated processing or profiling.

A Data Subject likewise has the right to be notified and given an opportunity to withhold consent to the Processing in case of changes to the information given to a Data Subject regarding the Processing of his/her information.

For the foregoing purposes, the Data Subject may contact the Data Protection Officer of the Company or access his Personal Information and request limitation on the Processing of the Data Subject’s personal data.

The right to erasure or blocking

A Data Subject has the right to suspend, withdraw or order the blocking, removal or destruction of a Data Subject’s Personal Information and Sensitive Personal Information upon discovery and substantial proof that:

oA Data Subject’s personal information is incomplete, outdated, false, or unlawfully obtained;

oIt is being used for purposes the Data Subject did not authorize;

oThe data is no longer necessary for the purposes for which they were collected; o The Data Subject has decided to withdraw consent, or the Data Subject objects

to its Processing, and there is no overriding legal ground for its Processing;

o The data concerns personal information prejudicial to the Data Subject - unless justified by freedom of speech, of expression, or of the press; or otherwise authorized;

o The Processing is unlawful; or

o The Data Subject’s rights as a data subject have been violated.

In case the User or Client decides to withdraw his/her consent to the Processing of his/her Personal Information, and depending on the nature of his/her consent or withdrawal, the Company may no longer be in a position to continue to provide products and services to the User or Client to further deal with the latter.

11

The right to damages

A Data Subject has the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of Data Subject’s Personal Information, taking into account any violation of the Data Subject’s rights and freedoms as a data subject.

The right to file a complaint

A Data Subject may also file a complaint in accordance with best practice and depending upon where the data subject is and the laws to which the Company may be subject to in accordance with the applicable law.

The Data Subject has a right to lodge a complaint with his or her local supervisory authority if he or she has concerns about how the Company is Processing his or her personal information.

The right to rectification

A Data Subject has the right to dispute any inaccuracy or error in his/her Personal Information and call the attention of the Company to correct it immediately, unless the request is vexatious or unreasonable. Once corrected, the Company will ensure that the Data Subject will have access to both new and retracted information. The Company shall also ensure the simultaneous receipt of the new and the retracted information by the recipients thereof.

The right to data portability

Where a Data Subject’s Personal Information is processed by electronic means, the Data Subject has a right to obtain a copy of his/her Personal Information in an electronic or structured format that is commonly used and allows for further use.

The Client and/or Data Subject recognize that the abovementioned rights shall be subject to and without prejudice to the provisions of the Company’s AML Policy and the KYC Policy.

VIII. CLIENT’S RESPONSIBILITIES

A. SAFEGUARDING OF VC WALLETS AS WELL AS LOG-IN CREDENTIALS

In ensuring the security of the Client’s assets and log-in credentials in the ATC System, the Client acknowledges that he/she/it shall have the following responsibilities:

a)To promptly update his/her/its information in the ATC System in case the previously provided and/or registered e-mail address, contact number, residence address, identification and other pertinent information have changed.

b)To supervise, manage and control the confidentiality of your nominated User ID and Passwords. It is the Client’s responsibility to assume liability for any loss or damages

12

that may arise due to negligence and failure to keep and secure the User ID and password.

c)To keep themselves updated on the recommended procedures to safeguard their wallet and log-in credentials, available on the following ATC platforms:

For ATC Remittance: https://atcremit.ph/about/html/new/062409543623.html and https://atcremit.ph/about/html/new/062409543624.html

For ATC Exchange: https://atcex.ph/help/list/SspZGblFb025GKO2iAHsgw?IsVideo=2&Keywords =Safety and https://atcex.ph/help/detail/RoV3crNY002TBki6sF_0kQ?IsVideo=2&Keywor ds=Beginner%27s%20guide

IX. PROBLEM RESOLUTION PROCEDURE

In case the Client reasonably believes that his/her/its rights enunciated under this Policy have been violated, or in case the of a security incident or personal data breach, and the Client reasonably believes that he/she/it has suffered pecuniary damages, the Client shall promptly notify ATC of such violation and/or damage within forty-eight (48) hours from the time of discovery of the violation and/or pecuniary damage. The notification may be done through either of the following means: (1) walk-in or personal visit to the Company’s office and submission of the Consumer Complaint Form; (2) call the Consumer Protection Hotline or ATC hotline and provide the complete details of the complaint, and thereafter transmit the Consumer Complaint Form physically or via e-mail; or (3) e-mail through the Company’s Customer Complaint E-mail address and provide complete details of the complaint as reflected in the Consumer Complaint Form. The Company, with the assistance and advice of the DPO, shall evaluate the customer complaints, analyze the nature of the complaints and recommend a resolution of the case or if needed to be elevated to proper authorities.

X. CONFIDENTIALITY

The recipients of the Personal Information and Sensitive Personal Information shall operate and hold personal data under strict confidentiality. They are required to sign non-disclosure agreements and to have received training on the company’s privacy and security policies to ensure confidentiality and security of the Data Subject’s information.

XI. AMENDMENTS

The Company shall have the right to modify, update, or amend the terms of this Policy at any time by updating the copy thereof as uploaded to the ATC System. The continuous use of the ATC System, or the communication between the Company and the Client, signifies the Client’s

13

acceptance of the modifications, updates, or amendments to the terms of this Policy. The terms of this Policy shall be subject to such laws and implementing rules as may be promulgated by the relevant regulatory agencies from time to time.

XII. INQUIRY

The Company will make readily available to you information about its policies and practices relating to the management of your personal information. Should you have further questions or concerns, you may contact our Data Protection Officer (DPO) through the following:

1. Via e-mail to: [email protected]

You may also contact ATC’s customer service:

1. Via personal visit to the Main Office Address of ATC 17F The Bonifacio Prime 20th Drive Mckinley Business Park, Bonifacio Global City Taguig City Metro Manila

2.Via teleconference. For this purpose, the contact number of ATC is (02) 8262526 or (02) 85611756.

3.Via e-mail to: [email protected]

4.Via instant messaging:

a. Facebook: https://www.facebook.com/AtomtransTechCorp/;

b. Twitter: @ATCRemittance; and

We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.

qI have read this Policy, understood its contents and consent to the processing of my personal data. I understand that my consent does not preclude the existence of other criteria for lawful processing of personal data, and does not waive any of my rights under the Data Privacy Laws.

14